52. Directory Service
AWS Directory Service:
i. It's not a single service; it's a family of managed services.
ii. These allow you to connect AWS resources to an existing on-premises Active Directory.
iii. It can also be a standalone directory in the cloud.
iv. It allows users to access AWS resources and applications with their existing corporate credentials.
v. Enables single sign-on (SSO) to any domain-joined EC2 instance.
Active Directory:
i. On-premises directory service.
ii. It is a hierarchical database of users, groups and computers organized into trees and forests.
iii. We can apply group policies to manage users and devices on a network.
iv. Active Directory is based on two protocols: LDAP (Lightweight Directory Access Protocol) and DNS (Domain Name System).
v. It supports Kerberos, LDAP and NTLM authentication.
vi. An AD is intended to be deployed in a highly available configuration, which requires multiple servers (domain controllers).
AWS Managed Microsoft AD
i. This provides AD domain controllers (DCs) running on Windows Server. By default we get two DCs for high availability, each in its own AZ.
ii. The DCs are reachable by applications in the VPC.
iii. We can add additional DCs for HA and performance, i.e. to increase availability or transaction rates.
iv. We have exclusive access to the DCs.
v. We can extend the directory to an existing on-premises AD using an AD trust.
Responsibility split for AWS Managed Microsoft AD:

    AWS managed                 | Customer managed
    ----------------------------|-------------------------------------
    Multi-AZ deployment         | Users, groups, GPOs
    Patch, monitor, recover     | Standard AD tools
    Instance rotation           | Scale out DCs
    Snapshot & restore          | Trusts (resource forest)
                                | Certificate authorities using LDAPS
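The two-DC, two-AZ default described above is something a practitioner should verify before calling the API rather than discover afterwards. The following Python is an added example, not from these notes and not AWS code: it checks a subnet plan against that rule and builds the keyword arguments for the real boto3 `ds.create_microsoft_ad` call (`Name`, `ShortName`, `Password`, `VpcSettings`, `Edition` are the real parameter names). The subnet data, `FakeDsClient` and the returned directory id are constructed stand-ins so the script runs offline; with boto3 installed, `create_directory` accepts `boto3.client("ds")` in place of the fake.

```python
"""Added example (not from the notes or from AWS): pre-flight checks and request
construction for creating an AWS Managed Microsoft AD with boto3."""
from __future__ import annotations

# Constructed sample in the shape of `ec2 describe-subnets` output
# (SubnetId, VpcId and AvailabilityZone are the real field names; values are made up).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0123", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0123", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0123", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0ddd", "VpcId": "vpc-9999", "AvailabilityZone": "us-east-1b"},
]


class DirectoryPlanError(ValueError):
    """The chosen subnets cannot host the default two DCs in two AZs."""


def plan_problems(subnets: list[dict], subnet_ids: list[str]) -> list[str]:
    """Return every reason the plan would fail, or [] if it is sound.

    Managed Microsoft AD puts one DC in each of exactly two subnets; both must be
    in the same VPC and in different Availability Zones, or the HA default is lost.
    """
    problems: list[str] = []
    if len(subnet_ids) != 2:
        problems.append("exactly two subnets are required (one DC per AZ)")
    by_id = {s["SubnetId"]: s for s in subnets}
    missing = [sid for sid in subnet_ids if sid not in by_id]
    if missing:
        problems.append(f"unknown subnet(s): {', '.join(missing)}")
        return problems  # cannot check VPC/AZ placement of subnets we cannot see
    chosen = [by_id[sid] for sid in subnet_ids]
    if len({s["VpcId"] for s in chosen}) != 1:
        problems.append("both subnets must be in the same VPC")
    if len({s["AvailabilityZone"] for s in chosen}) != len(chosen):
        problems.append("subnets must be in different Availability Zones")
    return problems


def build_create_request(name: str, short_name: str, subnets: list[dict],
                         subnet_ids: list[str], edition: str = "Standard",
                         description: str | None = None) -> dict:
    """Build the keyword arguments for ds.create_microsoft_ad, minus the password."""
    problems = plan_problems(subnets, subnet_ids)
    if problems:
        raise DirectoryPlanError("; ".join(problems))
    if edition not in ("Standard", "Enterprise"):
        raise DirectoryPlanError("Edition must be 'Standard' or 'Enterprise'")
    if not 1 <= len(short_name) <= 15:  # NetBIOS domain names are limited to 15 chars
        raise DirectoryPlanError("ShortName must be 1-15 characters")
    vpc_id = {s["VpcId"] for s in subnets if s["SubnetId"] in subnet_ids}.pop()
    request = {
        "Name": name,               # fully qualified domain name, e.g. corp.example.com
        "ShortName": short_name,    # NetBIOS name, e.g. CORP
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids)},
        "Edition": edition,
    }
    if description:
        request["Description"] = description
    return request


def create_directory(ds_client, request: dict, admin_password: str) -> str:
    """Submit the request and return the new DirectoryId.

    The initial 'Admin' password is passed separately so it never sits in the
    (loggable) request dict; in practice fetch it from a secrets store.
    """
    response = ds_client.create_microsoft_ad(Password=admin_password, **request)
    return response["DirectoryId"]


class FakeDsClient:
    """Constructed stand-in for boto3.client('ds') so the example runs offline."""

    def __init__(self) -> None:
        self.calls: list[dict] = []

    def create_microsoft_ad(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        return {"DirectoryId": "d-0000000000"}  # made-up directory id


if __name__ == "__main__":
    client = FakeDsClient()
    req = build_create_request("corp.example.com", "CORP", SAMPLE_SUBNETS,
                               ["subnet-0aaa", "subnet-0bbb"])
    print("created", create_directory(client, req, admin_password="<from-secrets-store>"))
    print("rejected plan:", plan_problems(SAMPLE_SUBNETS, ["subnet-0aaa", "subnet-0ccc"]))
```

Running it with the constructed data creates the directory from the two subnets in different AZs and reports why a same-AZ pair is rejected; the same `plan_problems` check is what you would run over real `describe_subnets` output before spending the time a directory build takes.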
Simple AD:
i. We use Simple AD as a standalone directory in the cloud to support Windows workloads that need basic AD features.
ii. Two sizes: Small (up to 500 users) and Large (up to 5,000 users).
iii. Easier management of EC2 instances.
iv. Supports Linux workloads that need LDAP.
v. Does not support trusts (cannot join an on-premises AD).
AD Connector:
i. A directory gateway (proxy) to an on-premises AD.
ii. Avoids caching directory information in the cloud.
iii. Allows on-premises users to log into the AWS cloud using their AD credentials.
iv. Joins EC2 instances to the existing AD domain.
v. Scales across multiple AD Connectors.
The three Microsoft-compatible services are:
i. Managed Microsoft AD
ii. Simple AD
iii. AD Connector
Amazon Cloud Directory:
i. A directory-based store for developers.
ii. Supports multiple hierarchies with hundreds of millions of objects.
iii. Use cases: org charts, course catalogs, device registries.
iv. Fully managed service.
Amazon Cognito User Pools:
i. Managed user directory for SaaS applications.
ii. Sign-up and sign-in for web and mobile applications.
iii. Works with social media identities.
    AD compatible           | Non-AD compatible
    ------------------------|--------------------
    Managed Microsoft AD    | Cloud Directory
    AD Connector            | Cognito User Pools