Introduction of Amazon WorkMail

Amazon WorkMail is a secure, managed business email and calendaring service that offers seamless integration with existing email clients and applications. Ensuring the safety and availability of your email data is crucial for business continuity and compliance purposes. Backing up WorkMail mailbox content to Amazon S3, a scalable and secure object storage service, provides a reliable solution for preserving your valuable email data.

This guide will walk you through the process of backing up your WorkMail mailbox content to an S3 bucket. By following these steps, you can automate the backup process, safeguard your emails against accidental deletions or data loss, and maintain an archive of your mailbox content. Whether you are an IT administrator managing corporate emails or an individual user seeking to protect your data, this guide will provide you with the necessary tools and instructions to securely backup your WorkMail mailbox content to Amazon S3.

Step By Step Guide to Backup Your WorkMail Mailbox Content to an S3 Bucket

Prerequisites

The following are prerequisites for exporting mailbox content:

• The ability to program.
• An Amazon WorkMail administrator account.
• An Amazon S3 bucket that does not allow public access. For more information, see Using Amazon S3 block public access in the Amazon Simple Storage Service User Guide and the Amazon Simple Storage Service User Guide.

Preparation

Before you begin the process of backing up your WorkMail mailbox content to an S3 bucket, there are a few prerequisites and preparatory steps to ensure a smooth and successful backup. This section will outline the necessary preparations.

1. Amazon S3 Bucket Creation

Create an Amazon S3 bucket where the backup data will be stored. This bucket should be properly configured with the necessary permissions to allow writing data.

2. AWS CLI Installation

Install the AWS Command Line Interface (CLI) on your local machine or server. The AWS CLI will be used to interact with AWS services programmatically. You can download and install the AWS CLI from the official AWS website.

Link: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html

Creating AWS KMS Key:

When backing up sensitive data, such as email content from Amazon WorkMail, it is crucial to protect that data both in transit and at rest. Amazon S3 provides server-side encryption options to safeguard your data, and using AWS Key Management Service (KMS) enhances this security by providing additional control over the encryption keys. 

1. Select key type as Symmetric and Key usage as Encrypt and Decrypt

2. Add alias, description and Tags 

3. Select the key administrative permissions for your IAM User and usage permissions then create keys.

Creating Policy for Role and User :

1. Now we need to create some policies to access the resources of AWS. First Save this policy as mailbox-export-policy.json locally and change the values of region, bucket name, s3 prefix, Key ID which you created earlier.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
         "s3:PutObject",
         "s3:PutObjectMultipartUpload",
         "s3:AbortMultipartUpload",
         "s3:ListMultipartUploadParts",
         "s3:ListBucketMultipartUploads"
       ],
       "Resource": [
          "arn:aws:s3:::<Bucket Name>",
          "arn:aws:s3:::<Bucket Name>/<S3 PREFIX>/*"
        ]
     },
       {
         "Effect": "Allow",
         "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": [
             "arn:aws:kms:<Region>:<Account ID>:key/<KEY ID>"
          ]
       }
   ]
}

2. Create this mailbox-export-trust-policy.json and save it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
         "Service": [
            "workmail.amazonaws.com",
            "export.workmail.amazonaws.com"
           ]
         },
            "Action": "sts:AssumeRole"
      }
   ]
}

3. You can use the AWS CLI to create the IAM role in your account by running the following commands.

First configure the CLI profile by running the following command:

$ aws configure --profile <profile name>

$ aws iam create-role --role-name WorkmailMailboxExportRole --assume-role-policy-document file://mailbox-export-trust-policy.json --region us-east-1 --profile <profile name<

$ aws iam put-role-policy --role-name WorkmailMailboxExportRole --policy-name MailboxExport --policy-document file://mailbox-export-policy.json --profile <profile name<

This will create a role called WorkmailMailboxExportRole with policy.

(optional) If needed Create additional s3 access policy for additional access for role WorkmailMailboxExportRole name json file with  s3-bucket-access-policy.json and save it in local. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
       "Effect": "Allow",
         	"Action": [
             "s3:AbortMultipartUpload",
             "s3:CreateBucket",
             "s3:DeleteBucketPolicy",
             "s3:GetBucketAcl",
             "s3:GetBucketCORS",
             "s3:GetBucketLocation",
             "s3:GetBucketLogging",
             "s3:GetBucketNotification",
             "s3:GetBucketPolicy",
             "s3:GetBucketRequestPayment",
             "s3:GetBucketTagging",
             "s3:GetBucketVersioning",
             "s3:GetBucketWebsite",
             "s3:GetLifecycleConfiguration",
             "s3:GetObject",
             "s3:GetObjectAcl",
             "s3:GetObjectTagging",
             "s3:ListBucket",
             "s3:ListBucketMultipartUploads",
             "s3:ListBucketVersions",
             "s3:PutBucketAcl",
             "s3:PutBucketCORS",
             "s3:PutBucketLogging",
             "s3:PutBucketNotification",
             "s3:PutBucketPolicy",
             "s3:PutBucketRequestPayment",
             "s3:PutBucketTagging",
             "s3:PutBucketVersioning",
             "s3:PutBucketWebsite",
             "s3:PutLifecycleConfiguration",
             "s3:PutObject",
             "s3:PutObjectAcl",
             "s3:PutObjectTagging",
             "s3:ReplicateObject",
             "s3:RestoreObject",
             "s3:UpdateJobPriority",
             "s3:UpdateJobStatus"
          ],
          "Resource": [
             "arn:aws:s3:::<Bucket name>",
             "arn:aws:s3:::<Bucket name>/*"
           ]
       },
       {
         "Effect": "Deny",
         "Action": [
            "s3:DeleteObject",
            "s3:DeleteBucket"
          ],
          "Resource": [
             "arn:aws:s3:::<Bucket name>",
             "arn:aws:s3:::<Bucket name>/*"
           ]
       }
   ]
}

Use this command in aws cli to assign the policy to role:

$ aws iam put-role-policy --role-name WorkmailMailboxExportRole --policy-name MailboxExport --policy-document file://s3-bucket-access-policy.json --profile <profile name>

4. Create AllowAssumeWorkMailExportRole policy for your IAM User. and attach it to that IAM user.

{
  "Version": "2012-10-17",
  "Statement": [
     {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::067663569019:role/WorkmailMailboxExportRole"
      }
   ]
}

Creating Backup of User’s mailbox content:

1. Use AWS CLI to start a Mailbox Export Job.

$ aws workmail start-mailbox-export-job --organization-id <workmail organization id> --entity-id <Users ID> --kms-key-arn arn:aws:kms:us-east-1:<Account ID>:key/<KEY-ID> --role-arn arn:aws:iam::<Account ID>:role/WorkmailMailboxExportRole --s3-bucket-name <Bucket name> --s3-prefix <S3-PREFIX>

2. Monitor the state of mailbox export jobs for your Amazon workmail Organization.

$ aws workmail list-mailbox-export-jobs --organization-id <workmail organization id>

3. Use this command to monitor specific job status.

$ aws workmail list-mailbox-export-jobs --organization-id <workmail organization id>
$ aws workmail describe-mailbox-export-job --organization-id  <workmail organization id> --job-id <JOB-ID>

Conclusion

Backing up your Amazon WorkMail mailbox content to an Amazon S3 bucket is a crucial step in ensuring data security, compliance, and business continuity. By leveraging AWS services such as S3, KMS, and IAM, you can automate the backup process and protect your email data against accidental deletions or data loss. This guide provided you with a step-by-step approach to achieve this, from preparing your environment to monitoring the backup jobs.

Recap of Key Steps

• Preparation
  • Create an Amazon S3 bucket for storing backup data.
  • Install the AWS CLI on your local machine or server.

• Creating AWS KMS Key
  • Create a symmetric KMS key for encrypting your backup data.
  • Configure key permissions for your IAM user.

• Creating IAM Policies and Roles
  • Create and save the mailbox-export-policy.json and mailbox-export-trust-policy.json files.
  • Use the AWS CLI to create the IAM role and attach the necessary policies.
  • Optionally, create an additional S3 access policy and assign it to the role.
  • Create the AllowAssumeWorkMailExportRole policy for your IAM user and attach it.

• Starting the Backup Process
  • Use the AWS CLI to initiate a mailbox export job.
  • Monitor the status of your export jobs to ensure successful backups.

Why It Matters

• Backing up your WorkMail mailbox content to S3 is vital for several reasons:
• Data Security: Protects sensitive email data with encryption both in transit and at rest.
• Compliance: Ensures adherence to legal and regulatory requirements for data retention and protection.
• Business Continuity: Provides a reliable backup solution to restore email data in case of accidental deletions, system failures, or data corruption.
• Automation: Simplifies the backup process, reducing the need for manual intervention and minimizing the risk of human error.

By implementing these steps, you can safeguard your email data, ensure compliance, and maintain uninterrupted business operations.