Limitations – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

Limitations

AD Connector is not compatible with Amazon RDS for SQL Server or with Amazon FSx for Windows File Server.

When to Use It

AD Connector is recommended when you want to use your existing on-premises directory with compatible AWS services.

Managed Microsoft AD

Managed Microsoft AD essentially lets you run Microsoft AD as a managed service on AWS. A fully featured AD, it supports Microsoft SharePoint, Microsoft SQL Server, Always On availability groups, and numerous .NET applications. Some AWS-managed applications and services are also supported, among which are Amazon WorkSpaces, Amazon QuickSight, Amazon Connect, Amazon RDS for Microsoft SQL Server, and Amazon FSx for Windows File Server.

Managed Microsoft AD is provided as a single-tenant solution; you do not share it or its components with any other AWS customer. It comes by default with two domain controllers deployed in separate Availability Zones (AZs) for increased resiliency.

You can use the user credentials stored in AWS Managed Microsoft AD with compatible applications. Alternatively, you can establish a trust relationship with your existing AD infrastructure and keep using credentials stored there, whether that AD runs on-premises or on Amazon EC2. By joining your EC2 instances to AWS Managed Microsoft AD, users get the same Windows SSO experience for Windows workloads on AWS as they have on-premises.
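As an added illustration that is not taken from the study guide, the following PowerShell sketches the trust and domain-join steps just described: a conditional forwarder on the on-premises DNS, the AWS side of a forest trust created with the AWS CLI, and a Windows EC2 instance joined to the managed directory. Every domain name, IP address, directory ID and NetBIOS name is a placeholder, and the on-premises half of the trust is assumed to be created separately with Active Directory Domains and Trusts.

```powershell
# Added example, not from the study guide. All identifiers below are assumptions:
#   AWS Managed Microsoft AD : aws.example.com, directory ID d-1234567890,
#                              DNS servers 10.0.0.10 and 10.0.1.10 (one per AZ)
#   On-premises forest       : corp.example.com (NetBIOS CORP),
#                              DNS servers 192.168.1.10 and 192.168.1.11
$awsDomain      = 'aws.example.com'
$awsDirectoryId = 'd-1234567890'
$awsDnsServers  = @('10.0.0.10', '10.0.1.10')
$onPremDomain   = 'corp.example.com'
$onPremDns      = @('192.168.1.10', '192.168.1.11')

# 1. On an on-premises DNS server: forward queries for the AWS domain to the
#    managed directory's DNS servers so the two forests can locate each other.
Add-DnsServerConditionalForwarderZone -Name $awsDomain `
    -MasterServers $awsDnsServers -ReplicationScope 'Forest'

# 2. Create the AWS side of the trust. "One-Way: Outgoing" means the managed
#    directory trusts the on-premises forest, so on-premises users can reach
#    workloads joined to AWS Managed Microsoft AD, but not the reverse (least
#    privilege). Selective authentication additionally requires on-premises
#    users to be granted "Allowed to Authenticate" on each AWS-side computer.
#    The trust password is shared with the on-premises side; prompt for it
#    instead of hard-coding it.
$trustPassword = Read-Host -Prompt 'Trust password' -AsSecureString
$plain = [System.Net.NetworkCredential]::new('', $trustPassword).Password
aws ds create-trust `
    --directory-id $awsDirectoryId `
    --remote-domain-name $onPremDomain `
    --trust-password $plain `
    --trust-direction 'One-Way: Outgoing' `
    --trust-type Forest `
    --selective-auth Enabled `
    --conditional-forwarder-ip-addrs $onPremDns   # PowerShell expands the array

# 3. On a Windows EC2 instance in a VPC that can reach the directory: point DNS
#    at the directory and join it. By default AWS places the computer object in
#    the Computers OU under the OU named after the directory's NetBIOS name.
#    (The SSM document AWS-JoinDirectoryServiceDomain does the same without
#    an interactive login.)
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $awsDnsServers
$joinCred = Get-Credential -Message "Account allowed to join computers to $awsDomain"
Add-Computer -DomainName $awsDomain -Credential $joinCred -Restart

# 4. After the reboot: check the machine account's secure channel, list the
#    trusts the directory knows about, and confirm an on-premises principal
#    resolves through the trust (RSAT-AD-PowerShell must be installed).
Test-ComputerSecureChannel -Verbose
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
([System.Security.Principal.NTAccount]'CORP\jdoe').Translate(
    [System.Security.Principal.SecurityIdentifier])   # fails if the trust is broken
```

Steps 1 and 2 run on an on-premises administrator workstation with DNS and AWS CLI access; steps 3 and 4 run on the EC2 instance. The one-way, selectively authenticated trust is the conservative starting point: widen it to two-way only if AWS-side identities genuinely need to reach on-premises resources.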

AWS Managed Microsoft AD lets users sign in to the AWS Management Console with their directory credentials. Through AWS SSO (since renamed AWS IAM Identity Center), they can further obtain short-term credentials for use with the AWS SDKs and CLI. Through SAML integration, it also lets them sign in to cloud applications, and it offers built-in integrations with Microsoft Office 365 and other business applications (for example, Salesforce) using the credentials stored in AWS Managed Microsoft AD. You can further reinforce security by enabling MFA.

When to Use It

AWS Managed Microsoft AD is the recommended option when you need genuine AD features to support AWS applications or Windows workloads. That includes Amazon RDS for Microsoft SQL Server and Amazon FSx for Windows File Server. Similarly, it remains your best option if you require access to business applications such as Office 365, Salesforce, and more.

Summary

In this first chapter, you have reviewed the core IAM concepts of AWS. You then investigated cross-account access control and user federation, which are essential elements for supporting complex organizations. Finally, you looked at the various flavors offered by AWS Directory Service. All these functionalities are core for securing access to AWS resources for complex organizations. So, do make sure these elements are crystal clear in your mind before moving on and, especially if that is not the case, have a look at the additional resources provided in the next section.

The next chapter of this book will take you through the AWS networking capabilities you need to know about to select and configure the optimal network topology for your organization.

Further Reading

For more information, please refer to the following resources: