Active Directory on AWS with CDK
This guide walks you through deploying the SlashID Collector on AWS using the AWS CDK and the @slashid/agent-cdk construct library. For more details and full source code, see the GitHub repository.
Prerequisites
- Node.js (v18+) and npm
- AWS CLI configured with credentials (`aws configure`)
- AWS CDK CLI: `npm install -g aws-cdk`
- CDK bootstrapped in your AWS account (one-time): `cdk bootstrap`
- An AWS account with permissions to deploy CDK applications (IAM, EC2, VPC, Secrets Manager)
- Network connectivity between your AWS VPC and your Active Directory domain controllers
STEP 1: Create the connection on the SlashID Console
In the SlashID Console, go to Configuration > Data sources > Add data source and select Active Directory from the list.
Complete the following fields:
- Name of the connection: an arbitrary name for your new connection
- Authoritative status: whether this connection should be the primary source of truth used to reconcile identities across providers
Once the initial connector is created, it appears under Configuration > Data sources. From that page, copy the Event streaming token and store it temporarily; you will need it in the next step.
STEP 2: Store credentials in AWS Secrets Manager
Store your AD credentials and the SlashID auth token as secrets:
```shell
# AD credentials as a JSON object
aws secretsmanager create-secret \
  --name slashid/ad-credentials \
  --secret-string '{"username": "admin.user", "password": "your-ad-password"}'

# SlashID auth token from STEP 1
aws secretsmanager create-secret \
  --name slashid/auth-token \
  --secret-string "your-slashid-token"
```
STEP 3: Set up a CDK project
If you don't have a CDK project yet, create one:
```shell
cdk init app --language typescript
```
Then install the @slashid/agent-cdk construct library:
```shell
npm install @slashid/agent-cdk
```
STEP 4: Define the stack
Edit your stack file (e.g., lib/<your-stack>.ts) to look like this template:
```typescript
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
import { Construct } from 'constructs';
import { SlashidAgent, credentialFromSecret } from '@slashid/agent-cdk';

export class ActiveDirectoryAgentStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Vpc.fromLookup resolves at synth time, so the stack needs an explicit
    // env (account and region) in its StackProps.
    const vpc = ec2.Vpc.fromLookup(this, 'VPC', { isDefault: true });
    const agent = new SlashidAgent(this, 'SlashidAgent', { vpc });

    // AD credentials stored in Secrets Manager as JSON: {"username": "...", "password": "..."}
    const adSecret = secretsmanager.Secret.fromSecretNameV2(this, 'AdSecret', 'slashid/ad-credentials');
    const adCredential = credentialFromSecret(adSecret, 'username', 'password');

    // SlashID auth token from STEP 1
    const slashidAuthToken = secretsmanager.Secret.fromSecretNameV2(this, 'SlashidAuthToken', 'slashid/auth-token');

    agent.addActiveDirectory({
      domain: 'corp.example.com', // Replace with your AD domain
      domainControllers: [ // Replace with your AD Domain Controllers
        { host: 'dc1.corp.example.com', port: 389, use_ssl: false },
        { host: 'dc2.corp.example.com', port: 389, use_ssl: false },
      ],
      dnsServers: ['10.0.0.10', '10.0.0.11'], // Replace with your AD DNS servers
    }, {
      slashid_auth_token: slashidAuthToken,
      snapshot: {
        credential: adCredential,
      },
      wmi: {
        credential: adCredential,
      },
    });
  }
}
```
Replace the following values:
- corp.example.com: your AD domain
- dc1.corp.example.com, dc2.corp.example.com: your domain controller FQDNs or IPs
- 10.0.0.10, 10.0.0.11: your AD DNS server IPs
- Secret names: the names you used in STEP 2
STEP 5: Deploy
```shell
cdk deploy ActiveDirectoryAgentStack
```
The CDK will provision an EC2 instance running the SlashID Collector container, configured for both AD snapshot collection and WMI event streaming.
Using AWS Managed Microsoft AD
If you use AWS Managed Microsoft AD, you can pass the CfnMicrosoftAD construct directly instead of providing domain controller details manually. The library automatically extracts the domain controllers and DNS servers:
```typescript
import { CfnMicrosoftAD } from 'aws-cdk-lib/aws-directoryservice';

const managedAD = new CfnMicrosoftAD(this, 'ManagedAD', {
  name: 'corp.example.com',
  // Placeholder for illustration; in practice source the directory admin
  // password from Secrets Manager rather than committing it to the stack.
  password: 'SuperSecretPassw0rd',
  vpcSettings: {
    vpcId: vpc.vpcId,
    subnetIds: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }).subnetIds,
  },
});

// The directory above is created in the agent's own VPC, so no peering is needed.
// If your AD lives in a different VPC, link it before addActiveDirectory():
//   agent.linkVpc(adVpc);

// slashidAuthToken and adCredential are the same values defined in STEP 4
agent.addActiveDirectory(managedAD, {
  slashid_auth_token: slashidAuthToken,
  snapshot: {
    credential: adCredential,
  },
  wmi: {
    credential: adCredential,
  },
});
```
If the AD is in a different VPC from the agent, call agent.linkVpc(adVpc) before addActiveDirectory to set up VPC peering automatically.