Remove Amazon EC2 entries in the same AWS account from AWS Managed Microsoft AD by using AWS Lambda automation - AWS Prescriptive Guidance


Created by Dr. Rahul Sharad Gaikwad (AWS) and Tamilselvan P (AWS)

Code repository: terraform-aws-lambda-ad-cleanup

Environment: PoC or pilot

Technologies: DevOps; Infrastructure; Storage & backup; Management & governance

Workload: All other workloads; Microsoft

AWS services: AWS Managed Microsoft AD; AWS Lambda; Amazon EC2; AWS Identity and Access Management; AWS Directory Service; AWS Systems Manager; Amazon EventBridge; AWS Auto Scaling

Summary

Active Directory (AD) is a Microsoft directory service that manages domain information and user interactions with network services. It’s widely used by managed services providers (MSPs) to manage employee credentials and access permissions. Because attackers can use inactive AD accounts to try to gain access to an organization, it’s important to find inactive accounts and disable them on a routine maintenance schedule. With AWS Directory Service for Microsoft Active Directory, you can run Microsoft Active Directory as a managed service.

This pattern can help you to configure AWS Lambda automation to quickly find and remove inactive accounts. When you use this pattern, you can get the following benefits:

  • Improve database and server performance, and close the security vulnerabilities that inactive accounts create.

  • If your AD server is hosted in the cloud, removing inactive accounts can also reduce storage costs while improving performance. Your monthly bills might decrease because bandwidth charges and compute resources can both drop.

  • Keep potential attackers at bay with a clean Active Directory.

Prerequisites and limitations

Prerequisites 

  • An active AWS account.

  • Git installed and configured on a local workstation.

  • Terraform installed and configured on a local workstation.

  • A Windows computer with the Active Directory PowerShell module (ActiveDirectory) installed.

  • A directory in AWS Managed Microsoft AD and credentials stored in a parameter in AWS Systems Manager Parameter Store.

  • An AWS Identity and Access Management (IAM) role with permissions to the AWS services listed in Tools. For more information about IAM, see Related resources.

Limitations

  • This pattern doesn’t support cross-account setup.

  • Some AWS services aren’t available in all AWS Regions. For Region availability, see AWS services by Region. For specific endpoints, see Service endpoints and quotas, and choose the link for the service.

Product versions

Architecture

The following diagram shows the workflow and architecture components for this pattern.

Process to use Lambda automation to remove EC2 entries from Managed Microsoft AD.

The diagram shows the following workflow:

  1. Amazon EventBridge triggers the AWS Lambda function based on a cron expression. (For this pattern, the cron expression schedule is once per day.)

  2. The required IAM role and policy are created and attached to AWS Lambda through Terraform.

  3. The AWS Lambda function runs and calls Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups by using the Python boto module. The Lambda function picks a random instance ID from the group. That instance ID is used to run AWS Systems Manager commands.

  4. AWS Lambda makes another call to Amazon EC2 by using the boto module, gets the private IP addresses of the running Windows servers, and stores the addresses in a temporary variable.

  5. AWS Lambda makes another call to Systems Manager to get information about the computers that are connected to AWS Directory Service.

  6. An AWS Systems Manager document runs the PowerShell script on the Amazon EC2 Windows servers to get the private IP addresses of the computers that are joined to AD.

  7. The AD domain username and password are stored in AWS Systems Manager Parameter Store. AWS Lambda and Systems Manager call Parameter Store to get the username and password values that are used to connect to AD.

  8. Using the Systems Manager document, the PowerShell script is run on the Amazon EC2 Windows server that was selected by instance ID in step 3.

  9. Amazon EC2 connects to AWS Directory Service by using PowerShell commands and removes the computers that are not in use or inactive.

Tools

AWS services

  • AWS Directory Service provides multiple ways to use Microsoft Active Directory (AD) with other AWS services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS) for SQL Server, and Amazon FSx for Windows File Server.

  • AWS Directory Service for Microsoft Active Directory enables your directory-aware workloads and AWS resources to use Microsoft Active Directory in the AWS Cloud.

  • Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. You can launch as many virtual servers as you need and quickly scale them up or down.

  • Amazon EventBridge is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources, such as AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other AWS accounts.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them. With IAM, you can specify who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions across AWS.

  • AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.

  • AWS Systems Manager helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale.

  • AWS Systems Manager documents define the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 pre-configured documents that you can use by specifying parameters at runtime.

  • AWS Systems Manager Parameter Store is a capability of AWS Systems Manager and provides secure, hierarchical storage for configuration data management and secrets management.

Other tools

  • HashiCorp Terraform is an open source infrastructure as code (IaC) tool that helps you use code to provision and manage cloud infrastructure and resources.

  • PowerShell is a Microsoft automation and configuration management program that runs on Windows, Linux, and macOS.

  • Python is a general-purpose computer programming language.

Code repository

The code for this pattern is available in the GitHub Custom AD Cleanup Automation solution repository.

Best practices

  • Automatically join domains. When you launch a Windows instance that’s to be part of an AWS Directory Service domain, join the domain during the instance creation process instead of manually adding the instance later. To automatically join a domain, select the correct directory from the Domain join directory dropdown list when launching a new instance. For more details, see Seamlessly join an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory in the AWS Directory Service Administration Guide.

  • Delete unused accounts. It’s common to find accounts in AD that have never been used. Like disabled or inactive accounts that remain in the system, neglected unused accounts can slow down your AD system or make your organization vulnerable to data breaches.

  • Automate Active Directory cleanups. To help mitigate security risks and prevent obsolete accounts from impacting AD performance, conduct AD cleanups at regular intervals. You can accomplish most AD management and cleanup tasks by writing scripts. Example tasks include removing disabled and inactive accounts, deleting empty and inactive groups, and locating expired user accounts and passwords.

Epics

Task | Description | Skills required

Create a project folder, and add the files.

To clone the repository and create a project folder, do the following:

  1. Open this pattern’s GitHub repository.

  2. Choose the Code button to see the options to clone in the Clone dropdown.

  3. On the HTTPS tab, copy the URL provided in Clone using the web URL.

  4. Create a folder on your machine, and name it with your project name.

  5. Open a terminal in your local machine, and navigate to this folder.

  6. To clone the git repository, use the following command.

    git clone <repository-URL>.git

  7. After the repository has been cloned, use the following command to go to the cloned directory.

    cd <directory name>

  8. In the cloned repository, open this project in an integrated development environment (IDE) of your choice.

DevOps engineer
Task | Description | Skills required

Initialize the Terraform configuration.

To initialize your working directory that contains the Terraform files, run the following command.

terraform init

DevOps engineer

Preview changes.

You can preview the changes that Terraform will make to the infrastructure before your infrastructure is deployed. To validate that Terraform will make the changes as required, run the following command.

terraform plan

DevOps engineer

Execute the proposed actions.

To execute the actions that the terraform plan command proposed and verify the results, do the following:

  1. Run the following command.

    terraform apply

  2. Sign in to the AWS Management Console, and verify that the resources are present.

DevOps engineer

Clean up the infrastructure.

To clean up the infrastructure that you created, use the following command.

terraform destroy

To confirm the destroy command, type yes.

DevOps engineer
Task | Description | Skills required

Execute and test the Lambda function.

To verify that the deployment occurred successfully, do the following:

  1. Sign in to the AWS Management Console and open the AWS Lambda console. Open the Functions page, and select the function name that begins with ADcleanup-Lambda-*.

  2. On the function overview page, choose Test on the Code tab in the Code source section.

  3. To save the test event, provide a name for the event and choose Save. Then to test the event, choose Test again.

The execution results show the output of the function.

DevOps engineer

View the results of the Lambda function.

In this pattern, an EventBridge rule executes the Lambda function once per day. To view the results of the Lambda function, do the following:

  1. Sign in to the AWS Management Console and open the AWS Lambda console. Open the Functions page and select the function name that begins with ADcleanup-Lambda-*.

  2. Choose the Monitor tab and choose View CloudWatch logs.

In the CloudWatch console, the Log groups page shows the results of the Lambda function.

DevOps engineer
Task | Description | Skills required

Clean up infrastructure.

To clean up the infrastructure that you created, use the following command.

terraform destroy

To confirm the destroy command, type yes.

DevOps engineer

Verify after cleanup.

Verify that the resources are successfully removed.

DevOps engineer

Troubleshooting

Issue | Solution

If you try to remove the AD computer, you get an “Access Denied” message. The AD computer can’t be removed because, by default, the action tries to remove two private IP addresses that are connected as part of the AD service.

To avoid this error, use the following Python operation to skip the first two computers when you list the differences between the AD computer output and the output from your machines running Windows.

Difference = Difference[2:]
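The following Python example is added here and is not code from the pattern’s repository. It shows the comparison that the workflow describes in steps 4 to 9 together with the caveat from this troubleshooting entry: the AD side reports the directory’s own domain controllers as computers, but they are not EC2 instances in your account, so they appear in the difference and cannot be removed. Instead of dropping the first two entries by position, the example excludes the domain controllers by address, so the result does not depend on the order in which Get-AdComputer returns objects. The sample IP lists, the JSON shape assumed for the Get-AdComputer output, and the use of the directory’s DNS addresses (which DescribeDirectories returns as DnsIpAddrs) as the protected set are all assumptions of this example; the real function would fill these inputs from the Amazon EC2, AWS Directory Service and Systems Manager calls.

```python
"""Added example (not from the pattern's repository): decide which AD computer
entries are stale by comparing the private IPs the AD side reports with the
private IPs of EC2 Windows instances that are actually running, while never
selecting the directory's own domain controllers for removal.

All inputs below are constructed inline so the example runs offline.
"""
import ipaddress
import json

# Constructed sample: private IPs of running EC2 Windows instances in the
# account (what the Lambda function collects from Amazon EC2 in step 4).
RUNNING_EC2_IPS = ["10.0.1.10", "10.0.1.11", "10.0.2.20"]

# Constructed sample: the directory's DNS / domain-controller addresses
# (assumed to come from DescribeDirectories DnsIpAddrs). Never remove these.
DIRECTORY_DC_IPS = ["10.0.0.5", "10.0.0.6"]

# Constructed sample: JSON assumed to be emitted by Get-AdComputer on the
# Windows server in step 6 (the exact shape is an assumption of this example).
AD_COMPUTERS_JSON = json.dumps([
    {"Name": "DC01", "IPv4Address": "10.0.0.5"},
    {"Name": "DC02", "IPv4Address": "10.0.0.6"},
    {"Name": "WEB01", "IPv4Address": "10.0.1.10"},
    {"Name": "WEB02", "IPv4Address": "10.0.1.11"},
    {"Name": "OLD01", "IPv4Address": "10.0.3.30"},
    {"Name": "OLD02", "IPv4Address": "10.0.3.31"},
    {"Name": "NOIP01", "IPv4Address": None},
])


def parse_ad_computers(raw_json):
    """Return {ip: name} for AD computer objects that carry a valid IPv4 address.

    Objects without an address are skipped: they cannot be matched against
    EC2 private IPs, so this logic makes no decision about them.
    """
    result = {}
    for obj in json.loads(raw_json):
        addr = obj.get("IPv4Address")
        if not addr:
            continue
        try:
            ip = str(ipaddress.IPv4Address(addr))
        except ipaddress.AddressValueError:
            continue  # malformed address, leave the object alone
        result[ip] = obj["Name"]
    return result


def stale_ad_computers(ad_computers, running_ips, dc_ips):
    """Names of computers present in AD but not backed by a running instance.

    Domain controllers are excluded by address rather than by list position,
    so the selection is independent of the order Get-AdComputer returns.
    """
    protected = set(running_ips) | set(dc_ips)
    return sorted(name for ip, name in ad_computers.items() if ip not in protected)


def legacy_difference(ad_ips, running_ips):
    """The positional approach from the troubleshooting note, for comparison.

    It subtracts the running IPs and then drops the first two entries, which
    is only correct when the two domain controllers are listed first.
    """
    running = set(running_ips)
    difference = [ip for ip in ad_ips if ip not in running]
    return difference[2:]


if __name__ == "__main__":
    computers = parse_ad_computers(AD_COMPUTERS_JSON)
    print("stale by address:", stale_ad_computers(computers, RUNNING_EC2_IPS, DIRECTORY_DC_IPS))
    print("stale by position:", legacy_difference(list(computers), RUNNING_EC2_IPS))
```

With the constructed ordering above both approaches agree, but if a stale host happens to be listed before the domain controllers, the positional approach keeps a domain controller in the removal list and silently drops a real stale entry; filtering by the directory’s known addresses avoids both outcomes.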

When Lambda runs a PowerShell script on a Windows server, it expects the Active Directory modules to be available by default. If the modules aren’t available, the Lambda function raises an error that states “Get-AdComputer is not installed on instance”.

To avoid this error, install the required modules by using the user data of the EC2 instances. Use the EC2WindowsUserdata script that’s in this pattern’s GitHub repository.

Related resources

AWS documentation

Other resources