Get Hands-on with Amazon EKS - Workshop Event Series

Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!

How can I grant access to the AWS Management Console for on-premises Active Directory users?

2 minute read

I want to grant access to the AWS Management Console using my Active Directory domain credentials.

Short description

Manage Amazon Web Services (AWS) resources with AWS Identity and Access Management (IAM) role-based access to the AWS Management Console. Use either AD Connector or AWS Directory Service for Microsoft Active Directory. The IAM role defines the services, resources, and level of access that your Active Directory users have.

Resolution

Choose either AD Connector or AWS Managed Microsoft AD

Create a VPN connection and configure an AD Connector between your on-premises domain with the following minimum port requirements:
TCP/UDP 53 for DNS
TCP/UDP 88 for Kerberos authentication
TCP/UDP 389 for LDAP authentication
For more information, see AD Connector prerequisites.

- or -

Use an existing trust relationship between your on-premises domain and AWS Managed Microsoft AD with the following minimum port requirements:
TCP/UDP 53 for DNS
TCP/UDP 88 for Kerberos authentication
TCP/UDP 389 for LDAP authentication
TCP 445 for SMB
For more information, see Create a trust relationship between your AWS Managed Microsoft AD and your self-managed Active Directory domain.

Set up authentication

Create an access URL for the directory.
Activate AWS Management Console access for your AD Connector or AWS Managed Microsoft AD.
Create an IAM role that grants access to the AWS Management Console for services that you want your Active Directory users to have access to.
Note: Be sure that the IAM role has a trust relationship with AWS Directory Service.
Assign Active Directory users or groups to the IAM role.
Verify that users can access the AWS Management Console. Open the directory access URL in a private browsing session and sign in with a user account that's assigned to the IAM role. Then, check the AWS service consoles to confirm that you're permitted or denied access to services as specified by the IAM role.

Related information

Creating a role to delegate permissions to an IAM user

Topics: Security, Identity, & Compliance
Tags: AWS Directory Service
Language: English

AWS OFFICIALUpdated 3 years ago

No comments

Relevant content

Listing users/groups with delegated console access from AD Connector
Accepted Answer
joe
asked 9 months ago
Does granting a user AWSSupportAccess implicitly grant that user an ability to make changes to the AWS account via and AWS support agent?
rePost-User-0001457
asked 4 years ago
How to grant a user permission to push to a specific git branch in the management console?
rePost-User-4240421
asked 2 years ago
AWS SSO + Azure AD, no way to access AWS Console?
Accepted Answer
AWS-User-1435086
asked 4 years ago
How to grant Cloud9 access to IAM user without console login enabled
Zhang, Zen
asked 2 years ago
How do I grant my Active Directory users access to the API or AWS CLI with AD FS?
AWS OFFICIALUpdated a year ago
How do I grant access to Cost Explorer for an IAM user with a member account of an AWS Organizations?
AWS OFFICIALUpdated 2 months ago
How do I use group policy in AWS Managed Microsoft AD or Simple AD to allow domain users RDP access to an EC2 Windows instance?
AWS OFFICIALUpdated 2 years ago
How do I grant an IAM user access to submit support cases?
AWS OFFICIALUpdated 5 months ago
Unable to access the S3 bucket after the IAM user was recreated
EXPERT
Tyler
published 2 years ago