Posted On: Mar 2, 2020

Amazon Directory Service for Microsoft Active Directory (Amazon Managed Microsoft AD) and AD Connector now communicate more securely with self-managed Active Directory over the Lightweight Directory Access Protocol (LDAP). In this exchange the Amazon-managed directory is the LDAP client and your domain controllers are the servers, so the new support for client-side LDAP signing and client-side secure LDAP (LDAPS) hardens the connection from Amazon Managed Microsoft AD or AD Connector to your self-managed domain controllers. Customers using Amazon Directory Service-enabled applications such as Amazon WorkSpaces can now better protect their organization's identity data and meet security requirements.

Client-side LDAP signing provides built-in integrity protection for LDAP traffic: the data received at the destination is exactly what was sent at the origin, so an attacker on the network path cannot alter queries or responses without detection. Signing does not encrypt the traffic, so the contents of requests and responses remain readable on the wire. With LDAP signing support, Amazon Directory Service customers meet the LDAP signing recommendation described in Microsoft Security Advisory ADV190023 with no additional client-side configuration. This matters in practice because domain controllers configured to require LDAP signing, as that advisory recommends, reject unsigned LDAP binds.

Client-side LDAPS provides additional protection for customers who already run certificate infrastructure. LDAPS provides both integrity and confidentiality: the LDAP session is carried over TLS, so the data is readable only by the intended recipient. To enable client-side LDAPS, administrators import a certificate authority (CA) certificate into Amazon Managed Microsoft AD or AD Connector using the Amazon Directory Service Console or the Amazon Directory Service API. The certificate to import is that of the CA that issued the server certificates on the self-managed domain controllers, not a domain controller's own certificate; the Amazon-managed directory uses it to validate the domain controllers' certificates when the TLS session is established.
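
The procedure above can also be run from the AWS CLI. The script below is an added example written for this page, not code from the announcement or from Amazon; it assumes a hypothetical directory id d-1234567890 and a CA certificate file ca.pem, and it requires the AWS CLI with Directory Service permissions and openssl. Before calling the API it checks that the file really is an unexpired CA certificate, since registering a domain controller's end-entity certificate instead of its issuing CA is the usual reason client-side LDAPS fails to come up.

```shell
#!/usr/bin/env bash
# Added example (not from the announcement): enable client-side LDAPS on an
# Amazon Managed Microsoft AD or AD Connector directory with the AWS CLI,
# after sanity-checking the CA certificate that will be registered.
# Assumed/hypothetical values: directory id d-1234567890 and CA file ca.pem.
# Requires the AWS CLI (ds permissions) and openssl.
set -eu

# Directory Service ids look like d- followed by ten lowercase hex characters.
valid_directory_id() {
  printf '%s' "$1" | grep -Eq '^d-[0-9a-f]{10}$'
}

# The file must parse as a certificate, be unexpired, and carry the
# basicConstraints CA:TRUE flag. It should be the CA that issued the domain
# controllers' server certificates, not a DC certificate itself.
check_ca_cert() {
  local pem="$1" text
  text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || return 1
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 1
  printf '%s\n' "$text" | grep -q 'CA:TRUE'
}

enable_client_ldaps() {
  local dir_id="$1" pem="$2" cert_id state
  valid_directory_id "$dir_id" || { echo "invalid directory id: $dir_id" >&2; return 2; }
  check_ca_cert "$pem" || { echo "$pem is not an unexpired CA certificate" >&2; return 3; }

  # 1. Register the CA certificate with the directory.
  cert_id=$(aws ds register-certificate --directory-id "$dir_id" \
            --certificate-data "file://$pem" \
            --query CertificateId --output text)

  # 2. Registration is asynchronous; wait for the Registered state.
  while :; do
    state=$(aws ds describe-certificate --directory-id "$dir_id" \
              --certificate-id "$cert_id" \
              --query Certificate.State --output text)
    case "$state" in
      Registered) break ;;
      RegisterFailed) echo "certificate registration failed" >&2; return 4 ;;
      *) sleep 10 ;;
    esac
  done

  # 3. Turn on client-side LDAPS (the directory's outbound LDAP to self-managed AD).
  aws ds enable-ldaps --directory-id "$dir_id" --type Client

  # 4. Report the resulting status (Enabling, Enabled, EnableFailed, ...).
  aws ds describe-ldaps-settings --directory-id "$dir_id" --type Client \
      --query 'LDAPSSettingsInfo[].LDAPSStatus' --output text
}

# Usage: ./enable-client-ldaps.sh d-1234567890 ca.pem
if [ "$#" -ge 2 ]; then
  enable_client_ldaps "$1" "$2"
fi
```

The status reported in the last step starts as Enabling; rerun the describe-ldaps-settings call until it reads Enabled. If it reaches EnableFailed, the most common causes are a registered CA that did not issue the domain controllers' certificates, or domain controllers that do not yet have a server certificate for LDAPS.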

Client-side LDAP signing and client-side LDAPS support are available today in the Amazon Web Services China (Beijing) region, operated by Sinnet, and the Amazon Web Services China (Ningxia) region, operated by NWCD. To learn more, see how to enable client-side LDAPS in Amazon Managed Microsoft AD or AD Connector.