AWS AD Connector

AD Connector Overview

AWS AD Connector is a directory gateway service that redirects directory requests from AWS applications to your on-premises Microsoft Active Directory without caching any directory information in the cloud. It acts as a bridge between AWS services and your existing on-premises Active Directory infrastructure, so users authenticate against the domain controllers you already operate.

Purpose:
AD Connector is designed to provide a way for organizations to leverage their existing on-premises Active Directory for authentication and authorization in AWS environments. Its primary purpose is to enable the use of existing corporate credentials for accessing AWS resources and applications, eliminating the need for separate user management in the cloud.

Key features and capabilities

  1. Directory Gateway: AD Connector functions as a gateway, redirecting authentication requests to your on-premises Active Directory without storing any directory information in the cloud.

  2. Scalability: Available in two sizes - small (intended for up to about 500 users) and large (up to about 5,000 users) - to accommodate different organizational needs and performance requirements.

  3. Existing Credentials Usage: Allows end users and IT administrators to use their existing corporate credentials for AWS applications.

  4. Security Policy Enforcement: Enables consistent enforcement of existing security policies across on-premises and AWS environments.

  5. Multi-Factor Authentication (MFA): Supports integration with an existing RADIUS-based MFA infrastructure. AD Connector does not provide a second factor itself; it forwards the MFA check to your RADIUS server.

Common use cases and applications:

  1. AWS Application Access: Enables users to log in to AWS applications like Amazon WorkSpaces, WorkDocs, or WorkMail using their existing corporate credentials.

  2. AWS Resource Management: Allows management of AWS resources such as EC2 instances or S3 buckets by mapping Active Directory users and groups to IAM roles that grant access to the AWS Management Console.

  3. Unified Identity Management: Provides a seamless way to extend on-premises identity management to the AWS cloud without the need for complex federation setups.

  4. Compliance and Security: Helps maintain compliance by enforcing existing security policies consistently across on-premises and cloud environments.

AWS AD Connector Authentication Flow for Cloud Access

The steps below describe the authentication process when on-premises Active Directory users access AWS Cloud services through AD Connector.

Key points of the authentication flow:

  • Step 1: End User initiates the process by sending AD credentials over an HTTPS (TLS) connection

  • Step 2: Credentials are forwarded to AD Connector running in your VPC in the AWS Cloud

  • Step 3: AD Connector forwards the authentication request over the VPN or AWS Direct Connect link to the on-premises Active Directory domain controllers, which verify the credentials

  • Step 4: Upon verification, the IAM role assigned to that AD user or group is mapped and temporary AWS credentials for the role are issued to the user
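The following Python is an added example, not code from the original page or from AWS. It assembles and sanity-checks the three request bodies the flow above and the MFA feature depend on: the ConnectDirectory settings (Step 3's link to the on-premises domain controllers), the RADIUS settings for MFA, and the IAM trust policy of a console role that AD Connector hands out in Step 4. Each function returns the body that would be passed to boto3 (ds.connect_directory, ds.enable_radius, iam.create_role) without calling AWS, so it runs offline. Function names are this example's own, and refusing PAP/CHAP and a domain-admin service account is a local review policy, not a constraint the service enforces.

```python
"""Assemble and sanity-check the request bodies an AD Connector rollout needs.

Added example, not AWS code. Each function returns the body that boto3 would
send (ds.connect_directory, ds.enable_radius, iam.create_role) without calling
AWS, so it runs offline. Refusing PAP/CHAP and a domain-admin service account
is this example's review policy, not a constraint the service enforces.
"""
import ipaddress
import re

VPC_RE = re.compile(r"^vpc-([0-9a-f]{8}|[0-9a-f]{17})$")
SUBNET_RE = re.compile(r"^subnet-([0-9a-f]{8}|[0-9a-f]{17})$")
VALID_SIZES = {"Small", "Large"}                      # values the DS API accepts
VALID_RADIUS_PROTOCOLS = {"PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2"}
WEAK_RADIUS_PROTOCOLS = {"PAP", "CHAP"}               # local policy: cleartext PAP, MD5 CHAP
DS_SERVICE_PRINCIPAL = "ds.amazonaws.com"             # principal AD Connector assumes roles as


def build_connect_request(name, short_name, vpc_id, subnet_ids, dns_ips,
                          service_account, size="Small"):
    """Return kwargs for ds.connect_directory(); add Password from a secret store
    at call time, never here."""
    problems = []
    if size not in VALID_SIZES:
        problems.append(f"Size must be Small or Large, got {size!r}")
    if not VPC_RE.match(vpc_id):
        problems.append(f"bad VpcId {vpc_id!r}")
    if len(subnet_ids) != 2 or not all(SUBNET_RE.match(s) for s in subnet_ids):
        problems.append("AD Connector needs exactly two subnets in different AZs")
    if not dns_ips:
        problems.append("CustomerDnsIps must list at least one on-premises DNS server")
    for ip in dns_ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"CustomerDnsIps entry {ip!r} is not an IP address")
    # Local policy: the connector account needs only delegated read/join rights.
    if service_account.lower() in {"administrator", "admin"}:
        problems.append("use a dedicated delegated service account, not a domain admin")
    if problems:
        raise ValueError("; ".join(problems))
    return {"Name": name, "ShortName": short_name, "Size": size,
            "ConnectSettings": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids),
                                "CustomerDnsIps": list(dns_ips),
                                "CustomerUserName": service_account}}


def build_radius_settings(servers, shared_secret, protocol="MS-CHAPv2", port=1812,
                          timeout=30, retries=4, display_label="MFA token"):
    """Return the RadiusSettings body for ds.enable_radius()."""
    if protocol not in VALID_RADIUS_PROTOCOLS:
        raise ValueError(f"unknown RADIUS protocol {protocol!r}")
    if protocol in WEAK_RADIUS_PROTOCOLS:
        raise ValueError(f"{protocol} is refused by local policy; use MS-CHAPv2")
    if not servers:
        raise ValueError("at least one RADIUS server is required")
    if len(shared_secret) < 8:
        raise ValueError("SharedSecret must be at least 8 characters")
    if not 1025 <= port <= 65535:
        raise ValueError("RadiusPort must be in 1025..65535")
    return {"RadiusServers": list(servers), "RadiusPort": port, "RadiusTimeout": timeout,
            "RadiusRetries": retries, "SharedSecret": shared_secret,
            "AuthenticationProtocol": protocol, "DisplayLabel": display_label,
            "UseSameUsername": True}


def console_role_trust_policy():
    """Trust policy for a console role that AD Connector maps AD users or groups to."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": DS_SERVICE_PRINCIPAL},
        "Action": "sts:AssumeRole"}]}


def audit_trust_policy(policy):
    """Return findings for a role meant to be assumable only through AD Connector."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal")
            principal = {}
        aws = principal.get("AWS")
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            findings.append("wildcard principal")
        elif aws:
            findings.append("trusts IAM principals directly; only ds.amazonaws.com is needed")
        services = principal.get("Service", [])
        for svc in ([services] if isinstance(services, str) else services):
            if svc != DS_SERVICE_PRINCIPAL:
                findings.append(f"unexpected service principal {svc}")
        actions = stmt.get("Action", [])
        for act in ([actions] if isinstance(actions, str) else actions):
            if act != "sts:AssumeRole":
                findings.append(f"action {act!r} is broader than sts:AssumeRole")
    return findings
```

The audit is the piece worth keeping around: a console role that AD Connector maps users to should trust ds.amazonaws.com and nothing else, because any extra IAM principal or a wildcard in that trust policy lets someone reach the role without ever authenticating against your domain controllers.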

Additional Information

  • AD Connector has a 1-to-1 relationship with on-premises Active Directory domains. Each domain, including child domains in an Active Directory forest, requires a unique AD Connector.

  • It does not support Active Directory transitive trusts, so users in a domain that is merely trusted by the connected domain cannot authenticate through that domain's connector.

  • AD Connector cannot be shared with other AWS accounts. For multi-account scenarios, AWS Managed Microsoft AD is recommended.

  • AD Connector is not multi-VPC aware: AWS applications that use it, such as Amazon WorkSpaces, must be provisioned in the same VPC as the connector, which limits its use in some network architectures.

Official Links to Read More

For more detailed information about AWS AD Connector, you can refer to the following official AWS documentation:

  1. AD Connector - AWS Directory Service

  2. What is AWS Directory Service?
