AWS® Authentication using LDAP and IAM

By Ryan Squires Posted February 17, 2019

AWS® Authentication using LDAP and IAM

AWS® cloud infrastructure has been replacing traditional data centers for many years now. While many IT organizations have moved their on-prem and collocated data center infrastructure to AWS, a significant number of organizations are undergoing the shift now. The reason for doing so is that shifting to AWS can save organizations a tremendous amount of time and money. Despite these savings, there are headaches that await the shift. The challenge surrounding these cloud transformations has been in controlling the infrastructure remotely and integrating it into the central identity management tool set. In particular, one area of interest is AWS authentication using LDAP and IAM (identity and access management).

AWS and Traditional IAM

Because there are a lot of different parts to this problem, we should step back and understand what exactly organizations are trying to do with this setup. Resulting from the shift to AWS cloud infrastructure, many organizations are experiencing hangups with actually managing the cloud infrastructure and the identities used to access it. The problem is that many of the traditional tools that have generally been used to manage network infrastructure on-prem or within the data center break down when cloud infrastructure is added in to the equation. These older, legacy solutions were simply not made to manage the innovations that the cloud era has brought to IT. So, what tools are IT admins using now, and how are they imagining better scenarios to overcome the challenges they’re facing?

IAM, Active Directory®, AWS Cloud Servers, and LDAP

Ideally, admins could manage those components into a common set of IT management tools. A core area where this issue occurs is in identity and access management. Traditionally, IT admins have leveraged Microsoft® Active® Directory® (AD) to act as their identity provider (IdP) of choice. That system worked great when everything was Windows®-based and on-prem, but AWS servers are remote and they typically run Linux®.

The result is that with AWS, on-prem AD is painful to connect to. One workaround that IT admins and DevOps engineers have employed is setting up their own OpenLDAP platform at AWS. With OpenLDAP set up, IT admins have been able to leverage AWS authentication through LDAP. The biggest challenge with this setup is that it adds a great deal of work and overhead, not to mention it creates two disparate identity providers within one organization. That sounds like a lot of hassle. So, what do IT admins and DevOps engineers want?

AWS Authentication Plus More

Ideally, there would be a way to have one identity for a user and leverage that identity across on-prem resources such as their system whether it is a Windows, macOS®, or Linux. That identity would also work for WiFi. In conjunction with on-prem resources, that single identity should also connect to AWS cloud servers via SSH keys and multi-factor authentication (MFA). Using MFA ensures that even stolen credentials are less impactful because the hacker would need the six-digit time-based one-time token (TOTP) code as well to gain access to the server.

In addition to SSH keys and MFA, this identity provider would of course be an AWS authentication source via LDAP and other IAM protocols such as SAML for web applications, RADIUS for network infrastructure, and more. Further, this directory services solution would be delivered from the cloud for cloud resources, on-prem tools, and remote users and the resources they require. Directory services beamed down from the cloud gives IT admins time back to focus on more high-value ventures instead of needing to continually maintain OpenLDAP and Active Directory instances. One way admins are utilizing AWS authentication via LDAP is with JumpCloud® Directory-as-a-Service®.

Learn More about JumpCloud®

AWS Authentication using LDAP and IAM is no longer a far-fetched idea. In fact, it’s possible to implement today. See for yourself by signing up for a JumpCloud account. It’s free, and it provides you the ability to manage up to 10 users forever. Additionally, you can schedule a demo to see the product in action. Finally, visit our Knowledge Base and/or YouTube channel for additional information about moving your directory services solution to the cloud.

Ryan Squires

Ryan Squires is a content writer at JumpCloud, a company dedicated to connecting users to the IT resources they need securely and efficiently. He has a degree in Journalism and Media Communication from Colorado State University.

Recent Posts