AWS Black Belt Tech Series: AWS Directory Service

AWS Black Belt Tech Webinar 2014 (formerly the Meister series): AWS Directory Service

Slides (the Japanese slide text was lost in extraction; only the English terms, names and URLs survive and are listed per slide):

1. AWS Directory Service. AWS Black Belt Tech Webinar 2014
2. Agenda: Active Directory on AWS (Active Directory basics, Active Directory on AWS); ADFS and IAM identity federation; AWS Directory Service; MFA
3. Active Directory on AWS (section)
4. LDAP directories: Active Directory, OpenLDAP
5. Active Directory: introduced with Windows 2000, replacing the Windows NT Security Account Manager (SAM, 40 MB limit)
6. Active Directory as the identity base for Exchange / SharePoint / SQL Server and Windows environments
7. Active Directory roles: AD DS (Domain Services), ADFS (Federation Services), AD CS (Certificate Services), AD LDS (Lightweight Directory Services), AD RMS (Rights Management Services)
8. AD DS depends on DNS, LDAP, Kerberos v5 and SMB
9. DNS, LAN (sites), OU
10. Domain tree example: domain.local with child domains jp.domain.local and us.domain.local
11. OU example: Member 001, Member 002, Member 003, Member 004; Member 101, Member 102, Member 103, Member 104
12. Flexible Single Master Operation (FSMO) roles are held by specific DCs, among them the RID master (the RID is the tail of each SID) and the PDC emulator (NT compatibility)
13. Running DCs on EC2: Active Directory on AWS
14. DCs on AWS: DC (FSMO1) and DC (FSMO2) placed in different Availability Zones, reached over Direct Connect / VPN Connection
15. Extending an existing Active Directory to AWS (diagram: DC (FSMO) on the existing side, one DC per Availability Zone on AWS, linked by Direct Connect / VPN Connection)
16. DNS: each DC also serves DNS (diagram: DC (FSMO) and DCs across Availability Zones, Direct Connect / VPN Connection)
17. DNS: point the instance NIC's TCP/IP DNS setting at the DC DNS servers; the DC DNS forwards AWS-internal names to the AWS DNS
18. TCP/IP DNS: AWS-internal domains resolved by the AWS DNS: ap-northeast-1.ec2-utilities.amazonaws.com, us-east-1.ec2-utilities.amazonaws.com, ec2-utilities.amazonaws.com, ec2.internal, ap-northeast-1.compute.internal
19. DHCP Options Set: domain name (FQDN), DNS servers (the DCs), NTP server (PDC emulator), NetBIOS name servers (WINS), NetBIOS node type 2
20. Backup: VSS (Volume Shadow Copy Service) aware backup with Windows Server Wbadmin.exe; respect the Tombstone Lifetime when restoring an EC2 DC
21. DC restore and USN rollback: http://technet.microsoft.com/ja-jp/library/dd363545%28v=ws.10%29.aspx
22. ADFS: identity federation and web SSO; AD DS / AD LDS as attribute stores; SAML 1.1/2.0; SSO to Office 365 and Google Apps; http://community.office365.com/ja-jp/b/office_365_community_blog/archive/2012/01/14/adfs-in-office-365.aspx
23. IAM federation with Active Directory over SAML 2.0 (ADFS as the identity provider, Active Directory as the identity source): Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0, http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0
24. AWS IAM: federated (AD) users assume IAM roles
25. AWS Directory Service (section)
26. AWS Directory Service: a managed directory for AWS services (Amazon WorkSpaces, Amazon Zocalo) and for IAM / AWS Management Console access
27. Two offerings: Simple AD (a Samba 4-based, Active Directory-compatible directory running in AWS) and AD Connector (connects a VPC to an existing Active Directory, with MFA support)
28. Directory sizes: Simple AD Small 1,000 / Large 10,000; AD Connector Small 10,000 / Large 100,000
29. Simple AD: Samba 4-based, Active Directory-compatible; used by Amazon WorkSpaces / Amazon Zocalo; EC2 Windows domain join and Kerberos SSO; managed with the Microsoft MMC, Active Directory Services Interface (ADSI), ADSIEdit, dsadd, dsmod
30. Simple AD parameters: Directory DNS, NetBIOS Name, Administrator Password, Directory Size, VPC, Availability Zone, Subnet
31. Steps 1-3: select the region [Asia Pacific (Tokyo)] and click [Get Started Now]
32. Create a Simple AD: [Create Simple AD]
33. Simple AD (1/2): 1. [Directory DNS] 2. [NetBIOS name] 3. [Administrator password] 4. size [Small]
34. Simple AD (2/2): 1. [VPC] 2. two [Subnets] 3. [Next Step]
35. [Create Simple AD]
36. Simple AD (1/2): wait until [Status] shows [Active]
37. Simple AD (2/2): [Directory ID] and [Directory Details]
38. Simple AD is Multi-AZ: two subnets, one Domain Controller in each Availability Zone of the Virtual Private Cloud; EC2 instances join the Active Directory
39. Manage it from an EC2 instance with Active Directory Users and Computers: %SystemRoot%\system32\dsa.msc
40. Snapshots (5): [Create Snapshot]
41. Access URL: an AWS-provided URL for the directory: 1. Access URL 2. [Create Access URL]
42. AWS Management Console access through the Access URL: 1. Manage Access 2. [Enable Access]
43. Map IAM roles (e.g. EC2ReadOnly, PowerUser) to directory users and groups: [New Role]
44. AWS Management Console web SSO: https://access_url.awsapps.com/console/
45. AD Connector: connects a VPC to an existing Active Directory over VPN / AWS Direct Connect; used by Amazon WorkSpaces / Amazon Zocalo and for AWS Identity and Access Management (IAM) / AWS Management Console access; supports MFA
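Slides 22-24 describe federating Active Directory users into IAM through ADFS and SAML 2.0. The check below is an added example, written for this page and not taken from the webinar, the AWS blog post or any AWS code. It shows the parts of the SAML assertion that the federation actually turns on: the audience, the validity window, and the Role / RoleSessionName attributes, whose names are the ones AWS documents for SAML federation. The assertion text, the account ID, the role names and the provider name are constructed placeholders, the assertion is not signed, and treating both `https://signin.aws.amazon.com/saml` (the documented audience) and `urn:amazon:webservices` (the relying-party identifier ADFS trusts for AWS are usually given) as valid audiences is this example's choice. The example also refuses any role whose account differs from the trusted provider's account, so an IdP cannot hand out roles in an account it was never trusted by.

```python
"""Evaluate the AWS-relevant parts of a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Documented AWS audience plus the ADFS relying-party identifier; accepting both is this example's choice.
AWS_AUDIENCES = {"https://signin.aws.amazon.com/saml", "urn:amazon:webservices"}

# Constructed sample (hypothetical account, roles and provider); what an ADFS claim rule for AWS emits.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_1" IssueInstant="2014-10-21T02:00:00Z" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user01@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-10-21T02:00:00Z" NotOnOrAfter="2014-10-21T03:00:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AWS_SESSION_ATTR}"><saml:AttributeValue>user01@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{AWS_ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-EC2ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-PowerUser</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::999999999999:role/Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def split_role_pair(value):
    """AWS accepts 'role-arn,provider-arn' in either order; return (role, provider)."""
    parts = [p.strip() for p in value.split(",")]
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
        raise ValueError(f"Role attribute needs one role ARN and one provider ARN: {value!r}")
    return roles[0], providers[0]


def evaluate_assertion(xml_text, trusted_provider_arn, now):
    """Return the session name and the roles this assertion may assume, or raise.

    Signature verification is deliberately out of scope: the real consumer (AWS, in the
    federation on the slides) verifies the XML signature against the IdP certificate
    registered in IAM before any of these checks, and untrusted XML should be parsed
    with a hardened parser (e.g. defusedxml), not plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = {(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if not audiences & AWS_AUDIENCES:
        raise ValueError(f"audience {audiences} is not AWS")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    session = attrs.get(AWS_SESSION_ATTR, [])
    if len(session) != 1 or not session[0]:
        raise ValueError("RoleSessionName missing or not a single value")
    account = trusted_provider_arn.split(":")[4]
    roles = []
    for value in attrs.get(AWS_ROLE_ATTR, []):
        role, provider = split_role_pair(value)
        # Only the provider IAM trusts, and only roles in that provider's own account.
        if provider == trusted_provider_arn and role.split(":")[4] == account:
            roles.append(role)
    if not roles:
        raise ValueError("no assumable role in assertion")
    return {"session_name": session[0], "roles": roles}


if __name__ == "__main__":
    print(evaluate_assertion(SAMPLE_ASSERTION, "arn:aws:iam::123456789012:saml-provider/ADFS",
                             parse_ts("2014-10-21T02:30:00Z")))
```

When the sample is evaluated at 02:30 UTC with the provider `arn:aws:iam::123456789012:saml-provider/ADFS`, the two roles in account 123456789012 are returned and the `Admin` role in account 999999999999 is dropped; the same assertion evaluated at 03:00 UTC is rejected because `NotOnOrAfter` is exclusive. The short validity window and the single `RoleSessionName` are what make a leaked assertion hard to reuse, so keep the ADFS token lifetime short.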
46. AD Connector parameters: Directory DNS, NetBIOS Name, Account username, Account Password, DNS Address, VPC, Availability Zone, Subnet
47. AD Connector topology: an AD Connector in each Availability Zone of the Virtual Private Cloud, VPN Gateway to Customer Gateway, Domain Controller in the Corporate Data center
48. Multi-Factor Authentication (MFA): AD Connector supports RADIUS-based MFA, for example Symantec Validation and ID Protection Service (VIP) or a Microsoft RADIUS Server
49. (Example) Google Authenticator with FreeRADIUS through the Google Authenticator PAM (Pluggable Authentication Module): http://aws.typepad.com/sajp/2014/10/google-authenticator.html (GUI)
50. MFA setup: [Multi-Factor Authentication], enter the RADIUS settings, [Update Directory]; RADIUS server IP, [Update Directory]
51. AWS Directory Service pricing (* 1 month = 730 hours):
    AD Connector Small  0.08 USD per hour   58.40 USD per month*
    AD Connector Large  0.24 USD per hour  175.20 USD per month*
    Simple AD Small     0.08 USD per hour   58.40 USD per month*
    Simple AD Large     0.24 USD per hour  175.20 USD per month*
52. Free tier: 750 hours of Small Simple AD or AD Connector (30); Amazon WorkSpaces / Amazon Zocalo; Small 1 / Large 100; AWS Directory Service
53. Available AWS regions: US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Sydney), Asia Pacific (Tokyo)
54. Summary: Active Directory is the identity base of Windows environments; Active Directory can run on AWS; AWS Directory Service provides Active Directory for AWS services (Amazon WorkSpaces, Amazon Zocalo, AWS Management Console)
55. References: AWS Directory Service Administration Guide http://docs.aws.amazon.com/directoryservice/latest/adminguide/what_is.html; AWS Directory Service FAQ http://aws.amazon.com/jp/directoryservice/faqs/; pricing http://aws.amazon.com/jp/directoryservice/pricing/
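Slides 48-50 enable MFA on AD Connector by pointing it at a RADIUS server. The following is an added example, written for this page and not taken from the webinar or from AWS or FreeRADIUS code, of the RFC 2865 exchange that setting produces: the RADIUS client (the role AD Connector plays) sends an Access-Request carrying the directory user name and the one-time code hidden in User-Password, the MFA server checks the code and answers Access-Accept or Access-Reject, and each side authenticates the packets with the shared secret. It assumes the one-time code travels as the User-Password attribute; the user, OTP, NAS identifier and secrets are constructed. The third run uses mismatched secrets to show why the client must verify the Response Authenticator rather than trust the reply code.

```python
"""RADIUS Access-Request / Access-Accept exchange for MFA, RFC 2865 (added example)."""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_attr(attr_type, value):
    """Type(1) Length(1, header included) Value; value is 1..253 bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, otp, secret, nas_id, request_auth=None):
    """Client side: fresh random Request Authenticator, user name, hidden OTP, NAS identifier."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, request_auth))
             + encode_attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def server_handle(packet, secret, valid_otps):
    """MFA server side: recover the OTP with its copy of the secret, answer Accept or Reject."""
    if len(packet) < 20:
        return None  # RFC 2865: silently discard malformed packets
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = secrets.compare_digest(otp, valid_otps.get(user, "").encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, b"", secret)


def client_check(response, request, secret):
    """Client side: 'accept' or 'reject' only if the reply matches our request and its authenticator verifies."""
    if response is None or len(response) < 20 or response[1] != request[1]:
        return "invalid"
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not secrets.compare_digest(resp_auth, expected):
        return "invalid"  # wrong shared secret, forged reply, or reply to a different request
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "invalid")


def run_exchange(username, otp, client_secret, server_secret, valid_otps):
    request = build_access_request(7, username, otp, client_secret, "ad-connector-1")
    return client_check(server_handle(request, server_secret, valid_otps), request, client_secret)


if __name__ == "__main__":
    codes = {"user01": "493027"}  # constructed: the code the MFA server currently expects for user01
    print(run_exchange("user01", "493027", b"s3cret", b"s3cret", codes))  # accept
    print(run_exchange("user01", "000000", b"s3cret", b"s3cret", codes))  # reject
    print(run_exchange("user01", "493027", b"s3cret", b"other", codes))   # invalid
```

Two practical consequences follow from the code. The User-Password hiding is only an MD5 keystream derived from the shared secret, and the Response Authenticator is MD5 over the packet plus that secret, so anyone who captures the UDP traffic can test secret guesses offline: use a long random shared secret, and restrict the RADIUS server's security group to the AD Connector addresses shown in the directory details. And because the RADIUS server only ever sees the user name and the one-time code, the AD password check stays with the domain controllers; the RADIUS server must not be allowed to become a second password store.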