alphaspirit - Fotolia

Can Amazon Simple AD replace Active Directory?

How does Amazon's Simple AD differ from Microsoft's Active Directory, and what security issues should be considered before creating a Simple AD? Expert Dan Sullivan explains.

I've heard a lot about Amazon Simple AD. How does this differ from Microsoft's Active Directory security-wise?...

Are there security caveats enterprises should be aware of before creating a Simple AD?

Simple AD is an Amazon service based on Samba, an established open source application designed for file and print services in Windows and Linux environments. Although Samba has similar functionality to Active Directory, there are some capabilities of Active Directory not found in Samba, such as the latest schema updates. You might find similar issues going forward with Simple AD.

When Amazon uses the term "Simple" in one of its service offerings, it means it. The Simple Queue Service and the Simple Workflow Service, for example, do not have feature parity with comparable open source or commercial message queuing and workflow services, respectively.

Enterprises should consider how they will migrate contents of their Active Directory to Simple AD.  Amazon uses a command-line tool called csvde, provided by Microsoft. This tool uses comma-separated values (CSV) files to import to and export data from Active Directory. Because of the obvious security risk, passwords are not exported. New passwords have to be set in Simple AD after the CSV data is loaded.

By default, user accounts created with AWS identity and access management (IAM) service do not have privileges to access Simple AD. Consider creating a group to hold Simple AD administrators and grant that group necessary permissions. It is a best practice in general to assign permissions to groups and not directly to IAM users. Also, never use the root user for AWS for Simple AD or other administration tasks. It is better to create another user with administrative privileges and use that to perform common administrative functions.

Consider separation of duties with regards to Simple AD. In small organizations, it is often necessary to have a single person acting in multiple administrative roles, such as managing users and privileges and controlling access to logs. Larger organizations can, and should, mitigate the risk of malicious activity by separating security-sensitive duties, including managing users and privileges in Simple AD.

Next Steps

Refresh your understanding of the Amazon Web Services cloud platform.

Catch up on Microsoft Active Directory security basics.

Learn more about AWS Identity and Access Management.

Dig Deeper on Public Cloud Computing Security