AWS WorkMail Setup and Usage

Overview

AWS WorkMail is a managed business email and calendaring service. It allows you to use your own domains to send and receive email.

IAM Setup for WorkMail Administration and Backend Development

This section details how to create the necessary AWS Identity and Access Management (IAM) users and groups to manage WorkMail and potentially other backend services.

Phase 1: Create IAM Groups for Roles

It’s best practice to define permissions via groups. We’ll create two groups, one for backend development tasks and one for WorkMail administration. A user can belong to multiple groups if needed.

1. Log in to AWS Management Console: Go to https://aws.amazon.com/console/ and log in.
2. Navigate to IAM: In the search bar at the top, type IAM and select “IAM” (Identity and Access Management) under Services.
3. Go to User groups: In the left-hand navigation pane, click on User groups.
4. Create Backend Developers Group:
   • Click the Create group button.
   • User group name: Enter a descriptive name, e.g., BackendDevelopers.
   • Attach permissions policies: This is where you grant access. Search for and select policies relevant to creating backend services. Start with AWS managed policies (you can refine later with custom policies for stricter least-privilege):
     • AmazonEC2FullAccess (Or more granular like AmazonEC2ReadWriteAccess if sufficient) - For managing virtual servers.
     • AWSLambda_FullAccess - For serverless functions.
     • AmazonRDSFullAccess - For managed databases.
     • AmazonAPIGatewayAdministrator - For creating APIs.
     • AmazonS3FullAccess - For object storage (often needed for deployments, assets).
     • IAMReadOnlyAccess - Often useful for developers to see existing configurations without being able to change IAM itself.
     • (Consider others based on your specific stack: AmazonDynamoDBFullAccess, AmazonSQSFullAccess, CloudWatchLogsFullAccess, etc.)
   • Warning: FullAccess policies are broad. Review them and consider creating more restrictive custom policies later if needed, following the principle of least privilege.
   • Click Create group.
5. Create WorkMail Administrators Group:
   • Click Create group again.
   • User group name: Enter a descriptive name, e.g., WorkMailAdministrators.
   • Attach permissions policies: Search for and select policies relevant to WorkMail:
     • AmazonWorkMailFullAccess - This generally provides the necessary administrative permissions for WorkMail.
     • (You might also need AWSDirectoryServiceFullAccess if managing directories directly, but start with the WorkMail policy).
   • Click Create group.

Phase 2: Create IAM Users for Team Members

Now, create the individual user accounts for your two team members.

1. Go to Users: In the left-hand navigation pane of the IAM dashboard, click on Users.
2. Add Users: Click the Add users button.
3. Specify user details:
   • User name: Enter a unique username for the first team member (e.g., john.doe, jdoe-phenom).
   • (Optional but Recommended): Click Add another user and enter the username for the second team member.
4. Select AWS credential type: Choose both:
   • Password - AWS Management Console access: Allows them to log in to the web console.
     • Select Autogenerated password or Custom password.
     • (Recommended) Check the box for User must create a new password at next sign-in.
   • Access key - Programmatic access: Provides an Access Key ID and Secret Access Key for using the AWS CLI, SDKs, APIs, etc. This is essential for backend development and automation.
5. Set permissions:
   • Choose Add user to group.
   • In the User groups list, check the box(es) for the group(s) each user should belong to:
     • For a backend developer who also needs to manage WorkMail, check both BackendDevelopers and WorkMailAdministrators.
     • If roles are separate, assign them only to the relevant group(s).
   • Click Next: Tags.
6. Add tags (Optional but Recommended):
   • Add tags for organization, like Key: Team, Value: Backend or Key: Project, Value: Phenom.
   • Click Next: Review.
7. Review: Carefully check the usernames, credential types, group memberships, and tags.
8. Create users: Click Create users.

Phase 3: Securely Distribute Credentials

This is a critical step. Handle these credentials securely!

1. Retrieve Credentials: On the confirmation screen after creating users:
   • You will see the usernames.
   • For each user, you can see their Console password (click “Show” if you chose custom or auto-generated).
   • You will see the Access key ID.
   • You will see the Secret access key (click “Show”). This is the ONLY time the Secret Access Key will be shown.
   • Action: Click the Download .csv button for each user. This file contains the username, Console login URL, Access Key ID, and Secret Access Key. Alternatively, securely copy/paste this information immediately.
2. Provide Information Securely: Distribute the following to each team member using a secure method (e.g., a password manager like 1Password/Bitwarden, encrypted message, direct secure channel – NEVER email or unencrypted chat):
   • The AWS Management Console sign-in URL (it looks like https://<account_id_or_alias>.signin.aws.amazon.com/console/).
   • Their User name.
   • Their temporary Console password.
   • Their Access Key ID.
   • Their Secret Access Key.
3. Crucially warn them:
   • To NEVER commit Access Keys to code/GitHub.
   • To store the Access Key ID and Secret Access Key securely (e.g., in their password manager or configured securely via AWS CLI profiles/environment variables).
   • That the Secret Access Key cannot be retrieved again from AWS if lost.

Phase 4: Instruct Team Members on First Steps

1. Initial Console Login: Instruct users to go to the provided Console sign-in URL, enter their username and temporary password.
2. Password Change: They will be prompted to create a new, strong password immediately.
3. Set Up MFA (CRITICAL):
   • IMMEDIATELY after logging in and changing their password, instruct them to set up Multi-Factor Authentication (MFA) on their IAM user account.
   • They can do this by clicking their username in the top right -> “Security credentials” -> “Multi-factor authentication (MFA)” section -> “Assign MFA device”.
   • Using a virtual MFA app (like Google Authenticator, Authy, Duo) on their phone is the most common and recommended method.
   • Explain that MFA is mandatory for security.

By following these steps, you will have created IAM users with appropriate permissions grouped by role, provided them with both Console and programmatic access, and guided them through initial security best practices. Remember to periodically review permissions and follow the principle of least privilege.

1. Setting Up Your WorkMail Organization

1. Navigate to WorkMail: Log in to your AWS Management Console and navigate to the WorkMail service. Select the AWS Region where you want to host your organization.
2. Create Organization:
   • Choose “Create organization”.
   • Select “Quick setup” for a streamlined process or “Standard setup” for more control (e.g., integrating with an existing Active Directory). For most new setups, “Quick setup” is sufficient.
   • Define an Alias for your organization. This alias is used for the web application sign-in URL (e.g., youralias.awsapps.com/mail). Choose something relevant (e.g., phenom-earth).
   • Click “Create organization”. AWS will provision the necessary resources, which may take several minutes.

2. Adding and Verifying Domains

You need to add and verify the domains you want to use with WorkMail (e.g., thephenom.app, the-phenom.app).

1. Navigate to Domains: In your WorkMail organization settings, go to the “Domains” section.
2. Add Domain:
   • Click “Add domain”.
   • Enter the domain name (e.g., thephenom.app).
   • Click “Add domain”.
   • Repeat for any other domains (e.g., the-phenom.app).
3. Verify Domain Ownership:
   • For each added domain, WorkMail will provide DNS records (usually a TXT record and sometimes CNAME records) that you need to add to your domain’s DNS zone.
   • Using Cloudflare: Log in to your Cloudflare dashboard, select the corresponding domain, go to the “DNS” section, and add the records provided by WorkMail.
   • MX Record: WorkMail will also provide an MX (Mail Exchanger) record. Crucially, you must add this MX record to your DNS zone in Cloudflare to direct email for the domain to WorkMail’s servers. There might be multiple MX records with different priorities. Add them exactly as specified. Remove any pre-existing MX records pointing elsewhere if WorkMail is to be the sole email provider for the domain.
   • Wait for Propagation: After adding the DNS records in Cloudflare, return to the WorkMail console. It might take some time (minutes to hours) for DNS changes to propagate. WorkMail will automatically check, or you can initiate a check. The domain status will change to “Verified” once complete.
4. Set Default Domain (Optional): Choose one of your verified domains to be the default for new users.

3. Creating Users

1. Navigate to Users: In your WorkMail organization settings, go to the “Users” section.
2. Create User:
   • Click “Create user”.
   • Enter the user’s details: First name, Last name, Display name.
   • Enter a Username. This will form the first part of their email address (e.g., username@yourdomain.com).
   • Select the Domain for the user’s primary email address from your list of verified domains.
   • Set a password (either create one or generate one). You can require the user to change it on first login.
   • Click “Create user”.

4. Creating Distribution Groups

Distribution groups allow you to send emails to a single address (e.g., support@thephenom.app) which then distributes the email to all members of the group.

1. Navigate to Groups: In your WorkMail organization settings, go to the “Groups” section.
2. Create Group:
   • Click “Create group”.
   • Enter a Group name (e.g., Support Team, Dev Team).
   • Enter the desired Group email address (e.g., support@thephenom.app). Select the appropriate verified domain.
   • Click “Create group”.
3. Add Members to Group:
   • Select the newly created group from the list.
   • Go to the “Members” tab.
   • Click “Add members”.
   • Search for and select the WorkMail users (or other groups) you want to add.
   • Click “Add members”.

5. Accessing WorkMail

• Web Access: Users can access their email via the web application URL defined during organization setup (e.g., youralias.awsapps.com/mail).
• Desktop/Mobile Clients: WorkMail supports standard protocols (IMAP, Exchange ActiveSync) for use with clients like Outlook, Apple Mail, Thunderbird, and mobile email apps. Configuration details are available in the WorkMail documentation.

Remember to manage DNS records carefully, especially MX records, to ensure proper email delivery.