AWS S3 - CloudBerry Drive - No way to set permissions to Windows share


I recently added the CloudBerry Drive service addon to my AWS stack to create a storage gateway between an S3 bucket and a Windows 2019 Standard server on my private domain. It works very well but seems to have one big flaw when it comes to permissions. When you configure the application to connect to AWS S3, it creates the mapped drive and "Windows" share path (\\servername\s3BucketName).

This is very convenient, but there seems to be no way to manage permissions to this location. The security tab is missing in the properties of the folder. And as this appears as though it's technically a Windows share, I cannot manage permissions to the location that way either.

So now I have this great solution for doing my GET/PUT actions using a UNC path internally, but the ACL shows the system default "EVERYONE" ACE listed when looking using Get-ACL in PowerShell. So literally all domain users have access to this location at present. I have no way to prevent this access without setting up either IP-based or user-based access using the Windows firewall (which I haven't tested, but I think I can do it that way), but this would not be very easy to manage as we have a lot of systems and users accessing this.

It looks like there is no support for this AWS addon via the CloudBerry Drive folks and so far, AWS support is saying they cannot assist even though I added this to my AWS account and am billed via AWS for the product.

Has anyone ever run into this issue and if so, have you found a solution or at least a better workaround to the open access issue?

I have not yet tried creating an actual Windows share using this UNC path to then attempt to manage permissions that way, for fear of breaking the existing connection to the AWS S3 bucket. This storage gateway is constantly in use, and we only have one maintenance window per month. I'm worried that trying this might break the connectivity altogether, as it already functions like a Windows share.

I was also thinking of trying to use PowerShell (Set-ACL) to manage the permissions, but yet again I fear I might break the connectivity. (Get-ACL output below)

#########################

PS> get-item "\\serverhostname\S3BucketName" | Get-Acl | fl

Path   : Microsoft.PowerShell.Core\FileSystem::\\serverhostname\S3BucketName
Owner  : Everyone
Group  : Everyone
Access : Everyone Allow -1
Audit  :
Sddl   : O:WDG:WD

#########################
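
Added example (not part of the original post and not CloudBerry or AWS code): a read-only PowerShell helper that parses an SDDL string, such as the `O:WDG:WD` value in the output above, and reports whether the descriptor carries a DACL at all and whether any ACE allows Everyone. `Get-SddlSummary` is a hypothetical name, the second SDDL string is constructed for comparison, and the script only parses text; it never calls Set-Acl or touches the share.

```powershell
# Added example. Read-only: parses SDDL text, never calls Set-Acl.
function Get-SddlSummary {
    param([Parameter(Mandatory)][string]$Sddl)

    # RawSecurityDescriptor parses the SDDL form without opening any file or share.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $everyone = [System.Security.Principal.WellKnownSidType]::WorldSid

    # DiscretionaryAcl is $null when the SDDL has no "D:" component.
    $aces = @()
    if ($null -ne $sd.DiscretionaryAcl) {
        $aces = @(foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            [pscustomobject]@{
                Type       = $ace.AceType
                Sid        = $sid.Value
                IsEveryone = ($null -ne $sid) -and $sid.IsWellKnown($everyone)
                AccessMask = '0x{0:X8}' -f $ace.AccessMask
            }
        })
    }

    $everyoneAllow = @($aces | Where-Object {
        $_.IsEveryone -and $_.Type -eq 'AccessAllowed'
    })

    [pscustomobject]@{
        Sddl            = $Sddl
        Owner           = $sd.Owner.Value
        Group           = $sd.Group.Value
        DaclPresent     = $null -ne $sd.DiscretionaryAcl
        EveryoneAllowed = $everyoneAllow.Count -gt 0
        Aces            = $aces
    }
}

# SDDL copied from the Get-Acl output in the question:
# owner and group only, no "D:" (DACL) component.
Get-SddlSummary -Sddl 'O:WDG:WD'

# Constructed comparison value: Administrators full control,
# Authenticated Users read.
Get-SddlSummary -Sddl 'O:BAG:BAD:(A;;FA;;;BA)(A;;FR;;;AU)'
```

A descriptor reported without a DACL places no restriction on access under the standard Windows access check; whether the CloudBerry Drive share enforces the descriptor it reports is not something the page establishes.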
