
AWS Transfer Family supports integration with AD Connector (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_app_compatibility.html). As far as I understand, connectors are deployed in VPN-linked subnets, which allows them to proxy calls to an on-premises Active Directory.

What exactly happens (what resources are created/updated under the hood) when I select AD connector as the authenticator for AWS Transfer? I'm specifically curious as to what changes are made in VPC to allow this integration.

Amir Keibi

1 Answer


In relation to AWS Directory Service, AWS Transfer does not seem to mutate your VPC. If you create an AD and then associate it with AWS Transfer, and take a look at your VPC, there are no new networking resources of any kind. Similar to other applications (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_manage_apps_services.html), AWS Directory Service authorizes AWS Transfer to access your AD (in this case, the connector) for Transfer logins.

  • Thanks! But how does it do that? Is that something tangible like IAM roles? – Amir Keibi Jun 10 '21 at 16:55
  • Hmm, I’m not sure. They don’t seem to explain that beyond saying they give the service access to your directory users. There are no roles involved, outside of permissions required to give a service (Transfer in this case) authorization to access AD when creating the server. Those permissions are noted here: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html Are you curious/confused or concerned about something? – Justin Schoeff Jun 13 '21 at 15:38
  • I'm curious, but also a bit concerned. Our security auditor might want an explanation about how this access is granted. – Amir Keibi Jun 15 '21 at 17:55
  • I see. Each step requires IAM permissions to configure. An IAM role would need ds:ConnectDirectory, ds:AuthorizeApplication and transfer:CreateDirectory at minimum, plus AD details. The connect call is what sets up an ENI in your VPC and seems to be how AWS AD calls your on-prem AD. Beyond that, I think you are wondering how the AWS services communicate in that AD integration. You can always create a support case and they might be able to give more information if it becomes a serious concern. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_details_ad_connector.html – Justin Schoeff Jun 18 '21 at 13:47
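For the auditor question raised in the answer and its comments, the two things that can actually be shown are (a) which IAM actions the role that wires this up needs, and (b) which VPC resources the directory itself (not Transfer) placed in the account. The script below is an added example and not code from the thread or from AWS. It works on the JSON returned by two real CLI calls, `aws transfer describe-server --server-id ...` and `aws ds describe-directories --directory-ids ...`, but embeds constructed sample documents so it runs offline; the IDs, VPC, subnets and IPs in them are made up. It assumes `transfer:CreateServer` as the IAM action for creating the server (that is the published action name; the comment above calls it `transfer:CreateDirectory`), and adds `ds:DescribeDirectories` to the required set as my own assumption, since the role must be able to look the directory up. Field names follow the public `DescribeServer` and `DescribeDirectories` response shapes.

```python
"""Audit helper: tie an AD-backed AWS Transfer server to its directory's VPC
footprint, and check a configuring role's policy for the required actions.
Added example; sample documents are constructed, not captured from an account."""
import fnmatch
import json

# Constructed sample of `aws transfer describe-server` for an AD-backed server.
SAMPLE_SERVER = {
    "Server": {
        "ServerId": "s-0123456789abcdef0",
        "IdentityProviderType": "AWS_DIRECTORY_SERVICE",
        "IdentityProviderDetails": {"DirectoryId": "d-9067012345"},
        "EndpointType": "VPC",
        "Protocols": ["SFTP"],
    }
}

# Constructed sample of `aws ds describe-directories` for an AD Connector.
SAMPLE_DIRECTORY = {
    "DirectoryDescriptions": [{
        "DirectoryId": "d-9067012345",
        "Name": "corp.example.com",
        "Type": "ADConnector",
        "Stage": "Active",
        "ConnectSettings": {
            "VpcId": "vpc-0a1b2c3d4e5f60718",
            "SubnetIds": ["subnet-0a1b2c3d4e5f60002", "subnet-0a1b2c3d4e5f60001"],
            "CustomerUserName": "connector-svc",
            "SecurityGroupId": "sg-0a1b2c3d4e5f60999",
            "AvailabilityZones": ["us-east-1a", "us-east-1b"],
            "ConnectIps": ["10.0.2.41", "10.0.1.25"],
        },
    }]
}

# Actions the role that configures the integration must hold. ds:ConnectDirectory
# and ds:AuthorizeApplication come from the thread; ds:DescribeDirectories is an
# assumption added here; transfer:CreateServer is the published Transfer action.
REQUIRED_ACTIONS = (
    "ds:ConnectDirectory",
    "ds:AuthorizeApplication",
    "ds:DescribeDirectories",
    "transfer:CreateServer",
)

# Constructed admin policy that is deliberately one action short.
SAMPLE_ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ds:ConnectDirectory", "ds:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "transfer:CreateServer", "Resource": "*"},
]}


def allowed_actions(policy: dict) -> set:
    """Collect every action pattern from Allow statements (Action may be str or list)."""
    allowed = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed.update([actions] if isinstance(actions, str) else actions)
    return allowed


def missing_actions(policy: dict, required=REQUIRED_ACTIONS) -> list:
    """Required actions that no Allow pattern matches; IAM-style '*' wildcards honoured."""
    allowed = allowed_actions(policy)
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a, pattern) for pattern in allowed)]


def transfer_directory_footprint(server_doc: dict, directories_doc: dict) -> dict:
    """Return the directory a Transfer server trusts and the VPC resources that
    directory owns (ENI addresses, subnets, security group); Transfer adds none."""
    server = server_doc["Server"]
    if server.get("IdentityProviderType") != "AWS_DIRECTORY_SERVICE":
        raise ValueError("server does not authenticate via AWS Directory Service")
    directory_id = server["IdentityProviderDetails"]["DirectoryId"]
    directory = next(d for d in directories_doc["DirectoryDescriptions"]
                     if d["DirectoryId"] == directory_id)
    # AD Connector reports its VPC placement under ConnectSettings; Managed AD under VpcSettings.
    vpc = directory.get("ConnectSettings") or directory.get("VpcSettings", {})
    return {
        "server_id": server["ServerId"],
        "directory_id": directory_id,
        "directory_type": directory["Type"],
        "vpc_id": vpc.get("VpcId"),
        "subnet_ids": sorted(vpc.get("SubnetIds", [])),
        "security_group_id": vpc.get("SecurityGroupId"),
        "connector_ips": sorted(vpc.get("ConnectIps", [])),
    }


if __name__ == "__main__":
    print("missing actions:", missing_actions(SAMPLE_ADMIN_POLICY))
    print(json.dumps(transfer_directory_footprint(SAMPLE_SERVER, SAMPLE_DIRECTORY), indent=2))
```

Run against real output, the footprint is what to hand the auditor: the connector's ENIs (the `ConnectIps`), its subnets and its security group are the only VPC-side artefacts, and they belong to the directory, which is consistent with the answer's observation that associating the directory with Transfer creates nothing new in the VPC. The policy check is deliberately strict about `ds:AuthorizeApplication`, since that is the grant that lets Transfer read directory users.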