AWS Directory Service¶

What Is This Service?¶

Managed AWS directory and identity integration service that enables AWS workloads to use Microsoft Active Directory (AD) and LDAP-compatible identity patterns.

Mental model:

AWS Directory Service = Authenticate → Join → Trust → Authorize → Manage

Primary purpose:

Provide centralized directory-aware authentication and identity integration for AWS resources and enterprise environments.

Typical use cases:

Windows authentication
domain join
Kerberos authentication
hybrid identity
RDS SQL Server authentication
EC2 Windows fleets
AWS application authentication
IAM Identity Center integration

MOST TESTED:

AWS Directory Service primarily exists for:

Microsoft Active Directory integration

Why It Matters for Security¶

Enterprise identity often already exists in:

Active Directory

Without centralized directory integration:

duplicate identities appear
password sprawl increases
Windows administration becomes fragmented
Kerberos trust breaks

AWS Directory Service exists to:

extend enterprise identity into AWS
support Windows-native authentication
centralize directory operations
enable hybrid identity

Security outcomes:

centralized identity
Kerberos authentication
reduced local accounts
enterprise policy enforcement

Architecture Example¶

Hybrid Active Directory Integration¶

flowchart TD

subgraph OnPrem[On-Premises]
AD[Enterprise Active Directory]
end

subgraph AWSCloud[AWS Cloud]

subgraph SharedServices[Shared Services VPC]
ManagedAD[AWS Managed Microsoft AD]
end

subgraph ApplicationVPC
EC2[Windows EC2]
RDS[RDS SQL Server]
FSx[Amazon FSx]
Workspaces[Amazon WorkSpaces]
end

end

AD <-- Trust Relationship --> ManagedAD

ManagedAD --> EC2
ManagedAD --> RDS
ManagedAD --> FSx
ManagedAD --> Workspaces

Architecture goals:

hybrid identity
centralized authentication
Kerberos trust
Windows-native integration

Workflow(s)¶

Domain Join Workflow¶

sequenceDiagram

participant EC2
participant Directory
participant DNS
participant Kerberos

EC2->>DNS: Resolve domain

EC2->>Directory: Join domain request

Directory->>Kerberos: Authenticate

Kerberos->>EC2: Trust established

User Authentication Flow¶

sequenceDiagram

participant User
participant Application
participant Directory
participant Kerberos

User->>Application: Login request

Application->>Directory: Authenticate user

Directory->>Kerberos: Validate credentials

Kerberos->>Application: Authentication success

Trust Authentication Flow¶

sequenceDiagram

participant User
participant OnPremAD
participant ManagedAD
participant AWSResource

User->>OnPremAD: Authenticate

OnPremAD->>ManagedAD: Trust validation

ManagedAD->>AWSResource: Grant access

Core Concepts¶

AWS Managed Microsoft AD¶

MOST TESTED

Fully managed Microsoft Active Directory.

Characteristics:

real Microsoft AD
AWS managed
multi-AZ deployment
supports trusts
supports Group Policy

Use cases:

enterprise Windows workloads
Kerberos authentication
hybrid AD integration

Exam trap:

AWS Managed Microsoft AD is not a lightweight directory.

It is full Microsoft AD.

AD Connector¶

HIGH VALUE

Proxy service to existing AD.

Characteristics:

no directory storage
forwards authentication
requires on-prem AD

Flow:

AWS Resource
↓
AD Connector
↓
On-Prem AD

Benefits:

no synchronization
no duplicate identities

Exam trap:

AD Connector does not cache passwords permanently.

Simple AD¶

MOST TESTED

Low-cost Samba-based directory.

Characteristics:

basic directory features
limited compatibility
not full Microsoft AD

Use cases:

small environments
simple Linux/Windows auth

Limitations:

no advanced AD features
no trusts
limited Group Policy

Exam trap:

Simple AD is not suitable for complex enterprise AD scenarios.

Directory Trusts¶

HIGH VALUE

Supported with:

AWS Managed Microsoft AD

Trust types:

one-way trust
two-way trust

Purpose:

Allow authentication across directories.

Multi-AZ Deployment¶

MOST TESTED

AWS Managed Microsoft AD deploys:

Domain Controllers
↓
Multiple AZs

Benefits:

high availability
resilience

Exam trap:

AWS manages domain controller infrastructure.

Important Integrations¶

Service	Purpose
EC2 Windows	Domain join
Amazon FSx	Windows authentication
RDS SQL Server	Integrated authentication
WorkSpaces	User authentication
IAM Identity Center	Workforce federation
Route 53 Resolver	DNS
Systems Manager	Managed access
Organizations	Governance
CloudTrail	Auditing
Kerberos	Authentication
Microsoft AD	Hybrid identity

Security Features¶

Kerberos Authentication¶

MOST TESTED

Supports:

Kerberos tickets
integrated Windows authentication

Benefits:

centralized authentication
reduced password transmission

Group Policy Support¶

Supported with:

AWS Managed Microsoft AD

Use cases:

security baselines
hardening
Windows policy management

Secure LDAP (LDAPS)¶

Supports:

encrypted LDAP communication

Benefits:

credential protection
encrypted directory queries

MFA Integration¶

HIGH VALUE

Can integrate with:

RADIUS
external MFA providers

Common use:

WorkSpaces MFA

Advanced Security and Operational Concepts¶

Control Plane vs Data Plane¶

Control Plane:

create directories
manage trusts
configure integrations

Data Plane:

authentication
Kerberos tickets
LDAP queries

Exam trap:

Directory Service is identity infrastructure, not IAM authorization.

AWS Managed Microsoft AD vs AD Connector¶

MASSIVE EXAM TRAP

Capability	Managed Microsoft AD	AD Connector
Stores directory	Yes	No
Full Microsoft AD	Yes	No
Trusts	Yes	No
Requires on-prem AD	Optional	Yes

Rule:

Need real AD in AWS → Managed Microsoft AD

Need proxy to existing AD → AD Connector

AWS Managed Microsoft AD vs Simple AD¶

Capability	Managed Microsoft AD	Simple AD
Full Microsoft AD	Yes	No
Enterprise support	Yes	Limited
Trusts	Yes	No
Group Policy	Full	Limited

Rule:

Enterprise Windows → Managed Microsoft AD

Basic authentication → Simple AD

Hybrid Identity Architecture¶

MOST TESTED

flowchart LR

OnPremAD[On-Prem AD]

Trust[Trust Relationship]

ManagedAD[AWS Managed Microsoft AD]

AWSApps[AWS Applications]

OnPremAD <-- Trust --> ManagedAD

ManagedAD --> AWSApps

Benefits:

centralized credentials
seamless authentication
hybrid access

IAM Identity Center Integration¶

HIGH VALUE

Pattern:

External AD
↓
Directory Service
↓
IAM Identity Center
↓
AWS Accounts

Benefits:

workforce federation
centralized authentication

DNS Dependency¶

MASSIVE EXAM TRAP

Active Directory depends heavily on DNS.

Common failure causes:

broken DNS resolution
missing conditional forwarders
incorrect DHCP options

Exam trap:

Most domain join failures are DNS-related.

Network Requirements¶

Required:

VPC connectivity
security group rules
DNS resolution
time synchronization

Common ports:

Kerberos

LDAP

SMB

DNS

Regional Behavior¶

Directory Service is regional.

Implications:

deploy per Region
no automatic global replication

Exam trap:

Cross-Region architectures require planning.

High Availability¶

MOST TESTED

AWS Managed Microsoft AD automatically deploys:

redundant domain controllers
Multi-AZ architecture

Benefits:

resilience
managed failover

Cost Model¶

Primary drivers:

directory type
size
hourly deployment

Optimization:

avoid oversized directories
use AD Connector when possible

Exam trap:

Managed Microsoft AD costs significantly more than Simple AD.

Comparisons¶

Service	Primary Role
AWS Directory Service	Managed directory integration
IAM Identity Center	Workforce federation
IAM	AWS authorization
Cognito	Customer identity
Microsoft AD	Enterprise directory

Common Exam Traps¶

AWS Managed Microsoft AD is full Microsoft AD.
AD Connector proxies authentication.
Simple AD is Samba-based.
Directory Service is regional.
DNS failures commonly break authentication.
Kerberos powers Windows authentication.
Managed Microsoft AD supports trusts.
AD Connector requires existing AD.
Group Policy support varies by directory type.
IAM Identity Center differs from Directory Service.
Multi-AZ deployment is automatic.
Directory Service is not IAM.
WorkSpaces commonly integrates with Directory Service.
RDS SQL Server supports integrated authentication.
Most enterprise scenarios use Managed Microsoft AD.

5-Second Recall¶

Managed Microsoft AD = real AD
AD Connector = proxy
Simple AD = lightweight Samba
Kerberos authentication
DNS critical
Supports trusts
Multi-AZ managed
IAM Identity Center ≠ Directory Service

Quick Revision Notes¶

Extend enterprise AD into AWS
Use Managed Microsoft AD for enterprise workloads
Use AD Connector for proxy authentication
Kerberos powers integrated auth
DNS is critical for AD health
Trusts enable hybrid identity
Multi-AZ is automatic
Integrate with WorkSpaces and FSx
Directory Service ≠ IAM authorization
Hybrid identity is a major exam topic