This document provides an overview and introduction to several Amazon Directory Services, including Amazon WorkSpaces, Amazon WorkMail, and Amazon WorkDocs. It summarizes the key features and capabilities of each service. Amazon Directory Services provides directory functionality in the cloud and enables single sign-on to AWS services. Amazon WorkSpaces is a fully managed secure cloud-based workspace. Amazon WorkMail provides enterprise email and calendaring. Amazon WorkDocs is a managed file storage and sharing service.
3. Amazon Directory Services Overview
• “Directory as a Service”
– Windows 2008 R2 compatible forest/domain
– Amazon EC2 instances can join the domain at launch
– Deploy AD-dependent applications on Windows in Amazon EC2
– Enables single sign-on to AWS Management Console and services
• Alleviates the pain of deploying, configuring, and maintaining directory infrastructure in Amazon EC2
4. Amazon Directory Services Modes
Amazon Directory Services operates in one of two modes
– Simple Active Directory
– Active Directory Connector
*Does not support the EC2-Classic network*
5. Simple AD Directory Mode
Simple AD Directory mode
– Samba 4 as the backend
– Resides only in the AWS cloud, cannot extend to on-premises
– Limited to VPC EC2 instances
– Supports Applications such as SQL and SharePoint
– Supports Kerberos
– Group Policies
– Manage Directory via common LDAP Tools or Microsoft Directory Services MMC
– Supports ADSIedit
– Windows Event Viewer compatible logs
– Windows CLI tools such as dsadd, dsmod and the csvde import tool
6. Simple AD Prerequisites
Simple AD Directory for use with VPC instances
– A VPC
– At least 2 subnets in different Availability Zones
– Amazon DS creates two ENIs in your VPC to be used as DNS servers
– Amazon DS creates a security group that lets you control access to your directory
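As an added illustration (not from the original deck), a Python check of a subnet layout against the prerequisites above before creating a Simple AD: it rejects a missing VPC (EC2-Classic), fewer than two subnets, subnets in another VPC or outside the VPC CIDR, and subnets that all share one Availability Zone. The Subnet class, the subnet IDs and the CIDRs are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Subnet:
    """Minimal view of a VPC subnet (the sample data below is constructed)."""
    subnet_id: str
    vpc_id: str
    cidr: str
    availability_zone: str


def simple_ad_prereq_errors(vpc_id: str, vpc_cidr: str, subnets: List[Subnet]) -> List[str]:
    """Check the Simple AD prerequisites from the slide: a VPC (EC2-Classic is
    unsupported) and at least two of its subnets in different Availability
    Zones. Returns a list of problems; an empty list means the layout is OK."""
    errors: List[str] = []
    if not vpc_id:
        return ["no VPC: EC2-Classic is not supported"]
    vpc_net = ipaddress.ip_network(vpc_cidr)
    if len(subnets) < 2:
        errors.append(f"need at least 2 subnets, got {len(subnets)}")
    for s in subnets:
        if s.vpc_id != vpc_id:
            errors.append(f"{s.subnet_id} belongs to {s.vpc_id}, not {vpc_id}")
        elif not ipaddress.ip_network(s.cidr).subnet_of(vpc_net):
            errors.append(f"{s.subnet_id} ({s.cidr}) is outside {vpc_cidr}")
    azs = {s.availability_zone for s in subnets}
    if len(subnets) >= 2 and len(azs) < 2:
        # The two DNS ENIs the service creates cannot be spread across zones
        # when every offered subnet sits in the same Availability Zone.
        errors.append(f"subnets must span 2 Availability Zones, all are in {azs.pop()}")
    return errors


if __name__ == "__main__":
    # Constructed sample layout; the VPC CIDR matches the slide diagram
    vpc = "vpc-0example"
    layout = [
        Subnet("subnet-a", vpc, "172.16.0.0/24", "us-east-1a"),
        Subnet("subnet-b", vpc, "172.16.1.0/24", "us-east-1b"),
    ]
    print(simple_ad_prereq_errors(vpc, "172.16.0.0/16", layout) or "prerequisites satisfied")
```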
8. Amazon Directory Services Backups
Ability to back up directory data by creating snapshots
– Manual
– Auto
Restore the Directory from snapshots
9. Amazon Directory Services AD Connector
AD Connector mode
– Enables use of existing AD credentials from your on-premises Active Directory domain
– Connects your on-premises directory to AWS apps and services such as WorkSpaces, WorkDocs, and WorkMail
– Allows single sign-on to the AWS Console
– On-premises data is not stored on AWS
– Forwards requests (i.e., authentication, query/search) to the on-premises domain
– Choice of small or large connector type
– Support for Multi-Factor Authentication (MFA) via RADIUS
10. Amazon Directory Services AD Connector
AD Connector Directory Requirements
– Requires VPC with VPN connection (software or hardware based)
– IP address of on-premises DNS servers
– Credentials of Domain privileged user (required by connector account)
• Read all user information
• Join a computer to the domain
– AWS DS creates a Connect SecurityGroup which is used on the customer side
[Diagram: the customer corporate network (10.31.0.0/16) hosting Active Directory is linked by a VPN connection to the VPC (172.16.0.0/16), where the AD Connector's two ENIs sit alongside the EC2 instances.]
11. Amazon Directory Services Access URL
• Globally unique ‘friendly’ identifier for a directory, example: mobyapp.awsapps.com
• One unique access URL per Directory
• Used by Amazon WorkMail and Amazon WorkDocs to access the service and/or to access the AWS Management Console
12. AWS Console Access
– Ability to use your on-premises AD or Simple AD directory credentials to log in to the AWS Management Console.
– Map users or groups to Amazon IAM roles (new or existing).
– Use the access URL of the directory followed by /console (i.e., https://mobyapp.awsapps.com/console).
14. Amazon WorkSpaces Key Service Features
• Secure cloud workspace accessible from any device
• Persistent, secure cloud-based storage
• Amazon WorkSpaces can be joined to your Active Directory
• Integration with customer VPC/VPN to provide access to on-premises resources
15. Amazon WorkSpaces Devices
• iPad
• Kindle Fire HDX (Keyboard & Mouse)
• Android Tablet
• Microsoft Windows
• Mac
• Zero clients
• Chromebook
16. Keep Data Secure and Available
• No data stored on end-user device
• Only pixels are delivered to users (PCoIP)
• User volume backed by Amazon S3
• Multi-factor authentication (MFA)
• Encrypted Storage Volumes Using KMS
17. Getting Started – What are the steps?
• Integrate VPC with Corporate Active Directory (or use Simple Directory)
• Choose Amazon WorkSpaces Bundle
• Select Users to receive Amazon WorkSpaces
• Launch Amazon WorkSpaces
• Users receive email when provisioned
• Users connect to Amazon WorkSpaces
18. Amazon WorkSpaces are dual-homed
[Diagram: a WorkSpace with two interfaces, eth0 toward the client device and eth1 (eni) into the Corp VPC, which reaches the Internet through an Internet Gateway and the corporate on-premises network over AWS Direct Connect.]
Amazon WorkSpaces are dual-homed Windows Server 2008 R2 instances with a Windows 7 experience; they connect into two VPCs
– eth0 serves WorkSpace pixels back to the client device
– eth1 (eth1 = Corp VPC) serves traffic to the Internet, resources in the VPC, and resources on-prem
– The client connects to a “WorkSpaces Gateway” that sits between your device and your WorkSpaces
– PCoIP uses TCP and UDP port 4172
19. Amazon WorkMail Overview
Secure email and calendaring service
Integrates with an existing corporate directory
Control both the keys that encrypt data and the
location in which the data is stored
20. WorkMail: Fully featured enterprise email and calendar
• Native compatibility with Microsoft Outlook on Windows and Mac
• Shared calendars and shared mailboxes
• Global address book
• Support for resource booking
• Advanced permissions and delegation
• Server side rules
21. Amazon WorkMail Access
Microsoft Outlook clients (Windows & OS X)
Exchange ActiveSync protocol enabled devices
– iPhone, iPad
– Kindle Fire, Fire Phone
– Android
– Windows Phone
– BlackBerry 10
Web Browser
22. Amazon WorkMail Limits
Up to 25 users for a 30-day free trial
Mailbox size is 50GB
Maximum in/out message size is 25 MB
Maximum number of recipients per email is 500
Each user can send mail to up to 3,000 recipients every 24 hours
23. WorkMail: Managed & Secure
[Diagram: Admins, Logins / AD, Mailbox Access]
Encryption using customer managed keys
– Amazon WorkMail encrypts customer data using customer managed keys by integrating with AWS Key Management Service (KMS).
Regional data control
– Customers select the region in which their mailbox data will be stored, allowing them to take advantage of lower latency and regional compliance rules.
Simple to use
– Amazon WorkMail makes it easy to manage your corporate email infrastructure and securely integrates with your existing directory service.
24. Amazon WorkMail FAQs
Mailbox data at rest is encrypted
Data in-transit is encrypted
Mail is scanned for spam, malware, viruses
Integrates with Amazon Simple Directory and on-premises Active Directory
Supports @corpname.com email suffix
Supports Active Directory Distribution Groups
Mailboxes managed via AWS Console
Supports Mobile Policies
Integrates with Amazon WorkDocs*
26. Amazon WorkDocs
Fully managed secure enterprise storage and sharing service.
Amazon WorkDocs users can:
– Comment on files
– Send documents to others for feedback
– Upload new versions
– Sync files between PC/Mac and Amazon WorkDocs
Eliminates the need to email and track changes to documents
28. Amazon WorkDocs Supported Platforms
Supported Platforms
– PCs
– Macs
– Tablets
– Phones
Integrates with existing Corporate Directory (via AD Connector)
Has flexible sharing policies, audit logs, and provides control of the location where data is stored
29. Amazon WorkDocs
Sync Client for Mac and Windows
– Download client from Amazon Web Services
– Register Client
– Provide credentials (AD username/password)
– Choose the files and folders to sync
30. Amazon WorkDocs Sync Excluded Files
– Lock files: .lock or .~doctor.ppt
– Editor backup files: hello.txt~ or ~hello.txt
– Temporary files: ppt.C407.tmp or ~WRD000.tmp
– Microsoft User Data or Outlook files
– File names containing any of the characters */:<>?|
– Files over 5 TB
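The exclusion list above as an added Python example (not the WorkDocs sync client's own code): a classifier that reports why a file name would be skipped, plus a helper that splits a directory listing into synced and skipped entries. The mapping of “Outlook file” to .pst/.ost and the binary reading of 5 TB are assumptions; the sample listing is constructed.

```python
from typing import Iterable, List, Optional, Tuple

SYNC_SIZE_LIMIT = 5 * 1024 ** 4              # "Files over 5TB" (binary TB assumed)
ILLEGAL_CHARS = set("*/:<>?|")               # characters listed on the slide
OUTLOOK_EXTENSIONS = {".pst", ".ost"}        # assumption: what "Outlook file" covers


def sync_exclusion_reason(name: str, size_bytes: int = 0) -> Optional[str]:
    """Return why the sync client would skip this file name (a basename, not a
    path), or None if it would be synced. Rules follow the slide's list."""
    lower = name.lower()
    if lower.endswith(".lock") or lower.startswith(".~"):
        return "lock file"
    if lower.endswith(".tmp"):
        return "temporary file"
    if name.startswith("~") or name.endswith("~"):
        return "editor backup file"
    if name == "Microsoft User Data" or any(lower.endswith(e) for e in OUTLOOK_EXTENSIONS):
        return "Outlook data"
    bad = ILLEGAL_CHARS.intersection(name)
    if bad:
        return "illegal characters: " + "".join(sorted(bad))
    if size_bytes > SYNC_SIZE_LIMIT:
        return "over 5 TB"
    return None


def partition_for_sync(entries: Iterable[Tuple[str, int]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split (name, size) pairs into names that sync and (name, reason) pairs that are skipped."""
    synced, skipped = [], []
    for name, size in entries:
        reason = sync_exclusion_reason(name, size)
        if reason:
            skipped.append((name, reason))
        else:
            synced.append(name)
    return synced, skipped


if __name__ == "__main__":
    # Constructed sample listing mixing the slide's examples with ordinary files
    sample = [("report.docx", 120_000), (".~doctor.ppt", 0), ("hello.txt~", 10),
              ("ppt.C407.tmp", 5), ("~WRD000.tmp", 5), ("q2:plan.xlsx", 3_000),
              ("archive.zip", SYNC_SIZE_LIMIT + 1)]
    kept, dropped = partition_for_sync(sample)
    print("sync:", kept)
    for name, why in dropped:
        print(f"skip {name!r}: {why}")
```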