This is the solution I created for account I supporting. Using AWS managed Microsoft Active Directory (AD) less headache for administrator and team because no need to manage license and it is pay as you go model. Also it is Highly Available (HA) configuration and managed service so no need to patching or easy to add more AD nodes.
Major benefit of using AWS managed AD is on-board and off-board user easily and handle outside of AWS console. Also can use AD connector to connect Corp AD.
Here are step by step building AWS Management Active Directory service and integrate with AWS IAM.
Login to your AWS Console with Administrator permission
Under Security, Identity & Compliance service select Directory Service.
Click Set up Directory
Select AWS Managed Microsoft AD and click Next
Select Standard unless require to setup larger business
Give any name at Directory DNS name (Not Public DNS, inside your VPC) See example from below screenshot
Enter Directory NetBIOS name (See example from below screenshot)
Enter Admin password and make sure write down somewhere safe because it will require. Click next
Choose VPC you want and select at least two different Subnets. Click Next
Review and Create Directory (~ 86 dollars per month and 30 days free trial) This step will take around 45 minutes.
Creating
*Let's setup IAM Role and policy *
Under Security, Identity & Compliance service select IAM
Click "Role" from left under Access Management and click 'Create Role'
At next page select AWS Service and EC2 then click Next
At next page search AmazonSSM and select AmazonSSMDirectoryServiceAccesss & AmazonSSMManagedInstanceCore then click Next
At Role detail page give meaningful Role name and description. Then click Create Role.
Create another role for this blog/demo purpose only. In reality you will need to create multiple roles.
Click "Role" from left under Access Management and click 'Create Role'
At next page select AWS Service and EC2 then click Next
At next page search ViewOnlyAccess and select ViewOnlyAccess policy
Click Next and give meaningful name and create role.
Back to Directory Service page
Verify AD service
It is HA at two subnets (Same Region)
Under Add a trust relationship you can add external / Corporate AD
*Provision Windows base for add/join Domain and manage users
*
At EC2 console launch Windows 2019 base (Not Core Base) t2.micro with IAM role "EC2DomainJoin" earlier created. Also select AD you created. See below screenshot as example
Login (Remote Desktop) with Domain Users & Domain Admin password created above. (Hint: Domain\User)
You can verify with Open Terminal windows and run "whoami" & "set" commands
Go to Windows "Server Manager" Dashboard and click "Add roles and features" link click Next until 'Features" is selected.
Expand "Remote Server Administration Tools" and select 'AD DS and AD LDS Tools'
Click Next and Install. (It will take 2 to 3 minutes)
Click Close
Go to Windows Administrative Tools and Open "Active Directory Users and Computer and select Users
Create new user(s)
Give permission to users
Go back to AWS AD service and select Directory Service you created and select again "Application and Management"
Go to AWS Management Console session and under action select enable.
Go to next session "Delegate console access" click AD-ViewOnlyUser (or whichever permission you created earlier)
Click the group you want to add user(s)and add
Copy the Console url from AWS Apps and Services session and go to different browser or private browser and login
That way users can login with permission you give at AD Service. No need to add at AWS IAM page.
Now you are successfully created AWS Managed AD and integrated with AWS Console login.
Top comments (1)
I have created directory using cloudformation and don't have any user what will be my domain users