Microsoft Workloads on AWS

Automating Amazon FSx for Windows File Server configuration for more efficient enforcement of security controls

Modern data security strategies require enforcing multiple security controls – including encryption, end-user access control, monitoring, and auditing – to meet internal security policies and compliance goals. Automating the configuration and enforcement of these controls not only reduces the risk of human error and mismanagement, but also reduces management cost and overhead, especially for complex environments.

Automating configuration and enforcement of security options empowers organizations to more efficiently manage and improve their audit and security capabilities.

In this blog post, we describe how to automate the configuration of Amazon FSx for Windows File Server file systems with a decoupled, AWS Step Functions based orchestration mechanism. This helps customers  protect their fully-managed file storage on Amazon FSx with features like data in transit encryption enforcement, end-user access control through Windows Access Control Lists (ACLs), and file access auditing.

Amazon FSx for Windows File Server configuration options

Amazon FSx for Windows File Server provides fully-managed, highly-reliable, and scalable file storage that is accessible over the industry-standard Server Message Block (SMB) protocol. It is built on Windows Server, delivering a wide range of administrative features, such as user quotas, end-user file restore, and Microsoft Active Directory integration.

Although most of these features can be enabled directly through the AWS Management Console or API, for certain configuration options, customers currently need to leverage native Windows administration tools, such as PowerShell commands. In addition, some configuration options need to be updated after the file system is created; for example, setting specific access controls. This adds administrative overhead, especially for customers who need to efficiently create and manage a large number of file systems.

Architecture overview

The automation workflow is designed using AWS Step Functions. When triggered, the Step Functions workflow helps configure settings, such as enabling in-transit encryption, access control lists, and audit logging on any existing Amazon FSx file systems.

In addition, this solution can be easily integrated to send notifications regarding the progress of the workflow and its related activities (for example, successful completion or failure messages), or to send audit logs to an Amazon CloudWatch log group for visibility.

This workflow is also idempotent as it can run multiple times against the same Amazon FSx file system, independent of any other process or mechanism.

Architecture components

The main services that are used in this solution are the following:

  1. Amazon FSx for Windows File Server – Amazon FSx for Windows File Server provides fully-managed, shared storage built on Windows Server and delivers a wide range of data access, data management, and administrative capabilities.
  2. AWS Step Functions – AWS Step Functions is a low-code, visual workflow service that developers use to build distributed applications and automate processes. Here it is used as an orchestration tool to automate the configuration of the Amazon FSx file system.
  3. AWS Lambda – AWS Lambda is a serverless, event-driven compute service that lets developers run code for virtually any type of application or backend service without provisioning or managing servers. In this architecture, Lambda functions are the building block for the logic of the workflow.
  4. Amazon Elastic Compute Cloud (Amazon EC2) – Amazon EC2 offers the broadest and deepest compute platform. This solution uses Amazon EC2 instances to run PowerShell scripts to configure file systems.
  5. AWS CloudFormation – AWS CloudFormation lets developers model, provision, and manage AWS and third-party resources by treating infrastructure as code. This solution can be modeled as a CloudFormation template.
  6. AWS Systems Manager – AWS Systems Manager is a secure, end-to-end management solution for hybrid cloud environments. The Amazon FSx file systems gets automatically configured by leveraging the Systems Manager AWS-RunPowerShellScript feature.
  7. Amazon CloudWatch – Amazon CloudWatch is a monitoring and observability service that provides developers with data and actionable insights to monitor applications, respond to system-wide performance changes, and optimize resource utilization. All logs related to the AWS services proposed in this solution are visible in Amazon CloudWatch Logs.

Solution architecture

The solution architecture in Figure 1 shows the automation flow for configuring an existing Amazon FSx file system.

Figure 1: Solution Architecture

Figure 1: Solution Architecture

The following numbers correspond to the numbers in Figure 1:

  1. The Step Functions workflow gets triggered either manually or through an incoming event. The event should contain the Amazon FSx file system resource ID that needs to be configured. For example, this event can be triggered when a file system is created.
  2. Once the state machine is triggered, the first step is to create a CloudFormation Stack that contains a new Windows Amazon EC2 instance used by Systems Manager to run a PowerShell automation later in the process (see step 4).
  3. Once the Amazon EC2 instance is up and running, the next step is to retrieve file system details, such as the Windows Remote Administration endpoint and the DNS file share endpoint.
  4. At this point, the Systems Manager automation is triggered to run the PowerShell commands that set the Amazon FSx file share.
  5. Once the automation runs successfully, the Amazon EC2 stack can be terminated to save costs.
  6. In the event of any failures, the Lambda named “Failure Notification” can send notifications for awareness through a SNS topic.
  7. Logs are available in CloudWatch for auditing and troubleshooting purposes.

Step Function workflow details

Figure 2: Step Function Workflow

Figure 2: Step Function Workflow

The six Lambda functions shown in Figure 2 are needed as part of the state machine for the Step Functions. Below are the high-level details for each of the functions:

  1. Create EC2 via CloudFormation Stack
    • This standalone temporary Windows Amazon EC2 instance runs the required PowerShell scripts for configuring the Amazon FSx server.
  2. Check EC2 status
    • Verify the Amazon EC2 instance is up and running before proceeding with this workflow.
  3. Get Amazon FSx details
    • This includes the Amazon FSx remote administration endpoint and the DNS endpoint of the file share.
  4. Trigger Amazon FSx configuration
    • Run the SSM PowerShell automation that will configure the Amazon FSx file system to enable encryption, audit logging, and extra security permissions via ACLs. For more information on how to configure these options for your file system, see the Amazon FSx documentation for Managing encryption in transit, file access auditing, and Windows ACLs.
  5. Delete EC2 CloudFormation Stack
    • Removes the CloudFormation Stack that was created in step 1, which is a good practice in order to save on infrastructure costs. The Amazon EC2 instance gets terminated.
  6. Failure notification
    • Sends a notification with any details about any error in the workflow.

Main advantages of this approach

Customers can benefit from these solution advantages:

Reusability

This Step Functions workflow can be used to configure both new and existing Amazon FSx file systems.

Visual tool provided by the Step Functions service

Users can visualize the execution of the function steps through the console to gain insights on the progress of the execution of the workflow at any time.

Integration of the solution via APIs from CloudFormation

Step Functions can be easily triggered both via API calls or through a CloudFormation template using a Custom Resource.

Conclusion

In this blog post, we showed how to automate the configuration of your Amazon FSx file systems with a decoupled, AWS Step Functions based orchestration mechanism.

If you are already leveraging Amazon FSx for Windows File Server, you can use this approach to automate the configuration of any number of new or existing file systems. This also ensures that your fully-managed file storage is compliant with your security requirements.

References

  1. Amazon FSx for Windows File Server
  2. Amazon FSx for Windows File Server User Guide
  3. Amazon FSx for Windows File Server Boto3 docs

AWS can help you assess how your company can get the most out of cloud. Join the millions of AWS customers that trust us to migrate and modernize their most important applications in the cloud. To learn more on modernizing Windows Server or SQL Server, visit Windows on AWSContact us to start your modernization journey today.

Alvaro Sanchez Martin

Alvaro Sanchez Martin

Alvaro Sanchez Martin is a Cloud Infrastructure Architect at AWS. He leads highly-available and fault-tolerant enterprise deployments and Infrastructure automation through DevOps practices. He focuses on facilitating discussions with senior leadership regarding technical / architectural trade-offs, best practices, and risk mitigation.

Vikas Lall

Vikas Lall

Vikas Lall is a 8x AWS Certified Cloud Application Architect with extensive experience working with AWS Serverless architecture , Core Infrastructure , Security , Networking and AWS AI services. He is passionate about helping customers in their Cloud journey, learning and applying skills on new offerings from AWS including Artificial Intelligence , Machine Learning, Serverless.