Traditional solutions for using Microsoft Active Directory across on-premises and AWS Cloud Windows workloads can require complex networking or synching identities across multiple systems. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed AD, offers you actual Microsoft Active Directory on the AWS Cloud as a managed service. In this session, you learn how Capital One uses AWS Managed AD to provide highly available authentication and authorization services for its Windows workloads, such as Amazon RDS for SQL Server. We detail how Capital One uses Lambda, Python, and PowerShell with cross-account AWS Identity and Access Management (IAM) roles to automate directory deployment across AWS accounts. We also cover best practices for integrating AWS Managed AD with your on-premises domain securely, and show you how to automate the joining of AWS resources to your managed domain.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
D e e p D i v e o n H o w C a p i t a l O n e A u t o m a t e s t h e
D e l i v e r y o f D i r e c t o r y S e r v i c e s a c r o s s A W S A c c o u n t s
K e n n y H i l l - C a p i t a l O n e
K u n t a l M i t r a - C a p i t a l O n e
P e t e r O ’ D o n n e l l - A m a z o n W e b S e r v i c e s
S I D 2 0 2
N o v e m b e r 2 7 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introduction
AWS/Capital One collaboration

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Capital One Deployment Architecture
Secure AWS Account
Cloud Resource
Management
How do we create, secure,
and administer AWS
Microsoft AD given
segregation of duties?
AD AWS Account
Identity
Management
LOB Account
LOB Account
LOB Account
RDS
for
SQL
Customer

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Capital One Deployment Architecture
Invoke
2
Assume Role
Discover
Directory
4
Create
Incoming Trust
7
Configure
Groups
8 Validate
3
5
6
1
Create &
Configure
Directory
Add DNS A
Records
Complete
Directory
Trust
Rename
Default Site
EC2
PowerShell
AD
Secure AWS Account
AD AWS Account
LOB Account
LOB Account
LOB Account
How do we create, secure,
and administer AWS
Microsoft AD given
segregation of duties?
Cloud Resource
Management
Identity
Management
RDS
for
SQL
Customer

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Capital One Deployment Architecture
EC2
PowerShell
AD

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Start from AD Account (PowerShell)
EC2
PowerShell
AD
AD Account
Amazon EC2 IAM Role
• Secure Cross Account Role
• Invoke AWS Step Functions
• Invoke AWS Lambda
Invoke PowerShell Script
• Set-AWSCredentials
• Use-STSRole
Secure AWS Account
Assume Role

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Create and Configure Directory
Secure AWS Account
• Start Build
• Start-SFNExecution
• Create AWS Directory
• create_microsoft_ad
• Configure Monitoring
• create_topic
• subscribe
• register_event_topic
• Discover and Update Security Group
• describe_security_groups
• revoke_security_group_egress
• revoke_security_group_ingress
• authorize_security_group_ingress
• authorize_security_group_egress
• Increase Domain Controllers
• update_number_of_domain_controllers
• Create DNS SRV and A records
• describe_domain_controllers
• change_resource_record_sets
EC2
PowerShell
AD
Initiate BuildAssume Role

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Discover Directory in LOB Account
Secure AWS Account
• Assume LOB Account Role
• Read Directory Services
• Read VPC and Subnets
• Get Domain Controller IPs and hostnames
• Get-DSDirectory
• Get-DSDomainControllerList
• Resolve-DNSName
EC2
PowerShell
AD
Initiate Build
LOB Account
Assume Role

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Create A Records in Route 53
• Call Lambda Function
• Invoke-LMFunction
• Create DNS A Records
• change_resource_record_sets
EC2
PowerShell
AD
LOB Account
Assume Role
Secure AWS Account
Assume Role

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Create Trust from AWS to Capital One AD
• Create Incoming Trust
• DirectoryServices
• Create Outgoing Trust
• create_trust
EC2
PowerShell
AD
Secure AWS Account
Assume Role
AD Account
AD
Secure AWS Account
Assume Role

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD
Create Trust from AWS to Capital One AD
• Create Incoming Trust
• DirectoryServices
• Create Outgoing Trust
• create_trust
EC2
PowerShell
Secure AWS Account
Assume Role
AD Account Secure AWS AccountAD Forest Trust LOB Account

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rename Default Site
• Create Incoming Trust
• DirectoryServices
• Create Outgoing Trust
• create_trust
EC2
PowerShell
AD Account AD Forest Trust LOB Account LOB Account
Remote PowerShell via VPC Peer
ADAD

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rename Default Site
• Get LOB VPC CIDR Block
• Get-EC2Vpc
• Get AD Site for peer to VPC
• Get-ADReplicationSubnet
• Rename Default Site to match AD Site
• Rename-ADObject
• Add Directory Support Groups
• Add-ADPrincipalGroupMembership
• Validation
• Get-DSDomainControllerList
• Get-DSTrust
• Get-DSDirectory
• Get-ADTrust
EC2
PowerShell
AD Account
LOB Account
Remote PowerShell via VPC Peer
AD

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Recap

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
D e e p D i v e o n H o w C a p i t a l O n e A u t o m a t e s t h e D e l i v e r y o f D i r e c t o r y
S e r v i c e s a c r o s s A W S A c c o u n t s
S I D 2 0 2