AWS Cost-Effective Directory Authentication Solution for Startups

The unfortunate advent of COVID-19 has compelled all companies, in particular startups and small organizations, to embrace a work-from-home policy. Although this is among the most effective strategies to fight the coronavirus, companies are also concerned about maintaining a basic authentication framework and granting seamless, secured access to different applications on the principle of least privilege.

In this light, AWS offers many security and authentication services that can be quite helpful for companies in the transforming phase. AWS Directory Service is one of these offerings; however, budgetary constraints may deter small companies and startups from availing themselves of it.

We (Sify) propose a solution: Active Directory on AWS with Azure AD Connect, to prepare a seamless integration among AWS, Azure and MS O365.

Let's assume there is a startup company whose entire product has been running on AWS and its associated infrastructure; however, their email solution is on Microsoft O365.

Problem Statement

The CEO of the company wants to deploy an authentication process that lets existing employees use a single employee ID and set of credentials to log into both AWS and O365. Further, the CEO also needs the IT team to be able to enable AD Group Policy and a password policy.

Now, the challenge is budget and security. Initially, the company's IT team proposed AWS Directory Service, but it seemed too expensive. The current employee strength is 35, and it would be hardly 40 within the next 12 months. Moreover, security is also a concern for the entire roll-out, and they do not have enough office setup for a physical server to be deployed.

Challenges

  • Budget constraint
  • Insufficient on-premise setup to deploy AD
  • Security

Considering the situation, Sify's Public Cloud Team came up with an apt solution to support startups.

Proposed Solution

  • Instead of the AWS AD managed directory service, companies should promote a Domain Controller on a less expensive general-purpose family EC2 instance in a private subnet. Another small EC2 instance should be deployed for Azure AD Connect. This EC2 instance should be launched in a public subnet as a proxy. Considering the number of employees, a medium-sized server is enough to meet the requirement.
  • On the other hand, the company has an Azure tenant where a default AD directory is provisioned. Once the required synchronization setup is completed, all the user objects will be synced to Azure AD.
  • Since the CTO is very much concerned about security, the entire AD Connect setup relies on pass-through authentication.

[Users are able to sign into Microsoft cloud services, such as Office 365, using the same password they use in their AWS AD. The user's password is passed through to the AWS Active Directory domain controller to be validated.]

  • Another technical consideration is that the AD authentication protocol (Kerberos) cannot be used over the internet. Therefore, remote users and the office network must connect over P2P and S2S VPN respectively.
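As an added example (not Sify's own tooling), the following Python audit assumes a hypothetical VPC CIDR and VPN address pools, takes security-group rules in the shape returned by boto3's describe_security_groups(), and flags any AD port (Kerberos, LDAP, SMB and so on) that is reachable from addresses outside those ranges, which is exactly the property the VPN-only design above depends on.

```python
"""Audit security-group rules (boto3 describe_security_groups shape) for AD ports
reachable from outside the VPC/VPN ranges. Added example; not Sify's own tooling."""
import ipaddress

# Ports a domain controller listens on: DNS, Kerberos, RPC, LDAP, SMB, kpasswd, LDAPS, GC.
AD_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}

# Hypothetical trusted ranges: VPC CIDR plus the S2S (office) and P2P (remote-user) VPN pools.
TRUSTED_CIDRS = ["10.0.0.0/16", "192.168.100.0/24", "172.16.50.0/24"]

def rule_ports(perm):
    """AD ports covered by one IpPermission entry ("-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return set(AD_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in AD_PORTS if lo <= p <= hi}

def untrusted_sources(perm, trusted):
    """IPv4 source CIDRs of a rule that are not inside any trusted range."""
    nets = [ipaddress.ip_network(c) for c in trusted]
    bad = []
    for rng in perm.get("IpRanges", []):
        src = ipaddress.ip_network(rng["CidrIp"])
        if not any(src.subnet_of(n) for n in nets):
            bad.append(rng["CidrIp"])
    return bad

def audit_dc_security_group(group, trusted=TRUSTED_CIDRS):
    """Return sorted (port, source) pairs where an AD port is open to an untrusted source."""
    findings = []
    for perm in group.get("IpPermissions", []):
        for src in untrusted_sources(perm, trusted):
            findings.extend((p, src) for p in rule_ports(perm))
    return sorted(findings)

# Constructed sample: Kerberos correctly limited to the VPC, one mistaken rule exposing
# ports 88-389 to the internet, and an RDP rule that is not an AD port (ignored here).
SAMPLE_DC_SG = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

for port, src in audit_dc_security_group(SAMPLE_DC_SG):
    print(f"AD port {port} reachable from untrusted source {src}")
```

Feed it the live IpPermissions from boto3 and the real VPC/VPN CIDRs to audit the actual domain-controller group; the Azure AD Connect host in the public subnet should pass the same check, since pass-through authentication agents only make outbound connections to Azure.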

Architecture Diagram

[Architecture diagram image not available in this copy]


Author: Debajit Chandra

Solution Architect

Sify Technologies Limited
