AWS FSx Architecture
High-performance file storage architecture using Amazon FSx for shared workloads
Services
AWS FSx EC2 VPC IAM
Use Case
Shared File Storage
AWS FSx for Windows File Server
Enterprise Storage Architecture · Azure AD · SCP Governance
FSx for Windows · Microsoft Entra ID · AWS Organizations SCP · Multi-AZ · KMS Encryption
1. Identity & Hybrid Authentication
Microsoft Entra ID (Azure AD)
Primary Identity Provider
Conditional Access Policies · MFA Enforced · Group-Based Access
User & group management, SSO federation, device compliance checks, and risk-based authentication policies.
Azure AD Connect
Hybrid Identity Sync
Password hash sync or pass-through auth. Syncs on-prem AD objects to Entra ID with filtering rules.
Connections: SAML/OIDC federation (Entra ID to IAM Identity Center) · AD forest trust (on-premises AD to AWS Managed Microsoft AD) · Kerberos/LDAP (Managed AD to FSx)
AWS Managed Microsoft AD
Directory Service
Multi-AZ Deployment · LDAP / Kerberos · Schema Extensions
Fully managed AD in AWS with domain controllers in separate AZs. Forest trust with the on-premises AD DS forest; Entra ID is not a domain and cannot be a trust partner, it is reached only through SAML/OIDC federation. A one-way trust in which Managed AD trusts the on-premises forest is enough for on-premises users to reach FSx shares; make it two-way only if AWS-side accounts must be resolved on-premises.
AWS IAM Identity Center
SSO & ABAC
SCIM provisioning from Entra ID. Permission sets assigned to groups provisioned from Entra ID; attribute-based access control from SCIM-synced attributes. IAM Identity Center has a single identity source, so the Entra groups that carry AWS permission sets are different objects from the AD groups used for NTFS ACLs; keep them aligned through the on-premises AD to Entra ID sync.
2. Organization SCP & Governance
AWS Organizations with strict SCP policies attached to the storage OU
Region Restriction SCP
{
  "Effect": "Deny",
  "NotAction": [
    "iam:*", "sts:*", "organizations:*",
    "route53:*", "cloudfront:*", "support:*"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:RequestedRegion": [
        "eu-west-1", "eu-west-2"
      ]
    }
  }
}
Restrict all regional resources to approved regions. Global services are exempted with NotAction: with a bare "Action": "*" the statement also blocks IAM and STS calls, which are served from us-east-1 and therefore carry aws:RequestedRegion = us-east-1.
FSx Guardrail SCP
{
  "Effect": "Deny",
  "Action": [
    "fsx:DeleteFileSystem",
    "fsx:DeleteBackup"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotLike": {
      "aws:PrincipalArn":
        "arn:aws:iam::*:role/FSxAdmin"
    }
  }
}
Prevent deletion except by the designated admin role (aws:PrincipalArn resolves to the role ARN for assumed-role sessions). Add the AWS Backup service role used by the backup plan to the allowed list, or backup lifecycle expiry will be denied as well; note that SCPs never apply to the management account.
Encryption Enforcement
Amazon FSx publishes no fsx:KmsKeyId condition key, so CMK use cannot be expressed as an SCP. A Deny with "Null": {"fsx:KmsKeyId": "true"} matches every request (the key is never present) and would block all fsx:CreateFileSystem calls. FSx for Windows always encrypts at rest and falls back to the AWS-managed aws/fsx key when no CMK is supplied, so require the CMK in the deployment templates and verify KmsKeyId on every file system with a detective check (AWS Config or a scheduled script).
Network Boundary
There is likewise no fsx:SubnetIds condition key to pin file systems to approved private subnets; a ForAnyValue:StringNotEquals test on a missing key never matches, so such an SCP would be silently inert. Private placement is instead guaranteed by the Deny Public Access SCP (no internet gateway can exist in the storage OU) and confirmed after creation by checking each file system's SubnetIds against the approved list.
Deny Public Access SCP
Deny ec2:CreateInternetGateway
Deny ec2:AttachInternetGateway
Deny s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock (keeps Block Public Access switched on; an SCP cannot inspect the contents of a bucket policy, so "deny s3:PutBucketPolicy when public" is not expressible)
Block any public exposure paths from the storage OU.
Tagging Enforcement SCP
Require: Environment · Require: CostCenter · Require: DataClassification · Require: Owner (a Null condition on aws:RequestTag/<Key> for each create action that accepts tags on creation)
Deny resource creation without mandatory tags for governance and cost allocation.
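CMK use, subnet placement, tagging, Multi-AZ and audit logging can all be read back from DescribeFileSystems, so the guardrails the SCPs cannot express preventively are checked detectively instead. The script below is an added example, not code from the original page: it runs offline on a constructed DescribeFileSystems-shaped sample, and the CMK ARN, account ID and app subnet names are assumptions. The live variant pages through boto3 and needs credentials.

```python
from __future__ import annotations
from typing import Iterable

# Governance baseline taken from the SCP section; the CMK ARN and account ID are assumptions.
APPROVED_REGIONS = {"eu-west-1", "eu-west-2"}
APPROVED_CMK_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APPROVED_SUBNETS = {"subnet-private-a", "subnet-private-b"}
REQUIRED_TAGS = {"Environment", "CostCenter", "DataClassification", "Owner"}


def audit_file_system(fs: dict) -> list[str]:
    """Return the guardrail violations for one DescribeFileSystems entry."""
    findings: list[str] = []
    region = fs["ResourceARN"].split(":")[3]          # arn:aws:fsx:<region>:<account>:file-system/<id>
    if region not in APPROVED_REGIONS:
        findings.append(f"region {region} not approved")
    if fs.get("KmsKeyId") != APPROVED_CMK_ARN:        # AWS-managed aws/fsx key shows up here as a different ARN
        findings.append("not encrypted with the approved CMK")
    stray = set(fs.get("SubnetIds", [])) - APPROVED_SUBNETS
    if stray:
        findings.append(f"subnets outside approved set: {sorted(stray)}")
    missing = REQUIRED_TAGS - {t["Key"] for t in fs.get("Tags", [])}
    if missing:
        findings.append(f"missing tags: {sorted(missing)}")
    win = fs.get("WindowsConfiguration", {})
    if win.get("DeploymentType") != "MULTI_AZ_1":
        findings.append("not Multi-AZ")
    audit_cfg = win.get("AuditLogConfiguration", {})
    if audit_cfg.get("FileAccessAuditLogLevel", "DISABLED") == "DISABLED":
        findings.append("file access auditing disabled")
    if win.get("AutomaticBackupRetentionDays", 0) < 35:
        findings.append("automatic backup retention below 35 days")
    return findings


def audit(file_systems: Iterable[dict]) -> dict[str, list[str]]:
    """Map FileSystemId -> findings, omitting compliant file systems."""
    result: dict[str, list[str]] = {}
    for fs in file_systems:
        findings = audit_file_system(fs)
        if findings:
            result[fs["FileSystemId"]] = findings
    return result


def audit_region(region: str) -> dict[str, list[str]]:
    """Live variant: page through DescribeFileSystems with boto3 (needs credentials)."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    fsx = boto3.client("fsx", region_name=region)
    pages = fsx.get_paginator("describe_file_systems").paginate()
    return audit(fs for page in pages for fs in page["FileSystems"])


# Constructed sample modelled on the DescribeFileSystems response shape.
SAMPLE_FILE_SYSTEMS = [
    {   # compliant
        "FileSystemId": "fs-0abc123",
        "ResourceARN": "arn:aws:fsx:eu-west-1:111122223333:file-system/fs-0abc123",
        "KmsKeyId": APPROVED_CMK_ARN,
        "SubnetIds": ["subnet-private-a", "subnet-private-b"],
        "Tags": [{"Key": k, "Value": "x"} for k in sorted(REQUIRED_TAGS)],
        "WindowsConfiguration": {
            "DeploymentType": "MULTI_AZ_1",
            "AutomaticBackupRetentionDays": 35,
            "AuditLogConfiguration": {"FileAccessAuditLogLevel": "SUCCESS_AND_FAILURE"},
        },
    },
    {   # drift: default key, unapproved subnet, missing tags, single-AZ, auditing off, short retention
        "FileSystemId": "fs-0bad456",
        "ResourceARN": "arn:aws:fsx:eu-west-1:111122223333:file-system/fs-0bad456",
        "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/aws-managed-example",
        "SubnetIds": ["subnet-public-a"],
        "Tags": [{"Key": "Environment", "Value": "prod"}],
        "WindowsConfiguration": {"DeploymentType": "SINGLE_AZ_2", "AutomaticBackupRetentionDays": 7},
    },
]

if __name__ == "__main__":
    for fs_id, findings in audit(SAMPLE_FILE_SYSTEMS).items():
        print(fs_id, *findings, sep="\n  ")
```

Run it from a scheduled Lambda or as the last step of the deployment checklist; anything it reports is drift that the SCPs above could not have stopped.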
3. VPC & Network Architecture
Availability Zone A (Primary)
Private Subnet A: 10.0.1.0/24 · FSx primary ENI
AD Subnet A: 10.0.10.0/24 · Domain controller
Availability Zone B (Standby)
Private Subnet B: 10.0.2.0/24 · FSx standby ENI
AD Subnet B: 10.0.11.0/24 · Domain controller
Security Groups
Inbound SMB 445 ← App subnets only
Inbound WinRM 5985 ← management hosts only (FSx remote PowerShell endpoint)
Outbound 53, 88, 123, 135, 389, 445, 464, 636, 3268-3269, 9389, 49152-65535 → AD subnets (the port set FSx needs to join and authenticate against the directory)
All other → DENY (security-group default)
NACLs
Inbound 445 ← 10.0.0.0/16 (tighten to the client subnets once they are known)
Inbound ephemeral 1024-65535 ← AD CIDRs (NACLs are stateless, so the replies to FSx's own 88/389/636 requests need an explicit inbound rule)
Outbound 88, 389, 636 → AD CIDRs; outbound ephemeral → client CIDRs (SMB replies)
Inbound 0.0.0.0/0 → DENY (the NACL's implicit final rule)
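Because NACLs are stateless, every allowed flow needs a request rule and a return rule, and the return rules are the ones most often forgotten. The following is an added example, not part of the original page: it expands the stateful intent for the FSx subnets (SMB from clients in, the FSx-to-AD port set out) into the stateless rule list, numbers it the way an NACL evaluates it, and checks that nothing is open to 0.0.0.0/0. The AD CIDRs are from the diagram; the client subnet CIDR and the exact AD port list are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

AD_CIDRS = ["10.0.10.0/24", "10.0.11.0/24"]   # from the diagram
APP_CIDR = "10.0.20.0/24"                      # assumed SMB client subnet
EPHEMERAL = (1024, 65535)                      # covers Windows (49152+) and older/Linux clients


@dataclass(frozen=True)
class Rule:
    direction: str         # "inbound" or "outbound", relative to the FSx subnet
    protocol: str          # "tcp" or "udp"
    ports: tuple[int, int]
    cidr: str


def expand_flow(initiated_by: str, protocol: str, ports: tuple[int, int], peer_cidr: str) -> list[Rule]:
    """One stateful allow becomes a request rule plus a return rule on ephemeral ports.
    initiated_by is "peer" (traffic arrives at the FSx subnet) or "fsx" (FSx dials out)."""
    if initiated_by == "peer":
        return [Rule("inbound", protocol, ports, peer_cidr),
                Rule("outbound", protocol, EPHEMERAL, peer_cidr)]
    return [Rule("outbound", protocol, ports, peer_cidr),
            Rule("inbound", protocol, EPHEMERAL, peer_cidr)]


# FSx -> Active Directory: DNS, Kerberos, NTP, RPC mapper, LDAP, SMB, kpasswd, LDAPS, GC, ADWS, RPC dynamic.
AD_PORTS = [("tcp", (53, 53)), ("udp", (53, 53)), ("tcp", (88, 88)), ("udp", (88, 88)),
            ("udp", (123, 123)), ("tcp", (135, 135)), ("tcp", (389, 389)), ("udp", (389, 389)),
            ("tcp", (445, 445)), ("tcp", (464, 464)), ("udp", (464, 464)), ("tcp", (636, 636)),
            ("tcp", (3268, 3269)), ("tcp", (9389, 9389)), ("tcp", (49152, 65535))]


def build_fsx_subnet_nacl() -> list[Rule]:
    """Stateless rule list for the FSx subnets, duplicates collapsed, order preserved."""
    rules: list[Rule] = expand_flow("peer", "tcp", (445, 445), APP_CIDR)   # SMB clients in
    for cidr in AD_CIDRS:
        for proto, ports in AD_PORTS:
            rules.extend(expand_flow("fsx", proto, ports, cidr))            # FSx to AD out
    return list(dict.fromkeys(rules))   # repeated ephemeral return rules become one entry each


def number_rules(rules: list[Rule], start: int = 100, step: int = 10) -> list[tuple[int, Rule]]:
    """NACL entries are evaluated lowest-number-first; the implicit '*' deny comes last."""
    return [(start + i * step, r) for i, r in enumerate(rules)]


def world_open(rules: list[Rule]) -> list[Rule]:
    """Any rule that would admit or emit traffic to the whole internet."""
    return [r for r in rules if r.cidr == "0.0.0.0/0"]


if __name__ == "__main__":
    nacl = build_fsx_subnet_nacl()
    for num, r in number_rules(nacl):
        print(f"{num:>5} {r.direction:<8} {r.protocol} {r.ports[0]}-{r.ports[1]} {r.cidr}")
    print("world-open rules:", world_open(nacl))
```

The inbound ephemeral rules from the AD CIDRs are what the page's original list was missing: without them FSx's Kerberos and LDAP requests leave the subnet but their replies are dropped by the NACL.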
VPC Endpoints
com.amazonaws.fsx
com.amazonaws.kms
com.amazonaws.logs
com.amazonaws.monitoring
Hybrid Connectivity
AWS Direct Connect · Site-to-Site VPN (backup) · Transit Gateway · On-Prem ↔ Azure ↔ AWS
Dedicated 10 Gbps Direct Connect for FSx traffic, with IPsec Site-to-Site VPN as failover. Transit Gateway for multi-VPC routing with route-table segmentation so the storage VPC is reachable only from approved VPCs. Direct Connect does not encrypt traffic by itself; SMB encryption (or a VPN over the Direct Connect path) is what protects the data in transit.
4. Amazon FSx for Windows File Server
FSx File System
Multi-AZ · SSD-backed
Storage: 10 TB SSD
Throughput: 2,048 MB/s
Protocol: SMB 3.1.1
Dedup: Enabled
Shadow Copies: Enabled
Windows Features
NTFS Permissions · DFS Namespaces · DFS Replication · Access-Based Enumeration · SMB Encryption · Volume Shadow Copies
Full Windows NTFS semantics. ACLs managed via AD groups. DFS namespaces for transparent failover.
Share Structure
\\fs-0abc123.corp.local
├── Departments/
│   ├── Finance/ [Restricted]
│   ├── Engineering/
│   └── Legal/ [Restricted]
├── Shared/
├── UserProfiles/
└── Backups/ [CMK Encrypted]
Backup & DR
Automatic backups: daily, 35-day retention
Backup window: 02:00–03:00 UTC
Cross-region: copied to eu-west-2
Shadow copies: every 6 hours
AWS Backup integration with lifecycle policies; cross-region backup copies for disaster recovery. Automatic backups expire with the retention setting, whereas user-initiated backups persist until explicitly deleted, so include them in the lifecycle policy.
5. Encryption & Data Protection
AWS KMS (CMK)
Customer Managed Key
AES-256 encryption at rest
Annual key rotation enabled
Key policy: scoped to the FSx admin role with kms:ViaService = fsx.eu-west-1.amazonaws.com; FSx creates a grant on the CMK when the file system is created, so the creating principal needs kms:CreateGrant on the key and nothing else needs direct access
CloudTrail key usage logging
In-Transit Encryption
SMB 3.x encryption enforced (Set-FSxSmbServerConfiguration -EncryptData $True -RejectUnencryptedAccess $True on the remote administration endpoint, which refuses clients that cannot negotiate SMB 3.0+ encryption)
TLS 1.2+ for management API
IPSec for VPN traffic
Data Classification
Macie PII Scanning · S3 Intelligent-Tiering · Retention Policies
Macie inspects S3 only, so PII discovery covers data exported from FSx to S3 (for example with AWS DataSync), not the live SMB shares; S3 Intelligent-Tiering likewise applies to those exported copies.
6. Monitoring & Audit
CloudWatch
Metrics & Alarms
FreeStorageCapacity
DataReadBytes / DataWriteBytes
FileServerDiskThroughput
Alarm: Storage < 15%
FSx Audit Logging
File access audit → CloudWatch Logs (Windows Security event XML)
Share access events
Permission change events
Failed access attempts
Security Hub & GuardDuty
CIS Benchmark · Anomaly Detection · Config Rules · EventBridge Alerts
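FSx file and share access auditing delivers Windows Security events to CloudWatch Logs as event XML: 4656/4663 for object access, 5145 for share access, 4670 for permission changes, with the Keywords field marking success or failure audits. The detection below is an added example, not part of the original page: it parses those events and raises on a burst of access denials by one principal and on any ACL change under the restricted department folders. The sample events are constructed, and the local paths behind the Finance and Legal shares are assumptions.

```python
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
FAILURE_BIT = 52                       # Keywords 0x8010... = Audit Failure, 0x8020... = Audit Success
ACCESS_EVENTS = {4656, 4663, 5145}     # handle requested, object accessed, share object checked
ACL_CHANGE_EVENT = 4670
RESTRICTED_PATHS = ("D:\\share\\Departments\\Finance", "D:\\share\\Departments\\Legal")  # assumed
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_event(xml_text: str) -> dict:
    """Reduce one Windows Security event (as shipped to CloudWatch Logs) to the fields we need."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{NS}}}System")
    data = {d.get("Name"): d.text for d in root.iter(f"{{{NS}}}Data")}
    stamp = system.find(f"{{{NS}}}TimeCreated").get("SystemTime")
    keywords = int(system.findtext(f"{{{NS}}}Keywords"), 16)
    return {
        "event_id": int(system.findtext(f"{{{NS}}}EventID")),
        "time": datetime.strptime(stamp.rstrip("Z"), "%Y-%m-%dT%H:%M:%S.%f"),
        "failure": bool((keywords >> FAILURE_BIT) & 1),
        "user": data.get("SubjectUserName", "?"),
        "object": data.get("ObjectName") or data.get("ShareName") or "",
    }


def detect(events: list[dict]) -> list[str]:
    """Sliding-window count of denials per user, plus any ACL change on a restricted path."""
    alerts: list[str] = []
    failures: dict[str, deque] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] in ACCESS_EVENTS and ev["failure"]:
            recent = failures[ev["user"]]
            recent.append(ev["time"])
            while ev["time"] - recent[0] > WINDOW:      # drop denials that fell out of the window
                recent.popleft()
            if len(recent) == FAIL_THRESHOLD:            # fire once when the threshold is crossed
                alerts.append(f"{ev['user']}: {FAIL_THRESHOLD} access denials within {WINDOW} (last: {ev['object']})")
        elif ev["event_id"] == ACL_CHANGE_EVENT and ev["object"].startswith(RESTRICTED_PATHS):
            alerts.append(f"{ev['user']} changed permissions on restricted path {ev['object']}")
    return alerts


def _event(event_id: int, when: str, user: str, obj: str, failure: bool = False) -> str:
    """Build a constructed event in the Windows event XML shape."""
    keywords = "0x8010000000000000" if failure else "0x8020000000000000"
    field = "ShareName" if event_id == 5145 else "ObjectName"
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Keywords>{keywords}</Keywords></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="{field}">{obj}</Data></EventData></Event>')


# Constructed sample: six denials by jdoe in under a minute, one normal share access, one ACL change.
SAMPLE_EVENTS = (
    [_event(4663, f"2024-05-01T10:00:{s:02d}.000Z", "jdoe", "D:\\share\\Departments\\Finance\\q1.xlsx", failure=True)
     for s in (0, 10, 20, 30, 40, 50)]
    + [_event(5145, "2024-05-01T10:01:00.000Z", "asmith", "\\\\*\\Shared")]
    + [_event(4670, "2024-05-01T10:05:00.000Z", "svc-backup", "D:\\share\\Departments\\Finance")]
)

if __name__ == "__main__":
    for alert in detect([parse_event(x) for x in SAMPLE_EVENTS]):
        print(alert)
```

Wire the same logic into a CloudWatch Logs subscription filter or a metric filter on EventID and Keywords; the second alert type is the one to route straight to the security team, since permission changes on restricted shares should only ever come from a change ticket.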
7. Client Access Patterns
Windows EC2 Instances
PS> net use Z: \\fs-0abc123.corp.local\Shared
PS> New-PSDrive -Name "S" -PSProvider FileSystem -Root "\\fs-0abc123.corp.local\Departments" -Persist
Domain-joined instances with GPO-managed drive mappings. Always map by the file system's DNS name, not its IP: Kerberos needs the name to obtain the CIFS service ticket, and a mapping by IP silently falls back to NTLM.
Amazon WorkSpaces
Virtual desktops with AD-joined profiles. FSx mapped as persistent user profile storage.
User Profile Disks
AppStream 2.0
Streaming applications with FSx as shared persistent storage for session data and files.
Session Scripts
Python SDK Access
boto3
import boto3

# Pin the client to an SCP-approved region; credentials come from the instance or task role
fsx = boto3.client('fsx', region_name='eu-west-1')

# Describe file systems
fs = fsx.describe_file_systems()

# Create an ad-hoc, user-initiated backup (needs fsx:CreateBackup and fsx:TagResource;
# unlike automatic backups it is kept until someone deletes it)
backup = fsx.create_backup(
    FileSystemId='fs-0abc123',
    Tags=[{'Key': 'Type', 'Value': 'adhoc'}]
)
Deployment Checklist
1. Deploy AWS Managed Microsoft AD
Create the directory in the VPC with subnets in two AZs. Establish a forest trust with the on-premises AD forest (Entra ID cannot take part in a trust; it is federated via SAML/OIDC).
2. Configure Azure AD Connect
Set up hybrid identity sync and enable password hash sync. Configure the AWS IAM Identity Center enterprise application in Entra ID for SAML sign-in and SCIM provisioning.
3. Apply Organization SCPs
Attach the region-lock, delete-protect, public-access-deny and tagging SCPs to the storage OU. Test each SCP against a sandbox account first; a Deny on a mistyped or non-existent condition key can block every call for that action.
4. Provision VPC & Networking
Create private subnets, NACLs and SGs. The FSx SG needs inbound SMB 445 (and 5985 for remote PowerShell administration) from the client subnets and outbound to the AD subnets on the AD port set (53, 88, 123, 135, 389, 445, 464, 636, 3268-3269, 9389, 49152-65535). Set up VPC endpoints and Direct Connect.
5. Create FSx File System
Launch Multi-AZ FSx for Windows. Select SSD, set throughput, enable dedup and shadow copies, and supply the CMK at creation (the key cannot be changed afterwards). Join it to Managed AD.
6. Configure Shares & ACLs
Create department shares. Apply NTFS permissions via AD groups. Enable access-based enumeration.
7. Enable Security & Monitoring
Create the KMS CMK (it must exist before step 5), enable audit logging, set CloudWatch alarms, and activate Security Hub and GuardDuty.
8. Test & Validate
Map drives from a domain-joined instance. Verify ACLs, test Multi-AZ failover, confirm audit logs flow to CloudWatch, and run a backup restore test.
AWS FSx for Windows · Azure AD Hybrid · SCP-Governed · Production Reference Architecture