Directory Service
- Managed service: create directories and let AWS manage HA, monitoring, backups, etc.
- Can use AD username/password to log into AWS accounts and access AWS resources
- Microsoft AD
  - Powered by actual Microsoft AD
  - Standard (up to 5000 users) and Enterprise editions
- Simple AD
  - Free, AD compatible, powered by Samba 4
  - No federation
  - Supports user accounts, groups, joining Linux and Windows instances, Kerberos SSO, and group policies
  - Does not support trust relationships, DNS dynamic update, schema extensions, MFA, LDAPS communication, PowerShell AD cmdlets, or FSMO role transfer
- AD Connector
  - Proxy to connect to on-premises Microsoft AD
  - Users log in and AD Connector forwards the request to on-premises AD domain controllers for authentication
  - Small supports up to 500 users, large up to 5000
- In AD, domain-to-domain communication occurs through Trusts: a secured, authenticated communication channel between entities such as domains
  - Allows granting access to resources to users, groups, and computers across entities
  - Can be one-way or two-way
  - Can use Trusts to migrate AD-aware workloads to AWS without synchronizing users, groups, or passwords