AWS Security, Identity & Compliance – Directory Service


Directory Service

  • Provides multiple ways to use Amazon Cloud Directory and Microsoft Active Directory with other AWS services.
  • You can choose the directory service with the features you need at a cost that fits your budget.

Which to Choose?

  • Amazon Cloud Directory is a cloud-native directory that can store hundreds of millions of application-specific objects with multiple relationships and schemas.
  • Amazon Cognito is a user directory that adds sign-up and sign-in to your mobile app or web application using Amazon Cognito User Pools.
  • AWS Directory Service for Microsoft Active Directory (Enterprise Edition) is a managed Microsoft Active Directory hosted on the AWS cloud.
  • AD Connector is a proxy service for connecting your on-premises Microsoft Active Directory to the AWS cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure.
  • Simple AD is a Microsoft Active Directory–compatible directory from AWS Directory Service.

Amazon Cloud Directory

  • Amazon Cloud Directory is a highly available multi-tenant directory-based store in AWS.
  • It is a directory-based data store that can create various types of objects in a schema-oriented fashion.
  • These directories scale automatically to hundreds of millions of objects as needed for applications.
  • Directory Structure
    ○ Data in a directory is structured hierarchically in a tree pattern consisting of nodes, leaf nodes, and links between the nodes, as shown in the figure.


  • Root Node: The root is the top node in a directory and is used to organize the parent and child nodes in the hierarchy.
  • Node: A node represents an object that can have child objects.
  • Leaf node: A leaf node represents an object with no children; it may or may not be directly connected to a parent node.
  • Node link: The connection between one node and another.

Microsoft Active Directory

  • Microsoft AD is created as a highly available pair of domain controllers connected to your virtual private cloud (VPC).
  • With Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications.
  • It lets you securely connect to Amazon EC2 Linux and Windows instances.
  • It simplifies the deployment and management of cloud-based Linux and Microsoft Windows workloads.
  • You can use Microsoft AD to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure, adding a layer of security when users access AWS applications.

AD Connector

  • AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud.
  • AD Connector comes in two sizes, small and large.
  • A small AD Connector is designed for smaller organizations of up to 500 users.
  • A large AD Connector can support larger organizations of up to 5,000 users.

Simple Active Directory

  • Simple AD is a standalone managed directory.
  • It is available in two sizes, small and large.
  • A small Simple AD supports up to 500 users (approximately 2,000 objects including users, groups, and computers).
  • A large Simple AD supports up to 5,000 users (approximately 20,000 objects, including users, groups, and computers).

Managing Your Directory

  • You use the AWS Directory Service management console to perform certain directory-related actions, such as changing directory information or deleting an existing directory.
  • After a directory is created, most administrative functions are performed with directory management tools, such as the Active Directory Administration Tools.
  • Get Notified of Directory Status Updates Using Amazon SNS
    ○ Using SNS, you can receive email or text (SMS) messages when the status of your directory changes.
    ○ You are notified if your directory goes from an Active status to an Impaired or Inoperable status.
    ○ You also receive a notification when the directory returns to an Active status.
  • Snapshots
    ○ Snapshots can be used to perform a point-in-time restore of your directory.
    ○ A snapshot restores your directory to what it was at the point in time the snapshot was taken.
    ○ Restoring a directory from a snapshot is equivalent to moving the directory back in time.
    ○ You can also delete a snapshot whenever required.

Add Users and Groups

  • You can create users and groups with the Active Directory Users and Computers tool.
  • Users represent individual people or entities that have access to your directory.
  • Groups are very useful for giving or denying privileges to groups of users, rather than having to apply those privileges to each individual user.

Grant Users and Groups Access to AWS Resources

  • AWS Directory Service provides the ability to give your directory users and groups access to AWS services and resources, through actions such as:
    ○ Editing the Trust Relationship for an Existing Role
    ○ Creating a New Role
      ■ You must create the new IAM role using the IAM console.
    ○ Assigning Users or Groups to an Existing Role
      ■ You can assign an existing IAM role to an AWS Directory Service user or group.
      ■ The role must have a trust relationship with AWS Directory Service.
    ○ Viewing Users and Groups Assigned to a Role
    ○ Removing a User or Group from a Role
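The trust-relationship requirement above is easy to get wrong when a role is reused: the role's trust policy must allow the Directory Service principal to call sts:AssumeRole, and an explicit Deny anywhere in that document wins over the Allow. The following is an added example, not code from the page or from AWS. It works on a trust-policy document as a Python dict (the same JSON that an IAM GetRole call returns as the role's assume-role policy document) and makes no AWS API calls; it assumes the Directory Service service principal `ds.amazonaws.com`, as used in the AWS documentation for this trust relationship, and the sample policy is constructed for illustration.

```python
"""Check and repair the IAM trust policy that lets AWS Directory Service assume a role."""
import copy
import fnmatch
import json

# Service principal AWS Directory Service uses when assuming a role (assumed from AWS docs).
DS_PRINCIPAL = "ds.amazonaws.com"
ASSUME_ROLE = "sts:AssumeRole"


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers_ds(stmt: dict, effect: str) -> bool:
    """True if the statement has the given Effect, names ds.amazonaws.com as a
    Service principal, and its Action matches sts:AssumeRole (wildcards such as
    sts:* or * are honoured)."""
    if stmt.get("Effect") != effect:
        return False
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        # "*" or a non-dict principal: not a service trust for Directory Service
        return False
    services = _as_list(principal.get("Service"))
    actions = _as_list(stmt.get("Action"))
    return DS_PRINCIPAL in services and any(
        fnmatch.fnmatchcase(ASSUME_ROLE, pattern) for pattern in actions
    )


def trusts_directory_service(policy: dict) -> bool:
    """Return True if the trust policy lets Directory Service assume the role.

    An explicit Deny for the principal overrides any Allow, so it is checked first."""
    statements = _as_list(policy.get("Statement"))
    if any(_statement_covers_ds(s, "Deny") for s in statements):
        return False
    return any(_statement_covers_ds(s, "Allow") for s in statements)


def add_directory_service_trust(policy: dict) -> dict:
    """Return a copy of the policy with the Directory Service trust statement added.

    Idempotent: a policy that already grants the trust is returned unchanged, and the
    caller's dict is never mutated (the result is what you would pass to UpdateAssumeRolePolicy)."""
    updated = copy.deepcopy(policy)
    if trusts_directory_service(updated):
        return updated
    updated.setdefault("Version", "2012-10-17")
    statements = _as_list(updated.get("Statement"))
    statements.append({
        "Effect": "Allow",
        "Principal": {"Service": DS_PRINCIPAL},
        "Action": ASSUME_ROLE,
    })
    updated["Statement"] = statements
    return updated


# Constructed sample: a role that currently trusts only EC2, which is a common
# starting point when an existing role is reused for directory users and groups.
EC2_ONLY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


if __name__ == "__main__":
    print("trusts Directory Service before:", trusts_directory_service(EC2_ONLY_TRUST))
    repaired = add_directory_service_trust(EC2_ONLY_TRUST)
    print(json.dumps(repaired, indent=2))
    print("trusts Directory Service after:", trusts_directory_service(repaired))
```

Run the check before assigning users or groups to a reused role; if it returns False, the repaired document is the one to apply as the role's new trust policy. The Deny-first evaluation mirrors how IAM resolves conflicting statements, which is why a role can name the principal in an Allow and still fail to be assumable.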

Add an Instance to Your Directory

  • You can seamlessly join an EC2 instance to your directory domain when the instance is launched using the Amazon EC2 Systems Manager.
  • If you need to manually join an EC2 instance to your domain, you must launch the instance in the proper region and security group or subnet, then join the instance to the domain.

Authentication and Access Control

  • Valid credentials let you authenticate your requests, but without the appropriate permissions you cannot create or access AWS Directory Service resources.
  • Every AWS resource is owned by an AWS account, and permissions to create or access the resources are governed by permissions policies.
  • An account administrator can attach permissions policies to IAM identities, and some services also support attaching permissions policies to resources.
