Security and Identity
Welcome to the Security Fundamentals of AWS for Cloud Practitioner course. Roughly one quarter of the AWS Certified Cloud Practitioner exam focuses on AWS security concepts, as well as security services, so we've included a course covering the basic services, and how they protect AWS cloud solutions.
This course covers a range of different services, including:
- AWS Identity and Access Management
- AWS Directory Services
- AWS Web Application Firewall
- Amazon Inspector
- AWS Organizations
This course also covers a fundamental AWS concept, the Shared Responsibility Model.
- Describe the basic functions that each security service performs within a cloud solution
- Recognize basic components and features of each service
- Understand how each offers a layer of security to the AWS cloud
- Summarize the Shared Responsibility Model
- Apply the Shared Responsibility Model to different components of the AWS cloud
This course is designed for:
- Anyone preparing for the AWS Certified Cloud Practitioner
- Managers, sales professionals and other non-technical roles
Before taking this course, you should have a general understanding of basic cloud computing concepts.
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
- [Instructor] Hello, in this lecture, we introduce and explore the directory services available in Amazon Web Services. Following this lecture, you'll be able to recognize and explain the directory services available to you in Amazon Web Services and be able to recognize which use cases match the various directory services available in Amazon Web Services. The AWS directory services allow you to manage directories in the cloud.
Let's first just ensure we understand what we mean by a directory. A directory is, in essence, a database, or in other words, a collection of records organized and grouped by unique identifiers. This database is used to store data that does not change much, so the data is described as static. The data in the directory is read more than it's written to. The most common use case for a directory service is a company directory. Not only are employee names, user account names, and password information stored, but also key attributes, such as what department they're in, their email address, their phone extension, and so on.
A directory service is often used to identify resources. These resources are called objects and they can be anything in a network, like users, groups, computers, or printers. The greatest advantage of a directory service is that you have a single point of management, meaning that you can, for example, store the password of a user in the directory and this user will be able to be authenticated in all connected systems in a given network. Also, you can add attributes to your objects, like an email of a user, what building they reside in, the location of a computer, and so on. A directory generally needs to be available to different devices in many different places on a network.
To ensure any read of a record in a directory is as fast as possible, directory data is usually replicated across a network to reduce the read time or latency. Amazon currently offers two flavors of directory service for AWS customers, the Amazon Cloud Directory and the AWS Directory Service. They sound familiar, don't they? So, let's explore each and understand the difference. The Amazon Cloud Directory is a highly available, multi-tenant directory-based store in AWS.
The Amazon Cloud Directory is cloud native and can scale quickly and store millions of records, so it's a good choice when you need to build application directories, such as device registries, catalogs, social networks, organization structures, and network topologies. You should consider Amazon Cloud Directory if you're building social networks, device registries, or Internet of Things, IoT, applications. Amazon Cloud Directory would be a good way to manage vehicle registration for fleet management systems, for example.
In that use case, we might want to track the number and type of vehicles assigned to a location. It could also suit managing users for a file sharing application or creating organizational charts for a human resources application. Amazon Cloud Directory suits these use cases because it enables you to create hierarchies along multiple dimensions to store arrays of data within a single directory. Each of these use cases typically needs to organize data hierarchically to be able to perform high-volume and low-latency lookups and scale quickly to millions of objects that can be accessed globally.
As a cloud native service, the Amazon Cloud Directory meets these requirements well, so generally, if you're building cloud native services, think Amazon Cloud Directory. The Amazon Cloud Directory is not, however, going to be a good directory service for an IT administrator who wants to manage or migrate their directory infrastructure. That use case is better suited to the AWS Directory Service. The AWS Directory Service is a good match for user management in Windows. It is built on the Microsoft Active Directory products and offers three services: Microsoft AD, Simple AD, and the AD Connector.
Microsoft AD runs the Enterprise Edition of the Microsoft Active Directory product. It enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. The Microsoft AD service doesn't require you to synchronize or replicate data from your existing Active Directory to the cloud. That means by using a virtual private network, VPN, or AWS Direct Connect from your Amazon Virtual Private Cloud, VPC, to your network, you can use the cloud-based AWS Microsoft AD as the Active Directory for your on-premises environment. You can join computers to your domain, administer users, groups, and manage policies without the usual effort required to implement a highly available Active Directory.
Microsoft AD is a good choice if you have more than 5,000 users and you need a trust relationship set up between your AWS hosted directory and your on-premises directories. The Simple AD directory is a simple directory powered by a Samba 4 Active Directory-compatible server. It provides a subset of the functionality offered by Microsoft AD and supports commonly used features, such as Kerberos-based single sign-on, user accounts, group memberships and policies. Simple AD is generally your best choice if you have 5,000 or fewer users and don't need all the Microsoft Active Directory features.
Both Microsoft AD and Simple AD provide directory services, but what if we just want to connect to an existing directory? That can be achieved by using the AD Connector. The AD Connector is a directory gateway which can be set up to redirect directory requests from your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. A small AD Connector is designed for smaller organizations, up to 500 users. A large AD Connector can support larger organizations of up to 5,000 users. AD Connector is your best choice when you want to use your existing on-premises directory with AWS services.
Both the Amazon Cloud Directory and the AWS Directory Services have their own merits and use cases. One thing to keep in mind is both the Amazon Cloud Directory and the AWS Directory Services are managed services, which means you don't need to worry about the platform or where the service is running. Another common point is that you only pay for what you use. There's no upfront investment required and you can cancel either service any time. For the AWS Directory Service, you're billed on an hourly basis, depending on the size of your directory. For Amazon Cloud Directory, you're billed based on storage and access.
AWS has passed on over 50 price cuts to customers since launching in 2006, so always check the product websites for the latest service pricing and availability. Let's summarize what we've learned. AWS provides two suites of directory services. First, we have the Amazon Cloud Directory. The Amazon Cloud Directory is a highly available, multi-tenant directory-based store in AWS. It suits applications such as Internet of Things applications, device registries, social networks, network configurations, and user directories. Second, we have the AWS Directory Service. The AWS Directory Service is built around the Microsoft directory service and suits users looking to run and connect to Microsoft-based directories.
The AWS Directory Service offers three services: Microsoft AD, Simple AD, and the AD Connector. A few things to keep in mind. Choosing the right directory service is important, so always consider your future use cases as well as your current requirements, and make sure your user numbers won't exceed the service limits. If you need to set up trust relationships, you'll need the Microsoft AD service. If you need to implement federated identity, also consider Amazon Cognito user pools as a possible identity solution. Having your network, VPC, and subnetting set up correctly is a prerequisite for success with all directory services. Ensure you don't have conflicting CIDR blocks.
Simple AD domains do not currently support dynamic DNS updates. Okay, that concludes this lecture. Thank you for your attention. Please contact us at email@example.com with any questions or feedback.
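As an added example (not code from this course or from AWS), the following Python pre-flight check encodes two of the lecture's points: the user-count limits for the small and large sizes of Simple AD and AD Connector, and the requirement that the VPC and on-premises CIDR blocks a directory must reach do not overlap. The function names, the plan values and the sample networks are constructed for illustration.

```python
"""Pre-flight checks before creating an AWS Directory Service directory.

Added example, not Cloud Academy's or AWS's code. The limits below are the
ones stated in the lecture; the sample networks are constructed.
"""
from ipaddress import ip_network
from itertools import combinations

# Users supported per size for Simple AD and AD Connector (from the lecture).
SIZE_LIMITS = {"Small": 500, "Large": 5000}


def choose_size(user_count):
    """Smallest Simple AD / AD Connector size that fits user_count.
    Returns None when even the large size is exceeded (use Microsoft AD)."""
    for size in ("Small", "Large"):
        if user_count <= SIZE_LIMITS[size]:
            return size
    return None


def find_cidr_conflicts(vpc_cidrs, onprem_cidrs):
    """Return (a, b) pairs of overlapping CIDR blocks.

    Checks the VPC blocks against each other and each VPC block against every
    on-premises block, since the directory must route to both without
    ambiguity. strict=False tolerates host bits set in the input."""
    vpcs = [ip_network(c, strict=False) for c in vpc_cidrs]
    onprem = [ip_network(c, strict=False) for c in onprem_cidrs]
    conflicts = [(str(a), str(b)) for a, b in combinations(vpcs, 2) if a.overlaps(b)]
    conflicts += [(str(v), str(o)) for v in vpcs for o in onprem if v.overlaps(o)]
    return conflicts


def preflight(service, user_count, vpc_cidrs, onprem_cidrs):
    """Run both checks; return a list of problems (empty list means go ahead)."""
    problems = []
    if service in ("Simple AD", "AD Connector") and choose_size(user_count) is None:
        problems.append(f"{service} supports at most {SIZE_LIMITS['Large']} users; "
                        "consider Microsoft AD")
    for a, b in find_cidr_conflicts(vpc_cidrs, onprem_cidrs):
        problems.append(f"CIDR conflict: {a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed plan: the on-premises 10.0.0.0/8 swallows the VPC's
    # 10.10.0.0/16, the classic overlap that breaks directory connectivity.
    for p in preflight("AD Connector", 1200, ["10.10.0.0/16"], ["10.0.0.0/8", "192.168.0.0/16"]):
        print(p)
```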
About the Author
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start-ups.