(SEC315) AWS Directory Service Deep Dive
AWS Directory Service enables you to create a new Active Directory domain in AWS with Simple AD or to connect your existing Active Directory domain with AD Connector. Learn how to use these offerings to domain join and enable single sign-on (SSO) to your Amazon EC2 Windows and Linux instances, set up federated access to the AWS Management Console, and use Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail.
1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SEC315 AWS Directory Service Deep Dive. Rob Moncur, AWS Senior Product Manager; Sonya Ryherd, Cox Automotive Senior Systems Engineer. October 2015.
2. What to expect from this session
• How can I use AWS Directory Service?
• Demo: Setting up a directory quickly and easily
• Demo: Domain join Windows and Linux
• Federation with Directory Service
• Discussion and demo with Sonya Ryherd from Cox Automotive
• WorkSpaces, WorkDocs, WorkMail integration
• Demo: Login and SSO with WorkSpaces and WorkDocs
• A few things to keep in mind
• Q&A in the AWS Security Booth
3. Managing servers at scale is difficult
4. What is AWS Directory Service?
• Simple AD: a new directory in AWS, based on Samba 4
• AD Connector: connects your existing on-premises directory to AWS through a custom federation proxy
5. Demo 1: Setting up a new directory (Simple AD)
6. Demo 2: Joining instances to a directory (Simple AD; EC2 Windows and EC2 Linux)
7. Joining your Linux instance
# Step 1 - Log in to the instance
ssh -i "tuesday-demo.pem" ec2-user@xxx.xxx.xxx.xxx
# Step 2 - Apply updates and install SSSD, realmd and the Kerberos client tools
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
# Step 3 - Join the instance to the directory (prompts for the directory administrator's password)
sudo realm join -U administrator@tuesday.mydirectory.com tuesday.mydirectory.com --verbose
# Step 4 - Allow password logins over SSH so directory users can authenticate with their AD password.
# This widens the SSH attack surface, so keep the instance's security group restricted to trusted sources.
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
# Start SSSD
sudo service sssd start
# Step 5 - Restart the instance from the AWS console (picks up the sshd change), then log back in.
# Step 6 - Grant sudo to the directory's Domain Admins group. The space in the group name must be escaped in sudoers.
sudo visudo -f /etc/sudoers
%Domain\ Admins@tuesday.mydirectory.com ALL=(ALL:ALL) ALL
# Step 7 - Restrict logins to an explicit list of directory users (realm permit replaces the default allow-all access rule)
sudo realm permit administrator@tuesday.mydirectory.com
sudo realm permit casey@tuesday.mydirectory.com
# Step 8 - Log in as a directory user (SSSD uses fully qualified names by default, hence user@domain@host)
ssh casey@tuesday.mydirectory.com@xxx.xxx.xxx.xxx
8. Managing federation to AWS
• Before: set up and manage your own SAML infrastructure and assign roles to users manually
• Now it is easier: AD Connector federates AD users and groups directly into IAM roles
9. Sonya Ryherd, Sr. Systems Engineer, Cox Automotive
10. Who is Cox Automotive?
11. Our account hierarchy (diagram)
• Master billing account
• Production management (shared services account)
  – Application #1: VPC #1, VPC #2
  – Application #2: VPC #1
• Nonproduction management (shared services account)
  – Application #1: VPC #1, VPC #2, VPC #3
  – Application #2: VPC #1, VPC #2
12. Account access nightmare
• No centralized access management: eight AWS accounts, each with its own IAM users
• Multiple IAM users required to manage each application
• Users confused: what account/role/URL do I use to manage Application X?
13. AD Connector federation
1) Assign IAM roles (ReadOnly, Admin, S3-Access) to AD users and groups (User1, User2, Group1) via the AWS Directory Service console
2) AD users log in via the access URL mycompany.awsapps.com/console
Behind the scenes: 1 – log in using AD credentials; 2 – LDAP and Kerberos requests are proxied over VPN to the on-premises AD; 3 – AssumeRole into the AWS Management Console
14. Cross-account access
15. Cross Account Access Demo - Video
16. Cross-account access with AD Connector federation (diagram)
Management account: AD Connector maps AD users into four roles, CAA-AdministratorAccessRole, CAA-NetworkAccessRole, CAA-CloudEngineerRole and CAA-ReadOnlyAccessRole (login via mycompany.awsapps.com/console). Each CAA role's permission policy allows sts:AssumeRole only into the matching role in the application accounts, e.g. for CAA-NetworkAccessRole:
"Action": "sts:AssumeRole",
"Resource": [
  "arn:aws:iam::[account1-id]:role/IAM-1-NetworkAccessRole-*",
  "arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-*"
]
Application account: the matching roles (AdministratorAccessRole, NetworkAccessRole, CloudEngineerRole, ReadOnlyAccessRole) each trust only the corresponding management-account role in their assume-role policy document (trusted entities), e.g.:
"Principal": { "AWS": "arn:aws:iam::[management-account-id]:role/CAA-NetworkAccessRole" },
"Action": "sts:AssumeRole"
Flow: 1 – AD login; 2 – federated into the management-account CAA role; 3 – Switch role; 4 – land in the application-account role. A user can only reach the application-account role whose name matches the management-account role they federated into.
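As an added example (mine, not code from the SEC315 deck or from Cox Automotive), the following Python builds the two policy halves of the cross-account pattern on slide 16 and evaluates, in miniature, whether a Switch role would succeed. It makes the point the slide only implies: the call succeeds only when the caller's permission policy and the target role's trust policy both allow it, and an explicit Deny on either side wins. The account IDs, the ABC123 role-name suffix and the CAA-/IAM-1- prefixes are assumptions modelled on the slide.

```python
"""Added example: the two policy halves of slide 16's cross-account role pattern, plus an evaluator.
Not the deck's or Cox Automotive's code; account IDs and suffixes are assumed."""
import fnmatch
import json

MGMT_ACCOUNT = "111111111111"                       # assumed management account
APP_ACCOUNTS = ["222222222222", "333333333333"]     # assumed application accounts
ROLE_NAMES = ["AdministratorAccessRole", "NetworkAccessRole",
              "CloudEngineerRole", "ReadOnlyAccessRole"]


def mgmt_role_arn(role_name):
    """ARN of the federated role an AD user lands in via AD Connector (management account)."""
    return f"arn:aws:iam::{MGMT_ACCOUNT}:role/CAA-{role_name}"


def mgmt_permission_policy(role_name, accounts=APP_ACCOUNTS):
    """Permission policy on CAA-<role>: may assume only the *matching* role in each application
    account. The trailing -* absorbs the random suffix CloudFormation appends to role names."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [f"arn:aws:iam::{acct}:role/IAM-1-{role_name}-*" for acct in accounts],
    }]}


def app_trust_policy(role_name):
    """Assume-role (trust) policy on the application-account role: trusts exactly one principal,
    the matching CAA- role in the management account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": mgmt_role_arn(role_name)},
        "Action": "sts:AssumeRole",
    }]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _decision(policy, statement_matches):
    """IAM evaluation order in miniature: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if not statement_matches(st):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def permission_allows(policy, target_role_arn):
    """Caller side: does the permission policy allow sts:AssumeRole on this exact target ARN?
    IAM's * and ? wildcards on ARNs are approximated with case-sensitive shell globbing."""
    def matches(st):
        return (any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(target_role_arn, r) for r in _as_list(st["Resource"])))
    return _decision(policy, matches)


def trust_allows(trust_policy, caller_role_arn):
    """Target side: does the trust policy name the caller (exact ARN match, or "*") as principal?"""
    def matches(st):
        principal = st.get("Principal", {})
        principals = _as_list(principal) if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        return ("sts:AssumeRole" in _as_list(st["Action"])
                and (caller_role_arn in principals or "*" in principals))
    return _decision(trust_policy, matches)


def can_assume(caller_role_arn, caller_policy, target_role_arn, target_trust):
    """Both halves must agree; a permissive policy on one side cannot compensate for the other."""
    return permission_allows(caller_policy, target_role_arn) and trust_allows(target_trust, caller_role_arn)


def evaluate(caller_role_name, target_account, target_role_name, caller_policy=None):
    """CAA-<caller> in the management account tries to switch into IAM-1-<target>-ABC123
    (assumed suffix) in target_account. caller_policy overrides the generated permission policy."""
    caller_arn = mgmt_role_arn(caller_role_name)
    policy = caller_policy or mgmt_permission_policy(caller_role_name)
    target_arn = f"arn:aws:iam::{target_account}:role/IAM-1-{target_role_name}-ABC123"
    return can_assume(caller_arn, policy, target_arn, app_trust_policy(target_role_name))


if __name__ == "__main__":
    for name in ROLE_NAMES:
        print(json.dumps(mgmt_permission_policy(name), indent=2))
        print(json.dumps(app_trust_policy(name), indent=2))
    print(evaluate("NetworkAccessRole", "222222222222", "NetworkAccessRole"))        # True
    print(evaluate("NetworkAccessRole", "222222222222", "AdministratorAccessRole"))  # False
```

The generated documents are what you would paste into the management-account role's inline policy and the application-account role's trust relationship; run the evaluator against a deliberately over-broad caller policy ("Resource": "*") to confirm that the application-account trust policy still refuses a mismatched CAA role.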
17. Directory Services / Cross Account Access Demo - Video
18. Retrieving tokens for API access with ALKS (diagram)
[Flow: the user browses to the ALKS URL; the browser interface authenticates the user against Windows Active Directory; ALKS requests tokens from AWS (GetFederatedTokens); the result is returned either as a pop-up showing the keys for API access or as a redirect to the AWS Management Console.]
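As an added example (mine, not ALKS's code), the following Python shows the two hand-offs at the end of the slide 18 flow once the broker holds temporary credentials: building the AWS federation-endpoint URLs that turn those credentials into a console sign-in (the "redirect to the AWS Management Console" arrow), and formatting them as a CLI profile (the "pop-up showing keys" arrow). The credential values, the issuer URL and the profile name are constructed; the only network call is isolated in its own function.

```python
"""Added example: console sign-in URL and credentials profile from STS temporary credentials,
the last hop of the ALKS flow on slide 18. Not ALKS's code; sample credentials are constructed."""
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

# Constructed stand-in for the Credentials block STS returns (GetFederationToken / AssumeRole).
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "examplesecretkey/exampleexamplesecretkey",
    "SessionToken": "FQoDYXdzEExampleSessionToken==",
    "Expiration": "2015-10-08T18:00:00Z",
}


def signin_token_url(creds, session_duration=None):
    """Step 1 of the federation-endpoint flow: the broker (never the browser) calls getSigninToken
    with the temporary credentials packed as JSON in the Session parameter."""
    session = {"sessionId": creds["AccessKeyId"],
               "sessionKey": creds["SecretAccessKey"],
               "sessionToken": creds["SessionToken"]}
    params = {"Action": "getSigninToken", "Session": json.dumps(session)}
    if session_duration is not None:        # only honoured for AssumeRole-derived credentials
        params["SessionDuration"] = str(session_duration)
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def fetch_signin_token(creds):
    """Network call (not exercised offline): returns the SigninToken from the endpoint's JSON reply."""
    with urllib.request.urlopen(signin_token_url(creds)) as resp:
        return json.load(resp)["SigninToken"]


def console_login_url(signin_token, issuer, destination="https://console.aws.amazon.com/"):
    """Step 2: the URL the broker redirects the browser to. Issuer is where the console sends the
    user when the session expires; only the SigninToken, never the keys, reaches the browser."""
    params = {"Action": "login", "Issuer": issuer, "Destination": destination,
              "SigninToken": signin_token}
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_federation_url(url):
    """Decode a federation URL back into its parameters (Session JSON expanded), to check exactly
    what would be sent before wiring this into a real broker."""
    query = urllib.parse.urlsplit(url).query
    params = {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}
    if "Session" in params:
        params["Session"] = json.loads(params["Session"])
    return params


def credentials_profile(creds, profile="alks"):
    """The 'pop-up showing keys' alternative: an ~/.aws/credentials stanza for CLI/SDK use.
    The expiration is kept as a comment so the user knows when to go back to the broker."""
    return "\n".join([
        f"[{profile}]",
        f"aws_access_key_id = {creds['AccessKeyId']}",
        f"aws_secret_access_key = {creds['SecretAccessKey']}",
        f"aws_session_token = {creds['SessionToken']}",
        f"# expires {creds['Expiration']}",
        "",
    ])


if __name__ == "__main__":
    print(signin_token_url(SAMPLE_CREDS))
    print(console_login_url("SIGNIN-TOKEN-FROM-STEP-1", "https://alks.example.com/"))
    print(credentials_profile(SAMPLE_CREDS))
```

The getSigninToken request carries the secret key and session token, so it must be made server-side over TLS by the broker; the browser should only ever see the login URL with the opaque SigninToken.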
19. ALKS Demonstration (ALKS Demo - Video)
20. https://github.com/AirLiftKeyServices/ALKS
21. AWS Applications integration
22. AWS Applications integration: WorkSpaces, WorkDocs and WorkMail all authenticate against Simple AD or AD Connector
23. AWS Applications integration: Access URL https://mycompany.awsapps.com
24. Demo 5: WorkSpaces and WorkDocs SSO (Simple AD; EC2 Windows, EC2 Linux, a WorkSpace and a WorkDocs site joined to the same directory)
25. Things to keep in mind
26. Samba 4 compatibility (Simple AD)
• Users: 500 (small) / 5,000 (large)
• ADUC compatibility: use the Windows Server 2008 R2 version of Active Directory Users and Computers
• Windows PowerShell cmdlets not supported
• Schema extensions not supported
• Domain forests/trusts not supported
• Only 2 domain controllers
• No LDAPS (LDAP over TLS)
• No MFA
27. AD Connector
• A federation mechanism to AWS
• A pure proxy: no directory information is cached in AWS
• Not a way around your firewall: the connector still needs network connectivity (VPN or Direct Connect) and the required AD ports opened to your domain controllers
• Availability is tied to your on-premises network
• Set up a domain controller in your VPC to reduce dependency on the on-premises link
28. APIs + AWS CloudTrail
• Create and configure directories via the API
• All Directory Service API calls are logged in CloudTrail
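Slide 28 notes that every Directory Service API call lands in CloudTrail but does not say what to look for. As an added example (mine, not from the deck), the following Python runs a small detection pass over constructed CloudTrail records from ds.amazonaws.com: it rates the posture-changing calls (create/connect/delete, alias, SSO and RADIUS changes) by an assumed severity table, flags calls from outside an assumed corporate egress range, and keeps failed attempts (AccessDenied) rather than dropping them. The event names are real Directory Service actions; the records, severities, CIDR and identities are constructed.

```python
"""Added example: a minimal CloudTrail detection pass for Directory Service (ds.amazonaws.com)
events. Not from the SEC315 deck; records, severity table and network range are constructed."""
import ipaddress
import json

# Directory Service actions that change trust or SSO posture (assumed severities; tune to taste).
SEVERITY = {
    "CreateDirectory": "medium", "ConnectDirectory": "medium", "DeleteDirectory": "high",
    "CreateAlias": "medium", "EnableSso": "high", "DisableSso": "medium",
    "EnableRadius": "medium", "CreateComputer": "low",
}
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed admin egress range

# Constructed records shaped like CloudTrail output (four DS calls plus one unrelated EC2 call).
CONSTRUCTED_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.03", "eventTime": "2015-10-08T16:01:12Z", "eventSource": "ds.amazonaws.com",
     "eventName": "CreateDirectory", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "rob",
                      "arn": "arn:aws:iam::111111111111:user/rob"},
     "requestParameters": {"name": "tuesday.mydirectory.com", "shortName": "tuesday", "size": "Small"},
     "responseElements": {"directoryId": "d-9067example"}},
    {"eventVersion": "1.03", "eventTime": "2015-10-08T16:02:40Z", "eventSource": "ds.amazonaws.com",
     "eventName": "DescribeDirectories", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "rob"},
     "requestParameters": {}, "responseElements": None},
    {"eventVersion": "1.03", "eventTime": "2015-10-08T16:10:05Z", "eventSource": "ds.amazonaws.com",
     "eventName": "EnableSso", "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/CAA-AdministratorAccessRole/sonya"},
     "requestParameters": {"directoryId": "d-9067example"}, "responseElements": None},
    {"eventVersion": "1.03", "eventTime": "2015-10-08T16:11:30Z", "eventSource": "ds.amazonaws.com",
     "eventName": "DeleteDirectory", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "casey",
                      "arn": "arn:aws:iam::111111111111:user/casey"},
     "requestParameters": {"directoryId": "d-9067example"}, "responseElements": None,
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: ds:DeleteDirectory"},
    {"eventVersion": "1.03", "eventTime": "2015-10-08T16:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "rob"},
     "requestParameters": {}, "responseElements": None},
]})


def actor(record):
    """Best identifier for who made the call: the ARN (covers assumed roles), else the user name."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def off_network(ip):
    """True when the source address is outside CORP_NETWORKS. CloudTrail can record a service
    name (e.g. a DNS name) instead of an address; treat that as not off-network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in CORP_NETWORKS)


def scan(trail_json):
    """Return one finding per posture-changing Directory Service call, in trail order.
    Failed calls are kept and marked: a denied DeleteDirectory is itself worth a look."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ds.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in SEVERITY:
            continue
        params = rec.get("requestParameters") or {}
        response = rec.get("responseElements") or {}
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": name,
            "severity": SEVERITY[name],
            "actor": actor(rec),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "offNetwork": off_network(rec.get("sourceIPAddress", "")),
            "failed": "errorCode" in rec,
            "directoryId": params.get("directoryId") or response.get("directoryId"),
        })
    return findings


if __name__ == "__main__":
    for f in scan(CONSTRUCTED_TRAIL):
        print(json.dumps(f))
```

Point the same scan at real trail files (the gzipped JSON objects CloudTrail delivers to S3 have the same "Records" shape) and the directoryId field lets you join CreateDirectory, EnableSso and DeleteDirectory events for one directory into a single timeline.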
29. Demo 6: Create directory via AWS CLI
30. Regional availability
31. Get started today! Visit our website: aws.amazon.com/directoryservice. 30-day free trial for small directories.
32. Remember to complete your evaluations!
33. Thank you! Q&A in the AWS Security Booth
34. Related Sessions
35. Demo 1: Create a new Simple AD
36. Demo 2: EC2 Windows Seamless Domain Join
37. Demo 2: Domain Join EC2 Linux Instance (same steps as slide 7)
38. Demo 5: WorkSpaces + WorkDocs SSO
39. Demo 6: Create a directory via CLI