Amazon WorkSpaces can integrate with your organization’s self-managed, on-premises Active Directory. This is understandable, on-premises Active Directory stores the organizational identity source and Group Policies, which establish the functional and security baselines. This integration requires frequent communication for user entitlement and authentication. To facilitate this integration, AWS Directory Services offers AD Connectors, a non-caching proxy used by Amazon WorkSpaces, to facilitate that connection.
Until recently, AD Connectors were only able to use LDAP when communicating with Active Directory. During a security audit, unencrypted traffic such as LDAP are commonly identified and require remediation to pass the audit. To minimize this exposure, we guide customers to optimize the path from AD Connectors and Amazon WorkSpace to remote cloud-based AD Domain Controllers in a Virtual Private Cloud (VPC), confining the traffic to private subnets and VPN connections.
We work with customers to ensure these remote cloud-based AD Domain Controllers have a Security Group attached that limit the scope of traffic to only what is required for on-premises AD, AD Connectors, and Amazon WorkSpaces. We also work with customers to optimize routing for performance and an additional layer of security.
In November 2019, Microsoft announced a March 2020 update that will enforce hardening of LDAP. One of the suggested methods of hardening LDAP is to enable encryption by using Secure LDAP (LDAPS). Regardless of this announcement, it has always been in every organization’s best interest to enable LDAPS. With this pending Microsoft update approaching, Amazon WorkSpaces administrators wondered how this would impact their DaaS environments.
Earlier this month, AWS announced support for LDAPS was added to AWS Directory Service AD Connectors. Please take a moment to read this important announcement:
Once your organization’s CA is imported into the Directory, and enabled, AD Connectors will use LDAPS to connect to your organizations on-premises Active Directory. You must separately ensure that remote cloud-based AD Domain Controllers have TCP Port 636 inbound allowed in their assigned Security Group, as well as any firewall exceptions to on-premises AD Domain Controllers. AWS will ensure during the creation of Amazon WorkSpaces, the CA is trusted when joining the on-premises Active Directory Domain.
To further encrypt identity traffic, a VPN can optionally be created over the AWS Direct Connect from on-premises network to your VPC. We recommend reviewing the how-to guide here if additional encryption for traffic across your connectivity provider is required.