
Can Amazon Simple AD replace Active Directory?

How does Amazon's Simple AD differ from Microsoft's Active Directory, and what security issues should be considered before creating a Simple AD? Expert Dan Sullivan explains.

I've heard a lot about Amazon Simple AD. How does this differ from Microsoft's Active Directory security-wise?...

Are there security caveats enterprises should be aware of before creating a Simple AD?

Simple AD is an Amazon service built on Samba 4, an established open source project that began as a file and print server for mixed Windows and Linux environments and now also implements an Active Directory-compatible domain controller. Although Samba reproduces much of Active Directory's functionality, some capabilities of Active Directory are not found in Samba, such as the latest schema updates, and Simple AD inherits those gaps: it does not support schema extensions, for example, nor trust relationships with other domains. Expect similar limits to keep appearing as Active Directory evolves.

When Amazon uses the term "Simple" in one of its service offerings, it means it. The Simple Queue Service and the Simple Workflow Service, for example, do not have feature parity with comparable open source or commercial message queuing and workflow services, respectively.

Enterprises should also plan how they will migrate the contents of their existing Active Directory to Simple AD. Amazon's guidance relies on csvde, a command-line tool provided by Microsoft that exports directory objects to, and imports them from, comma-separated values (CSV) files. Passwords are never exported (the password attribute cannot be read over LDAP), so new passwords have to be set in Simple AD after the CSV data is loaded; until then the imported accounts, created without a password, remain disabled. Because Simple AD is reachable only from inside its VPC (or over a VPN or Direct Connect link), the import itself has to be run from a host that can reach the directory's DNS addresses.
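The export-then-import step above is where a migration usually trips: a raw csvde export carries system-owned attributes the target directory refuses, every DN and UPN still names the old domain, and nothing marks which accounts now need a password. The following script, an added example that is not from the article or from AWS, prepares such an export for import. It assumes csvde's file layout (one header row of attribute names, one row per object, the DN in the first column, multi-valued attributes joined with ";"), and the source domain old.example.com, the target Simple AD domain corp.example.com, the objects and all attribute values are constructed for the demonstration.

```python
"""Prepare a csvde export of users and groups for import into Simple AD.

Added example, not from the original article or from AWS. It assumes the
export came from csvde (one header row of attribute names, one row per
object, multi-valued attributes joined with ';', the DN in the first column).
The source domain old.example.com, the target domain corp.example.com, the
objects and every attribute value below are constructed for the demonstration.
"""
import csv
import io

OLD_SUFFIX = "DC=old,DC=example,DC=com"   # constructed source domain
NEW_SUFFIX = "DC=corp,DC=example,DC=com"  # constructed Simple AD domain

# Exported by csvde but refused on import because the directory owns them.
SYSTEM_ATTRIBUTES = {
    "objectGUID", "objectSid", "objectCategory", "distinguishedName", "name",
    "whenCreated", "whenChanged", "uSNCreated", "uSNChanged", "instanceType",
    "pwdLastSet", "lastLogon", "lastLogonTimestamp", "badPwdCount",
    "logonCount", "primaryGroupID", "sAMAccountType", "memberOf",
}

# Attributes whose values are DNs and must follow the objects into the new domain.
DN_VALUED_ATTRIBUTES = {"member", "manager", "managedBy"}

# userAccountControl 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2). csvde carries
# no passwords, so every imported user starts disabled until an admin sets one.
UAC_NORMAL_DISABLED = "514"


def dns_name(dn_suffix):
    """'DC=old,DC=example,DC=com' -> 'old.example.com' (for UPN rewriting)."""
    return ".".join(part.split("=", 1)[1] for part in dn_suffix.split(","))


def rewrite_dn(dn, old_suffix, new_suffix):
    """Move one DN from the source naming context to the target one."""
    if not dn.lower().endswith(old_suffix.lower()):
        raise ValueError(f"DN outside the source domain: {dn}")
    return dn[: len(dn) - len(old_suffix)] + new_suffix


def rewrite_dn_list(value, old_suffix, new_suffix):
    """Rewrite a ';'-joined list of DNs (csvde's multi-value encoding)."""
    parts = [p for p in value.split(";") if p]
    return ";".join(rewrite_dn(p, old_suffix, new_suffix) for p in parts)


def sanitize_export(csv_text, old_suffix, new_suffix):
    """Return (csv_text_for_import, sAMAccountNames that need a new password)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    dn_col = next(c for c in reader.fieldnames if c.lower() == "dn")
    kept = [c for c in reader.fieldnames if c not in SYSTEM_ATTRIBUTES]
    if "userAccountControl" not in kept:
        kept.append("userAccountControl")
    old_dns, new_dns = dns_name(old_suffix), dns_name(new_suffix)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    needs_password = []
    for row in reader:
        clean = {c: row.get(c) or "" for c in kept}
        clean[dn_col] = rewrite_dn(row[dn_col], old_suffix, new_suffix)
        for attr in DN_VALUED_ATTRIBUTES & set(kept):
            clean[attr] = rewrite_dn_list(row.get(attr) or "", old_suffix, new_suffix)
        upn = clean.get("userPrincipalName") or ""
        if upn.lower().endswith("@" + old_dns.lower()):
            clean["userPrincipalName"] = upn.split("@", 1)[0] + "@" + new_dns
        classes = row["objectClass"].split(";")
        if "user" in classes and "computer" not in classes:
            clean["userAccountControl"] = UAC_NORMAL_DISABLED
            needs_password.append(row["sAMAccountName"])
        writer.writerow(clean)
    return out.getvalue(), needs_password


# Constructed csvde export (a real one carries many more attributes).
SAMPLE_EXPORT = (
    "DN,objectClass,cn,sAMAccountName,userPrincipalName,objectGUID,"
    "whenCreated,pwdLastSet,userAccountControl,member\n"
    '"CN=Alice Example,OU=Staff,DC=old,DC=example,DC=com",'
    "top;person;organizationalPerson;user,Alice Example,alice,"
    "alice@old.example.com,{9d7c2f3e-1a2b-4c5d-8e9f-000000000001},"
    "20200101000000.0Z,132223104000000000,512,\n"
    '"CN=SimpleADAdmins,OU=Groups,DC=old,DC=example,DC=com",'
    "top;group,SimpleADAdmins,SimpleADAdmins,,"
    "{9d7c2f3e-1a2b-4c5d-8e9f-000000000002},20200101000000.0Z,,,"
    '"CN=Alice Example,OU=Staff,DC=old,DC=example,DC=com"\n'
)

if __name__ == "__main__":
    import_csv, reset_list = sanitize_export(SAMPLE_EXPORT, OLD_SUFFIX, NEW_SUFFIX)
    print(import_csv)
    print("set a password for:", reset_list)
```

On the Windows side the surrounding commands are the standard ones: export with `csvde -f export.csv -d "DC=old,DC=example,DC=com" -r "(|(objectClass=user)(objectClass=group))"`, run the script over export.csv, then import from a domain-joined instance in the VPC with `csvde -i -f import.csv -s <Simple AD DNS address>`. Restricting the export with `-l` to the attributes you actually want to carry over avoids most of the stripping, but the script still catches anything system-owned that slips through. Hand the returned list to whoever sets the initial passwords and enables the accounts.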

By default, users created in the AWS Identity and Access Management (IAM) service have no permissions on Simple AD. Create a group to hold Simple AD administrators and grant that group, not its members individually, the Directory Service permissions they need; it is a general best practice to attach permissions to groups rather than directly to IAM users. Never use the AWS account root user for Simple AD or any other routine administration. Create a separate IAM user with the administrative privileges required and use that for day-to-day administrative tasks.
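Both recommendations above are easy to state and easy to drift from, so the following script, an added example that is not from the article or from AWS, does two things: it builds an inline policy for a SimpleADAdmins group that reads all of Directory Service but can only snapshot and restore one named directory, and it checks an account for the two habits the text warns against, directory permissions attached straight to IAM users and the root user being used for routine work. The account ID, directory ID, user names and both inventories are constructed; the inventories copy the shape of `aws iam get-account-authorization-details` (inline policies in UserPolicyList) and of the CSV from `aws iam get-credential-report`, trimmed to the columns read, so the checks run offline. The action list in the policy is a starting point to tailor, not an AWS recommendation.

```python
"""Scoped Directory Service policy for an admin group, plus two IAM checks.

Added example, not from the article or from AWS. The account ID, directory ID,
user names and both sample inventories are constructed. SAMPLE_AUTH_DETAILS
mimics `aws iam get-account-authorization-details`; SAMPLE_CREDENTIAL_REPORT
mimics `aws iam get-credential-report`, trimmed to the columns used here.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

DIRECTORY_ARN = "arn:aws:ds:us-east-1:123456789012:directory/d-9067a1b2c3"  # constructed
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)                       # constructed


def simple_ad_admin_policy(directory_arn):
    """Inline policy for a SimpleADAdmins group: read all of Directory Service,
    but snapshot/restore only the directory named by ARN (a starting point)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Describe/List calls cannot be scoped to a single directory
                "Sid": "ReadOnlyDiscovery",
                "Effect": "Allow",
                "Action": ["ds:Describe*", "ds:List*"],
                "Resource": "*",
            },
            {   # mutating actions pinned to the one directory ARN
                "Sid": "ManageOneDirectory",
                "Effect": "Allow",
                "Action": ["ds:CreateSnapshot", "ds:DeleteSnapshot",
                           "ds:RestoreFromSnapshot"],
                "Resource": directory_arn,
            },
        ],
    }


def allowed_actions(policy_document):
    """Flatten the Allow actions of a policy document into one list."""
    actions = []
    for statement in policy_document.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        act = statement.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def touches_directory_service(action):
    return action == "*" or action.lower().startswith("ds:")


def users_with_direct_ds_permissions(auth_details):
    """IAM users whose own inline policies grant ds: actions, i.e. rights that
    should have gone to a group instead."""
    found = []
    for user in auth_details.get("UserDetailList", []):
        inline = user.get("UserPolicyList", [])
        if any(touches_directory_service(a)
               for p in inline for a in allowed_actions(p["PolicyDocument"])):
            found.append(user["UserName"])
    return sorted(found)


def root_usage_findings(credential_report_csv, now, max_idle_days=90):
    """Findings for the <root_account> row: active access keys, and password
    sign-ins more recent than max_idle_days (root should sit unused)."""
    findings = []
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        if row["user"] != "<root_account>":
            continue
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                findings.append(f"root access key {n} is active")
        last = row["password_last_used"]
        if last not in ("N/A", "no_information"):
            used = datetime.fromisoformat(last.replace("Z", "+00:00"))
            if now - used < timedelta(days=max_idle_days):
                findings.append(f"root password used on {last}")
    return findings


# Constructed inventory: alice holds ds:* directly, bob only through the group.
SAMPLE_AUTH_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": [],
         "UserPolicyList": [{"PolicyName": "ds-everything", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ds:*", "Resource": "*"}]}}]},
        {"UserName": "bob", "GroupList": ["SimpleADAdmins"], "UserPolicyList": []},
    ],
    "GroupDetailList": [
        {"GroupName": "SimpleADAdmins",
         "GroupPolicyList": [{"PolicyName": "SimpleADAdmin",
                              "PolicyDocument": simple_ad_admin_policy(DIRECTORY_ARN)}]},
    ],
}

# Constructed credential report, trimmed to the columns the check reads.
SAMPLE_CREDENTIAL_REPORT = (
    "user,arn,password_enabled,password_last_used,mfa_active,"
    "access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,not_supported,"
    "2020-05-10T15:03:21+00:00,true,true,false\n"
    "bob,arn:aws:iam::123456789012:user/bob,true,2020-05-11T09:00:00+00:00,"
    "true,false,false\n"
)

if __name__ == "__main__":
    print("ds: rights attached to users:", users_with_direct_ds_permissions(SAMPLE_AUTH_DETAILS))
    print("root findings:", root_usage_findings(SAMPLE_CREDENTIAL_REPORT, SAMPLE_NOW))
```

Run it against real data by saving the JSON from `aws iam get-account-authorization-details` and the decoded CSV from `aws iam get-credential-report` and feeding those in place of the two samples; managed policies attached to users (AttachedManagedPolicies) would need the same treatment with their documents fetched separately.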

Consider separation of duties with regard to Simple AD. In small organizations, one person often has to act in several administrative roles, such as managing users and privileges and controlling access to logs. Larger organizations can, and should, mitigate the risk of malicious activity by assigning security-sensitive duties, such as managing users and privileges in Simple AD and controlling access to the logs that record those changes, to different people.

Next Steps

Refresh your understanding of the Amazon Web Services cloud platform.

Catch up on Microsoft Active Directory security basics.

Learn more about AWS Identity and Access Management.


I would consider Simple AD if it supported LDAPS, because I could save a lot of the money we are spending on buying MS CAL licenses and Microsoft OS licenses for AD servers.
I'm considering replacing MS AD with Simple AD. Obviously, it helps save money, avoid licensing issues and provide the functionality we need.

However, it would be great if I could have some more info about best practices for integrating it with Azure AD / LDAP and ADFS.

As per my knowledge, I guess almost every Microsoft product requires security to integrate another directory service provider's server with their products, and as Simple AD does not yet support SSL, or I can say LDAPS, you won't be able to integrate Simple AD with Azure AD / LDAP and ADFS to achieve your goal.

You'll have to wait some more time unless Amazon starts providing Simple AD support for LDAP over SSL.

Let's wait and watch.