File Gateway (SMB) and Folder level KMS (CMK) in bucket

0

Is it possible, or is there a workaround, to implement folder-level CMKs in a bucket that a single file share (SMB) points to? I would like a bucket with folders ProjectA, ProjectB, etc. I would assign default encryption at the folder level with a unique CMK for each folder.

The problem is that when you create a file share in Storage Gateway you need to specify either SSE-S3 or SSE-KMS. If you choose the latter you can specify only one CMK. When a file is created in ProjectA using the SMB share, it gets the CMK that you specified in the file share rather than the folder-level one you specified in the S3 bucket.

Any ideas?

Thanks

Peter

asked 3 years ago · 298 views
4 Answers
0

Hello,

I'm Mike with the Storage Gateway team.

I've talked with a couple of developers about your specific need to protect select prefixes (folders) within the same bucket with different CMKs. There isn't a way to accomplish this currently with a single share at the root of the S3 bucket; however, there are a couple of different ways that this could be accomplished using multiple shares.

  1. You can set up shares to a specific prefix within an S3 bucket and apply a different CMK to each individual share. Storage Gateway supports this ability to create a share into a specific folder or prefix within the same bucket. What you would need to avoid is mapping shares that overlap each other in the bucket structure. For instance, a share at the root of the bucket and a share into a subfolder would overlap, since the subfolder would also show up in the root share. The gateway has logic to protect you from accidentally doing this kind of overlap, but you should map out your shares carefully to avoid this situation. For more info on prefix shares and adding CMKs to those shares, take a look at the following:

https://docs.aws.amazon.com/storagegateway/latest/userguide/GettingStartedCreateFileShare.html
https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingAnSMBFileShare.html#create-SMB-file-share

  2. You can leverage S3 access points to make a single S3 bucket appear as different locations, which can then have shares created at the root of each access point. Storage Gateway supports S3 access points. You can learn more about this S3 feature here:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html

Please let me know if you have any other questions I can answer.

Mike H.

AWS
answered 3 years ago
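As an added illustration of the first option (one SMB share per prefix, each with its own CMK) and its overlap caveat, not code from the thread or from AWS: a small planner that rejects overlapping prefixes and the 10-share limit mentioned later in the thread, and builds the per-share parameter sets. The ARNs and prefixes are constructed sample values, and the `LocationARN` layout and parameter names follow boto3's `create_smb_file_share` as assumed here.

```python
"""Plan one SMB file share per S3 prefix, each encrypted with its own KMS key."""
from typing import Dict, List, Tuple
import uuid

MAX_SHARES_PER_GATEWAY = 10  # limit quoted in this thread


def _norm(prefix: str) -> str:
    """Normalize 'ProjectA', '/ProjectA/', 'ProjectA/' to 'ProjectA/'; '' is the bucket root."""
    p = prefix.strip("/")
    return p + "/" if p else ""


def overlapping_pairs(prefixes: List[str]) -> List[Tuple[str, str]]:
    """Return prefix pairs where one share would contain the other (root contains all)."""
    norm = [_norm(p) for p in prefixes]
    pairs = []
    for i in range(len(norm)):
        for j in range(i + 1, len(norm)):
            a, b = norm[i], norm[j]
            # Trailing '/' in _norm keeps 'Project/' from matching 'ProjectA/'.
            if a.startswith(b) or b.startswith(a):
                pairs.append((prefixes[i], prefixes[j]))
    return pairs


def plan_shares(gateway_arn: str, bucket: str, role_arn: str,
                key_by_prefix: Dict[str, str]) -> List[dict]:
    """Build one create_smb_file_share parameter set per prefix; refuse unsafe plans."""
    if len(key_by_prefix) > MAX_SHARES_PER_GATEWAY:
        raise ValueError(f"{len(key_by_prefix)} shares exceed the {MAX_SHARES_PER_GATEWAY}-share limit")
    bad = overlapping_pairs(list(key_by_prefix))
    if bad:
        raise ValueError(f"overlapping share prefixes: {bad}")
    plans = []
    for prefix, kms_key_arn in key_by_prefix.items():
        location = f"arn:aws:s3:::{bucket}"  # assumed LocationARN layout: bucket[/prefix]
        rel = _norm(prefix).rstrip("/")
        if rel:
            location += "/" + rel
        plans.append({
            "ClientToken": str(uuid.uuid4()),     # idempotency token required by the API
            "GatewayARN": gateway_arn,
            "Role": role_arn,                      # IAM role the gateway assumes for S3 access
            "LocationARN": location,
            "KMSEncrypted": True,                  # SSE-KMS rather than SSE-S3
            "KMSKey": kms_key_arn,                 # the per-project CMK for this prefix
            "FileShareName": rel or "root",
        })
    return plans
```

Feed each returned dict to `boto3.client("storagegateway").create_smb_file_share(**params)` once the plan validates.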
0

Thanks Mike. I actually thought of the one-file-share-per-prefix idea, but if I am dealing with 100+ project folders then that sounds hard to manage, and my understanding is SGW only supports 10 file shares per gateway?

I will look at your S3 access point documentation to see if I understand how that can help.

answered 3 years ago
0

Based on this link, it appears I will still have to create one file share per access point, which doesn't work for 100-plus prefixes (bucket folders).

https://aws.amazon.com/about-aws/whats-new/2021/07/aws-storage-gateway-adds-supports-aws-privatelink-amazon-s3-amazon-s3-access-points/

answered 3 years ago
0

Yes, either solution will require a share per prefix, and with that many prefixes, I agree, either solution is unwieldy. The file gateway is limited to 10 shares currently, so you would need quite a few gateways to cover your needs.

If you still choose to take this path, that high number of shares could then be placed behind a solution like Windows DFS, which could aggregate the shares back into a single namespace that appears like 100 subfolders inside a single share. It's a lot of work and maintenance, but it would accomplish the simplicity for the user that you are looking for.

Mike

AWS
answered 3 years ago
