Introduction to Amazon Directory Services, Amazon WorkSpaces, Amazon WorkMail, and Amazon WorkDocs Justin Bradley, AWS Solutions Architect
Apr 15, 2017
Agenda
1. Amazon Directory Services
2. Amazon WorkSpaces
3. Amazon WorkMail
4. Amazon WorkDocs
Amazon Directory Services Overview
• “Directory as a Service”
– Windows 2008 R2 compatible forest/domain
– Amazon EC2 instances can join the domain at launch
– Deploy AD-dependent applications on Windows in Amazon EC2
– Enables single sign-on to AWS Management Console and services
• Alleviates the pain of deploying, configuring, and
maintaining directory infrastructure in Amazon EC2
Amazon Directory Services Modes
Amazon Directory Services operates in 1 of 2 modes
– Simple Active Directory
– Active Directory Connector
*Does not support EC2 Classic network*
Simple AD Directory Mode
Simple AD Directory mode
– Samba 4 as the backend
– Resides only in the AWS cloud, cannot extend to on-premises
– Limited to VPC EC2 instances
– Supports Applications such as SQL and SharePoint
– Supports Kerberos
– Group Policies
– Manage Directory via common LDAP Tools or Microsoft Directory Services MMC
– Supports ADSIedit
– Windows Event Viewer compatible logs
– Windows CLI tools such as dsadd, dsmod and the csvde import tool
Simple AD Pre-requisites
Simple AD Directory for use with VPC instances
– A VPC
– At least 2 subnets in different Availability Zones
– Amazon DS creates two ENIs in your VPC to be used as DNS servers
– Amazon DS creates security group to allow you to control access to your
directory
Simple AD Directory Services Ports
TCP/UDP 53 – DNS
TCP/UDP 88 – Kerberos authentication
UDP 123 – NTP
TCP 135 – RPC
UDP 137-138 – Netlogon
TCP 139 – Netlogon
TCP/UDP 389 – LDAP
TCP/UDP 445 – SMB
TCP 873 – FRS
TCP 3268 – Global Catalog
TCP/UDP 1024-65535 – Ephemeral ports for RPC
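An added example (not from the slides) that audits a VPC security group against the Simple AD port list above. The rule format and the sample rules are constructed for this example; the VPC CIDR 172.16.0.0/16 is the one used in the AD Connector diagram later in the deck.

```python
import ipaddress

# Inbound ports Simple AD needs, exactly as listed on the slide: (proto, low, high).
SIMPLE_AD_PORTS = {
    ("tcp", 53, 53), ("udp", 53, 53),        # DNS
    ("tcp", 88, 88), ("udp", 88, 88),        # Kerberos
    ("udp", 123, 123),                       # NTP
    ("tcp", 135, 135),                       # RPC endpoint mapper
    ("udp", 137, 138), ("tcp", 139, 139),    # Netlogon
    ("tcp", 389, 389), ("udp", 389, 389),    # LDAP
    ("tcp", 445, 445), ("udp", 445, 445),    # SMB
    ("tcp", 873, 873),                       # FRS
    ("tcp", 3268, 3268),                     # Global Catalog
    ("tcp", 1024, 65535), ("udp", 1024, 65535),  # RPC ephemeral range
}


def audit_rules(rules, vpc_cidr):
    """Return findings for ingress rules wider than Simple AD needs.

    rules: list of dicts {"proto", "from", "to", "cidr"} (a constructed format,
    not boto3 output). A rule is acceptable only if its port range lies inside
    one required range AND its source CIDR lies inside the VPC.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for r in rules:
        label = f"{r['proto']}/{r['from']}-{r['to']}"
        fits = any(r["proto"] == p and lo <= r["from"] and r["to"] <= hi
                   for p, lo, hi in SIMPLE_AD_PORTS)
        if not fits:
            findings.append(f"{label}: not a Simple AD port")
        src = ipaddress.ip_network(r["cidr"])
        if not src.subnet_of(vpc):
            findings.append(f"{label} from {src}: source outside VPC")
    return findings


# Constructed sample: one correct rule, LDAP opened to the Internet, and SSH.
SAMPLE_RULES = [
    {"proto": "tcp", "from": 389, "to": 389, "cidr": "172.16.0.0/16"},
    {"proto": "tcp", "from": 389, "to": 389, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "172.16.0.0/16"},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, "172.16.0.0/16"):
        print(finding)
```

Because the RPC ephemeral range spans 1024-65535, almost any high port passes the port check; the source CIDR restriction is the control that actually matters for this directory.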
Amazon Directory Services Backups
Ability to backup directory data by creating snapshots
– Manual
– Auto
Restore the Directory from snapshots
Amazon Directory Services AD Connector
AD Connector mode
– Enables use of existing AD credentials on on-premises Active Directory domain
– Connects your on-premises directory to AWS Apps and Services such as
Workspaces, WorkDocs, and WorkMail
– Allows single sign-on to the AWS Console
– On-premises data is not stored on AWS
– Forwards requests (i.e. authentication, query/search) to the on-premises domain
– Choice of small or large connector type
– Support for Multi Factor Authentication (MFA) – Radius
Amazon Directory Services AD Connector
AD Connector Directory Requirements
– Requires VPC with VPN connection (software or hardware based)
– IP address of on-premises DNS servers
– Credentials of Domain privileged user (required by connector account)
• Read all user information
• Join a computer to the domain
– AWS DS creates a Connect SecurityGroup which is used on the customer side
[Diagram: customer corporate network (10.31.0.0/16) with on-premises Active Directory, joined over a VPN connection to the VPC (172.16.0.0/16); the AD Connector's two ENIs sit in the VPC alongside the EC2 instances]
Amazon Directory Services Access URL
• Globally unique ‘friendly’ identifier for a directory, example:
mobyapp.awsapps.com
• One unique access URL per Directory
• Used by Amazon WorkMail and Amazon WorkDocs to access the
service and/or access to the AWS Management Console
AWS Console Access
– Ability to use your on-premises AD or Simple AD directory credentials to log in to the AWS Management Console.
– Map users or groups to Amazon IAM roles (new or existing).
– Use the access URL of the directory followed by /console (i.e. https://mobyapp.awsapps.com/console).
Amazon WorkSpaces Availability
6 Regions
• Oregon
• Northern Virginia
• Ireland
• Tokyo
• Singapore
• Sydney
Amazon WorkSpaces Key Service Features
• Secure Cloud workspace accessible from any
device
• Persistent, secure cloud based storage
• Amazon WorkSpaces can be joined to your Active
Directory
• Integration with customer VPC/VPN to provide
access to on-premises resources
Amazon WorkSpaces Devices
• iPad
• Kindle Fire HDX (Keyboard & Mouse)
• Android Tablet
• Microsoft Windows
• Mac
• Zero clients
• Chromebook
Keep Data Secure and Available
• No data stored on end-user device
• Only Pixels delivered to users (PCoIP)
• User volume backed by Amazon S3
• Multi-factor authentication (MFA)
• Encrypted Storage Volumes Using KMS
Getting Started – What are the steps?
• Integrate VPC with Corporate Active Directory (or use Simple Directory)
• Choose Amazon WorkSpaces Bundle
• Select Users to receive Amazon WorkSpaces
• Launch Amazon WorkSpaces
• Users receive email when provisioned
• Users connect to Amazon WorkSpaces
[Diagram: a WorkSpace with two interfaces; eth0 faces the Amazon side, eth1 faces the Corp VPC, which reaches the Internet through an Internet Gateway and the Corp On-Prem Network through AWS Direct Connect]
• Amazon WorkSpaces are dual-homed Windows Server 2008 R2 instances with Windows 7 experience
• Amazon WorkSpaces connect into two VPCs
• eth0 serves WorkSpace pixels back to the client device
• eth1 (Corp VPC) serves traffic to: Internet, resources in VPC, resources on-prem
• Client connects to a “WorkSpaces Gateway” between your device and your WorkSpaces
• PCoIP: TCP and UDP 4172
Amazon WorkMail Overview
Secure email and calendaring service
Integrates with an existing corporate directory
Control both the keys that encrypt data and the
location in which the data is stored
• Native compatibility with Microsoft Outlook on
Windows and Mac
• Shared calendars and shared mailboxes
• Global address book
• Support for resource booking
• Advanced permissions and delegation
• Server side rules
WorkMail: Fully featured enterprise email and calendar
Amazon WorkMail Access
Microsoft Outlook clients (Windows & OSX)
Exchange ActiveSync protocol enabled devices
– iPhone, iPad
– Kindle Fire, Fire Phone
– Android
– Windows Phone
– BlackBerry 10
Web Browser
Amazon WorkMail Limits
Up to 25 users for a 30-day free trial
Mailbox size is 50GB
Maximum in/out message size is 25 MB
Maximum number of recipients per email is 500
Each user can send mail up to 3,000 recipients every
24 hours
[Diagram: admins, logins / AD, mailbox access]
Encryption using customer managed keys
Amazon WorkMail encrypts customer data using customer managed keys by integrating with AWS Key Management Service (KMS).
Regional data control
Customers select the region in which their mailbox data will be stored, allowing them to take advantage of lower latency and regional compliance rules.
Simple to use
Amazon WorkMail makes it easy to manage your corporate email infrastructure and securely integrates with your existing directory service.
WorkMail: Managed & Secure
Amazon WorkMail FAQs
Mailbox’s data at-rest is encrypted
Data in-transit is encrypted
Mail is scanned for spam, malware, viruses
Integrates with Amazon Simple Directory and on-premises Active Directory
Supports @corpname.com email suffix
Supports Active Directory Distribution Groups
Mailboxes managed via AWS Console
Supports Mobile Policies
Integrates with Amazon WorkDocs*
Amazon WorkMail Regions (as of June 25, 2015)
US-East-1
EU-West-2
Amazon WorkDocs
Fully managed secure enterprise storage and sharing service.
Amazon WorkDocs users can:
– Comment on files
– Send documents to others for feedback
– Upload new versions
– Sync files between PC/MAC and Amazon WorkDocs
Eliminates the need to email and track changes to documents
Amazon WorkDocs Administration & Control
• Simple user management
• Delegated administration
• Fine-grained quota controls
• Employee content migration
• Viral invite option
• Audit logs
• Multi-factor authentication
Amazon WorkDocs Supported Platforms
Supported Platforms
– PCs
– Macs
– Tablets
– Phones
Integrates with existing Corporate Directory (via AD connector)
Has flexible sharing policies, audit logs, and provides control of the location where data is stored
Amazon WorkDocs
Sync Client for Mac and Windows
– Download client from Amazon Web Services
– Register Client
– Provide credentials (AD username/password)
– Choose files to Sync and Folders to Sync
Amazon WorkDocs Sync Excluded Files
.lock or .~doctor.ppt
hello.txt~ or ~hello.txt
ppt.C407.tmp or ~WRD000.tmp
Microsoft User Data or Outlook file
*/:<>?\|
Files over 5TB
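An added example (not the WorkDocs client's own code) that decides whether a file would be skipped by sync, based on the exclusion examples listed above. The patterns are this example's reading of those examples (an assumption); the "Microsoft User Data or Outlook file" category is omitted because the slide gives no filename pattern for it.

```python
# Size limit from the slide; the filename rules below are an assumed reading
# of the slide's examples, not the client's published matching logic.
FIVE_TB = 5 * 1024 ** 4
FORBIDDEN_CHARS = set('*/:<>?\\|')


def sync_exclusion_reason(name, size_bytes=0):
    """Return why `name` would be excluded from sync, or None if it syncs."""
    lower = name.lower()
    if lower.endswith(".lock") or lower.startswith(".~"):
        return "lock file"                     # .lock or .~doctor.ppt
    if lower.endswith(".tmp"):
        return "temporary file"                # ppt.C407.tmp or ~WRD000.tmp
    if lower.startswith("~") or lower.endswith("~"):
        return "editor backup file"            # hello.txt~ or ~hello.txt
    bad = FORBIDDEN_CHARS & set(name)
    if bad:
        return "unsupported character(s): " + "".join(sorted(bad))
    if size_bytes > FIVE_TB:
        return "larger than 5TB"
    return None


def filter_sync_set(entries):
    """Split (name, size) pairs into names that sync and {name: reason} skipped."""
    synced, skipped = [], {}
    for name, size in entries:
        reason = sync_exclusion_reason(name, size)
        if reason is None:
            synced.append(name)
        else:
            skipped[name] = reason
    return synced, skipped


# Constructed sample listing: the slide's examples plus ordinary files.
SAMPLE_ENTRIES = [
    ("quarterly.xlsx", 20_480),
    (".~doctor.ppt", 162),
    ("hello.txt~", 900),
    ("~WRD000.tmp", 0),
    ("report:final.docx", 4_096),
    ("archive.tar", FIVE_TB + 1),
]

if __name__ == "__main__":
    synced, skipped = filter_sync_set(SAMPLE_ENTRIES)
    print("synced:", synced)
    for name, reason in skipped.items():
        print(f"skipped {name}: {reason}")
```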
Amazon WorkDocs
• Supports MFA with Radius
• Single sign-on available from an Amazon
WorkSpaces Session
Questions?
aws.amazon.com/de/activate
Everything and Anything Startups
Need to Get Started on AWS