AWS End User Computing
WorkDocs
Enterprise cloud document storage with collaboration and feedback features
Amazon WorkDocs is a fully managed, secure enterprise document storage and sharing service that provides cloud-based collaboration with versioning, commenting, feedback workflows, and Active Directory integration. It serves as an alternative to SharePoint or Google Drive for organizations standardizing on AWS, and cloud engineers encounter it when designing document management, compliance archiving, or hybrid workspace solutions.
How WorkDocs Works: Architecture and Core Concepts
WorkDocs is built on a managed storage backend with per-user provisioning through a directory service. Each WorkDocs site is associated with an AWS directory (AWS Managed AD, Simple AD, or AD Connector), and users log in using their directory credentials.
| Concept | Description |
|---|---|
| Site | A WorkDocs deployment tied to a directory. One directory maps to one site. |
| User Storage | Each user gets a personal storage quota (default 1 TB per user) |
| Organization Folder | Shared top-level folders for team collaboration |
| My Drive | Personal folder visible only to the user (analogous to My Documents) |
| Feedback | Annotate and comment on documents without editing the original |
| Versioning | Every upload creates a new version; older versions are retained and accessible |
WorkDocs stores documents in S3 on the backend, but users never interact with S3 directly. The service handles encryption, indexing, and versioning. Content is encrypted at rest using AES-256 and in transit using TLS.
WorkDocs is region-specific. The directory and WorkDocs site must be in the same AWS region. You cannot federate a WorkDocs site across regions - consider this when designing multi-region architectures.
User Management and Provisioning
Users can be provisioned manually through the WorkDocs console/API, or automatically via AD group membership if using Managed AD. There are three user roles:
| Role | Capabilities | Storage Quota |
|---|---|---|
| Admin | Manage users, site settings, content policies, audit logs | 1 TB (adjustable) |
| Power User | Create shared drives, manage team folders, view activity reports | 1 TB (adjustable) |
| User | Store, share, comment on documents | 1 TB (adjustable) |
| Guest | View and comment only on content explicitly shared with them | No storage |
# Add a user to a WorkDocs site
aws workdocs create-user \
--organization-id d-9067abc123 \
--username jsmith \
--given-name John \
--surname Smith \
--password "TempP@ss123!" \
--storage-rule StorageAllocatedInBytes=1099511627776
# List users in a WorkDocs site
aws workdocs describe-users \
--organization-id d-9067abc123 \
--query "Users[*].{User:Username,Status:RecycleBinFolderId}"
# Deactivate a user (retains their content)
aws workdocs deactivate-user \
--user-id abc123-def456WorkDocs Drive: Desktop Sync and Integration
WorkDocs Drive is a desktop application for Windows and macOS that mounts WorkDocs storage as a local drive. Unlike the sync client, WorkDocs Drive streams files on demand rather than downloading everything - it shows all files in Explorer/Finder but only downloads content when you open it.
| Client Type | Behavior | Best For |
|---|---|---|
| WorkDocs Drive (Windows/Mac) | On-demand streaming, files appear local but live in cloud | Users who need seamless OS integration without full sync |
| WorkDocs Sync | Full bidirectional sync of selected folders to local disk | Users who need offline access to documents |
| Web App | Browser-based access at workdocs.aws | Occasional access, no install required |
| Mobile App (iOS/Android) | Browse, view, comment on documents from mobile | Field workers, mobile-first users |
WorkDocs also integrates with Microsoft Office via a companion app that lets users check out and edit Office documents directly from WorkDocs without downloading and re-uploading. The checkout prevents concurrent edits by locking the document.
Pricing, Storage Quotas, and Cost Management
WorkDocs pricing is simple: you pay per user per month, and each user includes a storage allocation. There is no charge for data transfer between WorkDocs and other AWS services in the same region.
| Component | Price |
|---|---|
| Standard user (paid) | $5/user/month - includes 1 TB storage |
| Additional storage | $0.03/GB/month beyond the 1 TB per-user allocation |
| Guest users | Free - no storage quota, view and comment only |
| Free trial | 30-day free trial for up to 50 users |
If you use WorkDocs within WorkSpaces, WorkDocs is included free with the WorkSpaces subscription. Each WorkSpaces user gets WorkDocs storage at no additional charge. This is often overlooked and represents significant cost savings for WorkSpaces deployments.
# Check storage usage for a WorkDocs site (admin API)
aws workdocs get-current-user \
--authentication-token $AUTH_TOKEN
# The StorageRule field in user details shows allocated vs used:
# "StorageRule": {
# "StorageAllocatedInBytes": 1099511627776,
# "StorageType": "QUOTA"
# }Audit Logs and Compliance Features
WorkDocs provides comprehensive activity logging for compliance and security auditing. All user actions - uploads, downloads, shares, deletes, permission changes - are recorded.
| Audit Capability | Details |
|---|---|
| Activity Feed | Per-user and per-document activity visible in the console and API |
| CloudTrail Integration | API calls logged to CloudTrail (management and data events) |
| Content Audit | Admins can view all document activity across the organization |
| Notifications | Email or in-app notifications for document activities (configurable per user) |
| Retention | Deleted documents go to Recycle Bin and are retained for 60 days |
For compliance scenarios, WorkDocs can be used as a secure document repository because it maintains full version history indefinitely (until explicitly deleted), encrypts all content, and logs all access. The 60-day recycle bin provides a recovery window for accidental deletions.
WorkDocs does not support legal hold or immutable storage natively. For strict compliance requirements (SEC 17a-4, FINRA), you would need to architect a separate immutable archive - for example, by syncing documents to S3 with Object Lock enabled.
Interview Focus Points
- 1How does WorkDocs differ from S3 for document storage, and when would you choose one over the other?
- 2A company uses WorkSpaces for their workforce. What is the cost implication of also using WorkDocs?
- 3How would you enforce that no documents can be shared externally via public links in WorkDocs?
- 4Explain how WorkDocs Drive works differently from the WorkDocs Sync client.
- 5How does WorkDocs handle document versioning and what happens when a user deletes a document?
- 6What directory services can WorkDocs integrate with, and what is the constraint on cross-region deployments?
- 7How would you audit which users downloaded a specific sensitive document from WorkDocs?
- 8For a HIPAA-covered organization, what WorkDocs configuration and architectural additions would you recommend?