AWS® has gained popularity as one of the best Infrastructure-as-a-Service (IaaS) providers in the world, allowing many companies to replace their on-prem data centers. Oftentimes, though, Microsoft® Active Directory® (AD) remains the preferred tool for identity and access management.
Many organizations are looking for ways to extend their AD identities to AWS as a result. Connecting AD to cloud resources is a constant headache, however. Fortunately, there’s a more efficient way to do so.
Rooted in Active Directory
When on-prem infrastructures and Windows® computers were standard, Active Directory was the best tool for identity and access management (IAM). It consolidated users’ identities into one set of credentials so that no matter what on-prem Windows applications they used, they could access it with one login.
This was a blessing for IT admins because it meant they didn’t need to manage multiple identities for one user anymore. Soon, AD became the core resource for managing Windows users and access permissions. However, that blissful time came to an end as “the cloud” accumulated. Organizations started to realize they could benefit from cloud infrastructure and applications more than on-prem resources, in many instances.
This is where the headaches began. While organizations shifted their infrastructures to the cloud, they continued to rely on AD for IAM. However, AD only managed user access to on-prem Windows applications via on-prem Windows devices (as it still does today). Other tools were needed to connect AD to cloud-hosted services.
Previously, data centers were connected via VPN to the on-prem AD instance to access their servers, but the preference for cloud providers (like AWS) to replace internal data centers led to a challenge for how to connect AD to these now public cloud servers. As such, alternative solutions were called for.
AWS Directory Service for Active Directory
Today, admins may use AWS Directory Service to sync on-prem Active Directory identities with AWS. The good news is that AWS handles the cloud Active Directory maintenance, but the bad news is that you still need to put in all of the plumbing to connect on-prem AD with the AWS managed AD service. Further, you’ll need to manage all of the users as you normally do without the benefit of automation.
For organizations that have a mixed-platform IT environment, you will still struggle to manage non-Windows systems (e.g. Linux) using AWS Directory Service. Other drawbacks of AWS Directory Service are that it doesn’t include automation features, multi-factor authentication (MFA), or end user password and SSH key management.
Essentially, AWS Directory Service will extend AD to Windows-based AWS infrastructure, but you’ll struggle with other IT resources (e.g. Linux, technical applications, web apps for DevOps, etc.). You will need additional tools — sometimes referred to as add-ons — to connect to any other cloud resources your organization uses, as well as to enforce cybersecurity procedures. This can quickly get expensive, as most add-ons have their own monthly costs and implementation challenges.
Cloud Identity Bridge
A different, more elegant approach to extending Active Directory to the AWS infrastructure is through a cloud identity bridge.
A cloud identity bridge integrates AD identities with systems, protocols, and applications, both on- and off-prem. Rather than set up users and groups separately, this method syncs AD identities with AWS — and any other cloud services you may use — automatically. You can manage both Mac® and Linux® devices, too. Linux-based applications hosted at AWS are also an ideal candidate to be integrated through the on-board LDAP server.
Plus, because it’s a cloud-hosted service, this method requires no additional on-prem servers to upkeep. You’re also paying less for more because it consolidates the functions of many add-ons into one, maximizing your productivity while getting the most out of your investments. And, you only pay for what you need through the per user pricing model.