
Use case: Synchronizing Active Directory users and groups with AWS

This series covers use cases that I've had to implement throughout the contracts I've been a part of. Dendory Capital, my firm, offers cloud and DevOps services to organizations around the world, and sometimes we run into unusual challenges. I document those challenges in these blog posts to show some of the solutions we came up with. This week, I'm going to describe a use case where a client wanted to synchronize their employee directory from on-premises to the AWS cloud and assign specific permissions to groups of users.

A lot of companies use Active Directory as their source of truth for users and group membership. It's a popular system, and one that most organizations already run. It makes sense that, if you're already set up with AD as your core directory, you don't want to start managing users and groups separately in all sorts of cloud apps on top of your own network. This is where single sign-on, or SSO, comes in. With SSO, you can link your AD structure with third-party applications, including cloud environments. While AWS offers its AD Connector for this, this particular client decided to use Azure AD instead, for several reasons. First, the client was already using Microsoft cloud apps like Office 365 and was likely to add other Azure apps in the future. Also, Azure offers an easy-to-use MFA solution, so every user could sign in to their cloud apps with two-factor authentication through the Azure portal. Finally, Azure SSO integrates easily not only with AWS but with many other applications.

So the way we built this integration is as follows. First, we installed the Azure AD Connect package on their on-premises domain controllers. This synchronizes users and groups into the Azure cloud environment. Then, MFA was set up within Azure so all users would have to sign in using their phone as well as their password. The next step was to go to the Enterprise Applications page on the Azure portal, where a lot of third-party apps are already available. On that page you can add your AWS account to sync with it, along with many other cloud apps.

The last step was to configure AWS permissions. Because both users and groups are synchronized by this system, it's easy to use your existing AD groups to assign permissions. These are called permission sets, and they are configured in the SSO page on the AWS console. So by leveraging all of these cloud solutions, we had a fully functional synchronization and authentication system between on-premises servers, Azure and AWS. Going forward, we can add more enterprise apps like Snowflake, Okta and so on through the already available Enterprise Apps.
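One thing I'd add to a setup like this is a periodic check that the permission sets actually assigned in AWS still match the AD groups you intended. The script below is an added example, not something from the client project: it compares an approved (account, AD group) to permission-set matrix against a list of assignments and flags direct user assignments that bypass the groups, group assignments that were never approved, and approved pairs that are missing. The group names, permission set names, account IDs and sample assignments are constructed for the example; in production the assignment list would come from the sso-admin ListAccountAssignments API with principal IDs resolved to display names through the identity store.

```python
"""Reconcile AWS SSO account assignments against an approved AD-group matrix.

Added example, not the client's or AWS's code. All names and IDs below are
constructed; real data would come from sso-admin ListAccountAssignments
(PrincipalType, PrincipalId, PermissionSetArn) joined with the identity
store to resolve group display names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    account_id: str
    principal_type: str   # "GROUP" or "USER", as ListAccountAssignments reports it
    principal_name: str   # display name resolved through the identity store
    permission_set: str   # permission set name


# Approved matrix: (account_id, synced AD group) -> permission set names (hypothetical).
APPROVED = {
    ("111111111111", "AWS-Admins"): {"AdministratorAccess"},
    ("111111111111", "AWS-Developers"): {"PowerUserAccess"},
    ("222222222222", "AWS-Developers"): {"ReadOnlyAccess"},
}

# Constructed sample of what the account currently has assigned.
SAMPLE_ASSIGNMENTS = [
    Assignment("111111111111", "GROUP", "AWS-Admins", "AdministratorAccess"),
    Assignment("111111111111", "GROUP", "AWS-Developers", "PowerUserAccess"),
    Assignment("111111111111", "GROUP", "AWS-Developers", "AdministratorAccess"),  # privilege creep
    Assignment("222222222222", "USER", "alice@example.com", "ReadOnlyAccess"),     # bypasses AD groups
]


def reconcile(approved, assignments):
    """Return direct user assignments, unapproved group assignments and missing approved ones."""
    direct_users = [a for a in assignments if a.principal_type != "GROUP"]
    # Collapse the group assignments into the same shape as the approved matrix.
    actual = {}
    for a in assignments:
        if a.principal_type == "GROUP":
            actual.setdefault((a.account_id, a.principal_name), set()).add(a.permission_set)
    unapproved = [(*key, ps) for key, sets in actual.items()
                  for ps in sorted(sets - approved.get(key, set()))]
    missing = [(*key, ps) for key, sets in approved.items()
               for ps in sorted(sets - actual.get(key, set()))]
    return {"direct_users": direct_users, "unapproved": unapproved, "missing": missing}
```

Note that the direct user assignment in account 222222222222 also shows up as a missing group assignment, which is exactly the signal you want: the access exists, but not through the synced AD group that is supposed to govern it.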

The entire exercise took less than a week to set up, and it has been running robustly ever since.