How to use Windows NTFS ACLs to control access to SMB file share on AWS File Gateway?

You can use SMB file shares backed by Amazon S3 with AWS File Gateway, authenticating either as Guest or with Active Directory. With Active Directory authentication, you can control access to files and directories on the SMB share using Windows Access Control Lists (ACLs). In this post, let’s look at using Windows ACLs to manage permissions. When creating the file share, under SMB share settings, choose Windows Access Control Lists to control file and directory access on the file gateway SMB share.

file share -Windows Access Control Lists

After creating the SMB file share, both the share permissions and the security permissions on the file share are set to Everyone by default. You can check the default Everyone permissions by opening fsmgmt.msc on any domain-joined computer, connecting to your file gateway’s IP address, and looking under Shares, as below.

fsmgmt.msc, connect to another computer
connect to another computer
share permissions

As you can see in the above screenshots, share permissions offer only the coarse Full Control, Change and Read levels. For more granular, fine-grained access, use the Security permissions, i.e. the Windows ACLs, which are NTFS permissions. Effective access to the share is determined by evaluating both the share permissions and the NTFS security permissions, and the more restrictive of the two applies.

You can leave the share permissions set to Everyone. You control who can map and access the file share either with the allowed users/groups in the SMB share access settings or with NTFS security permissions on the root of the file share. When you don’t specify any Active Directory user or group in the share’s allowed users/groups, any AD domain-authenticated user can map the share.

Allowed users/groups under file share access settings:

User and group file share access

Root level on the file share:

root level on the file share in windows explorer

You can remove the Everyone ACL on the root of the file share and restrict access by adding your Active Directory users/groups to the root of the file share. However, permissions applied on the root of the file share are not persisted to Amazon S3.

All NTFS security permissions applied to folders and files under the root of the file share are stored in S3. For example, we can check the NTFS permissions on the folder ‘Marketing’ and then look at its object metadata in S3, as below.

Security permissions for Marketing folder

You can run the following command to see the S3 object metadata. The NTFS security permissions are stored in the file-acl, file-owner, file-permissions and file-group object metadata. Files and folders also carry additional metadata such as ctime and mtime (file-ctime, file-mtime).

aws s3api head-object --bucket <bucketname> --key Marketing/

{
    "AcceptRanges": "bytes",
    "LastModified": "2022-09-22T22:16:29+00:00",
    "ContentLength": 0,
    "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
    "VersionId": "O7k.20KsvWMOHbmnen_5HbheSCNlP16X",
    "ContentType": "application/octet-stream",
    "ServerSideEncryption": "AES256",
    "Metadata": {
        "user-agent": "aws-storage-gateway",
        "user-agent-id": "sgw-1234ABCD",
        "aws-sgw": "1727069186dc95995b5b1941f560a28eb426dd32c9388e93763e18f65b9026db",
        "file-acl": "EQUFFej2hNwH+bXehQX2tcH6DIkJBQUV6PaE3Af5td6FBfa1wfoMgQScBAEAA/n/BQUV6PaE3Af5td6FBfa1wfoMlAk=",
        "file-ctime": "1663884938761000000ns",
        "file-owner": "67827",
        "file-permissions": "0777",
        "file-group": "67179",
        "file-mtime": "1663884835527613281ns"
    }
}

When you remove and recreate the file share on the existing gateway, or use the same bucket to create a file share on another gateway, all NTFS permissions applied to folders and files under the root of the file share are retained from the S3 object metadata.

The maximum number of Access Control Entries you can apply to a folder or file in the file share is 10. When you try to add more than 10 Access Control Entries to a folder, you get the error: “No more memory is available for security information updates”.
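Because the NTFS security of everything under the share root lives only in the S3 object metadata shown above, a quick way to verify that it is actually there before you rely on it (for example before recreating the share on another gateway) is to read those metadata keys back for each object. The following script is an added example, not part of this post or of AWS tooling: it parses the head-object response format shown above, decodes the file-ctime/file-mtime nanosecond strings, and reports objects whose file-acl metadata is missing. The second sample object and its key are constructed for illustration; the boto3 helper is only used if you call it with a real bucket.

```python
"""Audit the NTFS security metadata File Gateway stores on S3 objects.

Each head-object response carries file-acl, file-owner, file-group,
file-permissions, file-ctime and file-mtime under "Metadata".
"""
from datetime import datetime, timezone


def ns_to_datetime(value):
    """Turn a gateway timestamp such as '1663884938761000000ns' into UTC."""
    if not value or not value.endswith("ns"):
        return None
    secs, rem_ns = divmod(int(value[:-2]), 10**9)      # integer math, no float drift
    base = datetime.fromtimestamp(secs, tz=timezone.utc)
    return base.replace(microsecond=rem_ns // 1000)


def summarize_metadata(head_object_response):
    """Extract the NTFS-related fields from one head-object response dict."""
    meta = head_object_response.get("Metadata", {})
    mode = meta.get("file-permissions")
    return {
        "written_by_gateway": meta.get("user-agent") == "aws-storage-gateway",
        "has_acl": bool(meta.get("file-acl")),
        "owner": meta.get("file-owner"),
        "group": meta.get("file-group"),
        "mode": int(mode, 8) if mode else None,      # "0777" -> 0o777
        "ctime": ns_to_datetime(meta.get("file-ctime")),
        "mtime": ns_to_datetime(meta.get("file-mtime")),
    }


def audit(keyed_responses):
    """Return {key: reason} for objects with no stored NTFS ACL."""
    findings = {}
    for key, resp in keyed_responses.items():
        if not summarize_metadata(resp)["has_acl"]:
            findings[key] = "file-acl metadata missing; no NTFS ACL to restore"
    return findings


def head_objects(bucket, keys):
    """Fetch real responses with boto3 (lazy import keeps the sample run offline)."""
    import boto3
    s3 = boto3.client("s3")
    return {k: s3.head_object(Bucket=bucket, Key=k) for k in keys}


# Constructed samples: the first mirrors the Marketing/ output above, the
# second (hypothetical key) imitates an object that carries no file-acl.
SAMPLES = {
    "Marketing/": {"Metadata": {"user-agent": "aws-storage-gateway",
        "file-acl": "EQUFFej2hNwH+bXehQX2tcH6DIkJBQUV6PaE3Af5td6FBfa1wfoMgQScBAEAA/n/BQUV6PaE3Af5td6FBfa1wfoMlAk=",
        "file-ctime": "1663884938761000000ns", "file-owner": "67827",
        "file-permissions": "0777", "file-group": "67179",
        "file-mtime": "1663884835527613281ns"}},
    "Marketing/uploaded-directly.txt": {"Metadata": {"user-agent": "aws-cli/2.x"}},
}

if __name__ == "__main__":
    for key, reason in audit(SAMPLES).items():
        print(f"{key}: {reason}")
```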

Let us know in the comments if you have any feedback.
