In a multi-part blog series, we look at how and why to federate your Microsoft Active Directory or LDAP user accounts to Amazon Web Services (AWS). With the significant adoption of AWS cloud infrastructure, IT organizations are struggling with how to control user access to their cloud servers. Specifically, the cloud doesn’t make controlling user access with on-premise with AD or LDAP exactly straightforward or easy. In fact, a whole new industry of solutions in the cloud identity management space have popped up to help address issues like this.
Therefore, this blog series addresses how businesses can go about federating AD or LDAP user access to AWS servers.
Spinning up a server instance at AWS is a snap. With the click of a button, or the call of an API, hundreds of AWS instances can be delivering mission critical applications. Unfortunately, one of the most critical tasks of managing a server is creating, managing, monitoring, and auditing user accounts; and, that isn’t a snap, nor generally secure. The challenge that DevOps and IT admins face around centralized user management is two-fold: operational efficiency and security. Managing access and permissions to cloud servers is time consuming, tedious, and insecure. Add in auditing of user logins and command activity and very few DevOps and IT admins are able to find the time to effectively and systematically handle this critical task.
To date, DevOps and IT pros have manually provisioned users, leveraging a cloud AD instance, installing LDAP, or utilizing configuration automation solutions such as Chef or Puppet. While each of these solutions is a potential path, they are not ideal. Directories are operationally less efficient, and security is put at higher risk. Federating access to your AWS servers via your existing AD or LDAP is an optimal approach to this problem. If you are not using AD or LDAP, then leveraging a SaaS-based directory service solution is efficient and secure.
Read on to learn best practices in centralized user management on AWS servers including discussing the full life cycle of provisioning, managing, monitoring, de-provisioning, and auditing accounts. New, innovative solutions in the Identity-as-a-Service space are helping address these issues.