AWS Managed Microsoft AD (Active Directory) & SSO

1. What means “single sign-on (SSO) across all accounts”?

• You have multiple AWS accounts under your AWS Organizations.
• Normally, you’d need to create separate IAM users in each account and log in multiple times. That’s messy.

• Single sign-on (SSO) means:

  • A user signs in once (for example, with their company username/password from Active Directory).
  • They can then switch between all AWS accounts (in the organization) without logging in again.
  • Their permissions are managed centrally (via groups/roles mapped from AD).

💡 Example:

• You have 3 accounts → Dev, Test, Prod.
• With SSO, your employee Alice logs in once with her company AD credentials.
• She sees a portal where she can click into Dev, Test, or Prod accounts — no need to re-enter credentials.

---

2. What means Microsoft Active Directory (AD)?

• Microsoft Active Directory (AD) is a directory service by Microsoft, usually running on Windows servers.
• It stores and manages users, groups, and computers in a company.
• It’s the central identity system many organizations already use for employee logins (Windows domain logins, shared drives, Exchange, etc.).
• AWS integrates with AD so companies can keep managing users on-premises but still allow them to access AWS resources.

💡 Think of AD as the company’s “phonebook + security system” for all employees and computers.

---

How it ties together

• On-premises AD: already manages your company’s users and passwords.
• AWS SSO / IAM Identity Center: integrates with AD.
• Result → users log in with their company credentials and get seamless access to all AWS accounts.

---

✅ So in short:

• SSO across accounts = log in once, use multiple AWS accounts.
• Microsoft AD = the company’s central user directory (your employees already use it to log into their work computers and apps).

Nice one 👍 — this is a classic AWS exam scenario about federation with on-prem Active Directory. Let’s carefully break it down.

---

The situation

• Multiple AWS accounts (managed via AWS Organizations).
• Need single sign-on (SSO) across all accounts.
• Must continue to manage users and groups in on-premises Microsoft AD.

So → we need AWS SSO (now called IAM Identity Center) integrated with self-managed AD.

---

Option A

Enable AWS SSO. Create a one-way forest trust or one-way domain trust to connect on-prem AD with AWS SSO via AWS Directory Service for Microsoft AD.

• Correct ✅ because:

  • With a one-way trust, AWS Managed Microsoft AD trusts the on-prem AD.
  • This means users are authenticated against on-prem AD, but can access AWS resources.
  • You keep centralized user/group management on-premises.
  • This is the recommended setup for AD federation with AWS SSO.

---

Option B

Enable AWS SSO. Create a two-way forest trust.

• ❌ Not needed.
• Two-way trust would allow AWS-managed AD to also authenticate users back into on-prem AD (not necessary and less secure).
• AWS docs recommend one-way trust for this scenario.

---

✅ Correct Answer: A. One-way trust with AWS Directory Service for Microsoft AD

---

• One-way trust = on-prem AD is authoritative, AWS uses it for authentication (common in hybrid).
• Two-way trust = unnecessary unless AWS AD also needs to authenticate resources back to on-prem.

   [ Employees / Users ]
             |
   (login with company username/password)
             |
      [ On-Prem Microsoft AD ]
             |
     (trust relationship / AD Connector)
             |
     [ AWS IAM Identity Center (SSO) ]
             |
   +-----------------------------+
   |        AWS Organizations    |
   +-----------------------------+
      /            |             \
 [ AWS Account A ] [ AWS Account B ] [ AWS Account C ]
   (Dev)              (Test)            (Prod)