Chloe McAree (McAteer)

AWS Active Directory


This is part of a blog series giving a high-level overview of the different services examined on the AWS Solution Architect Associate exam. To view the whole series, click here.

Managed Microsoft Active Directory

  • Also known as AWS Directory Service

  • Allows you to administer all of your users and devices

  • Allows your directory-aware AWS resources to use a managed Active Directory in AWS

  • Makes it easy to migrate on-premises workloads, as it is built on actual Microsoft AD, so it does not require any replication of your existing directory to the cloud.

  • Allows you to use features like Group Policy and Single Sign-On

  • Highly available as directories are deployed across multiple Availability Zones and failovers are detected automatically.

  • A common use case would be to extend your on-premises directory using an AD trust with AWS Managed Microsoft AD, so that your on-premises and cloud directories remain separated while your users can still access AWS as needed.

Simple Active Directory

  • Standalone managed directory powered by Samba 4 Active Directory

  • Enables a subset of the features Managed Microsoft AD offers, for example: managing user accounts, group permissions, connecting to EC2 instances etc.

  • Comes in small (up to 500 users) or large (up to 5000 users)

  • Makes it easier to manage EC2 and deploy Windows applications to the cloud

  • Takes daily automated snapshots, so it can enable point-in-time recovery.

  • Can be used for Linux workloads that need LDAP

  • However, some features it does not support include multi-factor authentication, trusts with on-premises directories, and group managed service accounts.

Active Directory Connector

  • A directory gateway for directing requests to your on-premises Active Directory, without caching information in the cloud.

  • Allows on-premises users to log into AWS

  • Can use multiple AD Connectors to spread the load to match performance needs

  • Cannot be used across different AWS accounts

Cloud Directory

  • Hierarchical data store fully managed by AWS

  • Can have multiple hierarchies with hundreds/millions of objects

  • Some common use cases include: directories for organisational charts, course catalogs, and device registries.

  • Integrated with CloudTrail and resource tagging

Amazon Cognito

  • Enables user sign-up and sign-in to web/mobile applications

  • Can scale to millions of users

  • Works with social identity providers like Apple, Facebook, Google etc.

  • Cognito user pools are secure directories for users and are fully managed


  • Services that are compatible with Active Directory are: Managed Microsoft AD, AD Connector and Simple AD.

  • Services that are not compatible with Active Directory are: Cloud Directory and Cognito user pools.