Introduction to Amazon Directory Services, Amazon WorkSpaces,

Amazon WorkMail, and Amazon WorkDocs

Justin Bradley,

AWS Solutions Architect

Agenda

1. Amazon Directory Services

2. Amazon WorkSpaces

3. Amazon WorkMail

4. Amazon WorkDocs

Amazon Directory Services Overview

• “Directory as a Service”

– Windows 2008 R2 compatible forest/domain

– Amazon EC2 instances can join the domain at launch

– Deploy AD-dependent applications on Windows in Amazon EC2

– Enables single sign-on to AWS Management Console and services

• Alleviates the pain of deploying, configuring, and

maintaining directory infrastructure in Amazon EC2

Amazon Directory Services ModesAmazon Directory Services operates in 1 of 2 modes

– Simple Active Directory

– Active Directory Connector

*Does not support EC2 Classic network*

Simple AD Directory Mode

Simple AD Directory mode

– Samba 4 as the backend

– Resides only in the AWS cloud, cannot extend to on-premises

– Limited to VPC EC2 instances

– Supports Applications such as SQL and SharePoint

– Supports Kerberos

– Group Policies

– Manage Directory via common LDAP Tools or Microsoft Directory Services MMC

– Supports ADSIedit

– Windows Event Viewer compatible logs

– Windows CLI tools such as dsadd, dsmod and the csvde import tool

Simple AD Pre-requisites

Simple AD Directory for use with VPC instances

– A VPC

– At least 2 subnets in different Availability Zones

– Amazon DS creates two ENIs in your VPC to be used as DNS servers

– Amazon DS creates security group to allow you to control access to your

directory

Simple AD Directory Services PortsTCP/UDP 53 – DNS

TCP/UDP 88 - Kerberos authentication

UDP 123 – NTP

TCP 135 – RPC

UDP 137-138 – Netlogon

TCP 139 – Netlogon

TCP/UDP 389 – LDAP

TCP/UDP 445 – SMB

TCP 873 – FRS

TCP 3268 - Global Catalog

TCP/UDP 1024-65535 - Ephemeral ports for RPC

Amazon Directory Services BackupsAbility to backup directory data by creating snapshots

– Manual

– Auto

Restore the Directory from snapshots

Amazon Directory Services AD Connector

AD Connector mode

– Enables use of existing AD credentials on on-premises Active Directory domain

– Connects your on-premises directory to AWS Apps and Services such as

Workspaces, WorkDocs, and WorkMail

– Allows single sign-on to the AWS Console

– On-premises data is not stored on AWS

– Forwards requests (ie. authentication, query/search) and sends them to the on-

premises domain

– Choice of small or large connector type

– Support for Multi Factor Authentication (MFA) – Radius

Amazon Directory Services AD ConnectorAD Connector Directory Requirements

– Requires VPC with VPN connection (software or hardware based)

– IP address of on-premises DNS servers

– Credentials of Domain privileged user (required by connector account)

• Read all user information

• Join a computer to the domain

– AWS DS creates a Connect SecurityGroup which is used on the customer side

Customer

Corp Network

10.31.0.0/16 VPC 172.16.0.0/16AD

Connector

ENI

ENI

VPN

ConnectionActive

Directory

EC2 Instances

Amazon Directory Services Access URL

• Globally unique ‘friendly’ identifier for a directory, example:

mobyapp.awsapps.com

• One unique access URL per Directory

• Used by Amazon WorkMail and Amazon WorkDocs to access the

service and/or access to the AWS Management Console

AWS Console Access– Ability to use your on-premise AD or simple AD directory credentials to login into AWS

management console.

– Map users or groups to Amazon IAM roles (new or existing).

– Use access URL of directory followed by /console (ie.

https://mobyapp.awsapps.com/console).

Amazon WorkSpaces Availability

6 Regions

• Oregon

• Northern Virginia

• Ireland

• Tokyo

• Singapore

• Sydney

Amazon WorkSpaces Key Service Features

• Secure Cloud workspace accessible from any

device

• Persistent, secure cloud based storage

• Amazon WorkSpaces can joined to your Active

Directory

• Integration with customer VPC/VPN to provide

access to on-premises resources

Amazon WorkSpaces Devices

• iPad

• Kindle Fire HDX (Keyboard & Mouse)

• Android Tablet

• Microsoft Windows

• Mac

• Zero clients

• Cromebook

Keep Data Secure and Available

• No data stored on end-user device

• Only Pixels delivered to users (PCoIP)

• User volume backed by Amazon S3

• Multi-factor authentication (MFA)

• Encrypted Storage Volumes Using KMS

Getting Started – What are the steps?

• Integrate VPC with Corporate Active Directory (or use Simple Directory)

• Choose Amazon WorkSpaces Bundle

• Select Users to receive Amazon WorkSpaces

• Launch Amazon WorkSpaces

• Users receive email when provisioned

• Users connect to Amazon WorkSpaces

eth0 serves WorkSpace pixels back to the client

device

eth1 serves traffic to:• Internet • resources in VPC• resources on-prem

eth0eth1

Corp On-Prem

Network

Corp VPC

eni

Internet Gateway

Internet

AWS Direct Connect

Amazon WorkSpaces are dual-homed Windows Server 2008 R2 instances

with Windows 7 experience

eth1 = Corp VPC

Amazon WorkSpaces connect into two VPCs

Amazon

Client connects to a “WorkSpaces Gateway” between your device and your WorkSpaces

PCoIP

tcp and udp 4172

Amazon WorkMail Overview

Secure email and calendaring service

Integrates with an existing corporate directory

Control both the keys that encrypt data and the

location in which the data is stored

• Native compatibility with Microsoft Outlook on

Windows and Mac

• Shared calendars and shared mailboxes

• Global address book

• Support for resource booking

• Advanced permissions and delegation

• Server side rules

WorkMail: Fully featured enterprise email and calendar

Amazon WorkMail AccessMicrosoft Outlook clients (Windows & OSX)

Exchange ActiveSync protocol enabled devices

– iPhone, iPad

– Kindle Fire, Fire Phone

– Android

– Windows Phone

– BlackBerry 10

Web Browser

Amazon WorkMail Limits

Up to 25 users for a 30-day free trial

Mailbox size is 50GB

Maximum in/out message size is 25 MB

Maximum number of recipients per email is 500

Each user can send mail up to 3,000 recipients every

24 hours

AdminsLogins / AD

Mailbox

Access

Encryption using customer managed keys

Amazon WorkMail encrypts customer data using customer managed keysby integrating with AWS Key Management Service (KMS).

Regional data control

Customers select the region in which their mailbox data will be stored,allowing them to take advantage of lower latency and regionalcompliance rules.

Simple to use

Amazon WorkMail makes it easy to manage your corporate email infrastructure and securely integrates with your existing directory service.

WorkMail: Managed & Secure

Amazon WorkMail FAQs

Mailbox’s data at-rest is encrypted

Data in-transit is encrypted

Mail is scanned for spam, malware, viruses

Integrates with Amazon Simple Directory and on-premises Active Directory

Supports @corpname.com email suffix

Supports Active Directory Distribution Groups

Mailboxes managed via AWS Console

Supports Mobile Policies

Integrates with Amazon WorkDocs*

Amazon WorkMail Regions (as of June 25, 2015)

US-East-1

EU-West-2

Amazon WorkDocsFully managed secure enterprise storage and sharing service.

Amazon WorkDocs users can:

– Comment on files

– Send documents to others for feedback

– Upload new versions

– Sync files between PC/MAC and Amazon WorkDocs

Eliminates the need to email and track changes to documents

Amazon WorkDocs Administration & Control

• Simple user management

• Delegated administration

• Fine-grained quota controls

• Employee content migration

• Viral invite option

• Audit logs

• Multi-factor authentication

Amazon WorkDocs Supported Platforms

Supported Platforms

– PCs

– Macs

– Tablets

– Phones

Integrates with existing Corporate Directory (via AD connector)

Has flexible sharing policies, audit logs, and provides control of the location where data is stored

Amazon WorkDocs

Sync Client for Mac and Windows– Download client from Amazon Web Services

– Register Client

– Provide credentials (AD username/password)

– Choose files to Sync and Folders to Sync

Amazon WorkDocs Sync Excluded Files

.lock or .~doctor.ppt

hello.txt~ or ~hello.txt

ppt.C407.tmp or ~WRD000.tmp

Microsoft User Data or Outlook file

*/:<>?\|

Files over 5TB

Amazon WorkDocs

• Supports MFA with Radius

• Single sign-on available from an Amazon

WorkSpaces Session

Questions?

aws.amazon.com/de/activate

Everything and Anything Startups

Need to Get Started on AWS