
AWS Networking: Authentication & Authorization Study Guide

Authentication and authorization (for example, SAML, Active Directory)

Authentication & Authorization in AWS Networking

This guide covers the critical mechanisms used to manage identities and access within AWS networking architectures, focusing on SAML 2.0 integration and AWS Directory Service options.

Learning Objectives

By the end of this module, you should be able to:

  • Explain how SAML 2.0 facilitates Single Sign-On (SSO) between external identity providers and AWS.
  • Differentiate between the four primary AWS Directory Service offerings.
  • Evaluate the Shared Responsibility Model as it applies to AWS Managed Microsoft AD.
  • Identify the appropriate connectivity tool (e.g., AD Connector vs. Simple AD) for specific hybrid networking use cases.

Key Terms & Glossary

  • IdP (Identity Provider): An external system (like Okta or AD FS) that manages user identities and provides authentication services.
  • SAML Assertion: An XML-based document sent by the IdP to AWS that contains user attributes and authorization claims.
  • Trust Relationship: A logical link established between AWS and an external IdP to allow federated access.
  • Domain Controller: A server that responds to security authentication requests and stores the Active Directory database.
  • Global Catalog: A domain controller that stores a searchable index of every object in an AD forest.

The "Big Idea"

In modern enterprise networking, managing local IAM users for every individual is unscalable and insecure. The "Big Idea" is Identity Federation: instead of creating new credentials, we trust an existing, authoritative source (like an on-premises Active Directory). By using SAML or AD Connectors, AWS becomes a "service provider" that consumes identities managed elsewhere, ensuring that when an employee leaves the company, their access to AWS is revoked automatically at the source.

Formula / Concept Box

Feature           | Managed AD (Standard) | Managed AD (Enterprise)
------------------|-----------------------|-------------------------
Storage Capacity  | 1 GB                  | 17 GB
Object Limit      | ~30,000               | ~500,000
User Support      | Up to ~5,000          | Over 5,000
Multi-Region      | No                    | Yes (Native Replication)

Hierarchical Outline

  1. SAML 2.0 & Federation
    • Single Sign-On (SSO): Users authenticate once with the IdP and gain access to AWS without re-entering credentials.
    • IAM Identity Provider: An entity in AWS IAM that describes the external IdP (metadata exchange).
    • Authentication Flow: User → IdP → SAML Assertion → AWS STS → Temporary Credentials.
  2. AWS Directory Service Options
    • AWS Managed Microsoft AD: Real Windows Server AD managed by AWS; supports Group Policies and Trusts.
    • Simple AD: Lightweight, low-cost Samba 4-compatible directory; best for basic LDAP needs.
    • AD Connector: A proxy gateway that redirects requests to on-premises AD; does not cache credentials.
    • AD on EC2: Customer-managed; maximum control but full administrative overhead.
  3. Active Directory Networking
    • AD Sites: Logical objects representing physical locations; used by clients to find the nearest Domain Controller.
    • Shared Responsibility: AWS manages hardware/patching; the customer manages users/groups/GPOs.

Visual Anchors

SAML Authentication Flow


AD Connector Architecture


Definition-Example Pairs

  • SAML Assertion: The digital "passport" issued by your company's login page.
    • Example: When you log into the AWS Console via Okta, Okta sends a signed XML document to AWS saying "This is Jane, and she has the Admin role."
  • AD Connector: A "phone operator" that passes messages without keeping notes.
    • Example: A user logs into Amazon Chime; the request hits the AD Connector, which asks the on-premises AD server "is this password correct?" and simply passes the "Yes" or "No" back.
  • Simple AD: A "budget-friendly mimic" of Active Directory.
    • Example: A small Linux-based dev shop needs basic LDAP for their apps but doesn't want the cost or complexity of a full Windows Server license.
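The SAML assertion from the Okta example above, in code: an added example (not from the study guide) that pulls out the fields AWS STS reads before it issues temporary credentials, following the flow User → IdP → SAML Assertion → AWS STS. The account id 123456789012, the IdP name "Okta" and the user "jane" are constructed placeholders; the sample assertion is unsigned, and the `assume_role_with_saml` call itself is not made.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"  # the audience AWS expects
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned sample assertion (added example, not from the guide);
# account id 123456789012 and the IdP name "Okta" are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
   <saml:AttributeValue>jane</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(stamp):  # SAML timestamps look like 2024-01-01T00:05:00Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text, now_utc):
    """Return the roles and session name STS would act on, or raise ValueError for an
    assertion STS would reject. Signature verification is left to STS (IdP certificate)."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if AWS_AUDIENCE not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("audience is not the AWS sign-in endpoint")
    if not _utc(cond.get("NotBefore")) <= _utc(now_utc) < _utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    # Each Role value is "<role ARN>,<saml-provider ARN>"; one entry per assumable role.
    roles = [tuple(v.split(",", 1)) for v in attrs.get(ROLE_ATTR, [])]
    if not roles or SESSION_ATTR not in attrs:
        raise ValueError("Role or RoleSessionName attribute missing")
    return {"roles": roles, "session_name": attrs[SESSION_ATTR][0]}

def sts_request(xml_text, now_utc, role_index=0):
    """Parameters for sts.assume_role_with_saml; the boto3 call itself is not made here."""
    role_arn, provider_arn = parse_assertion(xml_text, now_utc)["roles"][role_index]
    return {"RoleArn": role_arn, "PrincipalArn": provider_arn,
            "SAMLAssertion": base64.b64encode(xml_text.encode()).decode()}
```

Note that RoleSessionName is not a request parameter: STS takes it from the assertion attribute, which is why the IdP must populate it.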

Worked Examples

Scenario: Integrating On-Premises Users with AWS WorkSpaces

Goal: Allow 1,000 corporate employees to use their existing Windows passwords to log into AWS WorkSpaces.

  1. Selection: Since we want to use existing credentials and avoid syncing data to the cloud, we select AD Connector.
  2. Connectivity: Ensure a Site-to-Site VPN or Direct Connect is established between the VPC and the on-premises data center.
  3. Setup: Create the AD Connector in the AWS Directory Service console, pointing to the IP addresses of the on-premises Domain Controllers.
  4. Verification: Assign a user from the on-premises AD to a WorkSpace. The user logs in; the AD Connector proxies the request to the on-prem DC, which validates the password.

Checkpoint Questions

  1. Which AWS Directory Service option does NOT store or cache any user credentials in the AWS Cloud?
  2. True or False: SAML 2.0 requires the creation of individual IAM users for every federated employee.
  3. Which edition of AWS Managed Microsoft AD is required if you need to replicate your directory across multiple AWS Regions?
  4. In the SAML flow, what is the role of the AWS Security Token Service (STS)?

[!TIP] Answers: 1. AD Connector. 2. False (it uses IAM Roles). 3. Enterprise Edition. 4. It exchanges the SAML assertion for temporary security credentials.

Muddy Points & Cross-Refs

  • AD Connector vs. Managed AD Trust: Students often confuse these. Use AD Connector for simple proxying of AWS application logins. Use Managed AD with a Trust if you need to manage AWS resources (like EC2 instances) using on-prem credentials or if you need a resource forest model.
  • SAML vs. OIDC: SAML is XML-based and typically used for enterprise employee SSO. OpenID Connect (OIDC) is JSON/REST-based and usually used for web/mobile apps (e.g., "Login with Google").

Comparison Tables

Directory Service Decision Matrix

Requirement          | AD Connector        | Simple AD           | Managed Microsoft AD
---------------------|---------------------|---------------------|-----------------------
Backend Tech         | Proxy               | Samba 4             | Actual Windows Server
On-Prem Integration  | Redirects requests  | None (Stand-alone)  | Trust Relationships
Group Policy Support | No (uses on-prem)   | Limited             | Full
Best For             | Existing AD users   | Small/New Apps      | Enterprise Hybrid Apps
