Enhance privacy controls with access-based enumeration for File Gateway

Customers are responding to the growth of unstructured data by using hybrid cloud storage to reduce cost, operational burden, and to access elastic scaling on demand. As data continues to grow in volume and variety, customers must also ensure they are meeting their requirements for privacy and security controls to restrict access and visibility of sensitive information.

Today we are thrilled to announce that AWS Storage Gateway has introduced additional privacy settings for File Gateway, enabling customers to manage the visibility of sensitive information.

In this post, we discuss the new access-based enumeration (ABE) and file shares visible (FSV) privacy settings for File Gateway SMB file shares. We also cover how to implement them so that customers can achieve a balance of privacy appropriate to their needs.

These settings are available on new gateways starting today in every Region where AWS Storage Gateway is available. For existing gateways, the next scheduled software update makes this new capability available.

What is access-based enumeration (ABE)?

Several customers have requested access-based enumeration (ABE), which is a mechanism to filter the listing of files and folders on a File Gateway SMB file share.

This file share privacy setting is useful to avoid unwanted attention or access attempts to data, especially if, for example, files and folders are named with sensitive information.

When the File Gateway receives a folder query and you have enabled ABE, the ABE mechanism checks every file and folder in the list. ABE filters out anything that does not have an access control list (ACL) matching allowed generic read permissions for the requesting user.

ABE requires more CPU power to process and respond to every folder query. Therefore, customers should carefully plan and test the implementation of ABE to ensure the overall performance of the File Gateway, and the experience of end users, is acceptable.

It is important to understand that ABE is a privacy setting, and not a security control. It is still possible for the user to access files and folders that were filtered by ABE if:

1. A user knows the SMB file share and file path.
2. If partial read permissions were configured in an ACL (such as only denying the reading of attributes, but still allowing reading the file itself).

Customers should couple ABE with strong SMB file share and ACL-based permissions to ensure privacy and security for sensitive data.

Configuring ABE

In this example, we browse to an SMB file share on our File Gateway containing human resources (HR) data.

Immediately we can see some folders, which all users should know about, such as Staff Policies and Annual Leave Register.

However, there is also sensitive information, which may not be appropriate for all users to know about (secret unicorn projects, Payroll, and Staff Performance).

If not done so already, the access control list (ACL) of the sensitive files and folders must be configured to deny read permissions to users and groups who should not have access. This is important for two reasons:

1. To prevent unwanted access attempts.
2. ABE relies on ACLs containing generic read permissions in order to process and filter the list of files and folders that it shows to users.

In this example ACL configuration for sensitive files and folders, full control is granted to the group named Administrators, and all access is denied for the user named Tony.

The next step is to update the HR SMB file share configuration on the File Gateway, enabling ABE by checking Access based enumeration.

That’s it! When the user, Tony, browses to the HR SMB file share, they are not able to access the sensitive files and folders because the read ACL was set to deny. Tony is not able to see a list of the sensitive files and folders, due to enabling ABE.

What is file shares visible (FSV)?

Users who browse to the address of the File Gateway will not see the list of SMB file share names by default. Before the FSV setting, the exact SMB file share names were provided to users (automatically via login script for example) so they knew how to connect and work with shared files and folders.

While this can be ideal from a privacy perspective, in some cases customers may want the names of SMB file shares to be visible to all users. This might be the case in highly collaborative workplaces, for example. This is now possible with the file shares visible (FSV) SMB setting.

Note that FSV is a privacy setting and not an explicit security control. Customers should couple FSV with strong SMB file share and ACL-based permissions to ensure the most appropriate access and visibility to data.

Configuring FSV

Here is an example of a File Gateway that has the SMB file shares visible option disabled (default).

Enabling FSV in the File Gateway configuration applies to all SMB file shares. Users will not see this change immediately on connected shares. They must disconnect those shares or restart their machines before they see the updated FSV setting take effect.

Finally, upon reconnecting to the File Gateway, users can now see all SMB file shares.

AWS Storage Gateway API

For developers integrating with the AWS Storage Gateway API, the following updates are now available.

Existing API calls have been updated to include the new ABE and FSV settings:

• update-smb-file-share and create-smb-file-share includes the following new options:
  • access-based-enumeration
    • The files and folders on this share are only visible to users with read access.
  • no-access-based-enumeration
    • The files and folders on this share are always visible during folder enumeration (Default).

• describe-smb-file-share includes a new output:
  • AccessBasedEnumeration
    • Returns the current ABE setting for an individual SMB file share (Boolean value).
• describe-smb-settings includes a new output:
  • FileSharesVisible
    • Returns the current FSV setting for the entire File Gateway (Boolean value).

AWS has added a new API call to control the FSV setting:

• update-smb-file-share-visibility
  • gateway-arn (string)
    • The ARN of the File Gateway you’re configuring.
  • file-shares-visible
    • The shares on this File Gateway will appear when listing shares.
  • no-file-shares-visible
    • The shares on this File Gateway will not appear when listing shares (Default).

Cleaning up

If you have created any resources such as AWS Storage Gateways and Amazon S3 buckets to test this new capability, remember to delete them to avoid incurring any unwanted charges. For pricing details, please refer to AWS Storage Gateway pricing and Amazon S3 pricing.

Conclusion

In this post, we discussed the new access-based enumeration (ABE) and file shares visible (FSV) settings and how to implement them. With these new settings, customers can achieve a balance of privacy and security appropriate to their needs when using File Gateway for hybrid cloud storage.

Before the introduction of ABE, customers ran the risk of sensitive files and folders beings visible to all users, even if they were not accessible, or had to have additional restricted file shares that spread departmental information across many locations.

Please continue to submit feedback to us so that we can continue to deliver features and enhancements that are valuable to you. Thank you for reading this blog post. Please do not hesitate to leave any questions or thoughts you may have in the comments section. Also, remember to join us on November 10, 2020, for the AWS Storage Day virtual event, to learn what is new across the AWS Storage portfolio.

Further reading

Refer to the following AWS documentation for more information.

• User guide:
  • Access-based enumeration
  • File share visibility
• API:
  • Access-based enumeration
  • File share visibility
• To help you apply best practices and for current recommendations in the design, delivery, and maintenance of secure AWS workloads, please refer to the security pillar of the AWS Well-Architected Framework.