aws directory service, amazon workspaces, amazon workmail, and amazon workdocs

AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015


AWS Directory Service, Amazon WorkSpaces, Amazon WorkMail, and Amazon WorkDocs

Jerry Rhoads

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.


Agenda

1. AWS Directory Service

2. Amazon WorkSpaces

3. Amazon WorkMail

4. Amazon WorkDocs


AWS Directory Service overview

• “Directory as a Service” – Windows 2008 R2 compatible forest/domain– Amazon EC2 instances can join the domain at launch– Deploy AD-dependent applications on Windows in Amazon EC2– Enables single sign-in to the AWS management console and

services

• Alleviates the pain of deploying, configuring, and maintaining directory infrastructure in Amazon EC2


AWS Directory Service modes

AWS Directory Service operates in one of two modes:

– Simple AD– AD Connector

*Does not support EC2 Classic network*


Simple AD directory mode

Simple AD directory mode:• Samba 4 as the backend• Resides only in the AWS cloud; cannot extend to on-premises • Limited to VPC EC2 instances• Supports applications such as SQL and SharePoint• Supports Kerberos• Group Policies• Manage directory via common LDAP tools or Microsoft Directory Services MMC• Supports ADSIedit• Windows Event Viewer compatible logs• Windows CLI tools such as dsadd, dsmod, and the csvde import tool


Simple AD prerequisites

Simple AD directory for use with VPC instances:• A VPC• At least two subnets in different Availability Zones• Directory Service creates two ENIs in your VPC to be

used as DNS servers• Directory Service creates a security group to allow

you to control access to your directory


Simple AD Directory Service ports

• TCP/UDP 53 – DNS• TCP/UDP 88 - Kerberos authentication• UDP 123 – NTP• TCP 135 – RPC• UDP 137-138 – Netlogon• TCP 139 – Netlogon• TCP/UDP 389 – LDAP• TCP/UDP 445 – SMB• TCP 873 – FRS• TCP 3268 - Global Catalog• TCP/UDP 1024-65535 - Ephemeral ports for RPC


AWS Directory Service backups

• Ability to backup directory data by creating snapshots:– Manual– Auto

• Restore the directory from snapshots


AWS Directory Service AD Connector

AD Connector mode:• Enables use of existing AD credentials on on-premises Active Directory domain• Connects your on-premises directory to AWS apps and services such as

WorkSpaces, WorkDocs, and WorkMail• Allows single sign-in to the AWS console• On-premises data is not stored on AWS• Forwards requests (i.e., authentication, query/search) and sends them to the on-

premises domain• Choice of small or large connector type • Support for Multi-Factor Authentication (MFA) – Radius


AWS Directory Service AD Connector

AD Connector directory requirements:

– Requires VPC with VPN connection (software-based or hardware-based)– IP address of on-premises DNS servers– Credentials of domain-privileged user (required by AD Connector account)

• Read all user information • Join a computer to the domain

– AWS Directory Service creates a Connect SecurityGroup that is used on the customer side


Amazon Directory Services access URL

• Globally unique, ‘friendly’ identifier for a directory, for example: mobyapp.awsapps.com

• One unique access URL per directory• Used by Amazon WorkMail and Amazon WorkDocs to access the

service and/or access the AWS management console


AWS console access

– Ability to use your on-premises AD or Simple AD directory credentials to log in to the AWS management console

– Map users or groups to Amazon IAM roles (new or existing)

– Use access URL of directory followed by /console (ie. https://mobyapp.awsapps.com/console)


Amazon WorkSpaces availability

Available in the following regions:• us-east-1 (N. Virginia)• us-west-2 (Oregon)• eu-west-1 (Ireland)• ap-southeast-2 (Sydney)• ap-northeast-1 (Tokyo)• ap-southeast-1 (Singapore)


Amazon WorkSpaces: key service features

• Highly secure cloud workspace accessible from any device

• Persistent, highly secure cloud-based storage• Amazon WorkSpaces can be joined to your

Active Directory• Integration with customer VPC/VPN to provide

access to on-premises resources


Amazon WorkSpaces devices

• iPad• Kindle Fire HDX (keyboard & mouse)• Android tablet• Microsoft Windows• Mac• Zero clients


Keep data highly secure and available

• No data stored on end-user device• Only pixels delivered to users (PCoIP)• User volume backed up by Amazon S3


Getting started – what are the steps?

• Integrate VPC with corporate Active Directory (or use Simple Directory)

• Choose Amazon WorkSpaces bundle• Select users to receive Amazon WorkSpaces• Launch Amazon WorkSpaces• Users receive email when provisioned• Users connect to Amazon WorkSpaces


eth0 serves WorkSpaces pixels back to the client

device

eth1 serves traffic to:• Internet • Resources in VPC• Resources on-prem

eth0 eth1

Corp on-prem network

Corp VPC

eni

Internet gateway

Internet

AWS Direct Connect

Amazon WorkSpaces are dual-homed Windows Server 2008 R2 instances

with Windows 7 experience

eth1 = Corp VPC

Amazon WorkSpaces connect into two VPCs

Amazon

Client connects to a “WorkSpaces gateway” between your device and your WorkSpaces

PCoIPtcp and udp 4172


How will authentication work?


Amazon WorkMail overview

• Provides a highly secure email and calendaring service

• Integrates with an existing corporate directory • Controls both the keys that encrypt data and

the location in which the data is stored


Amazon WorkMail access

• Microsoft Outlook clients (Windows & OS X)• Exchange ActiveSync protocol-enabled devices

– iPhone, iPad– Kindle Fire, Fire Phone – Android– Windows Phone – BlackBerry 10

• Web browser


Amazon WorkMail limits

• Up to 25 users for a 30-day free trial • Mailbox size: 50 GB • Maximum in/out message size: 25 MB • Maximum number of recipients per email: 500 • Each user can send mail to up to 3,000

recipients every 24 hours


Amazon WorkMail FAQs

• Mailbox’s data at-rest is encrypted• Data in-transit is encrypted • Mail is scanned for spam, malware, viruses• Integrates with Amazon Simple Directory and on-premises Active

Directory• Supports @corpname.com email suffix• Supports Active Directory distribution groups• Mailboxes managed via AWS console• Supports Mobile Policies• Integrates with Amazon WorkDocs*


Amazon WorkMail regions (as of June 25, 2015)

• us-east-1 (N. Virginia)• eu-west-2 (Ireland)


Amazon WorkDocs

Fully managed, highly secure enterprise storage and sharing service.

Amazon WorkDocs users can:– Comment on files– Send documents to others for feedback – Upload new versions – Sync files between PC/MAC and Amazon WorkDocs

Eliminates the need to email and track changes to documents


Amazon WorkDocs supported platforms

• Supported platforms:– PCs– Macs – Tablets– Phones

• Integrates with existing corporate directory (via AD Connector)• Has flexible sharing policies, audit logs, and provides control

of the location where data is stored


Amazon WorkDocs administration & control

• Simple user management

• Delegated administration

• Fine-grained quota controls

• Employee content migration

• Viral invite option

• Audit logs

• Multi-Factor Authentication


Amazon WorkDocs

Sync client for Mac and Windows• Download client from Amazon Web Services• Register client • Provide credentials (AD username/password)• Choose files to sync and folders to sync


Amazon WorkDocs sync excluded files

• .lock or .~doctor.ppt• hello.txt~ or ~hello.txt• ppt.C407.tmp or ~WRD000.tmp• Microsoft User Data or Outlook file• */:<>?\|• Files over 5 TB


Amazon WorkDocs

• Supports MFA with Radius• Single sign-in available from an Amazon

WorkSpaces session


DEMO corporate directory integration

Users: Get to use existing enterprise credentials

IT: WorkSpaces control like regular desktops


Thank You.This presentation will be loaded to SlideShare the week following the Symposium.

http://www.slideshare.net/AmazonWebServices


aws directory service, amazon workspaces, amazon workmail, and amazon workdocs

Technology

aws government

premises directory

aws console

directory infrastructure

aws apps

aws cloud

nonprofit symposium

dns servers directory