AWS Security & Identity Services

AWS Directory Service

Updated June 23, 2025

AWS Directory Service Options

Choosing the right directory type is the most critical decision when using this service.

1. AWS Managed Microsoft AD

This option provides a fully managed, single-tenant directory running on actual Microsoft Active Directory on Windows Server, hosted in the AWS Cloud.

  • When to Use It:

    • You need full, real Active Directory features like Group Policy Objects (GPOs), Kerberos, schema extensions, and multi-factor authentication (MFA).

    • You want to establish a forest trust relationship between your cloud directory and your on-premises Active Directory.

    • You have more than 5,000 users or require the enterprise-grade features of a true Microsoft AD.

  • Key takeaway: It is Active Directory, managed by AWS.

2. AD Connector

AD Connector is a directory gateway or proxy. It does not store any directory information in the cloud. Instead, it redirects authentication requests from AWS services to your existing on-premises Active Directory domain controllers.

  • When to Use It:

    • You want to use your existing on-premises identities to access AWS services without creating a new directory or synchronizing passwords to the cloud.

    • You want a simple way to extend your current AD identity management into AWS.

  • Requirement: AD Connector requires a persistent network connection to your on-premises environment via AWS Direct Connect or a VPN connection.

  • Key takeaway: It's a proxy, not a directory. Identities stay on-premises.

3. Simple AD

This is a standalone, managed directory powered by Samba 4. It is compatible with Microsoft Active Directory at a basic level but does not offer the full feature set.

  • When to Use It:

    • You need basic Active Directory features (user accounts, group management) for a Windows environment.

    • You need a simple LDAP-compatible directory for Linux applications.

    • Your needs are simple, you have fewer than 5,000 users, and you do not need advanced features like GPOs or trust relationships.

  • Key takeaway: A basic, low-cost AD-compatible directory for simple use cases.

4. Amazon Cloud Directory

This is a highly scalable, cloud-native directory store for developers. It is not Active Directory-compatible and is used for different purposes.

  • When to Use It:

    • You are building an application that needs to store and manage hierarchical data for millions of objects.

    • Common examples include organizational charts, device registries, social networks, and course catalogs.

  • Key takeaway: A directory-as-a-backend for your applications, not for your IT infrastructure.


Quick Comparison: The Main Three

| Feature             | AWS Managed Microsoft AD       | AD Connector                      | Simple AD                      |
| :------------------ | :----------------------------- | :-------------------------------- | :----------------------------- |
| Directory Type      | Fully Managed Microsoft AD     | Directory Proxy / Gateway         | Samba 4 AD-Compatible          |
| Identity Location   | In the AWS Cloud               | On-Premises                       | In the AWS Cloud               |
| Trust Relationship? | Yes (Forest Trusts)            | No                                | No                             |
| Group Policy (GPO)? | Yes                            | N/A (Uses On-Premises GPOs)       | No                             |
| Requires VPN/DX?    | Only for a trust relationship  | Yes                               | No                             |
| Best For            | Full AD features in the cloud  | Extending your on-premises AD     | Basic LDAP & simple AD needs   |
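The selection guidance in the four option descriptions and the comparison table can be captured as a small decision helper. The example below is added here and is not code from AWS or from the original page; the `DirectoryRequirements` fields and the `recommend_directory` function are hypothetical names chosen for this illustration. It encodes the page's rules (identities staying on-premises point to AD Connector, which needs Direct Connect or VPN; trusts, GPOs, MFA, schema extensions or more than 5,000 users point to Managed Microsoft AD; hierarchical application data points to Cloud Directory; everything else to Simple AD) and reports connectivity prerequisites as blockers rather than silently picking a type that cannot work.

```python
from dataclasses import dataclass, field

# Constructed requirements record for this example; the field names are
# illustrative and do not correspond to any AWS API.
@dataclass
class DirectoryRequirements:
    users: int = 0
    identities_must_stay_on_premises: bool = False
    has_direct_connect_or_vpn: bool = False
    needs_forest_trust: bool = False
    needs_gpo: bool = False
    needs_mfa: bool = False
    needs_schema_extensions: bool = False
    application_hierarchical_data: bool = False


@dataclass
class Recommendation:
    directory_type: str
    reasons: list = field(default_factory=list)
    blockers: list = field(default_factory=list)


def recommend_directory(req: DirectoryRequirements) -> Recommendation:
    """Apply the option guidance and the comparison table to one set of requirements."""
    # Amazon Cloud Directory is a backend for application data, not an AD substitute.
    if req.application_hierarchical_data:
        return Recommendation(
            "Amazon Cloud Directory",
            ["hierarchical application data (org charts, device registries), not IT infrastructure"],
        )

    # AD Connector proxies authentication to existing on-premises domain controllers
    # and stores nothing in AWS, so it is the answer when identities must stay put.
    if req.identities_must_stay_on_premises:
        rec = Recommendation(
            "AD Connector",
            ["identities remain on-premises; no new directory and no password sync"],
        )
        if not req.has_direct_connect_or_vpn:
            # The table lists VPN/DX as a hard requirement for AD Connector.
            rec.blockers.append("AD Connector requires a persistent Direct Connect or VPN link")
        return rec

    # Features that only the real Microsoft AD offering provides.
    enterprise_reasons = []
    if req.needs_forest_trust:
        enterprise_reasons.append("forest trust with on-premises AD")
    if req.needs_gpo:
        enterprise_reasons.append("Group Policy Objects")
    if req.needs_mfa:
        enterprise_reasons.append("multi-factor authentication")
    if req.needs_schema_extensions:
        enterprise_reasons.append("schema extensions")
    if req.users > 5000:
        enterprise_reasons.append(f"{req.users} users exceeds the 5,000-user guideline")

    if enterprise_reasons:
        rec = Recommendation("AWS Managed Microsoft AD", enterprise_reasons)
        if req.needs_forest_trust and not req.has_direct_connect_or_vpn:
            # Managed AD itself needs no VPN/DX, but a trust to on-premises does.
            rec.blockers.append("a trust relationship to on-premises AD needs Direct Connect or VPN")
        return rec

    # Nothing above applied: basic AD/LDAP needs under the 5,000-user mark.
    return Recommendation(
        "Simple AD",
        ["basic user/group management or LDAP, fewer than 5,000 users, no GPOs or trusts"],
    )


if __name__ == "__main__":
    sample = DirectoryRequirements(users=200, identities_must_stay_on_premises=True)
    result = recommend_directory(sample)
    print(result.directory_type, result.reasons, result.blockers)
```

The `blockers` list is the part worth keeping in a real review: a requirement set that asks for on-premises identities without a Direct Connect or VPN link, or for a forest trust without one, is not a valid design for any of the three AD-compatible options, and the helper says so instead of returning a type that would fail at deployment.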


Pricing

  • Pricing is generally charged on an hourly basis.

  • The cost varies with the directory type (e.g., Simple AD is cheaper than AWS Managed Microsoft AD) and the size you select.