Category: Amazon WorkDocs

Catching Up On AWS Announcements from Early 2017

Even though we have published 123 posts so far this year, we simply don’t have the time to cover every significant AWS launch. Also, the newer services are often richer and take more space to describe, adding to our workload. This post (and others to follow each quarter) will outline some of the launches that we did not have time to address earlier.

So, here we go:

  • Migration Support for NoSQL Databases
  • Comments, Tagging, and Metadata APIs for WorkDocs.
  • Email and SMS Integration for Pinpoint
  • Usage Type Groups and Linked Account Access for AWS Budgets
  • EC2 Systems Manager Support for Hierarchies, Tagging, and CloudWatch Events

These features have already launched and you may already be using them!

Migration Support for NoSQL Databases
With this launch, AWS Database Migration Service can migrate relational databases, NoSQL databases, and data warehouses. The launch adds support for MongoDB databases as a migration source and Amazon DynamoDB tables as a migration target. To get started, create a replication instance and database endpoints for MongoDB and DynamoDB:

Read MongoDB as a Migration Source and DynamoDB as a Migration Target for more information.

Comments, Tagging, and Metadata APIs for WorkDocs
This addition to the Amazon WorkDocs Administrative SDK provides APIs for creating and accessing metadata, tags, and comments:

MetadataCreateCustomMetadata, DeleteCustomMetadata.

TagsCreateLabels, DeleteLabels.

CommentsCreateComment, DeleteComment, DescribeComments.

The SDK is available for Java, Python, Go, JavaScript, .NET, PHP, and Ruby. It handles signing of API requests using Sigv4, and is integrated with IAM (roles and permissions), SNS (real-time notifications), and CloudTrail (monitoring).

Email and SMS Integration for Pinpoint
In addition to the existing Mobile Push Notifications, Amazon Pinpoint can now drive user engagement through email and SMS notifications. In order to use this feature you must first enable the desired channel or channels:

To learn more, read about Amazon Pinpoint Channels.

Usage Type Groups and Linked Account Access for AWS Budgets
AWS Budgets let you set cost and usage budgets and receive notification if they are breached (read Managing Your Costs with Budgets and AWS Budgets Update – Track Cloud Costs and Usage).

In order to make AWS Budgets even more useful, we added support for linked accounts and a new usage type filtering option. Organizations that make use of Consolidated Billing to consolidate payment for multiple AWS accounts will benefit from the support for linked accounts. The member accounts can now access their own budgets, while the payer account remains responsible for payment.

The usage type and usage type group filtering dimensions allow you to track your costs and usage from an aggregate level all the way down to the most basic unit of metering. For example, you can create a budget to track all EC2 usage (EC2-Running Hours):

Or a specific usage type, in this case three different sizes of T2 instances:

EC2 Systems Manager Support for Hierarchies, Tagging, and CloudWatch Events
This management service helps you to automatically collect software inventory, apply OS patches, create system images, and configure both Linux and Windows operating systems.

The Parameter Store (one of the service’s most popular features) stores configuration data such as database access strings and passwords in encrypted form. It is accessible from the CLI, APIs, and SDKs; this allows AWS Lambda functions and code running inside of Amazon ECS containers to access the same parameters.

We added support for storage of parameters in hierarchical form, giving you the ability to group them by organization, application, and so forth. You can also create parallel sets of parameters for use in development, testing, and production environments. To create a hierarchy of parameters, use names that include one or more “/” characters:

We also added support for tagging. You can query parameters based on tags and you can add IAM permissions to parameters via tags.

Finally, the Parameter Store is now a source of CloudWatch Events. You can now track changes to your parameters, perhaps making sure that they are not inadvertently changed in a way that could break an existing application:

Keeping Up
In addition to reading this blog on a regular basis, you can also follow me and AWS Cloud on Twitter. You can also check out the AWS What’s New and subscribe to the RSS Feed.


Amazon WorkDocs Update – Commenting & Reviewing Enhancements and a New Activity Feed

As I have told you in the past, we like to drink our own Champagne at Amazon. Practically speaking, this means that we make use of our own services, tools, and applications as part of our jobs, and that we supply the development teams with feedback if we have an idea for an improvement or if we find something that does not work as expected.

I first talked about Amazon WorkDocs (which was originally called Zocalo) back in the middle of 2014, and have been using it ever since (at busy times I often have drafts of 7 or 8 posts circulating).

I upload drafts of every new blog post (usually as PDFs) to WorkDocs and then share them with the Product Manager, Product Marketing Manager, and other designated reviewers. The reviewers leave feedback for me, I update the draft, and I wait for more feedback. After a couple of iterations the draft settles down and I wait for the go-ahead to publish the post. The circle of reviews often grows to include developers, senior management, and so forth. I simply share the document with them and look forward to even more feedback. My job is to read and to process all of the feedback (lots of suggestions, and the occasional question) as quickly as possible and to make sure that I did not miss anything.

Today I would like to tell you about some recent recent enhancements that makes WorkDocs even more useful. We have added some more commenting and reviewing features, along with an activity feed.

Enhanced Commenting
Over the course of a couple of revisions, some comments will spur a discussion. There might be a question about the applicability of a particular feature or the value of a particular image. In order to make it easier to start and to continue conversations, WorkDocs now supports threaded replies. I simply click on Reply and respond to a comment:

It is displayed like this:

If I click on Private, the comment is accessible only to the person who wrote the original.

In order to strengthen my message, I can also use simple formatting (bold, italic, and strikethrough) in my comments. Here’s how I specify each one:

And here’s the result:

Clicking on the ? displays a handy guide to formatting:

When the time for comments has passed, I can now disable feedback with a single click:

To learn more about these features, read Giving Feedback in the WorkDocs User Guide.

Enhanced Reviewing
As the comments accumulate, I sometimes need to draw a reviewer’s attention to a particular comment. I can do this by entering an @ in the comment and then choosing their name from the popup menu:

The user will be notified by email in order to let them know that their feedback is needed.

From time to time, a potential reviewer will come in to possession of a URL to a WorkDocs document but will not have access to the document. They can now request access to the document like this:

The request will be routed to the owner of the document via email for approval.

Similarly, someone who has been granted Viewer-level access can now request Contributor-level access:

Again, the request will be routed to the owner of the document via email for approval:


Activity Feed
With multiple blog posts out for review at any given time, keeping track of what’s coming and going can be challenging. In order to give me a big-picture view, WorkDocs now includes an Activity Feed. The feed shows me what is going on with my own documents and with those that have been shared with me. I can watch as files and folders are created, changed, removed, and commented on. I can also see who is making the changes and track the times when they were made:

I can enter a search term to control what I see in the feed:

And I can further filter the updates by activity type or by date:

Available Now
These features are available now and you can start using them today.



Attention Developers – Public Preview of Amazon WorkDocs SDK Now Available

I am a heavy-duty user and a big fan of Amazon WorkDocs. With AWS re:Invent just days away, I have nearly two dozen draft blog posts underway. I use WorkDocs to make sure that all of the interested parties are reviewing and commenting on the most recent version of each draft.

Today I am happy announce that we are launching a public preview of an Administrative SDK for WorkDocs. I have been looking forward to this announcement and can’t wait to build some tools to streamline my blogging and reviewing workflow. This SDK opens the doors to many types of value-added integration including advanced content management, document migration, virus scanning, data-loss prevention, and ediscovery.

The SDK provides full, administrator-level access to the resources contained within a WorkDocs site. You can build applications that manage users, content, and permissions and sell them on AWS Marketplace for deployment through the WorkDocs administrator console.

Resources and Actions
The Administrative SDK gives you Create, Read, Update, and Delete actions on WorkDocs users, folders, files, and permissions along with the ability to subscribe to notifications that are sent when an action is performed on them. Permission to access specific functions and resources is granted by AWS Identity and Access Management (IAM).

Here’s an overview of the functions provided by the SDK:

Users Folders Documents Permissions Notifications
  • Create User
  • Activate User
  • Describe Users
  • Update User
  • Delete User
  • Create Folder
  • Get Folder
  • Get Folder Path
  • Update Folder
  • Delete Folder
  • Describe Folder
  • Delete Folder Contents
  • Get Document
  • Delete Document
  • Get Document Path
  • Get Document Version
  • Describe Document Versions
  • Initiate Document Version Upload
  • Abort Document Version Upload
  • Update Document Version
  • Add Resource Permissions
  • Describe Resource Permissions
  • Remove Resource Permission
  • Remove All Resource Permissions
  • Subscribe to Notifications
  • Unsubscribe from Notifications

The SDK is available for Java and Python developers and works in all six AWS Regions where WorkDocs is available. The download is free and there is no charge for calls to the API during the Public Preview period.

Developers Wanted
During the Public Preview, we are looking for developers who are ready to commit engineering resources to the construction of a Proof of Concept application that uses the SDK, and who are willing to meet with the WorkDocs team to provide status updates and share feedback.

If you have an idea for a great application and would like to apply for the Public Preview, sign up today.



I Love My Amazon WorkSpace!

Early last year my colleague Steve Mueller stopped by my office to tell me about an internal pilot program that he thought would be of interest to me. He explained that they were getting ready to run Amazon WorkSpaces on the Amazon network and offered to get me on the waiting list. Of course, being someone that likes to live on the bleeding edge, I accepted his offer.

Getting Started
Shortly thereafter I started to run the WorkSpaces client on my office desktop, a fairly well-equipped PC with two screens and plenty of memory. At that time I used the desktop during the working day and a separate laptop when I was traveling or working from home. Even though I used Amazon WorkDocs to share my files between the two environments, switching between them caused some friction. I had distinct sets of browser tabs, bookmarks, and the like. No matter how much I tried, I could never manage to keep the configurations of my productivity apps in sync across the environments.

After using the WorkSpace at the office for a couple of weeks, I realized that it was just as fast and responsive as my desktop. Over that time, I made the WorkSpace into my principal working environment and slowly severed my ties to my once trusty desktop.

I work from home two or three days per week. My home desktop has two large screens, lots of memory, a top-notch mechanical keyboard, and runs Ubuntu Linux. I run VirtualBox and Windows 7 on top of Linux. In other words, I have a fast, pixel-rich environment.

Once I was comfortable with my office WorkSpace, I installed the client at home and started using it there. This was a giant leap forward and a great light bulb moment for me. I was now able to use my fast, pixel-rich home environment to access my working environment.

At this point you are probably thinking that the combination of client virtualization and server virtualization must be slow, laggy, or less responsive than a local device. That’s just not true! I am an incredibly demanding user. I pound on the keyboard at a rapid-fire clip, I keep tons of windows open, alt-tab between them like a ferret, and I am absolutely intolerant of systems that get in my way.  My WorkSpace is fast and responsive and makes me even more productive.

Move to Zero Client
A few months in to my WorkSpaces journey, Steve IM’ed me to talked about his plan to make some Zero Client devices available to members of the pilot program. I liked what he told me and I agreed to participate. He and his sidekick Michael Garza set me up with a Dell Zero Client and two shiny new monitors that had been taking up space under Steve’s desk. At this point my office desktop had no further value to me. I unplugged it, saluted it for its meritorious service, and carried it over to the hardware return shelf in our copy room.  I was now all-in, and totally dependent on, my WorkSpace and my Zero Client.

The Zero Client is a small, quiet device. It has no fans and no internal storage. It simply connects to the local peripherals (displays, keyboard, mouse, speakers, and audio headset) and to the network. It produces little heat and draws far less power than a full desktop.

During this time I was also doing quite a bit of domestic and international travel. I began to log in to my WorkSpace from the road. Once I did this, I realized that I now had something really cool—a single, unified working environment that spanned my office, my home, and my laptop. I had one set of files and one set of apps and I could get to them from any of my devices. I now have a portable desktop that I can get to from just about anywhere.

The fact that I was using a remote WorkSpace instead of local compute power faded in to the background pretty quickly. One morning I sent the team an email with the provocative title “My WorkSpace has Disappeared!” They read it in a panic, only to realize that I had punked them, and that I was simply letting them know that I was able to focus on my work, and not on my WorkSpace. I did report a few bugs to them,  none of which were serious, and all of which were addressed really quickly.

Dead Laptop
The reality of my transition became apparent late last year when the hard drive in my laptop failed one morning. I took it in to our IT helpdesk and they replaced the drive. Then I went back up to my office, reinstalled the WorkSpaces client, and kept on going. I installed no other apps and didn’t copy any files. At this point the only personal items on my laptop are the registration code for the WorkSpace and my stickers! I do still run PowerPoint locally, since you can never know what kind of connectivity will be available at a conference or a corporate presentation.

I also began to notice something else that made WorkSpaces different and better. Because laptops are portable and fragile, we all tend to think of the information stored on them as transient. In the dark recesses of our minds we know that one day something bad will happen and we will lose the laptop and its contents. Moving to WorkSpaces takes this worry away. I know that my files are stored in the cloud and that losing my laptop would be essentially inconsequential.

It Just Works
To borrow a phrase from my colleague James Hamilton, WorkSpaces just works. It looks, feels, and behaves just like a local desktop would.

Like I said before, I am demanding user. I have two big monitors, run lots of productivity apps, and keep far too many browser windows and tabs open. I also do things that have not been a great fit for virtual desktops up until now. For example:

Image Editing – I capture and edit all of the screen shots for this blog (thank you, Snagit).

Audio Editing – I use Audacity to edit the AWS Podcasts. This year I plan to use the new audio-in support to record podcasts on my WorkSpace.

Music – I installed the Amazon Music player and listen to my favorite tunes while blogging.

Video – I watch internal and external videos.

Printing – I always have access to the printers on our corporate network. When I am at home, I also have access to the laser and ink jet printers on my home network.

Because the WorkSpace is running on Amazon’s network, I can download large files without regard to local speed limitations or bandwidth caps. Here’s a representative speed test (via Bandwidth Place):

Sense of Permanence
We transitioned from our pilot WorkSpaces to our production environment late last year and are now provisioning WorkSpaces for many members of the AWS team. My WorkSpace is now my portable desktop.

After having used WorkSpaces for well over a year, I have to report that the biggest difference between it and a local environment isn’t technical. Instead, it simply feels different (and better).  There’s a strong sense of permanence—my WorkSpace is my environment, regardless of where I happen to be. When I log in, my environment is always as I left it. I don’t have to wait for email to sync or patches to install, as I did when I would open up my laptop after it had been off for a week or two.

Now With Tagging
As enterprises continue to evaluate, adopt, and deploy WorkSpaces in large numbers, they have asked us for the ability to track usage for cost allocation purposes. In many cases they would like to see which WorkSpaces are being used by each department and/or project. Today we are launching support for tagging of WorkSpaces. The WorkSpaces administrator can now assign up to 10 tags (key/value pairs) to each WorkSpace using the AWS Management Console, AWS Command Line Interface (CLI), or the WorkSpaces API. Once tagged, the costs are visible in the AWS Cost Allocation Report where they can be sliced and diced as needed for reporting purposes.

Here’s how the WorkSpaces administrator can use the Console to manage the tags for a WorkSpace:

Tags are available today in all Regions where WorkSpaces is available: US East (Northern Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Asia Pacific (Sydney).

Learning More
If you have found my journey compelling and would like to learn more, here are some resources to get you started:

Request a Demo
If you and your organization could benefit from Amazon WorkSpaces and would like to learn more, please get in touch with our team at


Amazon WorkDocs Update – Flexible Permissions and Sharing with Groups

I have become a devoted user of Amazon WorkDocs. I draft my blog posts (including this one) and then use WorkDocs to route them to the appropriate people and teams for review and translation. On an average day I probably upload new versions of 4 or 5 draft blog posts and review and respond to feedback on a similar number.

Today we are making WorkDocs even more useful by introducing additional sharing and ownership options for folder and documents. Let’s take a look at these new features!

Folder Link Sharing
You can now share a WorkDocs folder by creating and then sending a link. You can share read only or read & write access to the folder. To share a folder using a link, select the folder and then click on Share Link:

Then choose the type of access that you would like to share:

Copy the resulting link and send it to the lucky recipients. If you share read only access, the link recipient can only read the contents of the folder. If you share read & write access, the recipient can read the contents of the folder, provide feedback on the contents, and upload new versions of any of the documents or folders within. To learn more, read Creating a Shared Link in the WorkDocs Web Client Help.

Sharing with Groups
You can now share individual documents and entire folders with Active Directory (AD) groups. This will share the items with all of the members of group. You can do this by entering the name of the group when you share the item:

You can now make your colleagues and collaborators into co-owners of your documents and files. A co-owner can rename and delete documents and folders, and can also re-share them. Here’s now I would share my draft posts with Werner:

Share Today
These features are available now and you can start using them today!


Amazon WorkMail – Managed Email and Calendaring in the AWS Cloud

Have you ever had to set up, run, and scale an email server? While it has been a long time since I have done this on my own, I do know that it is a lot of work! Users expect to be able to access their email from the application, device, or browser of their choice. They want to be able to send and receive large files (multi-megabyte video attachments and presentations often find their way in to my inbox). Email administrators and CSO’s are looking for robust security measures.

Paradoxically, email is both mission-critical and pedestrian. Everyone needs it to work, but hardly anyone truly understands what it takes to make this happen!

Introducing Amazon WorkMail
Today I would like to introduce Amazon WorkMail. This managed email and calendaring solution runs in the Cloud. It offers a unique set of security controls and works with your existing desktop and mobile clients (there’s also a browser-based interface). If your organization already has a directory of its own, Amazon WorkMail can make use of it via the recently introduced AWS Directory Service. If not, Amazon WorkMail will use Directory Service to create a directory for you as part of the setup process.

Amazon WorkMail was designed to work with your existing PC and Mac-based Outlook clients including the prepackaged Click-to-Run versions. It also works with mobile clients that speak the Exchange ActiveSync protocol.

Our 30-day free trial will give you the time and the resources to evaluate Amazon WorkMail in your own environment. As part of the trial, you can serve up to 25 users, with 50 gigabytes of email storage per employee. In order to help you to move your organization to Amazon WorkMail, we also provide you with a mailbox migration tool.

Amazon WorkMail makes use of a number of AWS services including Amazon WorkDocs (formerly known as Amazon Zocalo), the Directory Service, AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), and Amazon Simple Email Service (SES).

Amazon WorkMail Features
You can set up Amazon WorkMail for a new organization in a matter of minutes. As I mentioned earlier, you can use your existing directory or you can have Amazon WorkMail set one up for you. You can send and receive email through your existing domain name by adding a TXT record (for verification of ownership) and an MX record (to route the mail to Amazon WorkMail to your existing DNS configuration).

As a Amazon WorkMail user, you have access to all of the usual email features including calendaring, calendar sharing, tasks, contact lists, distribution lists, resource booking, public folders, and out-of-office (OOF) messages.

The browser-based interface has a full array of features. It works with a wide variety of browsers including Firefox, Chrome, Safari, and newer (IE 9 and higher) versions of Internet Explorer. The interface gives you access to email, calendars, contacts, and tasks. You can access shared calendars and public folders, book resources, and manage your OOF.

Amazon WorkMail was designed to work in today’s data-rich, email-intensive environments. Each inbox has room for up to 50 gigabytes of messages and attachments. Messages can range in size all the way up to 25 megabytes.

As part of this launch we are renaming Amazon Zocalo to Amazon WorkDocs! Amazon WorkMail can be used in conjunction with WorkDocs for simple, controlled distribution of documents that contain sensitive information.

Amazon WorkMail Security Controls

Let’s talk about security for a bit. Amazon WorkMail includes a number of security features and controls that will allow it to meet the needs of many types of organizations. Here’s an overview of some of the most important features and controls:

  • Location Control – The Amazon WorkMail administrator can choose to create mailboxes in any supported AWS region. All mail and other data will be stored within the region and will not be transferred to any other region. During the Preview, Amazon WorkMail will be supported in the US East (Northern Virginia) and EU (Ireland) regions, with more to follow over time.
  • S/MIME – Data in transit to and from Outlook clients and certain iPhone and iPad apps is encrypted using S/MIME. Data in transit to other clients is encrypted using SSL.
  • Stored Data Encryption – Data at rest (messages, contacts, attachments, and metadata) is encrypted using keys supplied and managed by KMS.
  • Message Scanning – Incoming and outgoing email messages and attachments are scanned for malware, viruses, and spam.
  • Mobile Device Policies & Actions – The Amazon WorkMail administrator can selectively require encryption, password protection, and automatic screen locking for mobile devices. The administrator can also remotely wipe a lost or mislaid mobile device if necessary.

Getting Started with Amazon WorkMail
Let’s walk through Amazon WorkMail while wearing our email administrator hats! I need to create a Amazon WorkMail organization. In most cases, I would use a single organization for an entire company.

I start by opening up the AWS Management Console and choosing Amazon WorkMail:

I click the Get started button. At this point I can choose between a Quick setup (Amazon WorkMail will create a new directory for me)  or a Custom setup (Amazon WorkMail will use an existing directory that I configure):

I’ll go for the quick setup today. I need to pick a unique name for my organization:

This will automatically create a directory and then create and initialize my organization. It will also initiate the Amazon SES domain verification process (for in this case) and create a set of DKIM keys so that I can send DKIM-signed mail. The entire process takes 10 to 20 minutes and requires no additional work on my part. The organization’s status will start out as creating and will transition to active before too long:

After the creation process completes I can begin to add Amazon WorkMail users to my organization (if I had used an existing directory in the previous step I could simply select them from a list at this point). I’ll begin by adding myself:

Then  I specify the email address and password. If I have associated one or more domain names with the organization, I can use the name as the basis for the email address:

I can browse all of the organization’s users:

I can also create groups, attach domains, and manage mobile device policies, all from the Console.

The Amazon WorkMail Browser-Based Interface
Let’s take a look at the browser-based interface to Amazon WorkMail. Here’s my inbox:

And my calendar:

This is just a sampling of the features that are available in the Amazon WorkMail.

Pricing and Availability
We are launching a Preview of Amazon WorkMail in the US East (Northern Virginia) and EU (Ireland) regions today and you can sign up for the Preview if you are interested in joining.

After the 30-day free trial (25 users and 50 gigabytes of storage per user), pricing is on a per-user, pay-as-you-go basis. You will be charged $4 per month for a 50 gigabyte Amazon WorkMail mailbox, or $6 per month for a bundle that includes Amazon WorkMail and WorkDocs. There is no separate charge for the use of SES to send messages.