Enable secure LDAP or LDAPS
Lightweight Directory Access Protocol (LDAP) is a standard communications protocol used to read and write data to and from Active Directory. Some applications use LDAP to add, remove, or search users and groups in Active Directory or to transport credentials for authenticating users in Active Directory. Every LDAP communication includes a client (such as an application) and a server (such as Active Directory).
By default, communications over LDAP are not encrypted. This makes it possible for a malicious user to use network monitoring software to view data packets over the wire. This is why many corporate security policies typically require that organizations encrypt all LDAP communication.
To mitigate this form of data exposure, Amazon Managed Microsoft AD provides an option: You can enable LDAP over Secure Sockets Layer (SSL)/Transport Layer Security (TLS), also known as LDAPS. With LDAPS, you can improve security across the wire. You can also meet compliance requirements by encrypting all communications between your LDAP-enabled applications and Amazon Managed Microsoft AD.
Amazon Managed Microsoft AD provides support for LDAPS in the following deployment scenarios:
Server-side LDAPS encrypts LDAP communications between your commercial or homegrown LDAP-aware applications (acting as LDAP clients) and Amazon Managed Microsoft AD (acting as an LDAP server). For more information, see Enable server-side LDAPS using Amazon Managed Microsoft AD.
Client-side LDAPS encrypts LDAP communications between Amazon applications such as WorkSpaces (acting as LDAP clients) and your self-managed (on-premises) Active Directory (acting as LDAP server). For more information, see Enable client-side LDAPS using Amazon Managed Microsoft AD.