Granting AWS Console Access to OnPrem Active Directory Users through AWS Single Sign-On

By August 22, 2019 May 18th, 2020 AWS, Cloud, Cloud Assessment

Written by Priyanka Sharma, DevOps Architect at Powerupcloud Technologies.

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. This blog demonstrates how you can avoid the creation of an additional IAM user to grant AWS console access to a corporate user. This can be achieved through the use of AWS Single Sign-On service.

Few are the following benefits that you can achieve if you are following this article:

  • A centralized place to grant access to multiple accounts.
  • Reduced cost of maintenance of operating your own SSO infrastructure.
  • Ease of access for users who can access their assigned accounts through their corporate credentials.


  • Active Directory Configured on OnPrem.
  • One AWS Master Account with multiple organizations.
  • VPN Tunnel established between the OnPrem network and AWS. Configure the route tables accordingly. Ensure you are provisioning the RODC server in the same subnet which has the connectivity to the AD sitting OnPrem.
  • Ensure the following ports are allowed on AD: TCP 53/UDP 53/TCP 389/UDP 389/TCP 88/UDP 88

Problem Statement:

The OnPrem Active Directory contains huge data of Corporate Users. We had to provide AWS Console access to certain existing users/groups of AD.


One common and traditional way to provide console access is to create IAM users for each corporate user and share the access details with them. It requires human efforts to create multiple IAM users as well as the user has to remember his AWS credentials every time he logs into the console. Another solution is to go for AWS Single Sign-On service where the user can use his/her AD credentials to log into the AWS Console. If we are routing all the requests to go to the OnPrem AD, it might increase the load on the AD server. As a solution, we have created an RODC Domain Controller of the OnPrem AD on AWS Cloud.

Here’s the workflow:

  • AWS Organisations are created for multiple AWS accounts, for example, Prod/UAT/DR through a master account.
  • The Active Directory exists on OnPrem which already have a huge data of the corporate users. We are assuming two AD groups here: Admins group which requires Administrator privileges and ReadOnly group which requires only Read-Only privileges.
  • Create a ReadOnly Domain Controller (RODC) of the OnPrem Active Directory on AWS.
  • Create an AD Connector in the Master account using AWS Directory Service which connects to RODC on AWS but it also requires connectivity to the OnPrem AD since the Domain resolves to the primary DNS IP.
  • Configure SSO using AD Connector directory which fetches the AD Users/Groups from RODC. Assign the users/groups to the respective AWS Organisation and grant the required permissions to the users.
  • SSO creates a permission set in the master account and respective IAM roles with given privileges will be created in the target organization console.

Creating Read-Only Domain Controller of the OnPrem Active Directory on AWS

Get the following values of the existing Active Directory:

  • DNS Server IP
  • Directory Domain name
  • Domain Admin Credentials i.e. Username/Password

Launch a windows server i.e. Microsoft Windows Server 2019 Base on AWS. Login to the server once it’s available. Go to Server Manager and add adds roles n features of ADDS.

Now go to the Network sharing.

Ethernet→ Properties→ IPv4→ Update DNS Server IP → Provide DNS IP of the OnPrem AD.

Go to Server Manager → Workgroup → Under the “Computer Name” tab → Click on Change.

Provide the AD Domain Name. Input the AD user credentials.

Now for setting up RODC, go to Server Manager → You will get an option to “promote this server to a domain” on the right top corner. Change the current user to an AD Domain Admin user.

Select RODC and give a random DCRM password on the next screen.

Click Next and let the default settings unchanged. Review the settings once on the last screen.

Click Next and Install. At this point, the RODC is configured on the AWS server. Now you can log in to the RODC server by using Remote Desktop Protocol (RDP) connection through any one of the AD users.

Creating AD Connector in the Master account

Create an AD Connector through AWS Directory Service in the Master account where AWS Organizations are created.

Select the Directory size on the next screen.

Select VPC and subnets on the next page. Ensure these subnets are configured properly to have connectivity to the RODC DNS IP.

Provide the AD details such as DNS IP of the RODC (private IP of the RODC Server), AD Domain Name and any Service Account Credentials on the next page.

Wait till the directory is available.

Configuring AWS Single Sign ON for the AD Connector

Configure SSO for the AD Connector in the same region as of AD Connector. Switch to AWS SSO Console.

Click on “Manage your directory”. Select Microsoft AD and select the AD connector which we have created in the previous step.

Select the account for which you want to give access to the AD users.

Click Assign users and select the Groups/Users to whom you want to give access to the selected account.

Create a new permission set. For the admin’s group, we have created permission set with AdministratorAccess and For ReadOnly Group, we have created a permission set with ViewOnlyAccess. We can also create Custom permission set according to the requirement. Select the Administrator access for the Admins Groups.

Similarly, give ViewOnlyAccess to the ReadOnly Group in AD.

On the SSO Dashboard, note down the User Portal URL which is used for log in to the console.

Hit the URL in the browser. The URL will redirect you to provide the AD Credentials:

Once you log in, it gives the list of accounts for which the logged-in user has access. The below screenshot shows the logged-in user is User2. User2 is a member of the Read-Only group so it has ViewOnlyAccess to the assigned account.

Join the discussion One Comment

  • singaravelan says:

    Its good articles, but the thing is not integrated MFA(or) 2FA in this login method.
    As a viewer, if you are adding the 2FA Setup in this articals- it could be helpful for many IT workers.

Leave a Reply