Examples of Sharing AWS Managed AD with Multiple Accounts


Once you create a Managed AD in an AWS account, you can share this AD with other accounts.

This is a common use-case when you have AWS Managed Active Directory in a shared services account that needs to be shared with other workload accounts.

The following are a few points to keep in mind:

  • Sharing to another account can happen only within the same region where the Managed AD resides
  • The shared directory will be visible to all the VPCs in the workload accounts
  • The shared directory in the workload account gets a directory id that is different from the original directory id in the shared services account
  • If the Managed AD directory is in an account where AWS Organizations is enabled, then you also have the option of sharing it with all the accounts within the organization or with a specific account


This tutorial covers the following examples:

  1. Share Managed AD – AWS CLI
  2. View Current Managed AD Shares – AWS CLI
  3. Accept Directory Sharing – AWS CLI
  4. Unshare Directory – AWS CLI
  5. Reject Sharing – AWS CLI
  6. Share Managed AD – AWS Console
  7. Accept or Reject Directory Sharing – AWS Console
  8. Unshare Directory – AWS Console

1. Share Managed AD – AWS CLI

First, set the source directory id, and the destination AWS workload account number.

DIRECTORY_ID=d-123abc4567
WORKLOAD_ACCOUNT=222222222222

Execute the following command to share the directory to the workload account. Execute this command using the shared services account credentials.

aws ds share-directory --directory-id ${DIRECTORY_ID} \
  --share-notes "AD Directory for workload accounts" \
  --share-target "Id=${WORKLOAD_ACCOUNT},Type=ACCOUNT" \
  --share-method HANDSHAKE

In the above example:

  • DIRECTORY_ID – This is the Managed AD directory id that is in the shared services account
  • WORKLOAD_ACCOUNT – This is the AWS account number of the workload account to which you are sharing the Managed AD
  • share-method – Since we are specifically sharing with another account, use HANDSHAKE as the method

The following is the output of the above command, which displays the shared directory id.

{
    "SharedDirectoryId": "d-444efg5555"
}

2. View Current Managed AD Shares – AWS CLI

Once you’ve shared a directory, you can view the current status of the sharing and get a list of all the existing shares, as shown below.

DIRECTORY_ID=d-123abc4567

aws ds describe-shared-directories \
  --owner-directory-id ${DIRECTORY_ID}

The following is an example output:

{
  "SharedDirectories": [
    {
      "OwnerDirectoryId": "d-123abc4567",
      "ShareNotes": "AD Directory for workload accounts",
      "ShareMethod": "HANDSHAKE",
      "CreatedDateTime": 1558566663.171,
      "SharedAccountId": "222222222222",
      "SharedDirectoryId": "d-444efg5555",
      "ShareStatus": "PendingAcceptance",
      "OwnerAccountId": "111111111111",
      "LastUpdatedDateTime": 1558566663.171
    }
  ]
}

Note: In the above output, the ShareStatus is PendingAcceptance. This will change to “Shared” once the workload account accepts the share request.
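As an added example (not part of the original post), the following Python script reads the JSON printed by aws ds describe-shared-directories --owner-directory-id ${DIRECTORY_ID} and reports which shares still await acceptance and which ones point at a workload account that is not on your allow-list (candidates for aws ds unshare-directory). The input here is a constructed sample built from the output above plus one hypothetical second share; the allow-list and the account number 333333333333 are assumptions.

```python
import json

# Constructed sample modelled on the describe-shared-directories output above:
# the page's share plus a hypothetical second share to an unapproved account
# (fields the audit does not use are omitted).
SAMPLE_OUTPUT = json.dumps({
    "SharedDirectories": [
        {
            "OwnerDirectoryId": "d-123abc4567",
            "ShareMethod": "HANDSHAKE",
            "SharedAccountId": "222222222222",
            "SharedDirectoryId": "d-444efg5555",
            "ShareStatus": "PendingAcceptance",
            "OwnerAccountId": "111111111111",
        },
        {
            "OwnerDirectoryId": "d-123abc4567",
            "ShareMethod": "HANDSHAKE",
            "SharedAccountId": "333333333333",   # hypothetical, not approved
            "SharedDirectoryId": "d-555hij6666",  # hypothetical id
            "ShareStatus": "Shared",
            "OwnerAccountId": "111111111111",
        },
    ]
})

# Hypothetical allow-list: the only workload accounts that may hold a share.
APPROVED_ACCOUNTS = {"222222222222"}


def audit_shares(cli_json, approved):
    """Classify each share; returns lists of SharedDirectoryId values:
    unexpected - target account not on the allow-list (revoke it),
    pending    - ShareStatus still PendingAcceptance,
    active     - accepted ("Shared") share to an approved account."""
    report = {"unexpected": [], "pending": [], "active": []}
    for share in json.loads(cli_json).get("SharedDirectories", []):
        shared_id = share["SharedDirectoryId"]
        if share["SharedAccountId"] not in approved:
            report["unexpected"].append(shared_id)
        elif share["ShareStatus"] == "PendingAcceptance":
            report["pending"].append(shared_id)
        elif share["ShareStatus"] == "Shared":
            report["active"].append(shared_id)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_shares(SAMPLE_OUTPUT, APPROVED_ACCOUNTS), indent=2))
```

To run it against a real directory, replace SAMPLE_OUTPUT with the text returned by the describe-shared-directories command and put your own workload account ids in APPROVED_ACCOUNTS.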

3. Accept Directory Sharing – AWS CLI

Use the workload account credentials to accept the directory sharing as shown below.

aws ds accept-shared-directory \
  --shared-directory-id d-444efg5555

In the above example, d-444efg5555 is the shared directory id (not the directory id of the Managed AD in the shared services account).

A few ways to get the shared directory id:

  • It is returned in the output of aws ds share-directory
  • Log in to the workload account and get the directory id from the console
  • Run aws ds describe-shared-directories in the workload account to get this id

4. Unshare Directory – AWS CLI

First, set the source directory id, and the destination AWS workload account number.

DIRECTORY_ID=d-123abc4567
WORKLOAD_ACCOUNT=222222222222

Execute the following command to unshare the directory from the workload account. Execute this command using the shared services account credentials.

aws ds unshare-directory --directory-id ${DIRECTORY_ID} \
  --unshare-target "Id=${WORKLOAD_ACCOUNT},Type=ACCOUNT"

5. Reject Sharing – AWS CLI

Use the workload account credentials to reject the directory sharing as shown below.

aws ds reject-shared-directory \
  --shared-directory-id d-444efg5555

In the above example, d-444efg5555 is the shared directory id (not the directory id of the Managed AD in the shared services account).

6. Share Managed AD – AWS Console

Log in to your shared services account where the Managed AD resides.

Go to Directory Service -> Directories -> click on the directory id d-123abc4567. Below “Directory details”, click on the “Scale & Share” tab.

[AWS Managed AD - Create Shared Directory]

From the action menu, click on “Create new shared directory”:

[AWS Managed AD Share Directory]
  • In the “Choose which AWS accounts to share with” section, select “Share this directory with other AWS accounts”
  • Enter the workload account number and click on Add
  • In the “Send a note” section, type a message that will be seen by the workload account. This is an optional field.
  • Click on “Share”

7. Accept or Reject Directory Sharing – AWS Console

Log in to the workload account AWS console.

Go to Directory Service -> Directories shared with me.

On the top, you’ll see this message:
You have a pending invitation to use a shared directory hosted by another AWS account. An administrator in another AWS account has invited you to access their AWS Managed Microsoft AD directory.

Select this directory, click on Review, then click on “Accept” (or “Reject”).

[Managed AD Sharing Accept or Reject]

8. Unshare Directory – AWS Console

Log in to your shared services account where the Managed AD resides.

Go to Directory Service -> Directories -> click on the directory id d-123abc4567. Below “Directory details”, click on the “Scale & Share” tab.

From the action menu, click on “Unshare directory”, then click on “Unshare”.

[Managed AD Unshare Directory]