Working with access control rules
Access control rules for Amazon WorkMail allow administrators to control how their organization's users and impersonation roles are granted access to Amazon WorkMail. Each Amazon WorkMail organization has a default access control rule that grants mailbox access to all users and impersonation roles added to the organization, no matter which access protocol or IP address they use. Administrators can edit or replace the default rule with one of their own, add a new rule, or delete a rule.
Warning
If an administrator deletes all access control rules for an organization, Amazon WorkMail blocks all access to the organization's mailboxes.
Administrators can apply access control rules that allow or deny access based on the following criteria:
Protocols – The protocol used to access the mailbox. Examples include Autodiscover, EWS, IMAP, SMTP, ActiveSync, Outlook for Windows, and Webmail.
IP addresses – The IPv4 CIDR ranges used to access the mailbox.
Amazon WorkMail users – The users in your organization that are used to access the mailbox.
Impersonation roles – The impersonation roles in your organization that are used to access the mailbox. For more information, see Managing impersonation roles.
Administrators apply access control rules in addition to the user's mailbox and folder permissions. For more information, see Working with mailbox permissions and Sharing folders and folder permissions in the Amazon WorkMail User Guide.
Note
When you are enabling access for Outlook for Windows, it is recommended to also enable access for Autodiscover and EWS.
Access control rules do not apply to Amazon WorkMail console or SDK access. Use AWS Identity and Access Management (IAM) roles or policies instead. For more information, see Identity and access management for Amazon WorkMail.
Creating access control rules
Create new access control rules from the Amazon WorkMail console.
To create a new access control rule
-
Open the Amazon WorkMail console at https://console.aws.amazon.com/workmail/
. If necessary, change the AWS Region. In the bar at the top of the console window, open the Select a Region list and choose a Region. For more information, see Regions and endpoints in the Amazon Web Services General Reference.
In the navigation pane, choose Organizations, and then choose the name of your organization.
Choose Access control rules.
Choose Create rule.
For Description, enter a description for the rule.
For Effect, choose Allow or Deny. This allows or denies access based on the conditions that you select in the following step.
For This rule applies to requests that ..., select the conditions to apply to the rule, such as whether to include or exclude specific protocols, IP addresses, or users, or impersonation roles.
(Optional) If you enter IP address ranges, users, or impersonation roles, choose Add to add them to the rule.
Choose Create rule.
Editing access control rules
Edit new and default access control rules from the Amazon WorkMail console.
To edit an access control rule
-
Open the Amazon WorkMail console at https://console.aws.amazon.com/workmail/
. If necessary, change the AWS Region. In the bar at the top of the console window, open the Select a Region list and choose a Region. For more information, see Regions and endpoints in the Amazon Web Services General Reference.
In the navigation pane, choose Organizations, and then choose the name of your organization.
Choose Access control rules.
Select the rule to edit.
Choose Edit rule.
Edit the description, effect, and conditions, as needed.
Choose Save changes.
Important
When you change an access rule, the affected mailboxes can take five minutes to follow the updated rule. Clients that access the affected mailboxes may show inconsistent behavior during that time. However, you will immediately see correct behavior when you test your rules. For more information about testing rules, see the steps in the next section.
Testing access control rules
To see how your organization's access control rules are applied, test the rules from the Amazon WorkMail console.
To test access control rules for your organization
-
Open the Amazon WorkMail console at https://console.aws.amazon.com/workmail/
. If necessary, change the AWS Region. In the bar at the top of the console window, open the Select a Region list and choose a Region. For more information, see Regions and endpoints in the Amazon Web Services General Reference.
In the navigation pane, choose Organizations, and then choose the name of your organization.
Choose Access control rules.
Choose Test rules.
For Request context, select the protocol to test for.
For Source IP address, enter the IP address to test for.
For Request performed by, choose User or Impersonation role to test for.
Select User or Impersonation role to test for.
Choose Test.
The test results appear under Effect.
Deleting access control rules
Delete access control rules that you no longer require from the Amazon WorkMail console.
Warning
If an administrator deletes all access control rules for an organization, Amazon WorkMail blocks all access to the organization's mailboxes.
To delete an access control rule
-
Open the Amazon WorkMail console at https://console.aws.amazon.com/workmail/
. If necessary, change the AWS Region. In the bar at the top of the console window, open the Select a Region list and choose a Region. For more information, see Regions and endpoints in the Amazon Web Services General Reference.
In the navigation pane, choose Organizations, and then choose the name of your organization.
Choose Access control rules.
Select the rule to delete.
Choose Delete rule.
Choose Delete.