Google have had something similar for their Google Apps products for years, I believe.
The problem is not that you couldn't do this yourself. It's that you wouldn't want to be handing off AD traffic outside your own controlled networks. And certainly not handing Amazon (or some Amazon-hosted Internet-based outside machine) some AD credentials enough to log into your network and join domains etc.
VPNs have existed for years, and Samba is more than able to do anything you might reasonably want on the client side (I've been using Samba SSO for years with my Linux-based helpdesks, fax-to-email, web filters and other stuff on Windows networks). But running Samba on something openly sitting on the net? Eek. The scary side of the cloud. Hell, I don't even trust Terminal Services further than I can throw it.