The ABCs of Managing Access to Cloud Resources Like an Enterprise

When you create new resources in the cloud or migrate the existing ones, you also have to manage the access.

What’s the good of keeping resources in the cloud if you’re not able to use them? On the other hand, security is an essential factor, so you don’t want to allow too much freedom. This forces you to search for the best way to authenticate the users and authorize them to work with your cloud resources.

Let’s see a few basic options for managing cloud access on the enterprise level of security and control.

A: Secure cloud access control with AWS IAM

First of all, you can manage cloud access in a secure way thanks to the AWS service called Identity and Access Management, or IAM for short.

AWS IAM is a web service that helps you control access to your resources in the cloud. More specifically, it lets you decide who can access particular resources and on what terms.

With IAM, you can, for instance:

• share access to your AWS account,
• grant different, granular permissions to use various resources with groups and policies,
• use roles to provide EC2-hosted applications secure access to other AWS resources,
• leverage multi-factor authentication to deliver another layer of security,
• create identity federations.

The above features enable you to add users to your account, create access policies, and assign them to these users. You can also assign policies to groups and ascribe users to them, which gives you more flexibility.

B: Delegated access thanks to identity federations

From the enterprise perspective, one of the most useful features mentioned above can be the last one, i.e., identity federations.

By creating federations with external identity providers, you’re able to use identities managed outside of AWS instead of creating users in your AWS account. This means that you can allow users to sign to the AWS Management Console and AWS Command Line Interface using credentials from your corporate directory. The users gain temporary permissions to use AWS resources in your account.

As an example, this feature may be useful when your organization already has an identity system, such as a corporate user directory. If you don’t want to, you don’t have to maintain your own identity provider, but you can go for an external one instead, such as Facebook or Google.

Using federations enables you to manage access to your AWS account centrally from your corporate directory.

To use an Identity Provider, you have to configure one in IAM and establish a trust relationship between it and your AWS account. IAM currently supports Identity Providers compatible with SAML 2.0 (Security Assertion Markup Language 2.0) or OpenID Connect (OIDC).

C: Using managed ADs with AWS Directory Service

Looking at identity federation, you may think it’s a nice-to-have feature. Sure it is. It enables you to use your existing Microsoft Active Directory to manage access to the cloud. Almost every enterprise uses AD, so it seems just what you need. But what if I told you that there might be still some better options?

Apart from federations with Identity Providers, AWS provides a bunch of services that allow the use of the existing MS Active Directory to manage cloud access. Sounds like a real enterprise use case, doesn’t it?

AWS Directory Service provides multiple services:

• Amazon Cloud Directory – a directory store for your application’s hierarchical data. It’s not related to access management so beyond the scope of this article.
• Amazon Cognito – a user directory that adds sign-up and sign-in options to your mobile and web applications. We’re also not going to focus on that service here.
• AWS Directory Service for Microsoft Active Directory (Enterprise Edition) – a managed Microsoft Active Directory hosted in the cloud. It provides numerous Microsoft Active Directory features as well as AWS integration applications.
• AD Connector – a proxy service connecting your on-premises Microsoft Active Directory to the AWS cloud. The important thing is that it does not require directory synchronization or hosting a federation infrastructure.
• Simple AD – a directory compatible with Microsoft Active Directory and powered by Samba 4. It supports Active Directory features such as user accounts, group membership, domain joining EC2 instances, Kerberos based single sign-on (SSO) and group policies.

AWS Directory Service for Microsoft Active Directory (Enterprise Edition)

With this option, also known as AWS Microsoft AD, you can extend your on-premises Microsoft Active Directory domain to AWS and establish a trust relationship with AWS Microsoft AD domain in the cloud.

When extending the domains, you can also extend your existing group policies to your cloud resources and let the users log into the AWS Management Console, AWS Command Line Interface and your Windows-based resources like Amazon EC2 for Windows Server, Amazon RDS for SQL Server and Amazon WorkSpaces with the existing enterprise credentials. You can also integrate AWS Microsoft AD with your existing RADIUS-based MFA infrastructure to provide multi-factor authentication.

It is the best choice if you have more than 5,000 users and need a trust relationship between an AWS hosted directory and your on-premises directories.

AWS Microsoft AD is by default deployed across two Availability Zones in a region and connected to the VPC. It uses EBS volumes, which are encrypted to ensure that your data is secured at rest. Automatic backups are performed once a day. If any of the domain controllers fails, it’s automatically replaced in the same Availability Zone with the same IP address. This enables a full disaster recovery with the latest backup.

You can manage Microsoft AD with the same tools you use to manage your existing domain. However, Microsoft AD does not allow direct access to the domain controllers.

AD Connector

AD Connector uses your existing on-premises Active Directory to authenticate users. It proxies LDAP or Kerberos sign-in requests from AWS applications and services to your directory, and it doesn’t cache any information, so there’s no data replication.

Your users can input their existing corporate credentials to log on to AWS applications and, with appropriate IAM permissions, to the AWS Management Console, and manage such AWS resources as EC2 instances or S3 buckets.

AD Connector can leverage MFA with your existing RADIUS-based infrastructure. This is the same for AWS Microsoft AD.

With AD Connector you continue to manage your Active Directory as usual, with the same tools on your on-premises directory.

AD Connector comes in two sizes, small and large. The small one provides for organizations of up to 500 users, while a large one can support up to 5,000 users.

Same as AWS Microsoft AD, AD Connector is created in two Availability Zones within a VPC. That ensures high availability and guarantees that your directory will be reachable only by your instances.

AD Connector is the best choice if you want to use your existing on-premises Active Directory and don’t want to establish a trust relationship between your AD and the cloud directory.

Simple AD

Simple AD is a directory compatible with Microsoft Active Directory, hosted in the cloud, and powered by Samba 4 Active Directory Compatible Server. It supports a subset of Microsoft AD features, but does not provide the support for trust relationships, Active Directory Administrative Center, PowerShell, Active Directory recycle bin, the group managed service accounts and schema extensions for POSIX and Microsoft applications.

The directory can handle up to 500 users, which corresponds to approx. 2000 objects. You can use the directory to manage AWS resources through IAM role-based access to the AWS Management Console or to manage Amazon EC2 instances running Windows and Linux.

Simple AD leverages two Availability Zones per region for high availability. It creates two directory servers and a DNS. Daily automated snapshots make it possible to execute a point-in-time recovery. This feature guarantees that Simple AD remains accessible even if a failure occurs.

It’s the least expensive option and your best choice if you have a few users and don’t require advanced Active Directory features.

Access control – the final decision…

In the end, the choice of the tool for managing access to your cloud resources comes down to two factors:

• How many users and objects do you have?
• What features and functionalities do you need?

In general, the lower your requirements, the broader the choice you have. If you need advanced features, AD connector won’t be any good. Same if you have to support thousands of users or manage access to the RDS SQL Server.

To find the best solution, follow the AWS Directory Services documentation, answer the above questions, and choose accordingly. Once you make the decision, you’ll be able to manage your access to the cloud at the enterprise level of security and control.