Managing Amazon WorkDocs with AWS Managed Microsoft Active Directory (AD)
Amazon WorkDocs provides fully managed, secure enterprise-level storage and sharing features for organizations looking to improve user productivity. As well as delivering robust administrative controls and feedback capabilities, WorkDocs stores files in the cloud safely and securely. You can also apply WorkDocs to several different use cases and tailor it to fit your business-critical workloads. These use cases include:
- Storing private files in an organizational structure
- Using an application to download and use files offline
- Sharing access to files with other users with a secure password
- Sharing the files for a specific time duration
- Sharing files according to best compliance practices
- Support for standard file types such as GDocs, Word, and images
With WorkDocs, each user’s files are available only to that user and to the contributors and viewers they have explicitly granted access permissions to. Other organization members cannot access another user’s files unless they are explicitly granted access.
WorkDocs also provides a ton of other features which are useful for any Document Management System within an organization. Most notably, these are:
- Sharing
- User Management
- Editing
- Encryption
- Feedback
- Workflow
- Compliance
Behind the scenes, Amazon WorkDocs is backed by AWS Directory Service.
Logging and Monitoring in Amazon WorkDocs
Amazon WorkDocs site administrators can view and export the document management activity feed for an entire site. They can also use AWS CloudTrail to capture events from the Amazon WorkDocs console. An integral benefit of WorkDocs is its seamless integration with your AWS cloud environments and applications.
Quick Start
When you set up a new Amazon WorkDocs site alongside your AWS workloads, it launches a Simple AD directory by default: a standalone managed directory that runs on a Samba 4 Active Directory-compatible server. However, you have no control over the creation of groups and you cannot log in to the Simple AD. If you want complete control over your directory and group creation, the best approach is to create an AWS Managed Microsoft Active Directory (AD).
So, why do we need AWS Managed Microsoft AD instead of just a Simple AD? With a Simple AD, we can’t log in to the directory and we can’t create any groups. For managed control over both users and groups, we need to use Managed Microsoft AD. Also, with this service we can log in to the Microsoft Active Directory by launching a Windows server in the same subnets where the directory is deployed.
AWS Managed Microsoft Active Directory (AD)
As part of this process, we first need to create a Managed Microsoft AD in AWS Directory Service, which allows us to run the directory as a managed service. When you opt into AWS Managed Microsoft AD, the platform manages the infrastructure, while you are responsible for managing the data within Active Directory. The service is built on highly available, AWS-managed infrastructure, and each directory is deployed across multiple Availability Zones. When you launch this directory type, a highly available pair of domain controllers is created and connected to your virtual private cloud (VPC). The managed service component tracks the status of your AD domain and automatically detects and replaces any domain controllers that fail.
While creating our AD, we need to specify the domain name it will serve. We also need to launch the AD in at least two subnets of our VPC, in two different Availability Zones of the Region where the domain controllers are to be deployed.
Also, to log in to the Windows server and create users and groups in AD, you need the domain administrator role; normal users don’t have the permissions to create users or groups. Even as an administrator, you can’t create groups in the Amazon WorkDocs panel; groups can only be created in AD. This is particularly useful for large enterprises with multiple user profile groups that follow the company hierarchy.
Creating the AD directory takes a minimum of 25-30 minutes and requires just a few steps in the AWS Management Console.
After specifying the edition, we need to enter the domain name that the directory will be created for.
Next, we need to specify the VPC and subnets on which it has to be launched.
After our AD is created we will launch a Windows server in the same subnets.
Press ‘Next’ to review the AD settings, then click ‘Create Directory’ if no changes are needed.
After the directory is created, it appears in the console. In our example, Malepati.tk is our Microsoft AD domain.
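The console steps above (domain name, edition, VPC, two subnets in different Availability Zones, then waiting for the directory to become active) can also be driven from code. The following is an added example written for this post, not code from the original article or from AWS. It validates the inputs locally before calling boto3's `create_microsoft_ad`, and polls `describe_directories` until the directory reports the `Active` stage. The domain name, VPC ID, subnet IDs and Availability Zones are constructed placeholders; the admin password rule it checks (8-64 characters from at least three of four character classes) is the one AWS Managed Microsoft AD enforces.

```python
"""Create an AWS Managed Microsoft AD from code and wait until it is Active.

Added example for this post; not the original article's or AWS's code.
All IDs below are constructed placeholders.
"""
import re
import time
from typing import Dict, List

# Constructed inputs standing in for the console form fields.
DOMAIN_NAME = "corp.example.com"          # fully qualified directory DNS name
VPC_ID = "vpc-0123456789abcdef0"          # placeholder VPC
# Subnet -> Availability Zone. In practice this comes from ec2 describe-subnets;
# here it is constructed inline so the validation runs offline.
SUBNET_AZS = {
    "subnet-0aaaaaaaaaaaaaaa1": "us-east-1a",
    "subnet-0bbbbbbbbbbbbbbb2": "us-east-1b",
}


def validate_domain_name(name: str) -> bool:
    """Require a multi-label DNS name such as corp.example.com; a bare label is rejected."""
    return re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", name.lower()) is not None


def validate_admin_password(password: str) -> bool:
    """AWS Managed Microsoft AD requires 8-64 characters drawn from at least
    three of: lowercase, uppercase, digits, special characters."""
    if not 8 <= len(password) <= 64:
        return False
    categories = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(categories) >= 3


def pick_subnets(subnet_azs: Dict[str, str]) -> List[str]:
    """Return two subnets in distinct Availability Zones, as the service requires.
    Raises ValueError when the VPC cannot satisfy that."""
    by_az: Dict[str, str] = {}
    for subnet, az in subnet_azs.items():
        by_az.setdefault(az, subnet)   # keep the first subnet seen per AZ
    if len(by_az) < 2:
        raise ValueError("need subnets in at least two Availability Zones")
    return list(by_az.values())[:2]


def build_create_request(name: str, password: str, vpc_id: str,
                         subnet_azs: Dict[str, str], edition: str = "Standard") -> dict:
    """Assemble the keyword arguments for boto3's create_microsoft_ad
    after validating them locally (no AWS call is made here)."""
    if not validate_domain_name(name):
        raise ValueError(f"invalid directory name: {name}")
    if not validate_admin_password(password):
        raise ValueError("admin password does not meet the AWS complexity rules")
    if edition not in ("Standard", "Enterprise"):
        raise ValueError("edition must be Standard or Enterprise")
    return {
        "Name": name,
        "Password": password,
        "Edition": edition,
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": pick_subnets(subnet_azs)},
    }


def create_and_wait(request: dict, poll_seconds: int = 60, max_wait_minutes: int = 45) -> str:
    """Call the real API and poll describe_directories until Stage is Active.
    boto3 is imported here so everything above runs without AWS credentials."""
    import boto3  # needs credentials with Directory Service permissions
    ds = boto3.client("ds")
    directory_id = ds.create_microsoft_ad(**request)["DirectoryId"]
    deadline = time.time() + max_wait_minutes * 60
    while time.time() < deadline:
        stage = ds.describe_directories(DirectoryIds=[directory_id])["DirectoryDescriptions"][0]["Stage"]
        if stage == "Active":
            return directory_id
        if stage in ("Failed", "Deleted"):
            raise RuntimeError(f"directory {directory_id} entered stage {stage}")
        time.sleep(poll_seconds)
    raise TimeoutError("directory did not become Active in time")


if __name__ == "__main__":
    # The password should come from a secrets store or a prompt, never source control.
    req = build_create_request(DOMAIN_NAME, "Replace-Me-Before-Use-1", VPC_ID, SUBNET_AZS)
    print("would create directory with:", {k: v for k, v in req.items() if k != "Password"})
    # create_and_wait(req)  # uncomment to actually create the directory
```

Keeping the validation separate from the API call lets you catch a same-AZ subnet pair or a weak admin password before the 25-30 minute provisioning starts, rather than after a failed or impaired directory appears in the console.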
Setting up Amazon WorkDocs
As noted already, Amazon WorkDocs uses AWS Directory Service, so we launch Amazon WorkDocs using our Managed Microsoft AD.
After creating WorkDocs, you will receive a link to launch an Amazon WorkDocs site:
After clicking the link, your WorkDocs site opens. As a WorkDocs administrator, you now have control over user permissions:
Types of Amazon WorkDocs Users
You can leverage four types of user roles in Amazon WorkDocs for your organization. These include:
- Guest user
- User
- Power user
- Administrator
Each new user should begin in a guest-user role; they can’t upload any files yet and can’t view any files unless a file is shared with them specifically.
Administrators can then update the guest-user role to any of the three remaining roles, following the AWS best practice of granting the least privilege needed for the user’s role in your organization. This helps maintain the integrity of your document management system and work processes. However, once you update a user, you can no longer revert them to the guest-user role.
In the administration panel, you can also use the ‘IP Allow List’ option to specify your company’s IP ranges. This ensures, for example, that sensitive documents can only be reached when users log in to WorkDocs from a company device within the configured IP range; users outside those ranges cannot log in to Amazon WorkDocs at all.
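The activity feed and CloudTrail events mentioned earlier are where an administrator verifies that the IP Allow List and the least-privilege role assignments are actually holding. The following is an added example for this post, not code from the original article or from AWS: it runs a small review over constructed CloudTrail-style records, flagging WorkDocs events sourced outside the allow list and `UpdateUser` calls that grant the Administrator role. The allow list, user names and IP addresses are constructed; the record layout follows CloudTrail's standard fields, and the assumption that the requested role appears under `requestParameters.type` is labelled in the code.

```python
"""Review WorkDocs CloudTrail events against the site's IP allow list and
watch for role changes that grant Administrator.

Added example for this post; not the original article's or AWS's code.
Events, users, IPs and the allow list are constructed.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed: the company ranges an administrator would enter in 'IP Allow List'.
IP_ALLOW_LIST = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed sample events in CloudTrail's record shape. Event names are
# WorkDocs API actions; "type" under requestParameters is ASSUMED to carry the
# UserType value that UpdateUser accepts (ADMIN, POWERUSER, USER, MINIMALUSER).
SAMPLE_EVENTS = json.loads("""[
  {"eventSource": "workdocs.amazonaws.com", "eventName": "GetDocument",
   "sourceIPAddress": "203.0.113.45", "userIdentity": {"userName": "alice"},
   "requestParameters": {"documentId": "doc-constructed-1"}},
  {"eventSource": "workdocs.amazonaws.com", "eventName": "AddResourcePermissions",
   "sourceIPAddress": "192.0.2.77", "userIdentity": {"userName": "bob"},
   "requestParameters": {"resourceId": "doc-constructed-1"}},
  {"eventSource": "workdocs.amazonaws.com", "eventName": "UpdateUser",
   "sourceIPAddress": "198.51.100.9", "userIdentity": {"userName": "carol"},
   "requestParameters": {"userId": "user-constructed-7", "type": "ADMIN"}},
  {"eventSource": "ds.amazonaws.com", "eventName": "DescribeDirectories",
   "sourceIPAddress": "192.0.2.77", "userIdentity": {"userName": "bob"},
   "requestParameters": {}}
]""")


def ip_allowed(source_ip: str, allow_list: List[str]) -> bool:
    """True when the source address falls inside one of the allowed CIDR ranges.
    Non-IP values (CloudTrail sometimes records e.g. 'AWS Internal') count as not allowed."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allow_list)


def review_events(events: List[dict], allow_list: List[str]) -> List[Dict[str, str]]:
    """Return one finding per WorkDocs event that either comes from outside the
    allow list or promotes a user to ADMIN. Events from other services are ignored."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("eventSource") != "workdocs.amazonaws.com":
            continue
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        ip = ev.get("sourceIPAddress", "")
        if not ip_allowed(ip, allow_list):
            findings.append({"user": user, "event": ev["eventName"],
                             "reason": f"source {ip} outside IP allow list"})
        if ev.get("eventName") == "UpdateUser" and \
                ev.get("requestParameters", {}).get("type") == "ADMIN":
            target = ev["requestParameters"].get("userId", "<unknown>")
            findings.append({"user": user, "event": "UpdateUser",
                             "reason": f"granted ADMIN to {target}; confirm least privilege"})
    return findings


if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS, IP_ALLOW_LIST):
        print(f"{f['user']:6} {f['event']:24} {f['reason']}")
```

Run against a real trail, the same two checks turn the allow list and the role model into something you can audit after the fact: an event from an unexpected range means the list is incomplete or a credential is being used from outside company devices, and an unexpected ADMIN grant is the one role change that cannot be undone back to guest.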
By using Amazon WorkDocs and Managed Microsoft AD together, we get the document management benefits they provide on AWS: sharing files with a specific user or group of users, maintaining file security, and following Identity and Access Management best practices, all of which fit the business use cases discussed above. Get started with the two by following these step-by-step guidelines to support your organization’s document management system.
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.