AWS Security Blog

How to Configure Security Settings in Amazon WorkDocs

Amazon WorkDocs (formerly Amazon Zocalo) is a fully managed, secure enterprise storage and sharing service that incorporates feedback capabilities to improve user productivity. You can comment on files, send them to others for feedback, and upload new versions without having to resort to emailing multiple versions of files as attachments. WorkDocs includes security features such as encryption, granular sharing, and access to WorkDocs sites. In addition, WorkDocs is now ISO/IEC 27018:2014 compliant, which means that WorkDocs has a system of controls in place that specifically addresses privacy protection of your content.

In this post, I will discuss some of these WorkDocs security features and show you how to improve the security of your WorkDocs site.

Image of the WorkDocs Administration option

Administrative security settings

Let’s first dive into some of the security features that are exclusive to the WorkDocs site administrator, such as how to control whether users can send WorkDocs file links externally and whether users can invite external users to join WorkDocs.

Access the WorkDocs administration dashboard as shown in the previous screenshot. In the dashboard, which only appears if the signed-in WorkDocs user is an administrator, the administrator can set the language settings for email notifications, modify the default storage quota that each user is assigned, manage users, and change the WorkDocs site’s security settings.

The administrative security settings include granular controls to help the administrator configure whether users in the site can share links with external users and who can enable new users on the site. Two configuration options are available to address these two use cases (as shown in the following image).

Image of two configuration options

Users cannot send external view links

In the first security setting (Users cannot send external view links), an External Share Settings window gives the administrator three options. The first option, Users can send external view links to anyone, is the least restrictive option. With this option, any link to a folder or file inside WorkDocs can be accessed by anyone, even if that person is outside the domain when using Simple AD. Simple AD is a stand-alone managed directory for your WorkDocs site, and AD Connector allows the WorkDocs admin to easily connect Microsoft Active Directory to the AWS cloud. These options are useful for sites where your administrators or users plan to make a lot of their work public or share with the public through their WorkDocs site.

Image of having selected "Users can send external view links to anyone"

The second option is more restrictive than the first: Users can send external view links to a few specific domains. With this option, the administrator can specify the domains with which users can share. Domains such as can be typed in the Which domains? box. This option is useful when you want to collaborate with someone who works at a specific company.

The third option is the most restrictive: Users cannot send external view links. This option restricts users from sending any externally viewable links. This means that only users marked Active in the WorkDocs site can access the files, if those files are shared with them. This option is good if you who have sensitive information and work only with those individuals internal to a WorkDocs site.

So which setting is right for you? If you have sensitive information and only work with users who are internal to a WorkDocs site, you might find the most restrictive setting to be the most appropriate. However, if you do not have sensitive information and want others outside the organization to collaborate on or view your files when they have a link, the first option would be the most appropriate for you. The second option specifies the exact domains from which another user outside your organization can access a WorkDocs link.

Only administrators can enable new users

In the second security setting (Only administrators can enable new users), the administrator can configure who can enable and add new users to a WorkDocs site. This second security setting offers two options: one option that enables any user in the WorkDocs site to add new users by sharing files or folders with them, and a second that allows only the administrator to enable new users, which is the least permissive option.

Image of "Only administrators can enable new users" security setting

In the first option, the users must already exist in your directory, whether by using your on-premises Active Directory (AD Connector) or Simple AD. In the second option, only the administrator can enable new users by going to the administration dashboard and changing the relevant users’ status to Active to enable the new user or to Inactive to disable the user.

Certain configurations require setting both the External Share Settings and Invite Settings. To allow anonymous users to be invited to view files, see the Anonymous Viewers documentation. Anonymous viewers will not be able to download or provide feedback about the files. This configuration would benefit those who want to do a one-way share outside the organization.

Sharing permissions

WorkDocs also offers sharing settings, which provide you not only ease of use but also an additional layer of access security.

End users configure file and folder sharing permissions in WorkDocs, subject to the administrative security settings explained previously in this post. WorkDocs has a role-based access control model, with four different user roles:

  • Owner
  • Co-owner
  • Contributor
  • Viewer

If you upload a file, you are the owner of the file and can share the file and its folder with other users and Active Directory groups. To share a file or folder with someone else, specify how you want to share it: share a link, or add the other users to the file or folder as one of the other user roles.

A co-owner can remove or reshare a file. A contributor, on the other hand, can only modify the file, but not delete or reshare it. A viewer can only view the file, but cannot modify or provide feedback about the file. The viewer role is the only role that cannot provide feedback.

Image of user roles

Similarly, WorkDocs provides link-based sharing without explicitly adding a user to the file or folder as one of the defined roles. A user can also share the document with others inside and outside the site by providing a link (the configuration is set by External Share Settings, as described previously in this blog post). These are the sharing options:

  • Read Only – Allows those with the link to view the file but not to comment.
  • Read & Write – Accessible by people who have the file link, when the file does not need to be shared with specific users.
  • Private – Only you can access – Accessible only by people whom you have invited and explicitly added to the file or folder, including yourself.

Image of sharing options

A manageable set of roles and permissions simplifies the sharing process while making sure that security principles are followed.


Because sharing and collaboration are now the norm in work environments, collaborating outside the company with partners and vendors has become common. WorkDocs allows you to achieve such collaboration with added security and ease. Likewise, a granular permissions-based access model allows numerous options for you to share critical content inside and outside your company. To supplement the content in this blog post, in a future post I will go into detail about how to set up SSO and MFA with your WorkDocs site.

If you have questions or comments, add them below, or go to the WorkDocs forum.

– Edwin