Create a file share - Amazon Storage Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon FSx File Gateway documentation has been moved to What is Amazon FSx File Gateway?

Volume Gateway documentation has been moved to What is Volume Gateway?

Tape Gateway documentation has been moved to What is Tape Gateway?

Create a file share

In this section, you can find instructions on how to create a file share. You can create a file share that can be accessed using either the Network File System (NFS) or Server Message Block (SMB) protocol.


When a file is written to the File Gateway by an NFS or SMB client, the File Gateway uploads the file's data to Amazon S3 followed by its metadata (ownerships, timestamps, and so on). Uploading the file data creates an S3 object, and uploading the metadata for the file updates the metadata for the S3 object. This process creates another version of the object, resulting in two versions of an object. If S3 Versioning is enabled, both versions are stored.

If you change the metadata of a file stored in your File Gateway, a new S3 object is created and replaces the existing S3 object. This behavior is different from editing a file in a file system, where editing a file does not result in a new file being created. Test all file operations that you plan to use with Amazon Storage Gateway so that you understand how each file operation interacts with Amazon S3 storage.

Carefully consider the use of S3 Versioning and Cross-Region Replication (CRR) in Amazon S3 when you're uploading data from your File Gateway. Uploading files from your File Gateway to Amazon S3 when S3 Versioning is enabled results in at least two versions of an S3 object.

Certain workflows involving large files and file-writing patterns such as file uploads that are performed in several steps can increase the number of stored S3 object versions. If the File Gateway cache needs to free up space due to high file-write rates, multiple S3 object versions might be created. These scenarios increase S3 storage if S3 Versioning is enabled and increase transfer costs associated with CRR. Test all file operations that you plan to use with Storage Gateway so that you understand how each file operation interacts with Amazon S3 storage.

Using the Rsync utility with your File Gateway results in the creation of temporary files in the cache and the creation of temporary S3 objects in Amazon S3. This situation results in early deletion charges in the S3 Standard-Infrequent Access (S3 Standard-IA) and S3 Intelligent-Tiering storage classes.

When you create an NFS share, by default anyone who has access to the NFS server can access the NFS file share. You can limit access to clients by IP address.

For SMB, you can have one of three different modes of authentication:

  • A file share with Microsoft Active Directory (AD) access. Any authenticated Microsoft AD user gets access to this file share type.

  • An SMB file share with limited access. Only certain domain users and groups that you specify are allowed access (through an allow list). Users and groups can also be denied access (through a deny list).

  • An SMB file share with guest access. Any users who can provide the guest password get access to this file share.


    File shares exported through the gateway for NFS file shares support POSIX permissions. For SMB file shares, you can use access control lists (ACLs) to manage permissions on files and folders in your file share. For more information, see Using Microsoft Windows ACLs to control access to an SMB file share.

A File Gateway can host one or more file shares of different types. You can have multiple NFS and SMB file shares on a File Gateway.


To create a file share, a File Gateway requires you to activate Amazon Security Token Service (Amazon STS). Make sure that Amazon STS is activated in the Amazon Web Services Region that you are creating your File Gateway in. If Amazon STS is not activated in that Amazon Web Services Region, activate it. For information about how to activate Amazon STS, see Activating and deactivating Amazon STS in an Amazon Web Services Region in the Amazon Identity and Access Management User Guide.


You can use Amazon Key Management Service (Amazon KMS) to encrypt objects that your File Gateway stores in Amazon S3. To do this using the Storage Gateway console, see Create an NFS file share or Create an SMB file share. You can also do this by using the Storage Gateway API. For instructions, see CreateNFSFileShare or CreateSMBFileShare in the Amazon Storage Gateway API Reference.

By default, a File Gateway uses server-side encryption managed with Amazon S3 (SSE-S3) when it writes data to an S3 bucket. If you make SSE-KMS (server-side encryption with Amazon KMS–managed keys) the default encryption for your S3 bucket, objects that a File Gateway stores there are encrypted using SSE-KMS.

To encrypt using SSE-KMS with your own Amazon KMS key, you must enable SSE-KMS encryption. When you do so, provide the Amazon Resource Name (ARN) of the KMS key when you create your file share. You can also update KMS settings for your file share by using the UpdateNFSFileShare or UpdateSMBFileShare API operation. This update applies to objects stored in the Amazon S3 buckets after the update.

If you configure your File Gateway to use SSE-KMS for encryption, you must manually add kms:Encrypt, kms:Decrypt, kms:ReEncrypt, kms:GenerateDataKey, and kms:DescribeKey permissions to the IAM role associated with the file share. For more information, see Using Identity-Based Policies (IAM Policies) for Storage Gateway.