By Rajat Bhargava Posted October 27, 2014
A question we hear again and again from our user base is “how do you connect your AWS servers to Microsoft Active Directory (AD)?” System admins are jumping through all kinds of hoops to manage the users on their AWS cloud servers. Some do it manually. Others use Chef or Puppet. Still others deploy Active Directory from an AMI inside a VPC and end up running two Active Directory instances. All of these approaches are hard to manage, and each involves a great deal of manual work: setup, configuration, and ongoing maintenance.
There’s a better way. You can connect your AWS Linux and Windows servers to AD by bridging them through a third-party Directory-as-a-Service® (DaaS) platform from JumpCloud. Here’s how it works:
- You install a lightweight agent on your on-premises Active Directory server.
- That agent securely connects to a cloud-based directory that becomes the “bridge” to AD.
- Once AD is securely connected to your cloud directory service, you specify which users are synced to the cloud-based service.
- Those users are created in the cloud directory and kept in sync with your authoritative on-premises Active Directory user store.
So, when you terminate an employee, their access is removed simultaneously across all of your user platforms. A new hire works the same way—you add the user in AD, and he or she can appear in your cloud directory instantly, if desired.
Now you are ready to connect your AWS cloud servers to the cloud directory. Whether the servers run Linux or Windows, you simply install an agent on each one. That agent creates a secure connection back to the Identity-as-a-Service platform in the cloud. When a user attempts to log in to one of your AWS servers, they are authenticated against the SaaS cloud directory, which is an extension and mirror of your central Active Directory. Users go through exactly the same login process they normally would. Nothing is different for them.
The benefits of Directory-as-a-Service are tremendous:
- Users are always kept in sync with the core user store.
- IT admins can provision, de-provision, and modify users from one place. There’s no need to remember which servers an individual has access to, or to check whether a terminated user has been removed from every server. This effectively provides single sign-on to your AWS infrastructure—users leverage their existing AD credentials—from anywhere.
- There’s no need to set up a secondary domain controller or to worry about messy VPNs to handle replication.
Another critical benefit of a DaaS approach is that it increases security dramatically. In the past, manual methods of centralized user management were subject to any number of security issues, including credentials being passed around, forgotten or missed users and servers, confusion about where a user had actually been authenticated, and reuse of weak or old passwords. IT admins also found that connecting cloud servers to the AD infrastructure required a lot of networking work to ensure everything could reach everything else securely. The DaaS approach simplifies this process tremendously while keeping confidential information intact and secure. Passwords, user access, and other controls are all managed and defined from a single source of truth. A DaaS solution that connects AWS servers to your Active Directory instance avoids the common pitfalls of manual approaches. It’s simple, elegant, and cost-effective. If you are interested in AD with AWS, drop us a note and we’d be happy to help.
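The “forgotten or missed users and servers” problem above is easy to show concretely. The Python below is an added example written for this page, not JumpCloud’s agent or any code from the product: it treats a directory export as the single source of truth and audits each server’s local accounts against it, flagging accounts that belong to disabled (terminated) users, users who are no longer entitled to that server, and local accounts the directory has never heard of. The server names, group names, access policy and the `/etc/passwd` snippets are all constructed sample data; a real run would feed it an actual directory export and real passwd files.

```python
"""Drift audit: compare an authoritative directory with per-server local accounts.

Added example for illustration; not JumpCloud code. All names and data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    username: str
    enabled: bool          # False once the account is disabled/terminated in AD
    groups: frozenset      # directory group memberships


# Constructed "authoritative" directory export (what AD says is true).
AUTHORITATIVE = [
    DirectoryUser("alice", True, frozenset({"web-admins", "db-admins"})),
    DirectoryUser("bob", True, frozenset({"web-admins"})),
    DirectoryUser("carol", False, frozenset({"db-admins"})),   # terminated employee
    DirectoryUser("dave", True, frozenset({"finance"})),       # no server entitlement
]

# Constructed access policy: which directory groups may log in to which server.
SERVER_POLICY = {
    "web-01": frozenset({"web-admins"}),
    "db-01": frozenset({"db-admins"}),
    "bastion": frozenset({"web-admins", "db-admins"}),
}

# Constructed /etc/passwd snapshots collected from each server.
SERVER_PASSWD = {
    "web-01": """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
""",
    "db-01": """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash
deploy-tmp:x:1050:1050::/home/deploy-tmp:/bin/sh
""",
    "bastion": """root:x:0:0:root:/root:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
""",
}


def parse_passwd(text, min_uid=1000):
    """Return the interactive, non-system usernames from passwd-format text."""
    users = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; skip rather than guess
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= min_uid and not shell.endswith(("nologin", "false")):
            users.add(name)
    return users


def audit_server(server, local_accounts, directory, policy):
    """Classify every local account on one server against the directory."""
    by_name = {u.username: u for u in directory}
    allowed = policy.get(server, frozenset())
    expected = {n for n, u in by_name.items() if u.enabled and u.groups & allowed}
    present = set(local_accounts)
    findings = {"missing": sorted(expected - present),
                "disabled": [], "unentitled": [], "orphaned": []}
    for name in sorted(present - expected):
        user = by_name.get(name)
        if user is None:
            findings["orphaned"].append(name)      # unknown to the source of truth
        elif not user.enabled:
            findings["disabled"].append(name)      # terminated but still has a login
        else:
            findings["unentitled"].append(name)    # active user, wrong server
    return findings


def audit_fleet(passwd_by_server, directory, policy):
    return {s: audit_server(s, parse_passwd(txt), directory, policy)
            for s, txt in passwd_by_server.items()}


def has_drift(report):
    """True if any server has any finding; handy as a CI/cron exit condition."""
    return any(items for findings in report.values() for items in findings.values())


if __name__ == "__main__":
    for server, findings in audit_fleet(SERVER_PASSWD, AUTHORITATIVE, SERVER_POLICY).items():
        print(server, {k: v for k, v in findings.items() if v})
```

Run as a script it prints one line per server with only the non-empty finding categories, so the terminated user still present on `web-01`, the unentitled and orphaned accounts on `db-01`, and the missing admin on `bastion` stand out immediately. The point of the design is that nothing on the server is trusted as policy: entitlement is derived only from the directory export plus the group-to-server policy, which is exactly the “one source of truth” the post argues for.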