This post will describe configuring the AWS Identity Center with a managed AD. The first section will describe how to configure the managed active directory, whilst the second section will describe how to configure the AWS Identity Centre, and the last part will verify the configuration and the actual authentication process with the AWS Identity Center.
There are three options for setting up a managed directory which are
- Simple AD
- AWS Managed Microsoft AD
- AD Connector
Simple AD is a standalone managed directory using Samba-based Active Directory-compatible directory services. The AD connector is a proxy for an existing Active Directory and any requests done from AWS services are proxied through the AD connector to the existing Active Directory. Two types are available for AD connectors, small or large, depending on the number of requests made.
A VPC with the appropriate subnets across multiple availability zones is required to set up an AWS-managed Active directory. In our case, two public subnets and two private subnets were deployed already, as shown below.
To start the configuration of the managed AD, choose Directory Service from the services menu
Choose the appropriate region (in this case N.Virginia is used) and choose the directory type as AWS Managed Microsoft AD and click Set up Directory
Select and choose AWS Managed Microsoft AD and click Next
Choose the edition type required in this case Standard Edition will be used
The next steps are to enter the Directory DNS name, the Directory Netbios Name if needed and an optional description
Enter a strong password for the administrative account for the managed AD and click next. A strong password should include Uppercase and lowercase letters, numbers and special characters with a minimum length of 25
Choose the previously created VPC and private subnet and click Next
Verify the options and click Create directory
Verify the status, and after a few minutes, the status will change from Creating to Active
Click on the directory ID
Click on the Actions button, then choose the Launch directory administration EC2 instance, and click Submit if you don’t have a machine to use to administer the AWS-managed active directory. Once the machine is provisioned, you can manage the newly provisioned AD
The next step is to start configuring the AWS IAM identity centre. It is assumed that AWS Organizations is already configured. Go to the required region (in this use case, N. Virginia) and access the IAM Identity Center from the services menu
and Click the Enable button
Click on the Customize button
Enter a user friendly UNIQUE subdomain and retype the same subdomain to confirm and click Save
Once done the AWS access portal is accessible using your user-friendly url
Click the Settings option from the IAM Identity Center
Click the Management Tab and click Register account under the delegated administrator. It is highly recommended to have the IAM identity Center administrator delegate to a separate AWS account within the organization to be used for authentication.
It is important to have all users access to the delegated account first as per the warning below.
Choose the appropriate account from the Organizational Structure and click Register account
Click the Identity Source and click Change Identity source
In this case, choose Active Directory and click Next
Select the previously created Active directory and click Next (Note that both the Active directory and the identity centre needs to be in the same region)
Type Accept and click Change identity source
The next step is to add users and groups to the sync scope by clicking the Start guided setup
Check the settings and click Next
The next step is to Configure sync scope. Choose between Users or Groups (in this case groups will be used). Add the groups required
The two groups, called aws-readonly and aws-readwrite configured in the Active directory as shown below
and each group contain a user
Once all the groups or users are assigned Click Resume Sync
The next step is to create the permission sets by selecting the Permission sets from the Multi-account permissions menu
Choose the Create permission set button
and choose the Predefine permission set
First the Readonly Access will be configured by selecting the ReadOnlyAccess and click Next
Enter a description for the permission set if needed and change the session duration from the default of 1 hour if needed and click Next
Verify the settings and click Create
Repeat the same process for Administrator Access by click Create Permission set and choosing AdministratorAccess. Once both permission sets are created a similar output should be visible
The next step is to assign the newly created permission sets with the appropriate Organization OU or AWS Accounts by clicking on the AWS accounts under the multi-account permissions
Choose the relevant Organizational Unit or AWS Account
and click Assign users or groups
Select groups and aws-readonly group (in this case) and click Next
Check the ReadonlyAccess and click Next
Review the settings and click Submit
Repeat the same process for Administrator Access and once ready, a similar output should be visible with both permission sets assigned to the AWS account
The next step is to test the access by using the AWS access portal URL defined before. Once loaded enter the user name (awsro for mydemo)
Enter the password and click Sign in
Once logged in, choose the AWS Account button and select the appropriate account and rights required.