Security best practices - Amazon FSx for Windows File Server

Security best practices

We recommend that you follow these best practices for administering your file system’s security and access controls. For more detailed information on configuring Amazon FSx to meet your security and compliance objectives, see Security in Amazon FSx.

Network security

Don't modify or delete the ENI that's associated with your file system

Your Amazon FSx file system is accessed through an elastic network interface (ENI) that resides in the virtual private cloud (VPC) that's associated with your file system. Modifying or deleting the network interface can cause a permanent loss of connection between your VPC and your file system.

Using security groups and network ACLs

You can use security groups and network access control lists (ACLs) to limit access to your file systems. For VPC security groups, the default security group is already added to your file system in the console. Make sure that the security group and the network ACLs for the subnets where you create your file system allow traffic on the ports that Amazon FSx requires. For more information, see Amazon VPC Security Groups.
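The check below is an added example and is not code from the AWS documentation. It audits a security group's ingress rules as returned by the EC2 DescribeSecurityGroups API, confirming that the client network can reach the SMB port and flagging any rule for that port that is open to the whole internet. The page does not list port numbers; the example assumes clients reach the share over SMB on TCP 445, assumes a client network of 10.0.0.0/16, and uses constructed sample security-group dictionaries rather than real resources.

```python
"""Audit a VPC security group's ingress rules for an Amazon FSx for Windows
File Server file system.

Added example, not code from the AWS documentation. Assumptions not stated on
the page: clients reach the share over SMB on TCP 445, the client network is
10.0.0.0/16, and the security-group dictionaries are constructed sample data
shaped like the EC2 DescribeSecurityGroups response.
"""
import ipaddress

SMB_PORT = 445  # SMB over TCP, the port Windows clients use to reach the share


def rule_covers_port(rule, port):
    """True if one IpPermissions entry admits the given TCP port."""
    protocol = rule.get("IpProtocol")
    if protocol == "-1":  # "-1" means all protocols and all ports
        return True
    if protocol != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_smb_ingress(security_group, client_cidr, port=SMB_PORT):
    """Summarise whether the group lets client_cidr reach the SMB port and
    whether any rule for that port is open to the whole internet."""
    clients = ipaddress.ip_network(client_cidr)
    allows_clients = False
    world_open = False
    referenced_groups = []
    for rule in security_group.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        for ip_range in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = ipaddress.ip_network(ip_range.get("CidrIp") or ip_range["CidrIpv6"])
            if cidr.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                world_open = True
            if cidr.version == clients.version and clients.subnet_of(cidr):
                allows_clients = True
        # Rules that reference another security group (for example the clients'
        # group) are reported so the operator can confirm the intended source.
        referenced_groups += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return {
        "group_id": security_group.get("GroupId"),
        "allows_clients": allows_clients,
        "world_open": world_open,
        "referenced_groups": referenced_groups,
        "ok": allows_clients and not world_open,
    }


# Constructed sample groups (not real resources); group IDs are placeholders.
SG_SCOPED = {
    "GroupId": "sg-example-scoped",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
SG_WORLD_OPEN = {
    "GroupId": "sg-example-world-open",
    "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
SG_NO_SMB = {
    "GroupId": "sg-example-no-smb",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for group in (SG_SCOPED, SG_WORLD_OPEN, SG_NO_SMB):
        print(audit_smb_ingress(group, "10.0.1.0/24"))
```

In practice the dictionaries come from `describe_security_groups` for the group attached to the file system's elastic network interface; a result with `ok` false either leaves clients unable to mount the share or exposes the SMB port more widely than the VPC, and both are worth a ticket.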

Active Directory

When you create an Amazon FSx file system, you can join it to your Microsoft AD domain to provide user authentication, and share-, file-, and folder-level access control authorization. Your users can use their existing AD accounts to connect to file shares and access files and folders within them. In addition, you can migrate the existing security ACL configuration to Amazon FSx without any modifications. Amazon FSx provides you with two options for Active Directory: Amazon managed Microsoft AD or self-managed Microsoft AD.

If you’re using an Amazon managed Microsoft AD, we recommend leaving the default settings of your AD security group. If you do modify these settings, ensure that you maintain a network configuration that satisfies the network requirements. For more information, see Networking prerequisites.

If you’re using a self-managed Microsoft AD, you have additional options for configuring your file system. We recommend the following best practices for initial configuration when using Amazon FSx with your self-managed Microsoft AD:

  • Assign subnets to a single AD site: If your AD environment has a large number of domain controllers, use Active Directory Sites and Services to assign the subnets used by your Amazon FSx file systems to a single AD site with the highest availability and reliability. Make sure that the VPC security group, VPC network ACL, Windows firewall rules on your DCs, and any other network routing controls you have in your AD infrastructure allow communication from Amazon FSx on the required ports. This allows Windows to revert to other DCs if it can't use the assigned AD site. For more information, see File System Access Control with Amazon VPC.

  • Use a separate Organizational Unit (OU): Use an OU for your Amazon FSx file systems that’s separate from any other organizational units that you might have.

  • Configure your service account with minimum privileges required: Configure or delegate the service account that you provide to Amazon FSx with the minimum privileges required. For more information, see Prerequisites for using a self-managed Microsoft Active Directory and Delegating privileges to your Amazon FSx service account.

  • Continuously verify your AD configuration: Run the Amazon FSx Active Directory validation tool against your AD configuration prior to creating your Amazon FSx file system to verify that your configuration is valid for use with Amazon FSx, and to discover any warnings and errors that the tool might expose.

Avoid losing availability due to AD misconfiguration

When using Amazon FSx with your self-managed Microsoft AD, it's important to have a valid AD configuration not only during the creation of your file system, but also for ongoing operations and availability. During failure recovery events, routine maintenance events, and throughput capacity update actions, Amazon FSx rejoins file server resources to your Active Directory. If the AD configuration is not valid during an event, your file system changes to a status of Misconfigured, and is at risk of becoming unavailable. Here are some ways that you can avoid losing availability:

  • Keep your AD configuration updated with Amazon FSx: If you make changes, such as resetting the password of your service account, make sure you update the configuration for any file systems using this service account.

  • Monitor for AD misconfiguration: Set up notifications for the Misconfigured status so that you can reset your file system’s AD configuration if necessary. For an example that uses a Lambda-based solution to achieve this, see Monitoring the health of Amazon FSx file systems using Amazon EventBridge and Amazon Lambda.

  • Validate your AD configuration regularly: If you want to proactively detect AD misconfigurations, we recommend that you run the Active Directory validation tool against your AD configuration on an ongoing basis. If you receive warnings or errors when running the validation tool, it means that your file system is at risk of becoming misconfigured.

  • Don't move or modify computer objects created by FSx: Amazon FSx creates and manages computer objects in your AD, using the service account and permissions that you provide. Moving or modifying these computer objects can result in your file system becoming misconfigured.
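The following is an added example of the "Monitor for AD misconfiguration" practice; it is not the EventBridge and Lambda solution that the documentation links to. It is a polling variant: a scheduled Lambda function lists every file system with the FSx DescribeFileSystems API, selects those whose lifecycle state is MISCONFIGURED or MISCONFIGURED_UNAVAILABLE (the API's spelling of the Misconfigured status the page describes), and publishes the failure message FSx reports. The schedule, the SNS topic named by the ALERT_TOPIC_ARN environment variable, and the sample response at the bottom are assumptions and constructed data, not taken from the page.

```python
"""Find Amazon FSx file systems whose Active Directory configuration is no
longer valid, so an operator can repair it before the file system becomes
unavailable.

Added example, not the Lambda solution the AWS documentation links to.
Assumptions: the check runs as a scheduled Lambda function and publishes to
an SNS topic named by the ALERT_TOPIC_ARN environment variable (both assumed,
not from the page); the DescribeFileSystems response at the bottom is
constructed sample data.
"""
import json
import os

# Lifecycle values the FSx DescribeFileSystems API reports for a file system
# whose AD configuration failed validation; the page calls this "Misconfigured".
MISCONFIGURED_STATES = {"MISCONFIGURED", "MISCONFIGURED_UNAVAILABLE"}


def misconfigured_file_systems(describe_response):
    """Return one finding per file system in a misconfigured lifecycle state."""
    findings = []
    for fs in describe_response.get("FileSystems", []):
        if fs.get("Lifecycle") not in MISCONFIGURED_STATES:
            continue
        windows = fs.get("WindowsConfiguration", {})
        self_managed = windows.get("SelfManagedActiveDirectoryConfiguration", {})
        findings.append({
            "FileSystemId": fs["FileSystemId"],
            "Lifecycle": fs["Lifecycle"],
            # FailureDetails.Message is where FSx explains what it could not do in AD.
            "Message": fs.get("FailureDetails", {}).get("Message", ""),
            # Either a self-managed domain name or an AWS Managed Microsoft AD id.
            "Directory": self_managed.get("DomainName") or windows.get("ActiveDirectoryId"),
        })
    return findings


def describe_all_file_systems(fsx_client):
    """Page through DescribeFileSystems using NextToken and merge the pages."""
    file_systems = []
    kwargs = {}
    while True:
        page = fsx_client.describe_file_systems(**kwargs)
        file_systems.extend(page.get("FileSystems", []))
        token = page.get("NextToken")
        if not token:
            return {"FileSystems": file_systems}
        kwargs = {"NextToken": token}


def lambda_handler(event, context):
    """Scheduled entry point: alert on every misconfigured file system."""
    import boto3  # imported here so the pure check above runs without the SDK

    findings = misconfigured_file_systems(describe_all_file_systems(boto3.client("fsx")))
    if findings:
        boto3.client("sns").publish(
            TopicArn=os.environ["ALERT_TOPIC_ARN"],  # assumed environment variable
            Subject="Amazon FSx file system(s) in Misconfigured state",
            Message=json.dumps(findings, indent=2),
        )
    return {"misconfigured": findings}


# Constructed sample response (placeholder ids and messages, not real resources).
SAMPLE_RESPONSE = {
    "FileSystems": [
        {"FileSystemId": "fs-example-healthy", "Lifecycle": "AVAILABLE",
         "WindowsConfiguration": {
             "SelfManagedActiveDirectoryConfiguration": {"DomainName": "corp.example.com"}}},
        {"FileSystemId": "fs-example-misconfigured", "Lifecycle": "MISCONFIGURED",
         "FailureDetails": {"Message": "Constructed sample: service account credentials rejected."},
         "WindowsConfiguration": {
             "SelfManagedActiveDirectoryConfiguration": {"DomainName": "corp.example.com"}}},
        {"FileSystemId": "fs-example-unavailable", "Lifecycle": "MISCONFIGURED_UNAVAILABLE",
         "FailureDetails": {"Message": "Constructed sample: no domain controller reachable."},
         "WindowsConfiguration": {"ActiveDirectoryId": "d-example"}},
    ]
}

if __name__ == "__main__":
    print(json.dumps(misconfigured_file_systems(SAMPLE_RESPONSE), indent=2))
```

The Lambda role needs only `fsx:DescribeFileSystems` and `sns:Publish` on the one topic. Because a password reset on the service account is the common trigger, the alert message is the cue to update the file system's self-managed AD configuration (the "Keep your AD configuration updated" item above) rather than to touch the computer objects FSx created.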

Windows ACLs

With Amazon FSx, you use standard Windows access control lists (ACLs) for fine-grained share-, file-, and folder-level access control. Amazon FSx file systems automatically verify the credentials of users who access file system data to enforce these Windows ACLs.

  • Don’t change the NTFS ACL permissions for the SYSTEM user: Amazon FSx requires that the SYSTEM user have full control NTFS ACL permissions on all folders within your file system. Changing the NTFS ACL permissions for the SYSTEM user can make your file system inaccessible and render future file system backups unusable.