AD Connector - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AD Connector

AD Connector is a directory gateway that redirects directory requests to your on-premises Microsoft Active Directory without caching any directory information in the cloud. Because nothing is cached, every authentication and lookup is served by your on-premises domain controllers over the network connection to your VPC. AD Connector comes in two sizes, small and large. A small AD Connector is designed for smaller organizations and is intended to handle a low number of operations per second. A large AD Connector is designed for larger organizations and is intended to handle a moderate to high number of operations per second. You can spread application loads across multiple AD Connectors to scale to your performance needs. There are no enforced user or connection limits; the size determines throughput, not how many users the directory may contain.

AD Connector does not support Active Directory transitive trusts: an AD Connector and an on-premises Active Directory domain have a 1-to-1 relationship, and authentication requests are not followed across trusts to other domains. For each on-premises domain that you want to authenticate against, including each child domain in an Active Directory forest, you must create a separate AD Connector.

AD Connector cannot be shared with other Amazon accounts. If this is a requirement, consider using Amazon Managed Microsoft AD to Share your directory. AD Connector is also not multi-VPC aware, which means that Amazon applications like WorkSpaces must be provisioned into the same VPC as your AD Connector.

Once set up, AD Connector offers the following benefits:

  • Your end users and IT administrators can use their existing corporate credentials to log on to Amazon applications such as WorkSpaces, Amazon WorkDocs, or Amazon WorkMail.

  • You can manage Amazon resources like Amazon EC2 instances or Amazon S3 buckets through IAM role-based access to the Amazon Web Services Management Console.

  • You can consistently enforce existing security policies (such as password expiration, password history, and account lockouts) whether users or IT administrators are accessing resources in your on-premises infrastructure or in the Amazon Cloud.

  • You can use AD Connector to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure. AD Connector acts as a RADIUS client and forwards the second factor to your RADIUS servers, providing an additional layer of security when users access Amazon applications.

Continue reading the topics in this section to learn how to connect to a directory and make the most of AD Connector features.