How-To
Building a Directory Service in AWS, Part 1: Available Types
Fortunately, says Brien Posey, there are a number of options for setting up a directory service in AWS.
You may occasionally find that the resources you deploy in the AWS cloud require access to an Active Directory environment in order to work. Amazon FSx for Windows File Server, for example, depends on Microsoft Active Directory, as do some other services. Fortunately, there are a number of options for setting up a directory service in AWS.
The good news is that you don't necessarily have to build and maintain a collection of EC2-based domain controllers and DNS servers, although that is an option. As an alternative, you can create a directory service natively within AWS. Better still, Amazon allows you to pick from a variety of directory types.
In this blog series, I want to show you how to build a directory service in the Amazon cloud. This blog post will explain how to get started, and I'm also going to spend some time talking about the various types of directory services that you can create. Each type of directory service that Amazon supports is intended for specific use cases, so it's really important to understand which type of directory service best aligns with your organization's needs. I will wrap things up in part two by explaining how to create a Microsoft Active Directory environment in the Amazon cloud.
To get started, log in to AWS and go to the list of services. Next, click on the Directory Service link, which is located in the Security, Identity and Compliance section. When the Directory Service screen appears, click on the Set up Directory button, shown in Figure 1.
At this point, you will be taken to a screen that asks you to select your directory type. This step differs significantly from the normal Microsoft way of doing things. The vast majority of directory services that exist in Windows environments are based on Microsoft Active Directory. Windows does, however, provide an option to create an LDAP directory as an alternative. As you can see in Figure 2, however, AWS lets you choose from four different types of directories.
- Create an AWS managed Microsoft Active Directory: Choosing this option causes AWS to create a Microsoft Active Directory environment in the cloud. The main difference between this environment and an on-premises Active Directory environment is that the AWS version is a managed service. That means the necessary domain controllers and DNS servers are deployed on the back end without you having to set them up in EC2. In fact, the domain controllers don't even show up in EC2. Amazon takes care of patch management and all of the other server-level maintenance tasks on your behalf.
- Create a Simple AD: Simple AD might best be described as a non-Microsoft Active Directory. Rather than the domain controllers being hosted on Windows servers, AWS creates a directory on a Linux Samba server that is designed to be Active Directory compatible. This option will generally work fine if you're not doing anything overly elaborate, and it might even save you a little bit of money.
- Create an AD Connector: As its name implies, the AD Connector is not actually an Active Directory environment. Instead, it is a mechanism that redirects Active Directory requests to another Active Directory environment. This might be your on-premises Active Directory, or it could be a directory service that you set up in a competing cloud such as Azure.
- Create an Amazon Cognito User Pool: I tend to think of this option as a special-purpose directory environment. Microsoft Active Directory is probably best known as an authentication mechanism, but it provides a number of other services as well. In contrast, an Amazon Cognito User Pool is used solely for authentication purposes. More specifically, this type of directory is designed to enable authentication for applications.
Developers who need to build some sort of authentication into their application often rely on external providers such as Facebook or Google. You've no doubt come across web applications that ask you to log in with a Facebook or Google account. While using these types of accounts is an easy way for developers to authenticate the users of their applications, reliance on external providers raises a number of privacy concerns. Amazon Cognito User Pools are designed to give developers an easy way to authenticate users without having to rely on external authentication providers.
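Once a few of these directories exist, the first thing an administrator wants to know is which type each one is and where its domain controllers actually live. The following script is an added example, not code from the original post; it summarizes a constructed sample of a Directory Service DescribeDirectories response (the shape boto3's `ds.describe_directories()` returns) for the three types that appear in that API. Cognito User Pools are a separate service and are not listed by it; all IDs and addresses below are placeholders.

```python
"""Summarize AWS Directory Service directories by type (example, constructed data)."""
import json

# Constructed sample of a DescribeDirectories response; IDs are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "DirectoryDescriptions": [
        {"DirectoryId": "d-EXAMPLE00001", "Name": "corp.example.com",
         "Type": "MicrosoftAD", "Edition": "Standard", "Stage": "Active",
         "VpcSettings": {"VpcId": "vpc-EXAMPLE1", "SubnetIds": ["subnet-a", "subnet-b"]}},
        {"DirectoryId": "d-EXAMPLE00002", "Name": "lab.example.com",
         "Type": "SimpleAD", "Size": "Small", "Stage": "Active",
         "VpcSettings": {"VpcId": "vpc-EXAMPLE2", "SubnetIds": ["subnet-c", "subnet-d"]}},
        {"DirectoryId": "d-EXAMPLE00003", "Name": "onprem.example.com",
         "Type": "ADConnector", "Size": "Small", "Stage": "Active",
         "ConnectSettings": {"VpcId": "vpc-EXAMPLE3",
                             "SubnetIds": ["subnet-e", "subnet-f"],
                             "CustomerDnsIps": ["10.0.0.10", "10.0.0.11"],
                             "CustomerUserName": "svc-adconnector"}},
    ]
})

# Where the domain controllers live for each directory type described above.
HOSTING = {
    "MicrosoftAD": "AWS-managed Windows domain controllers",
    "SharedMicrosoftAD": "Managed Microsoft AD shared from another account",
    "SimpleAD": "AWS-managed Samba server (AD-compatible, not Windows)",
    "ADConnector": "proxy only; authentication happens in the target directory",
}


def summarize_directories(response_json: str) -> list:
    """Return one record per directory with type, hosting model and tier."""
    records = []
    for d in json.loads(response_json)["DirectoryDescriptions"]:
        dtype = d["Type"]
        rec = {
            "id": d["DirectoryId"], "name": d["Name"], "type": dtype,
            "hosting": HOSTING.get(dtype, "unknown type"), "stage": d.get("Stage"),
            # Managed Microsoft AD reports an Edition; Simple AD and AD Connector a Size.
            "tier": d.get("Edition") or d.get("Size"),
        }
        if dtype == "ADConnector":
            cs = d["ConnectSettings"]
            # The connector depends on these DNS servers and service account elsewhere.
            rec["forwards_to_dns"] = cs["CustomerDnsIps"]
            rec["service_account"] = cs["CustomerUserName"]
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in summarize_directories(SAMPLE_RESPONSE):
        print(r)
```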
Now that I have explained the various types of directory services that you can create, I want to continue the discussion in part two by showing you how to build an AWS Managed Microsoft Active Directory.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.