
How to restrict domain user access to FsX folders in an EC2 Windows Environment?

Background: A Windows domain set up in AWS EC2 with member servers. We use our own AD which is also hosted in the same VPC. An FsX share has been created that is mounted on all Windows servers that are part of the domain. The FsX share mounts fine. However, by default it appears that any authenticated user on the domain has read/write access to the FsX share.

We are struggling with limiting read/write access to certain folders in the share to only designated users.

AWS docs at https://docs.aws.amazon.com/fsx/latest/WindowsGuide/limit-access-file-folder.html say the following:

Every Amazon FSx file system comes with a default Windows file share called share. The Windows ACLs for this shared folder are configured to allow read/write access to domain users. They also allow full control to the delegated administrators group in your Active Directory that is delegated to perform administrative actions on your file systems. If you're integrating your file system with AWS Managed Microsoft AD, this group is AWS Delegated FSx Administrators. If you're integrating your file system with your self-managed Microsoft AD setup, this group can be Domain Admins. Or it can be a custom delegated administrators group that you specified when creating the file system. To change the ACLs, you can map the share as a user that is a member of the delegated administrators group.

Is it possible to override this default behavior and if so, how?

We mount the file share on the V: drive and want the V:\user1 folder to have RW only for user1@domain.com, and V:\user2 should likewise be limited to user2@domain.com.

From the Folder Properties security tab it does not permit removal of the All Users permission, as it is inheriting it from some other permission that was set up during creation of the FsX.

No answer yet. AWS FSx doesn't support disabling inheritance on the main share folder, so we will not be able to restrict access to a particular folder for a particular user, as all AD users are part of the Authenticated Users group, which we can't remove; if we deny it, we will not be able to access the folder.
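For reference, this is the standard Windows way of scoping a per-user folder to one principal: break ACL inheritance on the subfolder itself (not the share root) and grant explicit ACEs, run from a session mapped as a member of the delegated administrators group, as the AWS doc quoted in the question describes. This is an added example written for this page, not code from the asker, the answerer, or AWS; the file system DNS name, the `DOMAIN` NetBIOS name and the `FSxAdmins` group are placeholders you must replace with your own values. It does not change what the answer above reports about the share root: it only removes inherited entries on `V:\user1` and `V:\user2`, and then checks that no Domain Users or Authenticated Users entry survives there.

```powershell
# Map the default share as a delegated administrator (placeholder DNS name).
net use V: \\fs-PLACEHOLDER.corp.example.com\share /persistent:yes

# Per-user folders and the single principal allowed to modify each one (placeholders).
$owners = @{
    'user1' = 'DOMAIN\user1'
    'user2' = 'DOMAIN\user2'
}
# Delegated administrators keep Full Control so the folders stay manageable (placeholder group).
$adminGroup = 'DOMAIN\FSxAdmins'

foreach ($name in $owners.Keys) {
    $path = "V:\$name"
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # /inheritance:r removes every inherited ACE on this folder, so the read/write grant
    # that Domain Users receive from the share root no longer applies below this point.
    icacls $path /inheritance:r | Out-Null

    # Explicit grants only: Modify for the folder's owner, Full Control for the admins.
    # (OI)(CI) makes the ACE inherit to files and subfolders created inside.
    icacls $path /grant "$($owners[$name]):(OI)(CI)M" | Out-Null
    icacls $path /grant "$($adminGroup):(OI)(CI)F" | Out-Null

    # Verification: fail loudly if a broad group is still present on the folder.
    $acl = Get-Acl -Path $path
    $broad = $acl.Access | Where-Object {
        $_.IdentityReference -match 'Domain Users|Authenticated Users|Everyone'
    }
    if ($broad) {
        Write-Warning "$path still carries a broad ACE: $($broad.IdentityReference -join ', ')"
    } else {
        Write-Host "$path is limited to $($owners[$name]) and $adminGroup"
    }
}
```

If `/inheritance:r` is rejected on a given path, that path is where the limitation described in the answer applies; the check at the end of each loop iteration is what tells you whether the least-privilege state was actually reached rather than assuming it from the command succeeding.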
