Setting up an AWS managed Active Directory and AWS Identity Center.

This post describes configuring AWS IAM Identity Center with a managed AD. The first section covers how to configure the managed Active Directory, the second covers how to configure IAM Identity Center, and the last part verifies the configuration by authenticating through IAM Identity Center.

There are three options for setting up a managed directory:

  • Simple AD
  • AWS Managed Microsoft AD
  • AD Connector

Simple AD is a standalone managed directory built on Samba-based, Active Directory-compatible directory services. AWS Managed Microsoft AD, the option used in this post, is an actual Microsoft Active Directory running on domain controllers that AWS operates. AD Connector is a proxy for an existing Active Directory: requests from AWS services are forwarded through the connector to the existing directory. AD Connector comes in two sizes, small and large, depending on the number of requests made.

A VPC with appropriate subnets across multiple availability zones is required to set up AWS Managed Microsoft AD. In our case, two public subnets and two private subnets were already deployed, as shown below.

To start the configuration of the managed AD, choose Directory Service from the services menu

Choose the appropriate region (N. Virginia in this case), select AWS Managed Microsoft AD as the directory type and click Set up directory

Select AWS Managed Microsoft AD and click Next

Choose the edition required; in this case Standard Edition will be used

The next steps are to enter the Directory DNS name, the Directory NetBIOS name if needed, and an optional description

Enter a strong password for the administrative account of the managed AD and click Next. A strong password should include uppercase and lowercase letters, numbers and special characters, with a minimum length of 25

Choose the previously created VPC and private subnets and click Next

Verify the options and click Create directory

Verify the status, and after a few minutes, the status will change from Creating to Active

Click on the directory ID

If you do not already have a machine to administer the AWS Managed Microsoft AD, click the Actions button, choose Launch directory administration EC2 instance and click Submit. Once the instance is provisioned, you can manage the newly created AD from it
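The same directory creation can be done from the AWS CLI instead of the console. The script below is an added example and is not code from the original post: it enforces the post's password rule before submitting, sends the request body through `--cli-input-json` so the administrative password does not land in the process argument list or shell history, and polls the directory stage until it reaches Active. The DNS name, NetBIOS name, VPC and subnet IDs are placeholder values supplied by the caller.

```shell
# Added example (not from the post): create an AWS Managed Microsoft AD with the
# AWS CLI. All identifiers passed to the functions are placeholders.
set -eu

# Enforce the post's password rule for the directory Admin account: at least
# 25 characters with upper-case, lower-case, digit and special character.
# Exit status 0 = acceptable, 1 = rejected.
check_ad_password() {
  pw="$1"
  [ "${#pw}" -ge 25 ] || return 1
  case "$pw" in *[[:upper:]]*) ;; *) return 1 ;; esac
  case "$pw" in *[[:lower:]]*) ;; *) return 1 ;; esac
  case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac
  case "$pw" in *[![:alnum:]]*) ;; *) return 1 ;; esac
  return 0
}

# Escape a value for embedding in a JSON string (backslash and double quote).
json_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Render the create-microsoft-ad request body. Feeding it through
# --cli-input-json keeps the password out of `ps` output and shell history,
# where a --password argument would expose it.
# Args: dns_name netbios_name vpc_id subnet_a subnet_b password
render_create_ad_json() {
  check_ad_password "$6" || { echo "password does not meet policy" >&2; return 1; }
  printf '{\n  "Name": "%s",\n  "ShortName": "%s",\n  "Password": "%s",\n  "Edition": "Standard",\n  "VpcSettings": { "VpcId": "%s", "SubnetIds": ["%s", "%s"] }\n}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$6")" \
    "$(json_escape "$3")" "$(json_escape "$4")" "$(json_escape "$5")"
}

# Submit the request from a 0600 temp file and print the new directory ID.
create_managed_ad() {
  umask 077
  req="$(mktemp)"
  render_create_ad_json "$@" > "$req"
  aws ds create-microsoft-ad --cli-input-json "file://$req" \
      --query DirectoryId --output text
  rm -f "$req"
}

# Poll until the directory Stage reaches Active (the console's "Creating" ->
# "Active" transition); stop early on a terminal failure state.
wait_for_active() {
  dir_id="$1"
  while :; do
    stage="$(aws ds describe-directories --directory-ids "$dir_id" \
      --query 'DirectoryDescriptions[0].Stage' --output text)"
    case "$stage" in
      Active) echo "$dir_id is Active"; return 0 ;;
      Failed|Inoperable|Deleted) echo "directory entered stage $stage" >&2; return 1 ;;
      *) echo "stage: $stage, waiting..."; sleep 30 ;;
    esac
  done
}

# Usage (only runs when explicitly requested, because it calls AWS):
#   RUN_EXAMPLE=1 AD_ADMIN_PASSWORD='...' sh create-managed-ad.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  id="$(create_managed_ad corp.example.com CORP vpc-0123456789abcdef0 \
        subnet-0aaaaaaaaaaaaaaaa subnet-0bbbbbbbbbbbbbbbb "$AD_ADMIN_PASSWORD")"
  wait_for_active "$id"
fi
```

The two subnets must be in different availability zones of the given VPC, matching the two private subnets the post deploys; the password is read from an environment variable so that it is never typed into a command line.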

The next step is to start configuring AWS IAM Identity Center. It is assumed that AWS Organizations is already configured. Go to the required region (N. Virginia in this case) and open IAM Identity Center from the services menu

and click the Enable button

Click on the Customize button

Enter a user-friendly, unique subdomain, retype the same subdomain to confirm, and click Save

Once done, the AWS access portal is accessible at your user-friendly URL

Click the Settings option in IAM Identity Center

Click the Management tab and click Register account under Delegated administrator. It is highly recommended to delegate IAM Identity Center administration to a separate AWS account within the organization, to be used for authentication.

It is important to give all users access to the delegated account first, as per the warning below.

Choose the appropriate account from the organizational structure and click Register account

Click Identity source and click Change identity source

In this case, choose Active Directory and click Next

Select the previously created Active Directory and click Next (note that the Active Directory and IAM Identity Center need to be in the same region)

Type Accept and click Change identity source

The next step is to add users and groups to the sync scope by clicking Start guided setup

Check the settings and click Next

The next step is to configure the sync scope. Choose between Users or Groups (in this case groups will be used) and add the groups required

The two groups, aws-readonly and aws-readwrite, are configured in the Active Directory as shown below

and each group contains a user

Once all the groups or users are assigned, click Resume Sync

The next step is to create the permission sets by selecting Permission sets from the Multi-account permissions menu

Choose the Create permission set button

and choose Predefined permission set

First, ReadOnlyAccess will be configured by selecting ReadOnlyAccess and clicking Next

Enter a description for the permission set if needed, change the session duration from the default of 1 hour if needed, and click Next

Verify the settings and click Create

Repeat the same process for AdministratorAccess by clicking Create permission set and choosing AdministratorAccess. Once both permission sets are created, a similar output should be visible

The next step is to assign the newly created permission sets to the appropriate organizational unit or AWS accounts by clicking AWS accounts under Multi-account permissions

Choose the relevant organizational unit or AWS account

and click Assign users or groups

Select Groups, then the aws-readonly group (in this case), and click Next

Check ReadOnlyAccess and click Next

Review the settings and click Submit

Repeat the same process for AdministratorAccess; once ready, a similar output should be visible with both permission sets assigned to the AWS account
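The permission set and assignment steps above (Create permission set through Assign users or groups) map onto a handful of `sso-admin` and `identitystore` CLI calls. The script below is an added example, not code from the post: it creates the two predefined permission sets from their AWS managed policies, looks up the synced AD groups by display name, and assigns each group to one account. The account ID and session duration are placeholders; note that the API assigns per account, so choosing an OU in the console is equivalent to repeating the assignment for each member account.

```shell
# Added example (not from the post): create the ReadOnlyAccess and
# AdministratorAccess permission sets and assign the synced AD groups to an
# account with the AWS CLI. TARGET_ACCOUNT_ID is a placeholder the caller sets.
set -eu

# Translate a session duration in hours into the ISO 8601 form the API expects.
# Permission sets allow 1..12 hours; the console default is 1 hour.
session_duration() {
  hours="$1"
  case "$hours" in
    ''|*[![:digit:]]*) echo "hours must be a whole number" >&2; return 1 ;;
  esac
  [ "$hours" -ge 1 ] && [ "$hours" -le 12 ] || { echo "hours must be 1..12" >&2; return 1; }
  printf 'PT%sH\n' "$hours"
}

# AWS managed policy ARN behind a predefined permission set name.
managed_policy_arn() { printf 'arn:aws:iam::aws:policy/%s\n' "$1"; }

# Reject anything that is not a 12-digit account ID before calling the API.
is_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Discover the Identity Center instance ARN and its identity store ID (the
# store holds the users and groups synced from the managed AD).
identity_center_instance() {
  aws sso-admin list-instances \
    --query 'Instances[0].[InstanceArn,IdentityStoreId]' --output text
}

# Create a permission set, attach the managed policy of the same name and
# print the permission set ARN. Args: instance_arn name session_hours
create_predefined_permission_set() {
  instance_arn="$1"; name="$2"; hours="$3"
  ps_arn="$(aws sso-admin create-permission-set --instance-arn "$instance_arn" \
      --name "$name" --session-duration "$(session_duration "$hours")" \
      --query PermissionSet.PermissionSetArn --output text)"
  aws sso-admin attach-managed-policy-to-permission-set \
      --instance-arn "$instance_arn" --permission-set-arn "$ps_arn" \
      --managed-policy-arn "$(managed_policy_arn "$name")"
  printf '%s\n' "$ps_arn"
}

# Resolve a synced AD group to its identity store GroupId by display name.
group_id_by_name() {
  aws identitystore get-group-id --identity-store-id "$1" \
    --alternate-identifier "UniqueAttribute={AttributePath=DisplayName,AttributeValue=$2}" \
    --query GroupId --output text
}

# Assign one group with one permission set to one account.
assign_group_to_account() {
  instance_arn="$1"; account_id="$2"; ps_arn="$3"; group_id="$4"
  is_account_id "$account_id" || { echo "bad account id: $account_id" >&2; return 1; }
  aws sso-admin create-account-assignment --instance-arn "$instance_arn" \
    --target-id "$account_id" --target-type AWS_ACCOUNT \
    --permission-set-arn "$ps_arn" --principal-type GROUP --principal-id "$group_id"
}

# Usage (only runs when explicitly requested, because it calls AWS):
#   RUN_EXAMPLE=1 TARGET_ACCOUNT_ID=123456789012 sh assign-permission-sets.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  set -- $(identity_center_instance); instance_arn="$1"; store_id="$2"
  account_id="${TARGET_ACCOUNT_ID:?set TARGET_ACCOUNT_ID}"
  ro_ps="$(create_predefined_permission_set "$instance_arn" ReadOnlyAccess 1)"
  admin_ps="$(create_predefined_permission_set "$instance_arn" AdministratorAccess 1)"
  assign_group_to_account "$instance_arn" "$account_id" "$ro_ps" "$(group_id_by_name "$store_id" aws-readonly)"
  assign_group_to_account "$instance_arn" "$account_id" "$admin_ps" "$(group_id_by_name "$store_id" aws-readwrite)"
fi
```

Running this against the same delegated administrator account the post registers keeps the management account out of day-to-day Identity Center administration; the `create-account-assignment` call is asynchronous, so allow a short delay before the assignment appears under the account.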

The next step is to test the access by using the AWS access portal URL defined earlier. Once loaded, enter the user name (awsro for mydemo)

Enter the password and click Sign in

Once logged in, click the AWS Account button and select the appropriate account and the permission set required.
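The same sign-in test can be done from the AWS CLI, which is how most engineers will actually use the access portal. The script below is an added example, not code from the post: it renders a CLI profile that authenticates through the access portal, and after `aws sso login` it checks that the session really came through the expected permission set by inspecting the caller's role ARN. The portal URL, account ID and profile name are placeholders.

```shell
# Added example (not from the post): CLI sign-in through the access portal and
# a check that the resulting session uses the expected permission set.
# The start URL and account ID below are placeholders.
set -eu

# Render a profile that uses the Identity Center token provider.
# Args: profile_name start_url region account_id permission_set_name
render_sso_profile() {
  printf '[sso-session %s]\nsso_start_url = %s\nsso_region = %s\nsso_registration_scopes = sso:account:access\n\n[profile %s]\nsso_session = %s\nsso_account_id = %s\nsso_role_name = %s\nregion = %s\n' \
    "$1" "$2" "$3" "$1" "$1" "$4" "$5" "$3"
}

# Extract the permission set name from an Identity Center session ARN, e.g.
# arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_ReadOnlyAccess_0123abcd/awsro
# -> ReadOnlyAccess. Fails for anything that is not an AWSReservedSSO_ role.
permission_set_from_arn() {
  role="${1#*:assumed-role/}"       # AWSReservedSSO_ReadOnlyAccess_0123abcd/awsro
  role="${role%%/*}"                # AWSReservedSSO_ReadOnlyAccess_0123abcd
  case "$role" in
    AWSReservedSSO_*) ;;
    *) echo "not an Identity Center role: $role" >&2; return 1 ;;
  esac
  role="${role#AWSReservedSSO_}"    # ReadOnlyAccess_0123abcd
  printf '%s\n' "${role%_*}"        # ReadOnlyAccess
}

# Confirm that the profile's session carries the expected permission set.
# Args: profile_name expected_permission_set
verify_session() {
  profile="$1"; expected="$2"
  caller_arn="$(aws sts get-caller-identity --profile "$profile" --query Arn --output text)"
  actual="$(permission_set_from_arn "$caller_arn")"
  [ "$actual" = "$expected" ] || { echo "expected $expected, got $actual" >&2; return 1; }
  echo "profile $profile is using permission set $actual"
}

# Usage (only runs when explicitly requested, because it opens a browser login):
#   RUN_EXAMPLE=1 sh sso-profile-check.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  mkdir -p "$HOME/.aws"
  render_sso_profile readonly https://example-subdomain.awsapps.com/start us-east-1 \
    123456789012 ReadOnlyAccess >> "$HOME/.aws/config"
  aws sso login --profile readonly      # signs in as the AD user, e.g. awsro
  verify_session readonly ReadOnlyAccess
fi
```

The `AWSReservedSSO_<permission set>_<suffix>` role name is what the account sees in CloudTrail for every API call made through the portal, so the same extraction is useful when reviewing who acted under which permission set.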
