Flowchart for Choosing AWS Identity Integration with Active Directory

  1. Do you need to manage authentication for your users with Active Directory (AD) on AWS?

    • If YesGo to Step 2
    • If NoConsider AWS IAM-only for standalone user management (AWS IAM allows you to create users and groups directly in AWS without AD or SSO).

  2. Do you need users to access only Windows-based AWS resources (e.g., EC2 for Windows, RDS SQL Server, FSx) and have no need for other AWS services?

    • If YesChoose AWS Managed AD or AWS AD Connector

      • Summary: These options are focused on Windows authentication for Microsoft services on AWS. They are suitable if your AD users only need access to Windows-based resources and do not need to access other AWS services (e.g., S3, Lex).
      • Comparison:
        • AWS Managed AD is a fully managed directory service in AWS that can integrate with on-prem AD via a trust relationship.
        • AWS AD Connector acts as a bridge, connecting AWS to on-prem AD directly without storing directory data in AWS.
      • Choose AWS Managed AD if you need AWS-hosted AD with integration for Windows services.
      • Choose AWS AD Connector if you want direct, lightweight AD passthrough without a managed AD instance in AWS.

    • If NoGo to Step 3

  3. Do you need users to access a variety of AWS services (not limited to Windows-based services) through single sign-on (SSO) using their AD credentials?

    • If YesGo to Step 4
    • If NoConsider other options based on your exact needs (e.g., AWS IAM roles and policies for external users without AD integration).

  4. Do you need to manage access through IAM roles with permissions for specific AWS resources and enable AD-based groups to access AWS via SSO?

    • If YesChoose ADFS

      • Summary: ADFS with SAML allows you to federate AD with AWS IAM, letting users log in with AD credentials and assume AWS IAM roles. This solution is ideal when you need role-based access control across AWS resources (e.g., S3, Lambda, EC2) without syncing or provisioning users in AWS.
      • Why Choose ADFS over Managed AD/AD Connector: ADFS offers broader access control beyond Windows services by mapping AD groups to AWS IAM roles, making it flexible for environments that need SSO across a range of AWS services.
      • Limitations: ADFS does not provide user synchronization, so users and groups are not created in AWS IAM; instead, they receive temporary credentials based on role assumptions.

    • If NoGo to Step 5

  5. Do you need full user provisioning (syncing) of AD users into AWS IAM Identity Center, allowing you to assign specific applications and roles directly to individual users?

    • If YesChoose a Third-Party Identity Provider (IdP) with AWS IAM Identity Center (e.g., Azure AD, Okta)

      • Summary: Third-party IdPs like Azure AD or Okta can provision users via SCIM into AWS IAM Identity Center, making users visible and manageable within AWS. This allows you to assign specific AWS applications and permission sets to individual users and groups in AWS IAM Identity Center.
      • Why Choose a Third-Party IdP over ADFS: A third-party IdP with SCIM enables user lifecycle management, creating, updating, and deleting user accounts in AWS IAM Identity Center based on changes in the IdP. This provides a centralized, synchronized user directory within AWS, which is especially useful for complex environments where AD users need direct, ongoing access to AWS applications.
      • Limitations: This approach typically involves more configuration and may require licensing for the third-party IdP. It also depends on AWS IAM Identity Center, which might be overkill if simple SSO is sufficient.

    • If NoEvaluate if Basic SSO with Minimal User Management Fits (in which case, ADFS might be a simpler solution)

Summary of Options

Requirement Best Option Summary When to Consider Alternative
Windows-only AWS services (e.g., RDS SQL Server, FSx) AWS Managed AD or AD Connector Provides direct authentication for AD users to Windows-based AWS resources without full IAM integration Consider ADFS or a third-party IdP if you need access beyond Windows services
Broad AWS access with role-based permissions, without full user provisioning ADFS Allows AD users to sign in via SAML SSO and assume IAM roles, granting temporary access based on SAML claims Consider a third-party IdP with IAM Identity Center if user provisioning and management are required
Full AWS IAM Identity Center access with user synchronization, application assignment, and permission sets Third-Party IdP with AWS IAM Identity Center (e.g., Azure AD, Okta) Supports SCIM-based provisioning, full user visibility in AWS, and assignment of applications and roles in IAM Identity Center Only needed if detailed user and application management within AWS IAM Identity Center is a requirement

Quick Decision Guide

  1. For Windows-only resources in AWS: Choose AWS Managed AD or AD Connector.
  2. For SSO to AWS services beyond Windows, using AD group mappings to AWS IAM roles: Choose ADFS for SAML-based federation.
  3. For full provisioning and detailed IAM Identity Center access with application-specific assignments: Choose a third-party IdP (Azure AD or Okta) with SCIM integration for IAM Identity Center.

Each option has distinct strengths:

  • AWS Managed AD/AD Connector is best for Windows service integration without broader AWS access.
  • ADFS is ideal for SSO with federated access to IAM roles across all AWS services, without needing user synchronization.
  • A third-party IdP with IAM Identity Center is best for environments requiring synchronized user accounts, app assignments, and role management directly within AWS IAM Identity Center.