Amazon WorkLink Documentation

Amazon WorkLink is a managed service that provides your employees and contractors access to your internal websites and web apps using their mobile phones.

Easy setup and administration

Amazon WorkLink can be set up from your AWS Management Console. To get started, link your existing identity provider to Amazon WorkLink, and use that to configure access permissions for your employees. Next, add your web domains that will be accessed using WorkLink. To enable access to these added web domains, use your existing on-premises VPN hardware to create a point-to-point connection with your AWS Virtual Private Cloud (VPC) or use Direct Connect if you have it set up already. Once you have completed these steps, you can use the provided email template to invite employees to download the Amazon WorkLink app from their device app store, log in with their corporate credentials, and start accessing internal websites using Safari.

Content isolation

Amazon WorkLink performs on-device DNS resolution to identify internal website and web app requests, and then loads this content in a container running in AWS. Amazon WorkLink processes all HTML, JavaScript, and CSS in AWS, and transforms it into vector graphics. It then delivers the content to employee phones as vector graphics, while preserving native interactions. As a result, internal web pages aren’t directly rendered on these devices, and content isn’t stored or downloaded to local browser caches. Amazon WorkLink also isolates browsing sessions by providing a dedicated pool of EC2 instances to each customer, and a dedicated container to each active user.

Split rendering

Amazon WorkLink identifies which elements of the requested page require user input, such as text boxes and drop-down lists. It mirrors those interactive elements of the webpage on mobile phones, so that user actions are processed locally. Amazon WorkLink displays the rest by rendering layers of vector graphics to represent each web page on mobile phones.

Amazon WorkLink works with websites and web apps that persist application state with browser cookies. Amazon WorkLink integrates with the AWS Key Management Service (KMS) to encrypt cookies in AWS containers before sending them to employee phones. The cookies are sent back to the AWS cloud to be decrypted when needed. This allows your employees to resume their browsing sessions and provides an uninterrupted browsing experience. 

SAML-based user management

Amazon WorkLink supports user authentication and federated sign-in using any SAML 2.0 compliant identity provider. You can use your SAML provider to authorize which groups of users from your directory should have access to Amazon WorkLink as well as set user permissions for your internal websites. 

Microsoft Active Directory integration

Amazon WorkLink allows you to use your Microsoft Active Directory to manage user authentication. You can apply existing group policies to enable access to Amazon WorkLink as well as set user permissions for your internal websites. You can link your AWS Directory Service with Amazon WorkLink via AWS Single Sign-On.

Access control

Amazon WorkLink lets you specify which of your internal websites and web apps should be available to your employees, contractors, and partners. You can allowlist the sites that you want to make accessible externally in the Amazon WorkLink console, and set permissions for your users through your existing identity provider including, SAML 2.0 and Active Directory. This lets you control the level of access users get.

Monitoring and analytics

Amazon WorkLink creates activity logs that allow you to track the total number of people accessing content through it, the content they accessed, and when they accessed that content. These logs are delivered to you via an Amazon Kinesis stream and you can store, process, and analyze these logs with tools or data store of your choice. 

The Amazon WorkLink mobile app performs on-device DNS resolution, and verifies users’ access to the WorkLink service. When an employee uses the browser on their phones to navigate to an internal site, the Amazon WorkLink app resolves the associated DNS request locally on the employee phone and routes the corporate web page request through AWS. Amazon WorkLink does not route any personal web page requests through AWS. DNS resolution for those requests are handled by the default DNS resolver on employee phones. The Amazon WorkLink app verifies employee access to WorkLink, and honors your existing SAML policies. The app prompts employees to re-login only when their SSO session expires, so that employees don't need to log in each time they want to access an internal website.

Managed service

Amazon WorkLink manages the deployment, provisioning and scaling of the resources you need. Amazon WorkLink-managed resources connect with your Amazon Virtual Private Cloud (VPC) to access the internal websites you specify. You can leverage AWS Direct Connect installations to route traffic from AWS to company websites and reduce the use of VPN gateway hardware and software on-premise. Alternatively, you can reuse existing VPN installations to setup a site-to-site VPN tunnel between AWS and the on-premise network.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at, or other agreement between you and AWS governing your use of AWS’s services.