Learning Objectives:
- Learn how to set up SSO for your .NET applications, Amazon QuickSight, and AWS Enterprise IT Applications such as Amazon WorkSpaces.
- Learn how to manage your AWS Cloud Windows workloads such as Amazon EC2 for Windows Server and Amazon RDS SQL Server using GPOs.
- Learn how to configure trusts between your on-premises and AWS Cloud Microsoft Active Directory domains securely.
Managing your AWS Cloud Windows workloads using Microsoft Active Directory doesn’t require complex networking or synching your identity data across multiple systems. AWS Directory Service for Microsoft Active Directory offers you actual Microsoft Active Directory as a managed service. Attend this tech talk to become an expert at managing single sign-on (SSO) and Group Policy objects (GPOs) for your AWS Cloud Windows workloads. You will also see a demonstration on how to configure trusts between your on-premises and AWS Cloud Microsoft Active Directory domains securely.
2. Quick word on logistics
Content of today’s webinar
• Presentation: 30 minutes
• Q&A: 15 minutes
Please ask questions in the questions pane
Slides are available for download after the webinar
3. What to expect from this webinar
• Examples of how AWS Cloud workloads use Active Directory
• Options for integrating your AWS Cloud workloads with Active Directory
• An introduction to AWS Directory Service for Microsoft Active Directory (AWS Microsoft AD)
• Overview of identity federation using AWS Microsoft AD
• A deep-dive on setting up trusts to your on-premises Active Directory domain securely
• Guidance on how to administer your AWS managed domain
4. Why AWS Cloud Windows workloads need Microsoft Active Directory (AD)
• Enable single sign-on (SSO) to applications running on the AWS Cloud and AWS services, such as Amazon WorkSpaces
• Manage access to your AWS Cloud resources using AD groups
• Enforce policies for Amazon EC2 Windows Server instances and Amazon RDS for SQL Server via AD Group Policy objects
5. Options for using Active Directory in the AWS Cloud
• Use AWS Directory Service for Microsoft Active Directory (AWS Microsoft AD)
• Deploy and manage your own Active Directory on Amazon EC2
• Domain join your AWS Cloud resources to your on-premises Active Directory domain (not covered in this webinar)
6. Poll Question
How do you use Active Directory with your AWS Cloud workloads today?
a) AWS Directory Service for Microsoft Active Directory
b) Active Directory running on Amazon EC2 Windows Server
c) Domain join my workloads to my on-premises Active Directory
d) Other (Simple AD, AD Connector, etc.)
e) No solution – this is a blocker for cloud adoption
7. Active Directory best practices on AWS
[Diagram: an Amazon VPC in an AWS Region hosting the company.local domain, with domain controllers DC1 and DC2 placed in private subnets in Availability Zone A and Availability Zone B respectively; callouts: Reliability, Compliance, Global Reach, Security]
8. Hybrid integrated enterprise
[Diagram: the corporate network runs company.local with DC1 in London and DC2 in Paris; a VPN or AWS Direct Connect link joins it to an Amazon VPC in an AWS Region, where DC3 and DC4 of the same company.local domain sit in private subnets in Availability Zone A and Availability Zone B]
9. Hybrid with resource forest
[Diagram: the corporate network runs company.local with DC1 in London and DC2 in Paris; a VPN or AWS Direct Connect link joins it to an Amazon VPC in an AWS Region, where a separate resource forest, company.cloud, runs DC3 and DC4 in private subnets in Availability Zone A and Availability Zone B]
10. Hybrid with resource forest
[Diagram: as in slide 9, but the company.cloud resource forest in the Amazon VPC is provided by AWS Directory Service rather than by self-managed domain controllers; the corporate network (company.local, DC1 London, DC2 Paris) connects over VPN or AWS Direct Connect]
11. AWS Directory Service for Microsoft Active Directory
• Highly available and managed directory
• Built on actual Microsoft Active Directory running on Windows Server 2012 R2
• Extends your on-premises domain to the AWS Cloud without synching identity data
Managed Microsoft Active Directory running in the AWS Cloud
12. Poll Question
Which benefit of AWS Directory Service for Microsoft Active Directory is most important to you?
a) Highly available managed infrastructure
b) Built on actual Microsoft Active Directory
c) Does not require you to sync your identities to the AWS Cloud
18. Forest Trusts
• Time tested, secure model
• The trusting forest has no admin control over the trusted forest
• Trusted users have cloud resource access only if entitled by trusting admins (you control both sides)
• Resources in the cloud have no access to on-premises resources unless on-premises trusts the cloud AND on-premises admins grant permissions to user identities in the cloud
[Diagram: a trust between the AWS Managed Microsoft AD DC in the VPC (trusting side, cloud) and the Windows AD DC on the on-premises network (trusted side, on-premises); access entitlements are assigned through a security group on the cloud side]
19. No trust vs. 1-way vs. 2-way trusts
Do you need users from one forest to access resources in another forest?
• If no, use no trust
Can you use only a 1-way trust?
• If yes, only use 1-way
• RDS for SQL Server with on-premises users requires at least 1-way
Is a 2-way trust required?
• If yes, use 2-way trust
• WorkSpaces, QuickSight Enterprise Edition, and Chime use 2-way trusts
• On-premises to AWS Managed Microsoft AD trust used only to read users/groups to provision them into the application
Always Secure Your Trust
20. Securing trusts
Leave SID filtering on when setting up the on-premises side of a trust
Turn on selective authentication on the on-premises side of a trust
• https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
Only permit AD trust ports to the DCs in the cloud
• https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
For cloud-client-to-AD, only permit AD authentication ports to on-premises AD; minimize all other ports from cloud to on-premises (e.g., WorkSpaces login using on-premises credentials)
• https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
Don’t grant groups in the cloud access to on-premises resources
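The following PowerShell audit is an added example, not part of the webinar and not AWS code. It checks, on the on-premises side, the two trust controls from slide 20 (SID filtering on, selective authentication on) and reports each trust's direction so that a 2-way trust can be tied to an application from slide 19 that actually needs it. It assumes the RSAT ActiveDirectory module is installed and that it runs under an account that can read the domain's trust objects; the function name Get-TrustSecurityReport is my own.

```powershell
# Added example (not from the webinar or AWS): audit the trusts of the on-premises
# domain for the controls in slide 20 and report the direction discussed in slide 19.
# Assumes the RSAT ActiveDirectory module; Get-TrustSecurityReport is a name chosen here.
Import-Module ActiveDirectory

function Get-TrustSecurityReport {
    param(
        # Domain whose trust objects are examined; defaults to the domain of the caller.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        # A forest trust is an uplevel, forest-transitive trust; external trusts are not.
        $isForest = ($_.TrustType -eq 'Uplevel' -and $_.ForestTransitive)

        # Forest trusts use forest-aware SID filtering; external trusts use SID quarantine.
        $sidFilteringOn = if ($isForest) { $_.SIDFilteringForestAware } else { $_.SIDFilteringQuarantined }

        $findings = @(
            if (-not $sidFilteringOn)            { 'SID filtering is off' }
            if (-not $_.SelectiveAuthentication) { 'Selective authentication is off' }
            if ($_.Direction -eq 'BiDirectional') { 'Two-way trust: confirm an application requires it' }
        )

        [pscustomobject]@{
            Target                  = $_.Target
            Direction               = $_.Direction   # Inbound, Outbound or BiDirectional
            ForestTrust             = $isForest
            SidFilteringOn          = [bool]$sidFilteringOn
            SelectiveAuthentication = [bool]$_.SelectiveAuthentication
            Findings                = ($findings -join '; ')
        }
    }
}

# Run from a domain-joined admin workstation on the on-premises side of the trust.
Get-TrustSecurityReport | Format-Table -AutoSize
```

Any row with a non-empty Findings column needs attention: selective authentication is enabled with `netdom trust <trusting-domain> /domain:<trusted-domain> /SelectiveAuth:Yes`, and SID quarantine on an external trust with the same command and `/quarantine:Yes`. Leave forest-aware SID filtering at its default rather than disabling it to make a cross-forest group work. A BiDirectional row is not a defect by itself, but slide 19 limits it to cases such as WorkSpaces, QuickSight Enterprise Edition and Chime, so record which application justifies it.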
28. Other AWS Microsoft AD features
• Automated Daily Snapshots
• Extensible Active Directory Schema
• Fine grained password policies
• Amazon SNS-based monitoring and alerting
• Amazon Enterprise Applications management
32. What we covered
• Best practices for using Microsoft Active Directory with your AWS Cloud workloads
• Extending your on-premises Active Directory to the AWS Cloud
• Managing your AWS Microsoft AD domain
• Auditing and securing your AWS Cloud environment
33. How to get started
30-day limited free trial available to try AWS Microsoft AD at no additional charge!
Visit our website to learn more: aws.amazon.com/directoryservice