This document discusses identity and access management in hybrid cloud environments using AWS services. It provides an overview of integrating on-premises Active Directory with AWS using identity federation and AWS Directory Service. It also covers managing users, servers, applications and auditing across environments. Case studies are presented on how companies like Hess have used these AWS services to migrate infrastructure to the cloud within tight timelines while maintaining security, compliance and control of identities.
Managing your identities in the cloud with AWS and Microsoft Active Directory - Pop-up Loft TLV 2017
1. Identity in the cloud
Julien Lépine, Principal Solutions Architect
2. What to expect from this session
Microsoft Active Directory integration with AWS
Identity federation
Directory management
AWS Directory Service value added features
Security and auditing
12. Cloud based AD Management
[Diagram: AWS Directory Service domain company.cloud, with DC1 and DC2 in private subnets across Availability Zone A and Availability Zone B inside an Amazon VPC in an AWS Region]
17. Other Directory Service features
Automated and Manual Snapshots
Managed Active Directory Schema extension
Amazon SNS based monitoring and alerting
Amazon Enterprise Applications management
19. Active Directory best practices on AWS
[Diagram: company.local domain with DC1 and DC2 in private subnets across Availability Zone A and Availability Zone B inside an Amazon VPC in an AWS Region; labels: Reliability, Compliance, Global Reach, Security]
21. Hybrid integrated enterprise
[Diagram: corporate network with DC1 (London) and DC2 (Paris) in company.local, connected over VPN or AWS Direct Connect to DC3 and DC4 in private subnets across Availability Zone A and Availability Zone B of an Amazon VPC in an AWS Region; the same company.local domain spans both sides]
22. Hybrid with Resource Forest
[Diagram: corporate network with DC1 (London) and DC2 (Paris) in company.local, connected over VPN or AWS Direct Connect to an AWS Directory Service resource forest company.cloud with DC3 and DC4 in private subnets across Availability Zone A and Availability Zone B of an Amazon VPC in an AWS Region]
23. Create an AWS Directory Service trust
[Slide labels: Control, Compliance]
31. Hess Uses AWS to Streamline Data Center Migration in 6 Months
• When Hess divested its Energy Marketing division, the IT department had to create a separate environment that could be handed off to a buyer
• Working with APN partner Nimbo, Hess packaged and moved the infrastructure, including 300 servers and almost 500 TB of data, to the AWS Cloud
• Using AWS gave Hess the flexibility to build out 100 servers in one day
• Hess met the six-month divestiture deadline and transferred the business to the buyer in a 30-minute meeting
“The flexibility and scale of AWS enabled us to rapidly migrate a fully functional infrastructure for our divested business in just 6 months.”
Jim McDonald, Lead Architect, Hess
Hess Corporation is a leading global independent energy company.
32. How to get started
Create an AWS Account and leverage the free tier
• 1 year Amazon EC2 instance
• 1 year AWS Directory Service for Microsoft Active Directory
Contact us and come meet us
AWS and partners offer training and certification
From an existing on-premises Active Directory environment, how can we give our users access to specific accounts?
Talk about how AWS IAM secures access and how AWS CloudTrail and AWS Config can help audit the environment.
Explain how ADFS is used for federation and the flow of information involved.
*Demo: Show how ADFS can be configured to access the platform and what features it gives*
Used for: migration
A one-way trust does activate SID filtering.
For a two-way trust, customers can and should activate selective authentication and SID filtering.
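The trust settings recommended above can be checked from the AWS side with the Directory Service DescribeTrusts API. The following is an added example, not code from the original deck: it takes trust records in the shape that API returns and flags any two-way trust whose selective authentication is disabled, plus any trust that is not in the Verified state. The sample records are constructed; SID filtering is not reported by this API and must be checked on the domain controllers themselves.

```python
"""Audit AWS Directory Service trusts for selective authentication.

Added example (not from the original session). Operates on the list of trust
dicts returned by boto3's ds.describe_trusts()['Trusts']; the sample below is
constructed so the check runs offline.
"""
from typing import Dict, List, Tuple

# Constructed sample, shaped like describe_trusts()['Trusts'] entries.
SAMPLE_TRUSTS: List[Dict[str, str]] = [
    {"TrustId": "t-0000000000example1", "RemoteDomainName": "company.local",
     "TrustType": "Forest", "TrustDirection": "Two-Way",
     "TrustState": "Verified", "SelectiveAuth": "Disabled"},
    {"TrustId": "t-0000000000example2", "RemoteDomainName": "partner.example",
     "TrustType": "Forest", "TrustDirection": "Two-Way",
     "TrustState": "Verified", "SelectiveAuth": "Enabled"},
    {"TrustId": "t-0000000000example3", "RemoteDomainName": "legacy.example",
     "TrustType": "Forest", "TrustDirection": "One-Way: Outgoing",
     "TrustState": "Verified", "SelectiveAuth": "Disabled"},
]


def audit_trusts(trusts: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (TrustId, finding) pairs for trusts that need attention."""
    findings: List[Tuple[str, str]] = []
    for trust in trusts:
        two_way = trust.get("TrustDirection") == "Two-Way"
        selective = trust.get("SelectiveAuth") == "Enabled"
        # The session's recommendation: two-way trusts should use selective auth.
        if two_way and not selective:
            findings.append((trust["TrustId"],
                             "two-way trust without selective authentication"))
        # A trust that is not Verified cannot be relied on for access decisions.
        if trust.get("TrustState") != "Verified":
            findings.append((trust["TrustId"],
                             f"trust state is {trust.get('TrustState')}"))
    return findings


def live_trusts(directory_id: str) -> List[Dict[str, str]]:
    """Fetch trusts for one directory via boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline audit runs without it
    return boto3.client("ds").describe_trusts(DirectoryId=directory_id)["Trusts"]


if __name__ == "__main__":
    for trust_id, finding in audit_trusts(SAMPLE_TRUSTS):
        print(f"{trust_id}: {finding}")
```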
STORY BACKGROUND
Hess Corporation is a leading global independent energy company engaged in the exploration and production of crude oil and natural gas.
Founded in 1933, Hess Corporation has offices in more than a dozen countries.
In anticipation of separating business systems and data for potential buyers, Hess IT initiated work on Amazon Web Services (AWS) in July 2013 and entered a contractual agreement to have the environment operational and in production by January 2014.
SOLUTION & BENEFITS
To prepare the infrastructure for migration to AWS, Hess and Nimbo developed a two-pronged approach that they implemented in parallel:
A detailed inventory that identified the servers to be moved, operating system levels, processor and memory requirements, storage configuration, and backup and restore requirements
An application review process that identified the applications that would transition to the buyer, integration points, performance requirements, remote access, disk consumption and growth
Hess established a VPN connection in August 2013 to bridge its on-premises data center to Amazon Virtual Private Cloud (Amazon VPC) on AWS.
Hess migrated approximately 300 servers to AWS in the US East (Northern Virginia) Region. Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon Elastic Compute Cloud (Amazon EC2) instances provide block-level storage for almost 500 TB of data.
Ability to lift and shift infrastructure as is
Rapid prototyping and deployment, ability to fail fast and course correct
Easy network configuration
Hess used Amazon Machine Images (AMIs) to install Microsoft Windows and SQL Server and to build virtual appliances easily, without a lengthy procurement and licensing process.
Services used: Amazon CloudWatch, Amazon EC2, Amazon Glacier, Amazon S3, Amazon VPC, Amazon EBS Provisioned IOPS, AWS Direct Connect, Amazon Route 53 and AWS Marketplace.