© 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved.
How to secure your Active Directory deployment on AWS
Vinod Madabushi
Enterprise Solutions Architect
Amazon Web Services
FND306
Agenda
• Active Directory basics
• Typical deployment patterns
• Securing Active Directory on Amazon EC2
• AWS Managed Microsoft AD security
• Q&A
What we won’t cover in this session today
• Best practices for organizing/managing Active Directory data
• Design considerations for your Active Directory infrastructure
• Comparison of features in AWS Managed Microsoft AD vs. AD on Amazon EC2
What is Active Directory?
• Organize users, groups, computers, and devices for administration
• Specify policies for user and computer configurations (group policy objects)
• Control user access to applications within the enterprise
Why do customers deploy Active Directory on AWS?
• Support Windows workloads running on AWS
• Reduce latency for applications and improve resiliency
• Manage AWS services and resources
Choices for running Active Directory on AWS
• Self-managed, on Amazon EC2
• AWS-managed Microsoft AD
Extending on-premises AD domain to AWS on Amazon EC2
[Architecture diagram: a corporate data center hosting AD domain controllers, which remote users/admins reach for Auth/LDAP, connects over VPN or AWS Direct Connect to an AWS Region. In the Region, domain controllers run in private subnets in two Availability Zones and replicate with the on-premises AD (AD replication); the application tier (web servers, app servers, database) in private subnets in each Availability Zone authenticates against them over Auth/LDAP.]
Using AWS Managed AD as a resource domain
[Architecture diagram: the same corporate data center with AD domain controllers, remote users/admins and VPN or AWS Direct Connect connectivity to an AWS Region. In the Region, AWS Managed AD runs in private subnets in two Availability Zones with a one-way trust to the on-premises AD; the application tier (web servers, app servers, database) in each Availability Zone authenticates against AWS Managed AD over Auth/LDAP.]
How do customers choose between these options?
Deploy AD to Amazon EC2
• Want to extend the existing forest/domain to AWS
• Need for domain/enterprise admin privilege
• Extend existing users, groups, OUs, and GPOs
• Single unified environment between on-premises and AWS cloud
How do customers choose between these options?
Managed AD as resource domain
• Want to minimize AD infrastructure operational management in the cloud
• Allow delegation of cloud AD management to a separate team while maintaining control of user identity
• Need delineation between on-premises and AWS environments
• Need native integration with Amazon RDS, Amazon FSx, AWS Single Sign-On, etc.
Shared responsibility model
Account structure framework
[Diagram: an AWS master account running AWS Organizations, a log archive account that aggregates AWS CloudTrail and AWS Config logs, a security account running Amazon GuardDuty (master), and a shared services account that hosts the AD domain controllers.]
Account security
• Place all the domain controllers in a single AWS account
• If there are multiple teams operating in a single account, consider using tag-based policies to restrict access
• Restrict access to Amazon EC2 start/stop/terminate
• Restrict access to Amazon EBS volumes/snapshots
• Follow best practices to secure the AWS account’s root credentials
Network security – Security groups
[Diagram: a shared services VPC in an AWS Region with Domain controller 1 and Domain controller 2 in private subnets in two Availability Zones; domain members in VPC 1, VPC 2 and VPC 3 reach the domain controllers.]
Inbound security group rules
Source            Protocol   Ports
VPC1              TCP, UDP   AD ports
VPC2              TCP, UDP   AD ports
VPC3              TCP, UDP   AD ports
On-premises DCs   TCP, UDP   Trust ports
DC1, DC2          All        All
Active Directory ports
Port and protocol | Purpose | Type of traffic
TCP and UDP 389 | Directory, replication, user and computer authentication, group policy, trusts | LDAP
TCP 636 | Directory, replication, user and computer authentication, group policy, trusts | LDAP SSL
TCP 3268, 3269 | Directory, replication, user and computer authentication, group policy, trusts | LDAP GC, LDAP GC SSL
TCP and UDP 88 | User and computer authentication, forest level trusts | Kerberos
TCP and UDP 464 | Replication, user and computer authentication, trusts | Kerberos change/set password
TCP 445 | Replication, user and computer authentication, group policy, trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP and UDP 53 | User and computer authentication, name resolution, trusts | DNS
UDP 123 | Windows time, trusts | NTP
TCP 135 | Replication | RPC, EPM
UDP 138 | DFS, group policy | DFSN, NetLogon, NetBIOS datagram service
TCP 139 | User and computer authentication, replication | DFSN, NetBIOS session service, NetLogon
TCP 49152-65535 | Replication, user and computer authentication, group policy, trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
Restricting AD ports: https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port
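As an added example (not code from the talk), the following Python audits a domain controller security group's inbound rules against the port table above and the rule model of the security groups slide: AD ports from the member VPCs, trust ports (the rows whose purpose lists "trusts") from on-premises DCs, and all traffic only between the DCs themselves. The VPC CIDRs, the on-premises range and the security group id are constructed placeholders; the rule list mirrors the shape of the EC2 DescribeSecurityGroups IpPermissions field so a live response could be passed in unchanged.

```python
from ipaddress import ip_network

# Port table from the "Active Directory ports" slide, as (from, to) ranges.
AD_PORTS = {
    "tcp": [(53, 53), (88, 88), (135, 135), (139, 139), (389, 389), (445, 445),
            (464, 464), (636, 636), (3268, 3269), (49152, 65535)],
    "udp": [(53, 53), (88, 88), (123, 123), (138, 138), (389, 389), (464, 464)],
}
# Subset of the table whose purpose column lists "trusts": what an
# on-premises DC needs to reach a DC in AWS over a forest/domain trust.
TRUST_PORTS = {
    "tcp": [(53, 53), (88, 88), (389, 389), (445, 445), (464, 464), (636, 636),
            (3268, 3269), (49152, 65535)],
    "udp": [(53, 53), (88, 88), (123, 123), (389, 389), (464, 464)],
}

# Constructed topology: member VPC CIDRs, on-premises DC CIDR and the DC
# security group id. Placeholders, not values from the talk.
MEMBER_VPCS = [ip_network(c) for c in ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16")]
ONPREM_DCS = [ip_network("192.168.10.0/24")]
DC_SG_ID = "sg-0dc0placeholder"


def _within(lo, hi, ranges):
    """True if every port in lo..hi sits inside one allowed (a, b) range."""
    return any(a <= lo and hi <= b for a, b in ranges)


def _in_any(net, nets):
    return any(net.subnet_of(n) for n in nets)


def audit_dc_inbound(ip_permissions):
    """Return a list of findings for one DC security group's inbound rules.

    An empty list means the rules match the slide's model.
    """
    findings = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]

        # "All/All" is only legitimate between the DCs themselves (DC1 <-> DC2),
        # expressed as a self-referencing security group source.
        if proto == "-1":
            bad = cidrs + [g for g in groups if g != DC_SG_ID]
            if bad:
                findings.append(f"all-traffic rule from non-DC source(s) {bad}")
            continue

        if proto not in AD_PORTS:
            findings.append(f"unexpected protocol {proto!r}")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]

        for g in groups:
            if g != DC_SG_ID:
                findings.append(f"{proto} {lo}-{hi} from unknown security group {g}")
        for cidr in cidrs:
            net = ip_network(cidr)
            if net.prefixlen == 0:
                findings.append(f"{proto} {lo}-{hi} open to the internet ({cidr})")
            elif _in_any(net, MEMBER_VPCS):
                if not _within(lo, hi, AD_PORTS[proto]):
                    findings.append(f"{proto} {lo}-{hi} from member VPC {cidr} is not an AD port")
            elif _in_any(net, ONPREM_DCS):
                if not _within(lo, hi, TRUST_PORTS[proto]):
                    findings.append(f"{proto} {lo}-{hi} from on-premises DC {cidr} is not a trust port")
            else:
                findings.append(f"{proto} {lo}-{hi} from unknown source {cidr}")
    return findings


# Constructed sample: the slide's intended rule set plus two mistakes.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}, {"CidrIp": "10.2.0.0/16"}]},
    {"IpProtocol": "udp", "FromPort": 88, "ToPort": 88,
     "IpRanges": [{"CidrIp": "10.3.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 49152, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": DC_SG_ID}]},
    # Mistake 1: RDP opened to the world instead of from a management server.
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    # Mistake 2: on-premises DCs granted a non-trust port (NetBIOS datagram).
    {"IpProtocol": "udp", "FromPort": 138, "ToPort": 138,
     "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
]

if __name__ == "__main__":
    for finding in audit_dc_inbound(SAMPLE_RULES):
        print("FINDING:", finding)
```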
Network security – Other considerations
• Avoid using NACLs to filter Active Directory ports except when absolutely necessary (NACLs are stateless, which makes the ephemeral port ranges tricky to handle)
• Place domain controllers in private subnets
• Place domain controllers in multiple AZs for availability
• Route tables can be used as an additional network control mechanism
Internet name resolution from the DCs
[Diagram: domain controllers in private subnets of the shared services VPC across two Availability Zones, with domain members in VPC 1, VPC 2 and VPC 3. Two paths for the DCs' internet-bound DNS queries are shown: DNS servers in public subnets behind NAT gateways and an internet gateway, or the Amazon Route 53 .2 resolver.]
Data security – Encryption
• Enable LDAPS on the domain controllers for secure authentication. Active Directory Certificate Services (ADCS) can be used to issue the certificates.
• Encrypt the Amazon EBS volumes (including C:) attached to the DCs. The easiest way is to use AWS Key Management Service (KMS).
• Consider using a separate customer master key (CMK) for Active Directory and restrict access to it appropriately.
• If you want to keep your CMK in AWS CloudHSM, consider the KMS custom key store.
Encryption – Using CloudHSM
[Diagram: AWS services call the existing KMS APIs. AWS KMS backs its default key store with the KMS HSM fleet; a custom key store connector links KMS instead to a CloudHSM cluster in an HSM VPC. The Amazon EBS volume of a domain controller in a private subnet of the Active Directory VPC is encrypted with a key from that custom key store.]
Logging, monitoring, and alerting
• Security logs are the best source of information for activities occurring on your identity store. Monitor security logs for anomalies.
• Enable and monitor VPC Flow Logs for troubleshooting and security.
• Consider setting up alerting for key security events in near real time.
• Enable AWS CloudTrail logs in the AWS account and alert on key changes.
• Monitor DCs for availability. Set up Amazon EC2 auto recovery to recover the EC2 instance from a hardware or other failure.
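To show what near-real-time alerting on domain controller security logs can look like, here is an added Python example (not from the talk). It runs over constructed log lines in a simple "timestamp host EventID=n key=value;..." format that is this example's own, not a CloudWatch Logs or Windows export format; the event IDs are the standard Windows Security log IDs, while the choice of which to alert on, the privileged group list and the lockout threshold are this example's assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Standard Windows Security log event IDs chosen here for alerting on a DC.
WATCHED_EVENTS = {
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4720: "user account created",
    4719: "system audit policy changed",
    4740: "user account locked out",
}
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}
# Groups whose membership changes warrant an immediate high-severity alert
# (example's own list; extend it with your delegated admin groups).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
LOCKOUT_THRESHOLD = 3  # lockouts of one account within a batch of lines


@dataclass
class Event:
    ts: str
    host: str
    event_id: int
    fields: dict


def parse_line(line):
    """Parse '<ts> <host> EventID=<n> k=v;k=v;...' (constructed format)."""
    parts = line.strip().split(" ", 3)
    if len(parts) < 3 or not parts[2].startswith("EventID="):
        raise ValueError(f"malformed log line: {line!r}")
    fields = {}
    if len(parts) == 4:
        for pair in parts[3].split(";"):
            key, _, value = pair.partition("=")
            fields[key] = value
    return Event(parts[0], parts[1], int(parts[2].split("=", 1)[1]), fields)


def detect_alerts(lines):
    """Return (timestamp, severity, message) tuples for alert-worthy events."""
    alerts = []
    lockouts = Counter()
    for line in lines:
        ev = parse_line(line)
        desc = WATCHED_EVENTS.get(ev.event_id)
        if desc is None:
            continue  # routine event: archived, not alerted on
        if ev.event_id in GROUP_CHANGE_EVENTS:
            group = ev.fields.get("Group", "")
            if group in PRIVILEGED_GROUPS:
                alerts.append((ev.ts, "HIGH",
                               f"{ev.host}: {ev.fields.get('Subject')} added "
                               f"{ev.fields.get('Member')} to {group}"))
        elif ev.event_id == 4740:
            account = ev.fields.get("Account", "")
            lockouts[account] += 1
            if lockouts[account] == LOCKOUT_THRESHOLD:  # alert once per batch
                alerts.append((ev.ts, "MEDIUM",
                               f"{ev.host}: {account} locked out "
                               f"{LOCKOUT_THRESHOLD} times"))
        else:
            alerts.append((ev.ts, "MEDIUM", f"{ev.host}: {desc} {ev.fields}"))
    return alerts


# Constructed sample log lines (not real events).
SAMPLE_LOG = r"""
2019-06-25T14:02:11Z DC1 EventID=4624 Subject=CORP\jdoe;LogonType=3
2019-06-25T14:02:40Z DC1 EventID=4728 Subject=CORP\jdoe;Member=CORP\svc-backup;Group=Domain Admins
2019-06-25T14:03:05Z DC2 EventID=4728 Subject=CORP\hr-admin;Member=CORP\bsmith;Group=Sales Staff
2019-06-25T14:03:30Z DC1 EventID=4720 Subject=CORP\jdoe;Account=CORP\tmp-admin
2019-06-25T14:04:01Z DC2 EventID=4740 Account=CORP\alice;CallerComputer=WS42
2019-06-25T14:04:09Z DC2 EventID=4740 Account=CORP\alice;CallerComputer=WS42
2019-06-25T14:04:15Z DC2 EventID=4740 Account=CORP\alice;CallerComputer=WS42
2019-06-25T14:05:00Z DC1 EventID=4719 Subject=CORP\jdoe;Category=Account Management
""".strip().splitlines()

if __name__ == "__main__":
    for ts, severity, message in detect_alerts(SAMPLE_LOG):
        print(ts, severity, message)
```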
Other considerations
• Restrict the number of users who can log in to domain controllers
• Perform AD administrative tasks from a management server
• Perform regular backups of your Active Directory environment for recovery
• Encrypt and secure your Active Directory backups
AWS Managed Microsoft AD security
• AWS Managed AD is single tenant. Your DCs only contain your data.
• Most management tasks are done via automation. We have a process for operators when human touch is required.
• AWS employees don’t have access to customer’s domain admin credentials. Those are under automated control.
• Domain controller security logs are delivered to Amazon CloudWatch Logs.
• Delegated admin access using predefined users, groups, and OUs.
AWS Managed Microsoft AD security (cont’d)
• Account security
  • Centralize AWS Managed Microsoft AD in a single AWS account
  • Restrict access to AWS Directory Service to limited users
  • Follow best practices to secure the AWS root credentials
• Network security
  • Security group limits traffic to just AD ports and between domain controllers
  • Use management server for admin tasks; cannot RDP to domain controllers
AWS Managed Microsoft AD security (cont’d)
• DNS – Internet name resolution
  • AWS Managed AD will use Route 53 (.2 resolver) for internet-bound queries
• Encryption
  • EBS volumes are encrypted by default using AWS KMS
  • All snapshots are encrypted and stored securely
  • AWS Managed AD supports LDAPS. Refer to this documentation: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap.html
AWS Managed Microsoft AD shared responsibility
AWS responsibility:
• Protect hardware, software, networking, and facilities that run AWS Managed AD
• Isolation of domain controllers between customers
• Protect enterprise/domain admin credential through automation
• Apply updates and security patches to the domain controllers
• Encrypt EBS volumes
• Maintain availability of the directory
• Monitor and manage Active Directory replication
• Perform daily snapshots of the directory
Customer responsibility:
• Maintain and manage Active Directory data like users, groups, OUs, group policies, etc.
• Configure and manage Active Directory trusts
• Configure and manage network connectivity to AWS Managed AD VPC/subnets
• Provide a compatible LDIF file for schema extensions
• Manage security groups for AWS Managed AD
• Configure LDAPS to support applications
• Configure integration with RADIUS and MFA infrastructure
• Add more domain controllers based on performance requirements
AWS Managed AD compliance certifications
AWS Managed Microsoft AD certifications
Thank you!
Vinod Madabushi
vinodmb@amazon.com

OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inforce 2019

1. How to secure your Active Directory deployment on AWS
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vinod Madabushi, Enterprise Solutions Architect, Amazon Web Services
FND306

2. Agenda
• Active Directory basics
• Typical deployment patterns
• Securing Active Directory on Amazon EC2
• AWS Managed Microsoft AD security
• Q&A

3. What we won’t cover in this session today
• Best practices for organizing/managing Active Directory data
• Design considerations for your Active Directory infrastructure
• Comparison of features in AWS Managed Microsoft AD vs. AD on Amazon EC2

4. (section divider, no text)

5. What is Active Directory?
• Organize users, groups, computers, and devices for administration
• Specify policies for user and computer configurations (group policy objects)
• Control user access to applications within the enterprise

6. Why do customers deploy Active Directory on AWS?
• Support Windows workloads running on AWS
• Reduce latency for applications and improve resiliency
• Manage AWS services and resources

7. Choices for running Active Directory on AWS
• Self-managed, Amazon EC2
• AWS-managed Microsoft AD

8. (section divider, no text)

9. Extending on-premises AD domain to AWS on Amazon EC2
[Diagram: the corporate data center (AD domain controllers, remote users/admins, Auth/LDAP) connects over VPN or AWS Direct Connect to an AWS Region. Domain controllers in a private subnet in each of two Availability Zones replicate with the on-premises AD; web servers, app servers and databases in the application subnets use them for Auth/LDAP.]

10. Using AWS Managed AD as a resource domain
[Diagram: same topology, but AWS Managed AD in two Availability Zones serves the application subnets and is linked to the on-premises domain controllers by a one-way trust instead of AD replication.]

11. How do customers choose between these options?
Deploy AD to Amazon EC2
• Want to extend the existing forest/domain to AWS
• Need for domain/enterprise admin privilege
• Extend existing users, groups, OUs, and GPOs
• Single unified environment between on-premises and AWS cloud

12. How do customers choose between these options? (cont’d)
Managed AD as resource domain
• Want to minimize AD infrastructure operational management in the cloud
• Allow delegation of cloud AD management to a separate team while maintaining control of user identity
• Need delineation between on-premises and AWS environments
• Need native integration with Amazon RDS, Amazon FSx, AWS Single Sign-On, etc.

13. Shared responsibility model
[Diagram only]

14. Account structure framework
[Diagram: AWS Organizations with an AWS master account, a log archive account (aggregates AWS CloudTrail and AWS Config logs), a security account (Amazon GuardDuty master), and a shared services account that hosts the AD domain controllers.]

15. (section divider, no text)

16. Account security
• Place all the domain controllers in a single AWS account
• If there are multiple teams operating in a single account, consider using tag-based policies to restrict access
• Restrict access to Amazon EC2 start/stop/terminate
• Restrict access to Amazon EBS volumes/snapshots
• Follow best practices to secure the AWS account’s root credentials

17. Network security – Security groups
[Diagram: a shared services VPC in an AWS Region with domain controller 1 and domain controller 2 in private subnets in two Availability Zones; domain members in VPC 1, VPC 2 and VPC 3 connect to them.]
Inbound security group rules:
Source | Protocol | Ports
VPC1 | TCP, UDP | AD ports
VPC2 | TCP, UDP | AD ports
VPC3 | TCP, UDP | AD ports
On-premises DCs | TCP, UDP | Trust ports
DC1, DC2 | All | All

18. Active Directory ports
Port and protocol | Purpose | Type of traffic
TCP and UDP 389 | Directory, replication, user and computer authentication, group policy, trusts | LDAP
TCP 636 | Directory, replication, user and computer authentication, group policy, trusts | LDAP SSL
TCP 3268, 3269 | Directory, replication, user and computer authentication, group policy, trusts | LDAP GC, LDAP GC SSL
TCP and UDP 88 | User and computer authentication, forest level trusts | Kerberos
TCP and UDP 464 | Replication, user and computer authentication, trusts | Kerberos change/set password
TCP 445 | Replication, user and computer authentication, group policy, trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP and UDP 53 | User and computer authentication, name resolution, trusts | DNS
UDP 123 | Windows time, trusts | NTP
TCP 135 | Replication | RPC, EPM
UDP 138 | DFS, group policy | DFSN, NetLogon, NetBIOS datagram service
TCP 139 | User and computer authentication, replication | DFSN, NetBIOS session service, NetLogon
TCP 49152–65535 | Replication, user and computer authentication, group policy, trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
Restricting AD ports: https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port
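Slides 17 and 18 together define the policy: only the AD ports from each member VPC, trust ports from the on-premises DCs, and everything between the DCs themselves. The following Python is an added example (not from the deck) that encodes the port table in the boto3 IpPermissions shape and audits an existing rule set against it; the member VPC CIDRs and the group id are constructed placeholders, and no AWS API call is made.

```python
"""Build and audit the inbound security group rules for EC2-hosted domain
controllers from the deck's AD port table (slides 17 and 18). Added example,
not from the deck; the member VPC CIDRs and group id are constructed. Only
the boto3 IpPermissions dict shape is used, so no AWS call is made."""

# (protocol, from_port, to_port) rows of the "Active Directory ports" table.
AD_PORTS = [
    ("tcp", 389, 389), ("udp", 389, 389),       # LDAP
    ("tcp", 636, 636),                          # LDAP SSL
    ("tcp", 3268, 3269),                        # LDAP GC, LDAP GC SSL
    ("tcp", 88, 88), ("udp", 88, 88),           # Kerberos
    ("tcp", 464, 464), ("udp", 464, 464),       # Kerberos change/set password
    ("tcp", 445, 445),                          # SMB
    ("tcp", 53, 53), ("udp", 53, 53),           # DNS
    ("udp", 123, 123),                          # NTP
    ("tcp", 135, 135),                          # RPC endpoint mapper
    ("udp", 138, 138),                          # NetBIOS datagram service
    ("tcp", 139, 139),                          # NetBIOS session service
    ("tcp", 49152, 65535),                      # RPC dynamic range
]

def build_dc_ingress(member_cidrs, dc_sg_id):
    """IpPermissions per slide 17: AD ports from each member VPC CIDR, and
    all traffic between the DCs themselves (source = the DC group itself)."""
    perms = [{"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
              "IpRanges": [{"CidrIp": c} for c in member_cidrs]}
             for proto, lo, hi in AD_PORTS]
    perms.append({"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": dc_sg_id}]})
    return perms

def audit_dc_ingress(perms, member_cidrs, dc_sg_id):
    """Flag rules wider than that policy: a port/range not in AD_PORTS, a
    source CIDR outside the member VPCs, or all-traffic from a non-DC source."""
    findings = []
    for p in perms:
        if p.get("IpProtocol") == "-1":
            groups = [g.get("GroupId") for g in p.get("UserIdGroupPairs", [])]
            if p.get("IpRanges") or any(g != dc_sg_id for g in groups):
                findings.append(("all-traffic from non-DC source", p))
            continue
        key = (p.get("IpProtocol"), p.get("FromPort"), p.get("ToPort"))
        if key not in AD_PORTS:
            findings.append(("port not in AD table", key))
        for r in p.get("IpRanges", []):
            if r.get("CidrIp") not in member_cidrs:
                findings.append(("source outside member VPCs", r.get("CidrIp")))
    return findings

if __name__ == "__main__":
    cidrs, sg = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"], "sg-0dc0example"
    rules = build_dc_ingress(cidrs, sg)
    print(len(rules), "rules;", audit_dc_ingress(rules, cidrs, sg))  # 17 rules; []
```

Feed `audit_dc_ingress` the `IpPermissions` list from `describe_security_groups` for the DC group to check a live deployment against the same table; the trust ports from on-premises DCs would be a second CIDR list handled the same way.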
19. Network security – Other considerations
• Avoid using NACLs to filter Active Directory ports except when absolutely necessary (ephemeral ports can be tricky)
• Place domain controllers in private subnets
• Place domain controllers in multiple AZs for availability
• Route tables can be used as an additional network control mechanism

20. Internet name resolution from the DCs
[Diagram: a shared services VPC in an AWS Region with a domain controller in a private subnet in each of two Availability Zones, a DNS server and NAT gateway in a public subnet in each Availability Zone, an internet gateway, and the Amazon Route 53 .2 resolver; domain members in VPC 1, VPC 2 and VPC 3.]

21. Data security – Encryption
• Enable LDAPS on the domain controllers for secure authentication. Active Directory Certificate Services (AD CS) can be used for this purpose.
• Encrypt the Amazon EBS volumes (including C:) attached to the DCs. The easiest way is to use AWS Key Management Service (KMS).
• Consider using a separate customer master key (CMK) for Active Directory and restrict access to it appropriately.
• If you want to use AWS CloudHSM to store your CMK, consider the custom key store.
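An added check (not from the deck) for the EBS bullets above: given volume records in the shape EC2 DescribeVolumes returns, it reports any DC-attached volume, root (C:) volume included, that is unencrypted or encrypted under a key other than the dedicated AD CMK. The instance ids, key ARNs and volume records are constructed.

```python
"""Check that every EBS volume attached to a domain controller, including the
root (C:) volume, is encrypted with the dedicated AD CMK (slide 21). Added
example, not from the deck; the volume records mirror the shape returned by
EC2 DescribeVolumes and the ids/key ARNs are constructed placeholders."""

def audit_dc_volumes(volumes, dc_instance_ids, ad_cmk_arn):
    """Return (volume_id, problem) pairs for DC-attached volumes that are
    unencrypted or encrypted under a key other than the AD CMK."""
    findings = []
    for vol in volumes:
        attached = {a["InstanceId"] for a in vol.get("Attachments", [])}
        if not attached & set(dc_instance_ids):
            continue  # not attached to a DC, out of scope
        if not vol.get("Encrypted"):
            findings.append((vol["VolumeId"], "unencrypted"))
        elif vol.get("KmsKeyId") != ad_cmk_arn:
            findings.append((vol["VolumeId"], f"wrong key {vol.get('KmsKeyId')}"))
    return findings

# Constructed placeholders: the dedicated AD CMK and the two DC instances.
AD_CMK = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-00000000ad00"
DC_INSTANCES = ["i-0dc1example", "i-0dc2example"]

# Constructed sample: DC1 root volume under the AD CMK, DC1 data volume under
# a different key, DC2 root volume unencrypted, and an unrelated app server
# volume that the check must ignore.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0dc1root", "Encrypted": True, "KmsKeyId": AD_CMK,
     "Attachments": [{"InstanceId": "i-0dc1example", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0dc1data", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-0000000000aa",
     "Attachments": [{"InstanceId": "i-0dc1example", "Device": "xvdf"}]},
    {"VolumeId": "vol-0dc2root", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0dc2example", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0app0root", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0app0example", "Device": "/dev/sda1"}]},
]
```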
22. Encryption – Using CloudHSM
[Diagram: AWS KMS with its default key store (the KMS HSM fleet) and a custom key store connector to a CloudHSM cluster in an HSM VPC; the domain controller’s Amazon EBS volume in the Active Directory VPC, like other AWS services, is encrypted through the existing KMS APIs.]

23. Logging, monitoring, and alerting
• Security logs are the best source of information about activity on your identity store. Monitor security logs for anomalies.
• Enable and monitor VPC Flow Logs for troubleshooting and security.
• Consider setting up alerting for key security events in near real time.
• Enable AWS CloudTrail logs in the AWS account and alert on key changes.
• Monitor DCs for availability. Set up Amazon EC2 auto recovery to recover the EC2 instance from a hardware or other failure.
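Slide 16 restricts who may start, stop or terminate the DC instances or touch their EBS volumes and snapshots, and slide 23 asks for CloudTrail alerting on key changes. As an added example (not from the deck), this Python filters CloudTrail records for those EC2 calls against an inventory of DC resources; the resource ids, ARNs and sample records are constructed, in the field layout CloudTrail delivers.

```python
"""Alert on CloudTrail events that touch domain controller instances or their
EBS volumes, the restricted actions of slide 16 and the "alert on key changes"
item of slide 23. Added example, not from the deck; the resource ids, ARNs
and records are constructed samples in the shape CloudTrail delivers."""

# Constructed inventory of the DC account's protected resources.
DC_RESOURCES = {"i-0dc1example", "i-0dc2example", "vol-0dc1root", "vol-0dc2root"}

# EC2 actions the slides say should be restricted for DCs and their volumes.
WATCHED_EVENTS = {
    "StopInstances", "TerminateInstances", "RebootInstances",
    "ModifyInstanceAttribute", "CreateImage", "CreateSnapshot",
    "DetachVolume", "AttachVolume", "ModifySnapshotAttribute",
}

def _strings_in(obj):
    """Yield every string value nested anywhere in requestParameters."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings_in(v)
    elif isinstance(obj, str):
        yield obj

def dc_alerts(records, protected=DC_RESOURCES, watched=WATCHED_EVENTS):
    """One alert per watched EC2 call whose request names a protected
    resource; other services, other calls and other resources are ignored."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") not in watched:
            continue
        hit = sorted(set(_strings_in(rec.get("requestParameters"))) & protected)
        if hit:
            alerts.append({"time": rec.get("eventTime"), "event": rec["eventName"],
                           "actor": rec.get("userIdentity", {}).get("arn"),
                           "source_ip": rec.get("sourceIPAddress"), "resources": hit})
    return alerts

# Constructed sample: a routine stop of a web server (ignored), then a snapshot
# of a DC root volume and a termination of a DC from an unexpected address.
SAMPLE_RECORDS = [
    {"eventTime": "2019-06-25T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/webops"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0web0example"}]}}},
    {"eventTime": "2019-06-25T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"volumeId": "vol-0dc1root", "description": "test"}},
    {"eventTime": "2019-06-25T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0dc2example"}]}}},
]
```

The same filter fits a CloudWatch Events or Lambda subscriber on the trail; the inventory of protected ids is the part to keep current, for example from the tags slide 16 suggests.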
24. Other considerations
• Restrict the number of users who are allowed to log in to domain controllers
• Perform AD administrative tasks from a management server
• Perform regular backups of your Active Directory environment for recovery
• Encrypt and secure your Active Directory backups

25. (section divider, no text)

26. AWS Managed Microsoft AD security
• AWS Managed AD is single tenant. Your DCs contain only your data.
• Most management tasks are done via automation. We have a process for operators when a human touch is required.
• AWS employees don’t have access to the customer’s domain admin credentials. Those are under automated control.
• Domain controller security logs are delivered to Amazon CloudWatch Logs.
• Delegated admin access using predefined users, groups, and OUs.

27. AWS Managed Microsoft AD security (cont’d)
• Account security
  • Centralize AWS Managed Microsoft AD in a single AWS account
  • Restrict access to AWS Directory Service to a limited set of users
  • Follow best practices to secure the AWS root credentials
• Network security
  • The security group limits traffic to just the AD ports and to traffic between domain controllers
  • Use a management server for admin tasks; you cannot RDP to the domain controllers

28. AWS Managed Microsoft AD security (cont’d)
• DNS – Internet name resolution
  • AWS Managed AD uses Route 53 (the .2 resolver) for internet-bound queries
• Encryption
  • EBS volumes are encrypted by default using AWS KMS
  • All snapshots are encrypted and stored securely
  • AWS Managed AD supports LDAPS. Refer to this documentation: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap.html

29. AWS Managed Microsoft AD shared responsibility
AWS responsibility | Customer responsibility
Protect hardware, software, networking, and facilities that run AWS Managed AD | Maintain and manage Active Directory data such as users, groups, OUs, group policies, etc.
Isolation of domain controllers between customers | Configure and manage Active Directory trusts
Protect enterprise/domain admin credentials through automation | Configure and manage network connectivity to the AWS Managed AD VPC/subnets
Apply updates and security patches to the domain controllers | Provide a compatible LDIF file for schema extensions
Encrypt EBS volumes | Manage security groups for AWS Managed AD
Maintain availability of the directory | Configure LDAPS to support applications
Monitor and manage Active Directory replication | Configure integration with RADIUS and MFA infrastructure
Perform daily snapshots of the directory | Add more domain controllers based on performance requirements

30. AWS Managed AD compliance certifications
[Diagram only]

31. AWS Managed Microsoft AD certifications
[Diagram only]

32. (section divider, no text)

33. Thank you!
Vinod Madabushi, vinodmb@amazon.com