Posted On: Mar 2, 2020

AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) and AD Connector now communicate more securely with self-managed Active Directory when using the Lightweight Directory Access Protocol (LDAP). With support for client-side LDAP signing and client-side secure LDAP (LDAPS), customers using AWS Directory Service-enabled applications like Amazon WorkSpaces can now better protect their organization’s identity data and meet security requirements. 

Client-side LDAP signing provides built-in LDAP security that protects data integrity — data received at the destination is exactly what was sent at the origin. With LDAP signing support, AWS Directory Service customers meet the current recommendations described in Microsoft Security Advisory ADV190023 with no additional client-side configuration. 

Client-side LDAPS provides additional LDAP security for customers using certificate infrastructure. LDAPS provides data integrity and confidentiality — data is only readable by the intended recipient. To enable client-side LDAPS, administrators import a certificate authority (CA) certificate into AWS Managed Microsoft AD or AD Connector using the AWS Directory Service Console or AWS Directory Service API. 
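The following shell script is an added example, not AWS's own code or anything from this announcement. It shows the import step of the paragraph above done from the command line: a small pre-flight check that the file an administrator is about to import holds exactly one PEM certificate and no private key material (a chain bundle or a key pasted by mistake is the usual operational slip), an optional openssl inspection of the certificate's validity dates and CA flag, and then the `aws ds register-certificate` and `aws ds enable-ldaps` calls. The `aws ds` sub-command names and parameters, the placeholder directory ID, and the assumption that one CA certificate is passed per register call are mine, not stated on the page.

```shell
#!/bin/sh
# Added example (not AWS's own code): pre-flight check on a CA certificate
# file, then the AWS CLI calls that register it with a directory and enable
# client-side LDAPS. Assumptions not stated on the page: the installed AWS CLI
# provides "aws ds register-certificate", "aws ds enable-ldaps" and
# "aws ds describe-ldaps-settings", and one PEM certificate is registered per call.

# validate_ca_pem FILE
# Structural check: FILE must be readable, contain exactly one PEM certificate
# block, and carry no private key. Returns 0 when the file passes, 1 otherwise.
validate_ca_pem() {
    file=$1
    [ -r "$file" ] || return 1
    begins=$(grep -c 'BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c 'END CERTIFICATE-----' "$file" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || return 1
    # A private key must never be handed to the directory service.
    if grep -q 'PRIVATE KEY-----' "$file"; then
        return 1
    fi
    return 0
}

# inspect_ca_pem FILE
# Optional deeper check with openssl (skipped if openssl is not installed):
# prints subject, validity window and basicConstraints so the operator can
# confirm this really is the CA certificate (CA:TRUE) and is not expired.
inspect_ca_pem() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping certificate inspection" >&2
        return 0
    fi
    openssl x509 -in "$1" -noout -subject -dates -ext basicConstraints
}

# register_client_ldaps_ca DIRECTORY_ID FILE
# Registers the CA certificate with the AWS Managed Microsoft AD or
# AD Connector directory, enables client-side LDAPS, then shows the status.
# Nothing here runs when the file is sourced; call it explicitly.
register_client_ldaps_ca() {
    dir_id=$1
    file=$2
    if ! validate_ca_pem "$file"; then
        echo "refusing to register $file: expected exactly one PEM certificate and no key" >&2
        return 1
    fi
    inspect_ca_pem "$file"
    # file:// makes the CLI send the file contents as the certificate string.
    aws ds register-certificate --directory-id "$dir_id" --certificate-data "file://$file"
    aws ds enable-ldaps --directory-id "$dir_id" --type Client
    aws ds describe-ldaps-settings --directory-id "$dir_id" --type Client
}

# Usage (placeholder directory ID, not a real one):
#   register_client_ldaps_ca d-1234567890 ca.pem
```

Registering the certificate only tells the directory which CA to trust; the second call is what switches the directory's outbound LDAP connections to the self-managed domain over to LDAPS, and `describe-ldaps-settings` is the place to confirm the status afterwards.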

Client-side LDAP signing and client-side LDAPS support are available today in the AWS China (Beijing) region, operated by Sinnet, and the AWS China (Ningxia) region, operated by NWCD. To learn more, see how to enable client-side LDAPS in AWS Managed Microsoft AD or AD Connector.