
SID202_Deep Dive on How Capital One Automates the Delivery of Directory Services across AWS Accounts


Traditional solutions for using Microsoft Active Directory across on-premises and AWS Cloud Windows workloads can require complex networking or synching identities across multiple systems. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed AD, offers you actual Microsoft Active Directory on the AWS Cloud as a managed service. In this session, you learn how Capital One uses AWS Managed AD to provide highly available authentication and authorization services for its Windows workloads, such as Amazon RDS for SQL Server. We detail how Capital One uses Lambda, Python, and PowerShell with cross-account AWS Identity and Access Management (IAM) roles to automate directory deployment across AWS accounts. We also cover best practices for integrating AWS Managed AD with your on-premises domain securely, and show you how to automate the joining of AWS resources to your managed domain.


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT
     Deep Dive on How Capital One Automates the Delivery of Directory Services across AWS Accounts
     Kenny Hill - Capital One; Kuntal Mitra - Capital One; Peter O'Donnell - Amazon Web Services
     SID202, November 27, 2017
  2. Introduction: AWS/Capital One collaboration
  3. Capital One Deployment Architecture
     How do we create, secure, and administer AWS Microsoft AD given segregation of duties?
     (Diagram: Secure AWS Account - Cloud Resource Management; AD AWS Account - Identity Management; LOB Accounts - RDS for SQL customers)
  4. Capital One Deployment Architecture
     How do we create, secure, and administer AWS Microsoft AD given segregation of duties?
     (Diagram: numbered build flow between EC2 PowerShell in the AD AWS Account, the Secure AWS Account and the LOB Accounts. Steps shown: Invoke, Assume Role, Create & Configure Directory, Discover Directory, Add DNS A Records, Create Incoming Trust, Complete Directory Trust, Rename Default Site, Configure Groups, Validate)
  5. Capital One Deployment Architecture
     (Diagram: EC2 PowerShell in the AD account)
  6. Start from AD Account (PowerShell)
     Amazon EC2 IAM Role
       • Secure Cross Account Role
       • Invoke AWS Step Functions
       • Invoke AWS Lambda
     Invoke PowerShell Script
       • Set-AWSCredentials
       • Use-STSRole
     (Diagram: EC2 PowerShell in the AD Account assumes a role into the Secure AWS Account)
  7. Create and Configure Directory (Secure AWS Account)
       • Start Build: Start-SFNExecution
       • Create AWS Directory: create_microsoft_ad
       • Configure Monitoring: create_topic, subscribe, register_event_topic
       • Discover and Update Security Group: describe_security_groups, revoke_security_group_egress, revoke_security_group_ingress, authorize_security_group_ingress, authorize_security_group_egress
       • Increase Domain Controllers: update_number_of_domain_controllers
       • Create DNS SRV and A records: describe_domain_controllers, change_resource_record_sets
     (Diagram: EC2 PowerShell assumes a role into the Secure AWS Account and initiates the build)
  8. Discover Directory in LOB Account (Secure AWS Account)
       • Assume LOB Account Role
       • Read Directory Services
       • Read VPC and Subnets
       • Get Domain Controller IPs and hostnames: Get-DSDirectory, Get-DSDomainControllerList, Resolve-DNSName
     (Diagram: EC2 PowerShell assumes a role into the LOB Account after initiating the build)
  9. Create A Records in Route 53
       • Call Lambda Function: Invoke-LMFunction
       • Create DNS A Records: change_resource_record_sets
     (Diagram: EC2 PowerShell assumes roles into the LOB Account and the Secure AWS Account)
  10. Create Trust from AWS to Capital One AD
       • Create Incoming Trust: DirectoryServices
       • Create Outgoing Trust: create_trust
     (Diagram: EC2 PowerShell in the AD Account assumes a role into the Secure AWS Account)
  11. Create Trust from AWS to Capital One AD
       • Create Incoming Trust: DirectoryServices
       • Create Outgoing Trust: create_trust
     (Diagram: forest trust between the AD Account and the directory in the LOB Account, via the Secure AWS Account role)
  12. Rename Default Site
       • Create Incoming Trust: DirectoryServices
       • Create Outgoing Trust: create_trust
     (Diagram: forest trust between the AD Account and the LOB Account; remote PowerShell via VPC peer)
  13. Rename Default Site
       • Get LOB VPC CIDR Block: Get-EC2Vpc
       • Get AD Site for peer to VPC: Get-ADReplicationSubnet
       • Rename Default Site to match AD Site: Rename-ADObject
       • Add Directory Support Groups: Add-ADPrincipalGroupMembership
       • Validation: Get-DSDomainControllerList, Get-DSTrust, Get-DSDirectory, Get-ADTrust
     (Diagram: EC2 PowerShell in the AD Account reaches the LOB Account AD by remote PowerShell via VPC peer)
  14. Recap
  15. Thank you!
      Deep Dive on How Capital One Automates the Delivery of Directory Services across AWS Accounts (SID202)
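The "Discover and Update Security Group" step on slide 7 amounts to replacing whatever rules the directory was created with by a least-privilege set that admits only the AD ports from trusted ranges. As an added example (not Capital One's or AWS's code), the Python below does that reconciliation with the same boto3 calls the slide names; the client is passed in, so it runs offline against the constructed FakeEc2 class, and TRUSTED_CIDRS and AD_PORTS are assumed values (the port list is an illustrative subset).

```python
# Added example, not Capital One's or AWS's code: tighten the security group that AWS Managed
# AD attaches to its domain controllers to a least-privilege rule set, using the boto3 calls
# named on slide 7.  The client is a parameter so the block runs offline against the
# constructed FakeEc2 below; pass boto3.client("ec2") for real use.  Values below are assumed.
TRUSTED_CIDRS = ["10.10.0.0/16", "10.20.0.0/16"]   # LOB VPC and on-prem ranges (assumed)
AD_PORTS = [("tcp", 53, 53), ("udp", 53, 53), ("tcp", 88, 88), ("udp", 88, 88),
            ("udp", 123, 123), ("tcp", 389, 389), ("udp", 389, 389), ("tcp", 445, 445),
            ("tcp", 636, 636), ("tcp", 3268, 3269)]   # illustrative subset of the AD ports

def desired_rules(cidrs):
    """One IpPermission per AD port, each restricted to the trusted CIDRs."""
    return [{"IpProtocol": p, "FromPort": f, "ToPort": t,
             "IpRanges": [{"CidrIp": c} for c in cidrs]} for p, f, t in AD_PORTS]

def reconcile_directory_sg(ec2, sg_id, cidrs=TRUSTED_CIDRS):
    """Revoke whatever rules the directory build left on the group, then authorize only the
    AD ports to and from the trusted CIDRs.  Returns the number of ingress rules revoked."""
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    if sg["IpPermissions"]:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=sg["IpPermissions"])
    if sg["IpPermissionsEgress"]:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=sg["IpPermissionsEgress"])
    rules = desired_rules(cidrs)
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=rules)
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=rules)  # symmetric egress
    return len(sg["IpPermissions"])

def exposed_cidrs(ec2, sg_id):
    """Validation check: every CIDR that can currently reach the group on any port."""
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    return {r["CidrIp"] for perm in sg["IpPermissions"] for r in perm["IpRanges"]}

class FakeEc2:
    """Constructed stand-in for boto3.client('ec2') that keeps one group in memory."""
    def __init__(self, sg_id, ingress, egress):
        self.g = {"GroupId": sg_id, "IpPermissions": list(ingress), "IpPermissionsEgress": list(egress)}
    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{k: list(v) if isinstance(v, list) else v for k, v in self.g.items()}]}
    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.g["IpPermissions"] = [r for r in self.g["IpPermissions"] if r not in IpPermissions]
    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.g["IpPermissionsEgress"] = [r for r in self.g["IpPermissionsEgress"] if r not in IpPermissions]
    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.g["IpPermissions"].extend(IpPermissions)
    def authorize_security_group_egress(self, GroupId, IpPermissions):
        self.g["IpPermissionsEgress"].extend(IpPermissions)
```

Run `exposed_cidrs` before and after `reconcile_directory_sg` as the validation step from slide 13: the "0.0.0.0/0" entry should disappear and only the trusted ranges remain.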
