The requirement for LDAP (Lightweight Directory Access Protocol) in STIG (Security Technical Implementation Guide) compliance for EC2/Tomcat depends on your specific authentication needs and security requirements.
While STIG does recommend using secure LDAP (LDAPS) for Tomcat, this doesn't necessarily mean that every EC2 instance running Tomcat must join an LDAP directory. The recommendation is primarily focused on ensuring secure authentication methods when LDAP is used.
If your application requires user authentication and you choose to use LDAP for this purpose, then yes, you should configure Tomcat to use LDAPS to encrypt the communication between your application and the LDAP server. This helps protect sensitive information like usernames and passwords during transmission.
However, if your application doesn't require LDAP-based authentication or if you're using alternative authentication methods, joining an LDAP directory may not be necessary for STIG compliance. STIG guidelines are meant to enhance security, and the use of LDAPS is recommended when LDAP is implemented to ensure secure communication.
If you do decide to use LDAP, AWS provides options like AWS Directory Service, which includes features for setting up and managing Microsoft Active Directory in the AWS Cloud. This service supports LDAPS, allowing you to encrypt LDAP communications between your applications and the directory service.
Remember, STIG compliance involves many aspects of security beyond just authentication methods. It's important to review all relevant STIG guidelines for EC2 and Tomcat to ensure comprehensive security measures are in place.
Sources
Enable Secure LDAP or LDAPS - AWS Directory Service
Enabling server-side LDAPS using AWS Managed Microsoft AD - AWS Directory Service
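As an added example (not part of the answer above, and not AWS or Tomcat project code), a small check a reviewer could run before a STIG audit: it parses a Tomcat `server.xml` and flags any `JNDIRealm` whose `connectionURL` or `alternateURL` is not an `ldaps://` URL. The hostnames and the server.xml content are constructed for illustration.

```python
# Added example (not from the original answer): scan a Tomcat server.xml for
# JNDIRealm connection URLs that are not ldaps://. The XML below is constructed
# for illustration; the Realm attributes used are real JNDIRealm attributes.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

# Constructed sample: first realm still on plaintext ldap://, second on ldaps://.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ad.example.internal:389"
               userBase="ou=people,dc=example,dc=internal"
               userSearch="(sAMAccountName={0})"/>
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldaps://ad.example.internal:636"
               alternateURL="ldaps://ad2.example.internal:636"
               userBase="ou=people,dc=example,dc=internal"
               userSearch="(sAMAccountName={0})"/>
      </Realm>
    </Engine>
  </Service>
</Server>
"""


def find_insecure_ldap_realms(server_xml: str) -> list[dict]:
    """Return one finding per JNDIRealm URL whose scheme is not ldaps."""
    findings = []
    # iter() walks nested Realms, e.g. JNDIRealms wrapped in a LockOutRealm.
    for realm in ET.fromstring(server_xml).iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        for attr in ("connectionURL", "alternateURL"):
            # The JNDI LDAP provider accepts a space-separated list of URLs.
            for url in realm.get(attr, "").split():
                scheme = urlsplit(url).scheme.lower()
                if scheme != "ldaps":
                    findings.append({"attribute": attr, "url": url, "scheme": scheme})
    return findings


if __name__ == "__main__":
    for f in find_insecure_ldap_realms(SAMPLE_SERVER_XML):
        print(f"INSECURE {f['attribute']}={f['url']}: expected ldaps, got {f['scheme']!r}")
```

Run it against the real `$CATALINA_BASE/conf/server.xml` by reading the file into `find_insecure_ldap_realms`; an empty result means every JNDIRealm URL already uses LDAPS.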