© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Directory Service for Microsoft Active Directory Deep Dive
Ron Cully
Principal Product Manager
WIN303
November 26, 2018
What we will cover
• What AWS Managed Microsoft AD is
• Key use cases
• How applications use AWS Managed Microsoft AD
• Deployment models (user vs. resource forest)
• How to install, administer, and configure
• Supported trust models
• Security event logging
• Directory sharing
AWS Directory Service for Microsoft Active Directory (“AWS Managed Microsoft AD”)
[Diagram: two AWS Managed Microsoft AD domain controllers]
AWS Directory Service for Microsoft Active Directory (“AWS Managed Microsoft AD”)
• Domain controllers are exclusively yours
• Compliance audited
[Diagram: AWS Managed VPC with one AWS Managed Microsoft AD DC in Availability Zone 1 and one in Availability Zone 2; Customer VPC with App 1 and App 2 in subnets 10.0.2.0/24 (Availability Zone 1) and 10.0.3.0/24 (Availability Zone 2)]
AWS Directory Service for Microsoft Active Directory (“AWS Managed Microsoft AD”)
Customer—administer and configure
• Administer users, groups, GPOs, other AD content
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Configure password policies
• Add domain controllers as needed
• Configure trusts (resource forest deployment)
• Configure certificate authorities (for LDAPS)
• Configure federation
Amazon—operates
• Multi-AZ deployment, patch, monitor, DC recovery, instance rotation, snapshot, restore
[Diagram: same as the previous slide, AWS Managed VPC with a DC in each Availability Zone beside the Customer VPC subnets 10.0.2.0/24 and 10.0.3.0/24]
AWS Directory Service for Microsoft Active Directory (“AWS Managed Microsoft AD”)
                         Standard Edition     Enterprise Edition
Storage Capacity         1GB                  17GB
Performance Optimized    ~5,000 employees     Over 5,000 employees
AWS Managed Microsoft AD use cases
[Diagram, built up over three slides, with AWS Managed Microsoft AD at the center]
• Compatible AWS applications and services: Amazon Connect, Amazon WorkMail, Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon QuickSight, Amazon Chime
• Domain join, manage with Group Policy, run traditional AD applications: Remote Desktop Licensing, .NET Apps, SharePoint, SQL Server, Certificate Services
• Use Microsoft tools with web applications: AD FS; Azure AD Connect with Azure AD as user directory (pass-through); Azure AD sync
• Use AWS SSO with web applications: AWS SSO as user directory (SAML)
• Extend existing AD: on-premises Active Directory
Prerequisites you must create
• Virtual Private Cloud (VPC)
• Two subnets in different AZs
• Optional on-premises link: AWS Direct Connect or Virtual Private Network (VPN)
• Optional AD on-premises
docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
[Diagram: Customer VPC with subnets 10.0.2.0/24 (Availability Zone 1) and 10.0.3.0/24 (Availability Zone 2); optional VPN connection or AWS Direct Connect to a corporate data center running Active Directory]
During creation AWS creates
• 2 DCs with Dynamic DNS
• Elastic network interface in your subnets
• One AWS security group
Use extreme caution modifying the security groups!
docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
[Diagram: AWS Managed VPC with an AWS Managed Microsoft AD DC in each Availability Zone, attached to the Customer VPC subnets 10.0.2.0/24 and 10.0.3.0/24; optional VPN connection or AWS Direct Connect to the corporate data center Active Directory]
Best practice after creation
• EC2 Windows (install AD Administration Tools)
• Key-pair (PEM) file
• IAM role/policy for EC2 (AmazonEC2RoleforSSM)
• AWS security group (for your EC2 creations)
• DHCP option sets
docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
[Diagram: same as the previous slide, with the DHCP option set, PEM file and IAM role added to the Customer VPC]
Configure administration instance
1. RDP to the instance as yourdomainadmin
2. Add features: Group Policy Management; AD DS and AD LDS Tools; DNS Server Tools
3. Verify tools added: Active Directory Administrative Center, Active Directory Domains and Trusts, Active Directory Module for Windows PowerShell, Active Directory Sites and Services, Active Directory Users and Computers, ADSI Edit, DNS, Group Policy Management
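The three steps above carried out from PowerShell on the EC2 Windows management instance, as an added example that is not part of the deck: it installs the same feature set (Group Policy Management, AD DS and AD LDS Tools, DNS Server Tools) using the Windows Server feature names GPMC, RSAT-AD-Tools and RSAT-DNS-Server, checks the install state the way step 3 does, and then confirms the instance is actually talking to the managed domain. It assumes an elevated session on a Windows Server instance that is already joined to the directory; nothing else is taken from the slides.

```powershell
# Added example, not from the deck: install and verify the AD administration
# tools on the EC2 Windows management instance, then confirm domain reachability.
# Run in an elevated PowerShell session after the RDP login as the directory admin.

# Windows Server feature names matching the slide's three items.
$features = @(
    'GPMC',            # Group Policy Management
    'RSAT-AD-Tools',   # AD DS and AD LDS Tools: ADUC, ADAC, ADSI Edit, Sites and Services,
                       # Domains and Trusts, Active Directory module for Windows PowerShell
    'RSAT-DNS-Server'  # DNS Server Tools
)

# Step 2: add the features (idempotent; already-installed features are skipped).
$result = Install-WindowsFeature -Name $features -IncludeAllSubFeature
if (-not $result.Success) {
    throw "Feature installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the tools are usable.'
}

# Step 3: verify every requested feature reports Installed.
$state = Get-WindowsFeature -Name $features
$state | Select-Object Name, DisplayName, InstallState | Format-Table -AutoSize
$missing = $state | Where-Object { $_.InstallState -ne 'Installed' }
if ($missing) {
    throw "Not installed: $($missing.Name -join ', ')"
}

# Sanity check that the instance resolves and authenticates to the managed
# domain (the ActiveDirectory module ships with RSAT-AD-Tools). A failure here
# usually points at the DHCP option set or the directory security group.
Import-Module ActiveDirectory
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, PDCEmulator, DomainMode
```

The final Get-ADDomain call is the useful part for troubleshooting: if the tools install cleanly but this fails, the instance is not using the directory's DNS (DHCP option set) or the security group created with the directory is not reachable from the instance's subnet.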
Administer with AD tools / Configure from AWS Console
Managing from AD Administration Tools
[Screenshot: Active Directory Users and Computers view of the customer domain, showing the OU “admin”, the Customer OU and the “administrator” account]
Managing from AD Administration Tools
[Screenshot: the same Active Directory Users and Computers view, with the OU “admin” and the Customer OU highlighted]
Add OU and on-premises users/groups to reserved security groups
Trusts
[Diagram: a trust between two Active Directory domains, with access flowing across the trust]
Access requires permissions to the resource in the trusting domain
Forests, domains, tree domains
[Diagram: an Active Directory forest with a root domain, three child domains, a tree root domain and a tree child domain, beside an AWS Managed Microsoft AD single domain forest consisting of one root domain]
AWS Managed Microsoft AD forest trust support
[Diagram: the same multi-domain forest; a forest trust links its root domain to the AWS Managed Microsoft AD single domain forest]
AWS Managed Microsoft AD domain trust support
[Diagram: the same multi-domain forest; two domain trusts link individual domains in it to the AWS Managed Microsoft AD single domain forest]
AWS Managed Microsoft AD mixed trust support
[Diagram: the same multi-domain forest; a forest trust to its root domain and a domain trust to one of its domains both link to the AWS Managed Microsoft AD single domain forest]
AWS applications and trusts for hybrid IT use cases
[Diagram: AWS Managed Microsoft AD DC in the AWS Managed VPC serving the Customer VPC (Availability Zone 1, 10.0.2.0/24), with a VPN connection or AWS Direct Connect to the corporate data center Active Directory; RDS for SQL Server shown as a traditional AD aware application]
AWS applications and trusts for hybrid IT use cases
[Diagram: same as the previous slide, adding the AWS cloud-based applications Amazon Connect, Amazon WorkSpaces, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, Amazon Chime and AWS SSO alongside the traditional AD aware application RDS for SQL Server]
Security event logging to CloudWatch
Use existing or create a new log group
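The slide's choice scripted end to end, as an added example that is neither the deck's nor AWS's own code: with AWS Tools for PowerShell it reuses or creates the log group, grants the Directory Service principal ds.amazonaws.com only the two log actions it needs on that one group, and then subscribes the directory to it. The directory ID d-EXAMPLE12345 and the log group name are constructed placeholders; the cmdlets are the AWS Tools for PowerShell names for the CreateLogGroup, PutResourcePolicy and CreateLogSubscription APIs, and the list cmdlet used in the final verification step is my assumption.

```powershell
# Added example, not from the deck: forward AWS Managed Microsoft AD security
# events to CloudWatch Logs with AWS Tools for PowerShell.
# $DirectoryId and $LogGroupName are constructed placeholders; substitute your own.
$DirectoryId  = 'd-EXAMPLE12345'                        # placeholder directory ID
$LogGroupName = '/aws/directoryservice/d-EXAMPLE12345'  # placeholder log group name
$Region       = 'us-east-1'

# 1. Use an existing log group or create a new one.
$group = Get-CWLLogGroup -LogGroupNamePrefix $LogGroupName -Region $Region |
         Where-Object { $_.LogGroupName -eq $LogGroupName }
if (-not $group) {
    New-CWLLogGroup -LogGroupName $LogGroupName -Region $Region
}

# 2. Let the Directory Service principal write to this log group only
#    (least privilege: one service principal, two actions, one resource ARN).
$account = (Get-STSCallerIdentity -Region $Region).Account
$policyDocument = @{
    Version   = '2012-10-17'
    Statement = @(
        @{
            Effect    = 'Allow'
            Principal = @{ Service = 'ds.amazonaws.com' }
            Action    = @('logs:CreateLogStream', 'logs:PutLogEvents')
            Resource  = "arn:aws:logs:${Region}:${account}:log-group:${LogGroupName}:*"
        }
    )
} | ConvertTo-Json -Depth 5

Write-CWLResourcePolicy -PolicyName 'DSLogSubscription' `
                        -PolicyDocument $policyDocument -Region $Region

# 3. Subscribe the directory's security event log to the log group.
New-DSLogSubscription -DirectoryId $DirectoryId -LogGroupName $LogGroupName -Region $Region

# 4. Verify the subscription exists (list cmdlet name assumed; see lead-in).
Get-DSLogSubscriptionList -DirectoryId $DirectoryId -Region $Region |
    Select-Object DirectoryId, LogGroupName, SubscriptionCreatedDateTime
```

Scoping the resource policy to the single log group ARN, rather than a wildcard over all log groups, keeps the Directory Service principal from writing anywhere else in the account; once events arrive, alarms on the log group are the natural next step for failed-logon and group-membership-change detection.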
Cross-account sharing
Communication paths to AWS Managed Microsoft AD
[Diagram: DC1, DC2 and DC3 in the AWS Managed VPC; in Account A, Customer VPC1 hosts Amazon WorkSpaces, RDS for SQL Server, EC2, Amazon Connect, Amazon WorkMail, Amazon WorkDocs, Amazon QuickSight, Amazon Chime and AWS SSO; communication paths to the DCs are Discover DCs, Domain Join and Read, plus the AWS internal DC APIs]
Internal DC APIs inaccessible in other accounts
[Diagram: same as the previous slide, with an EC2 instance in Account B's Customer VPC2 reaching the DCs over VPC peering for Discover DCs, Domain Join and Read, but with no access to the AWS internal DC APIs]
Cross-account directory sharing
[Diagram: same as the previous slide; with the directory shared to Account B, the EC2 instance in Customer VPC2 can also use the AWS internal DC APIs over the peering connection]
Sharing across multiple VPCs and accounts
[Diagram: DC1, DC2 and DC3 in the AWS Managed VPC shared with Customer VPC1 through Customer VPC6 spread across Account A, Account B and Account C]
Recap
• What AWS Managed Microsoft AD is
• Key use cases
• How applications use AWS Managed Microsoft AD
• Deployment models (user vs. resource forest)
• How to install, administer, and configure
• Supported trust models
• Security event logging
• Directory sharing
Reference information
Documentation
• AWS Directory Service—aws.amazon.com/directoryservice
• AWS Security Blog—aws.amazon.com/blogs/security/ (search for “AWS Managed Microsoft AD”)
• AWS What’s New—aws.amazon.com/new/ (Security, Identity & Compliance)
• AWS Managed Microsoft AD—aws.amazon.com/documentation/directory-service/
• RDS for SQL Server—aws.amazon.com/documentation/rds/
• AWS Quick Starts—aws.amazon.com/quickstart/: Active Directory Domain Services, Exchange Server 2013, SharePoint Server 2016 Enterprise, Lync Server 2013, SQL Server 2014 AlwaysOn, Windows PowerShell DSC
Thank you!
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

[REPEAT] Microsoft Active Directory Deep Dive (WIN303-R) - AWS re:Invent 2018

  • 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Directory Service for Microsoft Active Directory Deep Dive Ron Cully Principal Product Manager W I N 3 0 3 N o v e m b e r 2 6 , 2 0 1 8
  • 2. What we will cover • What AWS Managed Microsoft AD is • Key use cases • How applications use AWS Managed Microsoft AD • Deployment models (user vs. resource forest) • How to install, administer, and configure • Supported trust models • Security event logging • Directory sharing
  • 4. AWS Directory Service for Microsoft Active Directory, “AWS Managed Microsoft AD”. Diagram: two AWS Managed Microsoft AD DCs.
  • 5. AWS Directory Service for Microsoft Active Directory, “AWS Managed Microsoft AD”. Domain controllers are exclusively yours. Compliance audited. Diagram: AWS Managed VPC with an AWS Managed Microsoft AD DC in Availability Zone 1 and in Availability Zone 2; Customer VPC with App 1 and App 2 in Availability Zone 1 (10.0.2.0/24) and Availability Zone 2 (10.0.3.0/24).
  • 6. AWS Directory Service for Microsoft Active Directory, “AWS Managed Microsoft AD”. Customer—administer and configure: • Administer users, groups, GPOs, other AD content • Administration via Active Directory Users and Computers (ADUC) and other standard AD tools • Configure password policies • Add domain controllers as needed • Configure trusts (resource forest deployment) • Configure certificate authorities (for LDAPS) • Configure federation. Amazon—operates: • Multi-AZ deployment, patch, monitor, DC recovery, instance rotation, snapshot, restore. Diagram as on slide 5.
  • 7. AWS Directory Service for Microsoft Active Directory, “AWS Managed Microsoft AD”. Standard Edition: storage capacity 1GB, performance optimized for ~5,000 employees. Enterprise Edition: storage capacity 17GB, performance optimized for over 5,000 employees.
  • 9. AWS Managed Microsoft AD use cases. Compatible AWS Applications and Services: Amazon Connect, Amazon WorkMail, Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon QuickSight, Amazon Chime. Azure AD via Azure AD Connect (User Directory, Pass-through). Use Microsoft Tools with Web Applications (AD FS). Domain Join, Manage with Group Policy, run Traditional AD Applications: Remote Desktop Licensing, .NET Apps, SharePoint, SQL Server, Certificate Services.
  • 10. AWS Managed Microsoft AD use cases. As slide 9, adding AWS SSO as User Directory: Use AWS SSO with Web Applications (SAML); Azure AD Sync via Azure AD Connect; Use Microsoft Tools with Web Applications (AD FS); Traditional AD Applications.
  • 11. AWS Managed Microsoft AD use cases. As slide 10, adding an existing Active Directory: Extend Existing AD; Sync to Azure AD via Azure AD Connect.
  • 13. Prerequisites you must create • Virtual Private Cloud (VPC) • Two subnets in different AZs • Optional on-premises link: Amazon Direct Connect or Virtual Private Network (VPN) • Optional AD on-premises. docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html Diagram: Customer VPC with Availability Zone 1 (10.0.2.0/24) and Availability Zone 2 (10.0.3.0/24); optional VPN Connection or AWS Direct Connect to a Corporate data center running Active Directory.
  • 14. During creation AWS creates • 2 DCs with Dynamic DNS • Elastic network interface in your subnets • One AWS security group. Use extreme caution modifying the security groups! docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html Diagram: AWS Managed VPC with an AWS Managed Microsoft AD DC in Availability Zone 1 and in Availability Zone 2, attached to the Customer VPC subnets (10.0.2.0/24, 10.0.3.0/24); optional VPN Connection or AWS Direct Connect to the Corporate data center Active Directory.
  • 15. Best practice after creation • DHCP option sets • EC2 Windows (Install AD Administration Tools) • Key-pair (PEM) file • IAM role/policy for EC2 (AmazonEC2RoleforSSM) • AWS security group (for your EC2 creations). docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html Diagram as on slide 14, adding DHCP Opt Set, PEM File and IAM Role.
  • 16. Configure administration instance. 1: RDP to Instance (yourdomain\admin). 2: Add Features: Group Policy Management; AD DS and AD LDS Tools; DNS Server Tools. 3: Verify Tools Added: Active Directory Administrative Center; Active Directory Domains and Trusts; Active Directory Module for Windows PowerShell; Active Directory Sites and Services; Active Directory Users and Computers; ADSI Edit; DNS; Group Policy Management.
  • 17. Administer with AD tools. Configure from AWS Console.
  • 18. Managing from AD Administration Tools. 88-856-43-585. OU “admin”; Customer Domain; “administrator”.
  • 19. Managing from AD Administration Tools. 88-856-43-585. OU “admin”; Customer. Add OU and on-premises users/groups to reserved security groups.
  • 22. Trusts. Trust; Access. Access requires permissions to resource in the trusting domain. Diagram: two Active Directory forests.
  • 23. Forests, domains, tree domains. Diagram: Active Directory Root Domain with Active Directory Child Domains; Active Directory Tree Root Domain with Active Directory Tree Child Domain; AWS Managed Microsoft AD: single domain forest (Active Directory Root Domain).
  • 24. AWS Managed Microsoft AD forest trust support. Diagram as on slide 23, with a Forest Trust between the AWS Managed Microsoft AD single domain forest and the on-premises forest root domain.
  • 25. AWS Managed Microsoft AD domain trust support. Diagram as on slide 23, with Domain Trusts from the AWS Managed Microsoft AD single domain forest to individual on-premises domains.
  • 26. AWS Managed Microsoft AD mixed trust support. Diagram as on slide 23, with a Forest Trust and a Domain Trust.
  • 27. AWS applications and trusts for hybrid IT use cases. Diagram: Customer VPC (Availability Zone 1, 10.0.2.0/24) with RDS for SQL Server (traditional AD aware applications); AWS Managed VPC with an AWS Managed Microsoft AD DC; VPN Connection or AWS Direct Connect to the Corporate data center Active Directory.
  • 28. AWS applications and trusts for hybrid IT use cases. Diagram as on slide 27, adding AWS cloud-based applications: Amazon Connect, Amazon WorkSpaces, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, Amazon Chime, AWS SSO.
  • 30. Security event logging to CloudWatch
  • 31. Use existing or create a new log group
  • 33. Cross-account sharing
  • 34. Communication paths to AWS Managed Microsoft AD. Diagram: AWS Managed VPC with DC1, DC2, DC3; Customer VPC1 in Account A with Amazon WorkSpaces, RDS for SQL Server, EC2, Amazon Connect, Amazon WorkMail, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, AWS SSO; AWS Internal DC APIs used to Discover DCs, Domain Join, Read.
  • 35. Internal DC APIs inaccessible in other accounts. Diagram as on slide 34, adding Account B with EC2 in Customer VPC2 connected by Peering.
  • 36. Cross-account directory sharing. Diagram as on slide 35, with the AWS Internal DC APIs (Discover DCs, Domain Join, Read) also reachable from Account B.
  • 37. Sharing across multiple VPCs and accounts. Diagram: AWS Managed VPC (DC1, DC2, DC3) shared with Customer VPC1 through Customer VPC6 across Account A, Account B and Account C.
  • 38. Recap • What AWS Managed Microsoft AD is • Key use cases • How applications use AWS Managed Microsoft AD • Deployment models (user vs. resource forest) • How to install, administer, and configure • Supported trust models • Security event logging • Directory sharing
  • 39. Reference information. Documentation: AWS Directory Service—aws.amazon.com/directoryservice; AWS Security Blog—aws.amazon.com/blogs/security/ (search for “AWS Managed Microsoft AD”); AWS What’s New—aws.amazon.com/new/ (Security, Identity & Compliance); AWS Managed Microsoft AD—aws.amazon.com/documentation/directory-service/; RDS for SQL Server—aws.amazon.com/documentation/rds/. AWS Quick Starts—aws.amazon.com/quickstart/: Active Directory Domain Services; Exchange Server 2013; SharePoint Server 2016 Enterprise; Lync Server 2013; SQL Server 2014 AlwaysOn; Windows PowerShell DSC.
  • 41. Thank you!

Editor's Notes

  1. This AWS managed service provides domain controllers that run on actual Microsoft Windows Server.
  2. The service is compliance audited so it’s eligible to support your PCI, HIPAA, or SOC audited application.
  3. You administer users and configure the directory including password policies, scale-out, and AD trusts.
  4. The Standard Edition offers 1 gigabyte of customer-usable storage for objects and scripts. Enterprise Edition offers 17 gigabytes.
  5. With users in AWS Managed Microsoft AD, you have the option to use Azure AD Connect with pass-through authentication to Azure AD. This enables your Office 365 users to authenticate with their AWS Managed Microsoft AD credentials. Click: Advanced organizations can even use Active Directory Federation Service for web applications.
  6. Alternatively, you can use AWS Single Sign-On to enable your users to sign in to the AWS Management Console and a variety of web applications such as Office 365, G-Suite, Box or SalesForce. In this case, you use Azure AD Connect to sync the users into Azure AD and configure O365 to use AWS SSO as an IdP.
  7. But maybe you have an existing AD deployment in your data center or on EC2 in a VPC. Click: With AWS Managed Microsoft AD you can extend that infrastructure with AD trusts to reduce the footprint of AD infrastructure you manage. Without synchronizing identities, your users can access Amazon applications and get the familiar Windows single-sign-on experience to applications in the AWS Cloud. Click: In this case, you can use Azure AD Connect to sync your on-premises users into Azure AD. Instead of AD FS, your users can then sign in to O365 and other applications through AWS SSO using their existing on-premises AD credentials.
  8. What I’m covering here is described in more detail in the tutorials you can find in the directory service documentation pages. First you start in your AWS account. <Click> You will need a VPC in your account. <Click> You will also need 2 subnets in your VPC that are in different availability zones. <Click> If you have a corporate datacenter, <Click> you can optionally link it to your VPC with Amazon Direct Connect or a VPN. <Click> You can also have an existing AD on-premises. Later I’ll talk about how to use that AD infrastructure with AWS Managed Microsoft AD.
  9. With the network infrastructure in place, you create AWS Managed Microsoft AD. This creates 2 domain controllers in the same Availability Zones but in a VPC that AWS owns. <Click> These domain controllers get ENIs into your availability zones. <Click> They also share an AWS security group that filters traffic to and from the DCs. Because these AWS security groups are in your account, you can tailor them to meet your security requirements. <Click> However, you must use extreme caution. Mistakes can make your directory unusable in ways that AWS cannot identify.
  10. After you create your directory, there are some best practices to follow. <Click> First, you should create DHCP option sets that tell EC2 to use AWS Managed AD for DNS. <Click> Second, you should create a separate AWS Security Group for your EC2 instances. Don’t re-use the security group that is intended for your DCs. <Click> Next, create an IAM role that has the AmazonEC2RoleForSSM policy. <Click> You also will need a PEM file with a key pair to use for creating EC2 instances. <Click> Next you create an EC2 Windows instance using the PEM file, and join it to the AWS Managed AD domain. You will sign into the instance and install the AD Administrative Tools.
  11. Once you join your EC2 instance, you can sign in using RDP with the ADMIN credentials for the domain you created. <CLICK> Then, using the Server Manager, you will add Group Policy Management, AD DS and AD LDS Tools, and DNS Server Tools. <Click> When finished, you’ll verify that it added these tools to the instance.
  12. You will administer users, groups, and other aspects of the directory using the AD Administration tools on the EC2 instance. You will configure features of the service such as trust configuration and schema changes from the AWS Console or APIs.
  13. In the AD Users and Computers tool, you can open your domain (in this case the example.com domain). In order to perform operational management of the directory, AWS retains ownership of the domain administrator. This account owns several containers within the root of the forest. AWS also creates, and delegates administrative control of, an organizational unit with the same name as your domain. Using your ADMIN account, you can add computers, users, groups, and other OUs within your OU. You can also assign fine-grained password policies to groups and users, and perform other normal administrative tasks on objects within your OU.
  14. AD has a number of administrative functions that are frequently performed by the domain administrator, but can be delegated to others. To enable you to perform those operations, we create a number of security groups that have been delegated rights, and we delegate your ADMIN account the permissions to add your users to these security groups. You can add users to these groups that you created in AWS Managed AD, or users or groups that come from your existing on-premises AD if you implement a trust. I’ll cover more on that later.
  15. To give you a little better context, I’ll walk through a demo of how to configure AWS Managed Microsoft AD. <SWITCH Screens> I’m signed in to my account and I’ve navigated to the AWS Management Console First I’ll create a directory by going to the Directory Service Console Switch to the existing directory Show tour of tabs Show EC2 seamless domain join Switch to existing instance Sign in with example\ADMIN Show ADUC
  16. One of the unique features of AWS Managed AD is its support for AD Trusts. AWS is the only cloud provider who can use trusts to preserve the Windows single sign-on experience for your existing on-premises users in hybrid-IT use cases. Let’s take a look at how this works.
  17. Let’s say you have an existing on-premises deployment of Active Directory. <click> In that directory you have all your user accounts and you have joined computers to the domain where you run workloads. <click> Suppose you want to run some Windows workloads in the AWS cloud and you want the on-premises users to have access to those workloads. However, let’s say you don’t want to manage AD infrastructure in the cloud and you want to keep management of the cloud instances isolated. <click> You could create an Active Directory in the cloud and join those instances to the domain in the AWS Cloud. <click> You might even create some user accounts in the cloud for people who manage the instances. To make it possible for the on-premises users to access the resources, <click> you can create an Active Directory trust from the cloud to your on-premises directory. <click> With the trust in place, the AWS Cloud becomes the trusting side of the trust, and the on-premises side becomes the trusted side. <click> The direction of the trust is important because it defines the direction of access. <click> In this case, the users in the AWS Cloud cannot access any of the resources in the on-premises network because they are not trusted by the on-premises AD. <click> The users in the on-premises network have potential access to the resources in the trusting AD. <click> It is only potential access because actual access requires that the trusting side resource administrator must establish permissions that enable the on-premises user to access the resource. This kind of configuration is often called a resource domain, or a resource forest model. What is great about a trust is that the user experience of accessing a resource through a trust is the same as accessing a resource in the same domain where the user account is.
You can take advantage of this model with AWS Managed Microsoft AD to migrate Windows workloads into AWS without the burden of managing all the AD infrastructure in the cloud. Let’s take a look at the options for using a trust with AWS Managed Microsoft AD. (click)
  18. AD is a forest that contains one or more domains. The top of the forest is the root domain. <click> The root domain can have child domains that share the same root domain name. <click> A forest can also contain tree domains that consist of a tree-root and optionally child domains from the tree root. Tree domains have a completely different root domain name, but they are part of the same forest and have inherent trust properties in the forest. While AD provides this flexibility, more common patterns today consist of a single root domain forest with no child domains. <click> AWS Managed AD provides a root domain forest only and does not support child domains.
  19. When you use AWS Managed Microsoft AD as a resource forest, you have different options for how you configure your trust. <Click> If you use a forest trust, then all users in all domains within the trusted forest have potential access to resources in the AWS Managed Microsoft AD domain. However, with a forest trust, AWS Managed Microsoft AD does not know how to reach the domain controllers for any tree domains you might have in your on-premises forest. Therefore, it is not able to verify the users that come from the tree domain. AD provides two ways of solving that. One way is to configure Name Suffix Routing. With Name Suffix Routing, you specify the tree-root domain name and a DNS conditional forwarder that knows how to find domain controllers in that tree domain. Another way is to use External Domain trusts.
  20. With external domain trusts, you can establish a trust between AWS Managed AD and one or more individual domains in your on-premises forest. These trusts are established between just two domains. <click> In this case, AWS Managed AD has just one domain and it can create a trust to the tree-root domain. In addition, you might not want all users from all child domains to have potential access to resources in your AWS Managed Microsoft AD. <click> In that case, you can create additional external domain trusts to the root of your forest or child domains of your forest. In this example, users in the highlighted domains have potential access to resources in the AWS Managed Microsoft AD forest, while users in other domains do not.
  21. You can also combine forest trusts and external domain trusts. However, you should not create an external domain trust to a child domain to which you already have a forest trust. This may cause some confusion for AD.
  22. Let’s look at how AWS applications and services use trusts in hybrid IT use cases. <Click> RDS for SQL Server is a more traditional AD application. It’s an AWS managed service that is accessible via ENIs in your availability zone. <Click> RDS for SQL Server can join the AWS Managed AD domain, and then use the Kerberos tickets it receives to authorize access to your data. <Click> With a 1-way trust from AWS Managed AD to your existing AD in your data center, your users in your datacenter can sign in with their existing credentials and use RDS for SQL Server with a Windows integrated authentication experience.
  23. The second kind of use is from AWS managed cloud-based applications. <click> Users access solutions like AWS SSO, WorkSpaces, and QuickSight by signing in over the Internet. <click> These solutions use AWS Managed AD to provision users into the application, authenticate the users, and then share information between users in the directory. <click> In order to provision users and to share information with users that are in your datacenter AD, AWS Managed AD needs read access to your datacenter AD. Today, this requires a 2-way trust. The trust from the datacenter to Managed AD gives Managed AD read access. The trust from Managed AD to the datacenter enables Managed AD to direct authentication to your datacenter.
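The trust rules in notes 17 through 23 (direction of a trust defines direction of access, a forest trust covers every domain in the trusted forest while an external trust covers one domain, tree domains behind a forest trust need name suffix routing, and potential access only becomes real access once the resource owner grants permission) are easy to get backwards in a design review. The model below is an added example, not code from the deck or from AWS; the domain names (aws.example, corp.example, tree.example and so on), the trust kinds and the ACL are constructed for illustration.

```python
"""Trust-direction model for a resource forest: which users *could* reach
resources in an AWS Managed Microsoft AD domain, and which actually can.

Added example, not code from the deck. All domain names and the sample
ACL are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str  # side whose resources become reachable (AWS Managed AD in a resource forest)
    trusted: str   # side whose users gain potential access
    kind: str      # "forest": every domain of the trusted forest; "external": that one domain only


@dataclass(frozen=True)
class Forest:
    root: str
    domains: frozenset  # root, child domains and tree domains


def _under(name, suffix):
    """True when name is suffix itself or a DNS child of it."""
    return name == suffix or name.endswith("." + suffix)


def forest_of(domain, forests):
    for f in forests:
        if domain in f.domains:
            return f
    raise KeyError(f"unknown domain {domain}")


def potential_access(resource_domain, trusts, forests):
    """Domains whose users have *potential* access to resources in resource_domain.

    Only trusts where resource_domain is the trusting side count: a one-way
    trust from the cloud to on-premises gives cloud users nothing on-premises.
    """
    domains = {resource_domain}
    for t in trusts:
        if t.trusting != resource_domain:
            continue
        if t.kind == "forest":
            domains |= forest_of(t.trusted, forests).domains
        elif t.kind == "external":
            domains.add(t.trusted)
        else:
            raise ValueError(f"unknown trust kind {t.kind}")
    return domains


def unroutable_tree_domains(resource_domain, trusts, forests, routed_suffixes=()):
    """Tree domains reached only through a forest trust and lacking a name
    suffix route: their users cannot be verified by the trusting side."""
    bad = set()
    for t in trusts:
        if t.trusting != resource_domain or t.kind != "forest":
            continue
        forest = forest_of(t.trusted, forests)
        for d in forest.domains:
            if not _under(d, forest.root) and not any(_under(d, s) for s in routed_suffixes):
                bad.add(d)
    return bad


def effective_access(user, resource, trusts, forests, acl):
    """Real access needs both a trust path and an explicit grant on the resource."""
    user_domain = user.split("@", 1)[1]
    resource_domain, _ = resource
    if user_domain not in potential_access(resource_domain, trusts, forests):
        return False
    return user in acl.get(resource, frozenset())


def conflicting_trusts(trusts, forests):
    """External trusts to a domain already covered by a forest trust from the same trusting side."""
    forest_trusts = [t for t in trusts if t.kind == "forest"]
    return [t for t in trusts if t.kind == "external"
            and any(f.trusting == t.trusting and t.trusted in forest_of(f.trusted, forests).domains
                    for f in forest_trusts)]


# Constructed scenario: on-premises forest with a root, two children and a tree
# domain with its own child; AWS Managed Microsoft AD is a single-domain forest.
ONPREM = Forest("corp.example", frozenset({"corp.example", "emea.corp.example", "apac.corp.example",
                                           "tree.example", "dev.tree.example"}))
AWS_AD = Forest("aws.example", frozenset({"aws.example"}))
FORESTS = [ONPREM, AWS_AD]

FOREST_TRUST = [Trust("aws.example", "corp.example", "forest")]          # one-way, cloud trusts on-prem
EXTERNAL_TRUSTS = [Trust("aws.example", "tree.example", "external"),      # only two chosen domains
                   Trust("aws.example", "emea.corp.example", "external")]
TWO_WAY = FOREST_TRUST + [Trust("corp.example", "aws.example", "forest")]  # what cloud apps need for read access
ACL = {("aws.example", "sqlserver01"): {"alice@emea.corp.example"}}

if __name__ == "__main__":
    print("forest trust grants potential access to:", sorted(potential_access("aws.example", FOREST_TRUST, FORESTS)))
    print("tree domains needing name suffix routing:", sorted(unroutable_tree_domains("aws.example", FOREST_TRUST, FORESTS)))
    print("alice can use sqlserver01:", effective_access("alice@emea.corp.example", ("aws.example", "sqlserver01"), FOREST_TRUST, FORESTS, ACL))
```

Running the scenario shows the two mistakes the notes warn about: with only the one-way forest trust, `potential_access("corp.example", ...)` stays `{"corp.example"}` (cloud accounts get nothing on-premises), and `unroutable_tree_domains` lists both tree domains until a `routed_suffixes=("tree.example",)` entry stands in for the conditional forwarder.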
  24. Another unique capability of AWS Managed AD is how it makes security event logs available for your use. Of course you can use the Event Viewer from a domain joined EC2 instance. But we also provide 2 other models. First, we automatically maintain a 1 year window of event logs as part of our PCI compliance. These logs are kept by AWS and are available to you through a support ticket request. This model exists to support compliance audits.
  25. However many companies want to be able to monitor what is going on in their directory in near real time. As I showed earlier, you can go to the Networking and Security tab to configure log forwarding. This feature enables you to fully customize the processing of your AWS Managed AD security event logs by forwarding the events to CloudWatch in an account of your choice.
  26. We tried to make the set-up as easy as possible. If you don't have any CloudWatch log groups, it defaults to creating one. If you have an existing one, it defaults to using that existing CloudWatch log group. When configuring CloudWatch, we automatically look for and use an existing resource policy that permits us to publish logs. If one doesn't exist, we create a resource policy for you. Once logging starts, you will have a separate log stream for each domain controller. This enables you to use any tools that work with CloudWatch to monitor the security events from your domain controllers. This includes events from your users, as well as events related to any access by AWS operators in the unusual case that we have to sign in to correct an operational problem that automation failed to handle.
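The log-forwarding set-up just described, scripted with boto3, as an added example (not code from AWS or from this talk). The pure functions build the CloudWatch Logs resource policy that lets Directory Service publish into one log group, and check whether an existing resource policy already grants that, mirroring the "reuse or create" behaviour described above; only apply() talks to AWS. The region, account ID, directory ID and log group name are placeholders (assumptions).

```python
"""Configure CloudWatch Logs forwarding for an AWS Managed Microsoft AD directory.

Added example, not code from AWS or the talk. Region, account ID, directory ID
and log group name are placeholders (assumptions). The pure functions build and
check the resource policy; apply() is the only part that calls AWS and needs
boto3 plus credentials.
"""
import json

DS_SERVICE_PRINCIPAL = "ds.amazonaws.com"
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def log_group_arn(region, account_id, log_group_name):
    """ARN of the log group, with the ':*' suffix that covers its log streams."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*"


def build_ds_resource_policy(region, account_id, log_group_name):
    """Least-privilege resource policy: Directory Service may only create
    streams and put events in this one log group, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDirectoryServiceLogForwarding",
            "Effect": "Allow",
            "Principal": {"Service": DS_SERVICE_PRINCIPAL},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": log_group_arn(region, account_id, log_group_name),
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_covers(resource, arn):
    """True if a policy Resource entry grants the target log group ARN."""
    if resource in ("*", arn):
        return True
    # Trailing-wildcard prefix, e.g. arn:aws:logs:us-east-1:111122223333:log-group:/aws/ds/*
    return resource.endswith("*") and arn.startswith(resource[:-1])


def statement_grants_ds(statement, arn):
    """Does one statement allow ds.amazonaws.com both required actions on the log group?"""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if principal != "*" and DS_SERVICE_PRINCIPAL not in services:
        return False
    actions = set(_as_list(statement.get("Action", [])))
    if not (REQUIRED_ACTIONS <= actions or "logs:*" in actions or "*" in actions):
        return False
    return any(_resource_covers(r, arn) for r in _as_list(statement.get("Resource", [])))


def find_usable_policy(existing_policies, region, account_id, log_group_name):
    """Return the name of an existing resource policy that already lets Directory
    Service publish to the log group, or None if a new one must be created.
    existing_policies is the 'resourcePolicies' list from logs:DescribeResourcePolicies."""
    arn = log_group_arn(region, account_id, log_group_name)
    for policy in existing_policies:
        doc = json.loads(policy["policyDocument"])
        if any(statement_grants_ds(s, arn) for s in _as_list(doc.get("Statement", []))):
            return policy["policyName"]
    return None


def apply(region, account_id, directory_id, log_group_name):
    """Create the log group if needed, reuse or create the resource policy, then
    subscribe the directory. Each domain controller then writes its own log stream."""
    import boto3  # imported here so the pure functions above work without boto3

    logs = boto3.client("logs", region_name=region)
    ds = boto3.client("ds", region_name=region)
    try:
        logs.create_log_group(logGroupName=log_group_name)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass
    existing = logs.describe_resource_policies().get("resourcePolicies", [])
    if find_usable_policy(existing, region, account_id, log_group_name) is None:
        logs.put_resource_policy(
            policyName="DSLogSubscriptionPolicy",
            policyDocument=json.dumps(build_ds_resource_policy(region, account_id, log_group_name)),
        )
    ds.create_log_subscription(DirectoryId=directory_id, LogGroupName=log_group_name)


if __name__ == "__main__":
    # Placeholder values (assumptions): replace with your own before running.
    apply("us-east-1", "111122223333", "d-1234567890", "/aws/directoryservice/d-1234567890")
```

The policy deliberately names a single log group ARN rather than a wildcard, so a compromised or misconfigured forwarding path cannot write into other log groups; the checker still accepts broader existing policies, which is what the console does, but you may prefer to tighten those.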
  27. Another unique feature of the service is that it is the only managed AD that can be shared across multiple virtual networks.
  28. Directory Sharing enables you to combine the isolation and billing benefits of accounts and VPCs with the benefits of managing access and EC2 Windows instances using a single managed AD. Let’s dive a little deeper to understand how we changed things when we added this feature.
  29. This slide illustrates how traditional AD applications access managed AD over an IP network path in their single account and single VPC. However, other AWS managed applications don't use an IP path through your network to reach the directory. These applications use internal AWS APIs. The APIs enable the applications to discover DCs, join the domain, and read the directory. Some of these APIs are also used by EC2, RDS, and WorkSpaces to find the DCs and join the domain.
  30. Suppose you have a second account and VPC where you have EC2 and you want it to use the directory. Today you can use VPC peering to connect the second VPC to the VPC where you have AWS Managed AD. With that in place, you can manually join the instance to the domain. But what if you want to take advantage of the automatic seamless domain join capability? EC2 needs to talk to an API in the second account.
  31. To address this, we made it possible to share the interface from AWS Managed AD to other accounts within a region.
  32. This solution enables you to create a shared services VPC where you install Managed AD. You can then use VPC peering or a VPN to connect any other VPCs you have in the same account. EC2 can then find and use the directory. You can then also share the directory with other accounts and connect VPCs from those accounts to the shared services VPC. Currently, EC2 takes advantage of this to provide seamless domain join capability from any VPC within a region. Sharing the directory requires the directory owner to offer the directory to another account, and the other account has to accept the offer. If the directory is in the root account of an AWS Organization, no handshake is required for the acceptance. If the account is outside of your organization, then the consumer must accept the offer. There are some nominal charges to share a directory, and those charges go to the consuming account. The number of VPC connections you can have is limited by the number of route table entries in your VPCs. This makes it possible to share a single AWS Managed AD with up to about 100 other VPCs across multiple accounts within a region.
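The offer-and-accept flow described above, scripted with boto3 as an added example (not code from AWS or from this talk). plan_shares() is pure and applies the rule from the slide: targets inside the owner's Organization, when the owner is the Organization's management account, are shared with the ORGANIZATIONS method and need no handshake; every other target gets HANDSHAKE and must accept on its side. The directory ID, account IDs and Organization membership set are placeholders (assumptions).

```python
"""Share an AWS Managed Microsoft AD directory with other accounts in the same Region.

Added example, not code from AWS or the talk. The directory ID, account IDs and
the Organization membership set are placeholders (assumptions). plan_shares()
is pure and decides the share method per target account; apply_owner_side() and
apply_consumer_side() are the only functions that call AWS, through boto3.
"""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def plan_shares(directory_id, owner_account, target_accounts, org_accounts,
                owner_is_org_management, notes=""):
    """Build one share_directory request per distinct target account.

    When the owner is the Organization's management account and the target is a
    member account, the share uses ORGANIZATIONS and needs no acceptance.
    Any other target gets HANDSHAKE and must accept the offer on its side.
    Returns a list of (request_params, needs_acceptance) tuples.
    """
    plans = []
    for account in dict.fromkeys(target_accounts):  # de-duplicate, keep order
        if not ACCOUNT_ID_RE.match(account):
            raise ValueError(f"not a 12-digit AWS account ID: {account!r}")
        if account == owner_account:
            continue  # the owner already has the directory
        in_org = owner_is_org_management and account in org_accounts
        method = "ORGANIZATIONS" if in_org else "HANDSHAKE"
        params = {
            "DirectoryId": directory_id,
            "ShareTarget": {"Id": account, "Type": "ACCOUNT"},
            "ShareMethod": method,
        }
        if notes:
            params["ShareNotes"] = notes
        plans.append((params, method == "HANDSHAKE"))
    return plans


def apply_owner_side(region, plans):
    """Owner account: send each share request; returns {target account: shared directory id}."""
    import boto3  # imported here so plan_shares() runs without boto3 installed

    ds = boto3.client("ds", region_name=region)
    shared = {}
    for params, _needs_acceptance in plans:
        response = ds.share_directory(**params)
        shared[params["ShareTarget"]["Id"]] = response["SharedDirectoryId"]
    return shared


def apply_consumer_side(region, shared_directory_id):
    """Consumer account (HANDSHAKE shares only): accept the pending offer."""
    import boto3

    ds = boto3.client("ds", region_name=region)
    return ds.accept_shared_directory(SharedDirectoryId=shared_directory_id)["SharedDirectory"]


if __name__ == "__main__":
    # Placeholder values (assumptions): replace before running.
    plans = plan_shares(
        directory_id="d-1234567890",
        owner_account="111122223333",
        target_accounts=["444455556666", "777788889999"],
        org_accounts={"444455556666"},
        owner_is_org_management=True,
        notes="Shared services directory for seamless domain join",
    )
    for params, needs_acceptance in plans:
        print(params["ShareTarget"]["Id"], params["ShareMethod"],
              "consumer must accept" if needs_acceptance else "no handshake")
```

Keeping the share list explicit (rather than sharing with every account in the Organization) keeps the set of accounts that can read the directory reviewable; the returned SharedDirectoryId is what the consumer passes to accept_shared_directory, and the consuming account is the one that carries the sharing charges mentioned above.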
  33. That completes the deep dive for today. We covered what AWS Managed AD is. We went through an overview of the main use cases. I gave an introduction on how to install, administer, and configure the directory. We walked through how AD trusts can be used between AWS Managed AD and your existing AD infrastructure with forest and external domain trusts. We talked about how to use CloudWatch to monitor security events from your AWS Managed AD DCs. And we covered how you can share AWS Managed AD with multiple accounts and VPCs within a single region.
  34. I’ve included a set of reference links for you here.
  35. Please remember to complete the session survey in the mobile app. By completing that, you will get access to the presentation when it gets published.