Step-by-Step Guide to Creating AWS Microsoft AD and Configuring for Single Sign-On

AWS Directory Service

In this blog post I’m going to provide a step-by-step guide to create an AWS Microsoft AD and then configure it to enable access for single sign-on to the AWS Management Console.  As part of this I’ll only allow Full Access to Amazon S3 for the Admin user account.

Create the AWS Microsoft AD

  • Log in to the AWS Management Console.
  • Navigate to Security, Identity & Compliance.
  • Click on “Directory Service”.
  • Click “Setup Directory” and then Click “Microsoft AD”.
  • Specify the Fully Qualified Domain Name (FQDN) for the Active Directory Domain e.g. ‘corp.local’.
  • Specify the NetBIOS Domain Name for the Active Directory Domain e.g. ‘CORP’.
  • Specify the Password for the Admin User and then Confirm the Password.

Microsoft AD Directory Details

  • Select the “VPC” that the Microsoft AD will be built in.
  • Specify the “Subnets” within the VPC that was just selected.

Note – You have to select Subnets that are located in different Availability Zones for High Availability.

  • Click “Next Step”.

Review the details to make sure that the configuration is correct.

  • Click “Create Microsoft AD”.

This will take approximately 20 minutes to deploy the Microsoft AD.

Configure the AWS Microsoft AD for Single Sign-On

  • Navigate to Security, Identity & Compliance.
  • Click on “Directory Service”.
  • Click on the “Microsoft AD” that was previously created.On the Apps & Services Tab, Configure an Access URL.
  • Specify the Access Name e.g. ‘corpaccess’.
  • Click “Apply”.

This will then configure the Access URL as,

  • Navigate to the AWS Apps & Services Section.
  • Click “AWS Management Console”.
  • Click “Enable Access”.

This will then load a new internet browser tab directly in AWS Identity and Access Management (IAM) Roles.  Now we need to add some users or groups to an IAM Role to integrate it properly. For the purpose of this I’m just going to grant the Admin user Full Access to Amazon S3 and nothing else.

  • Under the Add Users and Groups to Roles, Click ‘click here’ (as shown below).

Add Users to Roles

  • Click “Create new role”.
  • Under the AWS Service Role, Navigate to AWS Directory Service.
  • Click “Select”.

Select Role

  • Select the checkbox for “AmazonS3FullAccess”.
  • Click “Next Step”.
  • Specify the Role Name e.g. ‘AD-S3-FullAccess’.
  • Click “Create role”.
  • Click “AD-S3-FullAccess”.
  • Click “Add”.
  • In the Search for textbox, type ‘Admin’.
  • Click “Add”.

This will now show that the Admin user within the Microsoft AD is added to the Role.

Assign Users and Groups

Testing Single Sign-On to the AWS Management Console

  • Open a Web Browser.

The URL that we actually need to access specifically for the AWS Management Console is

  • Navigate to the Access URL as noted above.
  • Log in using the Admin User and Password.
  • Navigate to Compute.
  • Click on “EC2”.

As you’ll notice that it says “You’re not authorized” against all functions as the Admin user doesn’t have any access rights to EC2EC2.

  • Return to the AWS Management Console.
  • Navigate to Storage.
  • Click on “S3”.

You’ll now notice that you don’t get any errors when you try to create an S3 Bucket as this is what we gave the IAM Role permissions to access.

If we’re looking at combining this with the best practices of Active Directory itself, we should assign the IAM Roles to the Microsoft AD Groups (that are within the Active Directory).  We would then add the users within the Active Directory to the groups within Active Directory.  This way you can utilise Role Based Access Control (RBAC) for the principal of least privilege.

If you have any questions, please let me know.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s