- https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html
- Identity Federation is the process of delegating an individual's or entity's authentication responsibility to a trusted external party. Each partner in federation plays the role of either an identity provider (IdP) or a service provider (SP).
- Available on AWS:
§ MS Active Directory
§ Best for more than 5000 users, or when both on-premises and AWS services are used (a trust to the on-premises AD is needed)
§ Allows for snapshots, backups and point-in-time restore
§ Simple AD
§ Inexpensive directory option with the most common non-advanced AD features; best for fewer than 5000 users when all services are in the cloud
§ Allows for snapshots, backups and point-in-time restore
§ AD Connector
§ Connects an on-premises directory with AWS – a proxy between the two directory services
§ No snapshot capabilities
§ Amazon Cloud Directory
§ Cognito
AWS – MS Active Directory
- Fully managed service
- Single sign-on into AWS and on-premise services
- VPN or Direct Connect connectivity required for integration with on-premises services
- Can set up federation to use 3rd-party cloud apps. Ex: Office 365 on Azure
- Supports LDAP over SSL/TLS (LDAPS) – e.g. for Linux applications that bind to the directory
- Can set up MFA (via a RADIUS server)
- CloudTrail logging and SNS notifications for directory status are available
- Scalable, redundant – domain controllers are deployed in at least 2 AZs of a region
- Compatible with RDS SQL server
- Standard Edition – up to 5k users, 30K objects (users/groups/devices)
- Enterprise Edition – up to 500K objects
- Can also run your own AD on EC2 and integrate it with the on-premises AD in one of two ways:
§ Replication mode – directory data (user info) is copied to both sides; the AWS-side AD can be promoted to primary; needs a VPN between the two for secure replication traffic
§ Trust mode – each directory keeps its own users and a trust lets one side authenticate the other's; no directory data is copied, so this is more secure than replication
§ AWS Managed Microsoft AD does not support replication with an on-premises AD – only trust relationships
Simple AD
- Standalone fully managed Directory on AWS
- Low-cost low scale
- LDAP compatible (Samba 4 based), so LDAP-aware applications can bind to it
- Redundant – 2 directory servers in 2 subnets (different AZs) of the same VPC
- Subset of features of MS AD
- Kerberos-based Single Sign On
- Monitoring, Snapshots, Recovery
- Integrates with AD-enabled AWS apps: Amazon WorkSpaces, WorkDocs, WorkMail, QuickSight
- Small – up to 500 users / 2000 objects
- Large – 5000 users / 20000 objects
- Not compatible with RDS SQL server
- No MFA
- No Trust relationship with other AD services
AD Connector
- Proxy between applications on AWS and on-premise AD
- Removes the need for synchronization
- Small – up to 500 users
- Large – up to 5000 users
- VPN or Direct Connect required
- Authentication adds latency – every request is forwarded to the on-premises domain controllers
- Allows users access to AWS management console with on-premise AD credentials
- No RDS SQL
- Can integrate with on-premise RADIUS-based MFA services
- No AD data from on-premise AD is replicated into AWS
- Use case: Windows EC2 instances joined to the on-premises domain without replicating the directory into AWS
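The three options above differ mainly in sizing limits and in which features (MFA, trusts, RDS for SQL Server) they support, and all of them require two subnets in two Availability Zones of one VPC. The following is an added preflight planner, not code from the original post or from AWS: it encodes the limits and constraints listed in these notes and checks the subnet layout with the standard library. The names Requirements, choose_directory and check_subnets are the example's own and are not AWS API identifiers; the sample inputs in the demo are constructed.

```python
"""Preflight planner for the AWS Directory Service options compared above.

Added example (not AWS code). It encodes the user/object limits and feature
constraints from the notes and validates the two-subnet / two-AZ prerequisite
shared by Microsoft AD, Simple AD and AD Connector. All names here are the
author's own, not AWS API identifiers.
"""
from dataclasses import dataclass
import ipaddress

# (max users, max objects) per option and size/edition, as listed in the notes.
# None means the notes give no limit for that dimension.
LIMITS = {
    ("Microsoft AD", "Standard"):   (5_000, 30_000),
    ("Microsoft AD", "Enterprise"): (None, 500_000),
    ("Simple AD", "Small"):         (500, 2_000),
    ("Simple AD", "Large"):         (5_000, 20_000),
    ("AD Connector", "Small"):      (500, None),
    ("AD Connector", "Large"):      (5_000, None),
}


@dataclass
class Requirements:
    users: int
    objects: int
    identities_on_prem: bool = False   # users are mastered in an on-premises AD
    needs_mfa: bool = False
    needs_rds_sql_server: bool = False  # Windows auth for RDS for SQL Server
    needs_trust: bool = False           # trust with another AD (e.g. on-prem)


def _fits(option, size, req):
    max_users, max_objects = LIMITS[(option, size)]
    return ((max_users is None or req.users <= max_users) and
            (max_objects is None or req.objects <= max_objects))


def _first_fit(option, sizes, req):
    for size in sizes:
        if _fits(option, size, req):
            return option, size
    raise ValueError(f"{option} cannot hold {req.users} users / {req.objects} objects")


def choose_directory(req):
    """Return (option, size) for the cheapest option that meets every requirement."""
    if req.identities_on_prem and not (req.needs_rds_sql_server or req.needs_trust):
        # Proxy to the on-prem AD: nothing is replicated into AWS, and MFA
        # can be satisfied by an on-prem RADIUS server.
        return _first_fit("AD Connector", ("Small", "Large"), req)
    if req.needs_mfa or req.needs_rds_sql_server or req.needs_trust or req.identities_on_prem:
        # Simple AD has no MFA, no RDS SQL Server support and no trusts;
        # on-prem identities plus a directory in AWS means a trust, so Microsoft AD.
        return _first_fit("Microsoft AD", ("Standard", "Enterprise"), req)
    try:
        return _first_fit("Simple AD", ("Small", "Large"), req)
    except ValueError:
        return _first_fit("Microsoft AD", ("Standard", "Enterprise"), req)


def check_subnets(vpc_cidr, subnets):
    """Validate the subnet prerequisite: exactly two subnets, both inside the
    VPC CIDR, non-overlapping and in different Availability Zones.
    `subnets` is a list of (cidr, availability_zone) tuples.
    Returns the list of problems found; an empty list means the layout is OK."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if len(subnets) != 2:
        problems.append(f"expected 2 subnets, got {len(subnets)}")
    nets = [(ipaddress.ip_network(cidr), az) for cidr, az in subnets]
    for net, _az in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside VPC {vpc}")
    if len(nets) == 2:
        (a, az_a), (b, az_b) = nets
        if a.overlaps(b):
            problems.append(f"subnets {a} and {b} overlap")
        if az_a == az_b:
            problems.append(f"both subnets are in {az_a}; use two Availability Zones")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a cloud-only shop that needs MFA.
    req = Requirements(users=3_000, objects=10_000, needs_mfa=True)
    print(choose_directory(req))
    print(check_subnets("10.0.0.0/16",
                        [("10.0.1.0/24", "us-east-1a"), ("10.0.2.0/24", "us-east-1a")]))
```

The planner prefers the cheapest option that satisfies every flag, falling back from Simple AD to Microsoft AD only when a limit or feature rules Simple AD out; the subnet check mirrors the validation the console performs when you pick two subnets, since a single-AZ layout defeats the redundancy the notes describe.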