
Secure shared storage with CIFS share-level access controls on Amazon FSx for NetApp ONTAP

Storage Blog



This article explains how to implement CIFS share-level access controls on Amazon FSx for NetApp ONTAP to restrict user access to shared storage by team.

  • Create qtrees as logical subdivisions representing each team within a shared volume
  • Map each qtree to a dedicated CIFS share with independent access control boundaries
  • Remove default "Everyone: Full Control" entries to eliminate unrestricted access
  • Configure share ACLs with AD groups using Full_Control, Change, Read, or No_access permissions
  • Use No_access to explicitly deny individual users, overriding group-level permissions
  • Enable access-based enumeration to hide files users cannot access
  • Share ACLs operate as the middle security layer between network policies and file-level NTFS permissions
  • Modify ACLs dynamically without disrupting existing user connections

This approach enforces per-team access boundaries, simplifies compliance audits, and reduces onboarding overhead through AD group membership management.
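The evaluation rules in the list above (group grants, a per-user No_access that overrides them, and a leftover default Everyone entry) are modeled in the following added example, which is not code from the article or from ONTAP. Share names, AD groups and users are constructed sample data, and the model assumes the most permissive matching grant applies when no No_access entry matches.

```python
# Added illustration: a model of share-level ACL evaluation, not ONTAP code.
# All share names, groups and users below are constructed sample data.
RANK = {"Read": 1, "Change": 2, "Full_Control": 3}

SHARE_ACLS = {
    "finance": [
        ("CORP\\finance-team", "Change"),
        ("CORP\\finance-admins", "Full_Control"),
        ("CORP\\mallory", "No_access"),   # explicit per-user deny
    ],
    "engineering": [
        ("Everyone", "Full_Control"),     # default entry that was never removed
    ],
}

GROUPS = {
    "CORP\\alice": {"CORP\\finance-team"},
    "CORP\\bob": {"CORP\\finance-team", "CORP\\finance-admins"},
    "CORP\\mallory": {"CORP\\finance-team"},
    "CORP\\carol": {"CORP\\eng-team"},
}
# Windows account names compare case-insensitively, so normalize once.
GROUPS_NORM = {u.casefold(): {g.casefold() for g in gs} for u, gs in GROUPS.items()}


def effective_share_permission(share, user):
    """Return the share-level permission for user, or None if no entry matches."""
    who = user.casefold()
    principals = {who, "everyone"} | GROUPS_NORM.get(who, set())
    matched = [perm for name, perm in SHARE_ACLS[share]
               if name.casefold() in principals]
    if "No_access" in matched:
        return "No_access"               # a deny wins over any group grant
    if not matched:
        return None                      # no entry: the share grants nothing
    return max(matched, key=RANK.__getitem__)


def shares_open_to_everyone():
    """List shares whose ACL still carries an Everyone entry."""
    return sorted(share for share, acl in SHARE_ACLS.items()
                  if any(name.casefold() == "everyone" for name, _ in acl))


if __name__ == "__main__":
    for user in GROUPS:
        for share in SHARE_ACLS:
            print(f"{user:15} {share:12} {effective_share_permission(share, user)}")
    print("still open:", shares_open_to_everyone())
```

In the sample data the denied user still gets Full_Control on the share that kept its Everyone entry, which is why removing the default comes before adding group entries.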


