

# Creating a file share
<a name="GettingStartedCreateFileShare"></a>

In this section, you can find instructions on how to create a file share that can be accessed using the Network File System (NFS) or the Server Message Block (SMB) protocol.

When you create an NFS share, anyone who has access to the NFS server can access the NFS file share by default. You can limit access to clients by IP address.

When you create an SMB file share, you can use one of three modes of authentication:
+ A file share with Microsoft Active Directory (AD) access. Any authenticated Microsoft AD user gets access to this file share type.
+ An SMB file share with limited access. Only certain domain users and groups that you specify are allowed access (through an allow list). Users and groups can also be denied access (through a deny list).
+ An SMB file share with guest access. Any user who can provide the guest password has access to this file share.
**Note**  
File shares that are exported through the gateway for NFS file shares support POSIX permissions. For SMB file shares, you can use access control lists (ACLs) to manage permissions on files and folders in your file share. For more information, see [Using Windows ACLs to limit SMB file share access](smb-acl.md).

A File Gateway can host one or more file shares of different types. You can have multiple NFS and SMB file shares on a File Gateway.

**Important**  
To create a file share, a File Gateway requires you to activate AWS Security Token Service (AWS STS). If AWS STS isn't activated in the AWS Region where you create your File Gateway, activate it. For information about how to activate AWS STS, see [Activating and deactivating AWS Security Token Service in an AWS Region](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate) in the *AWS Identity and Access Management User Guide*.

**Topics**
+ [Avoiding unanticipated costs when uploading gateway data](avoid-unanticipated-costs.md)
+ [Encrypt objects stored by File Gateway in Amazon S3](encrypt-objects-stored-by-file-gateway-in-amazon-s3.md)
+ [Create an NFS file share](create-nfs-file-share.md)
+ [Create an SMB file share](create-smb-file-share.md)

# Avoiding unanticipated costs when uploading gateway data
<a name="avoid-unanticipated-costs"></a>

When a file is written to the File Gateway by an NFS client, the File Gateway uploads the file's data to Amazon S3 followed by its metadata. Uploading the file data creates an S3 object, and uploading the metadata for the file updates the metadata for the S3 object. This process creates an additional version of the object. If S3 versioning is turned on, both versions are stored.

If you change the metadata of a file that's stored in your File Gateway, a new S3 object is created and replaces the existing S3 object. This behavior is different from editing a file in a file system, where editing a file does not result in a new file being created. Test all file operations that you plan to use with AWS Storage Gateway so that you understand how each file operation interacts with Amazon S3 storage.

Carefully consider the use of S3 versioning and Cross-Region replication (CRR) in Amazon S3 when you're uploading data from your File Gateway. Uploading files from your File Gateway to Amazon S3 when S3 versioning is turned on commonly results in more than one version of an S3 object.

Certain workflows involving large files and file-writing patterns such as file uploads that are performed in several steps can increase the number of stored S3 object versions. If the File Gateway cache needs to free up space due to high file-write rates, multiple S3 object versions might be created. These scenarios increase S3 storage if S3 Versioning is turned on and increase the transfer costs associated with CRR. Test all file operations that you plan to use with Storage Gateway so that you understand how each file operation interacts with Amazon S3 storage.

Using the Rsync utility with your File Gateway results in the creation of temporary files in the cache and the creation of temporary S3 objects in Amazon S3. This situation results in early deletion charges in the S3 Standard-Infrequent Access (S3 Standard-IA) storage class.

# Encrypt objects stored by File Gateway in Amazon S3
<a name="encrypt-objects-stored-by-file-gateway-in-amazon-s3"></a>

S3 File Gateway supports the following methods of server-side encryption for the data that it stores in Amazon S3:
+ **SSE-S3** — By default, all new objects uploaded to Amazon S3 buckets use server-side encryption with Amazon S3 managed keys. For more information, see [Using server-side encryption with Amazon S3 managed keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) in the *Amazon Simple Storage Service User Guide*.
+ **SSE-KMS** — You can configure your file share to use server-side encryption with AWS Key Management Service (AWS KMS) managed keys. AWS KMS is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. For more information, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the *AWS Key Management Service Developer Guide*.
+ **DSSE-KMS** — Dual-layer server-side encryption with AWS KMS keys applies two layers of encryption to objects when they are uploaded to Amazon S3. This helps fulfill compliance standards for multilayer encryption. For more information, see [Using dual-layer server-side encryption with AWS KMS keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingDSSEncryption.html) in the *Amazon Simple Storage Service User Guide*.
**Note**  
There are additional charges for using DSSE-KMS and AWS KMS keys. For more information, see [AWS KMS pricing](https://aws.amazon.com/kms/pricing/).

You can specify an encryption method when you create a new file share by using the Storage Gateway console or the Storage Gateway API. For console procedures, see [Create an NFS file share with a custom configuration](CreatingAnNFSFileShare.md) or [Create an SMB file share with a custom configuration](CreatingAnSMBFileShare.md). For information about the corresponding API commands, see [CreateNFSFileShare](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_CreateNFSFileShare.html) or [CreateSMBFileShare](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_CreateSMBFileShare.html) in the *AWS Storage Gateway API Reference*.



You can also update encryption settings for an existing file share using the Storage Gateway console, or the Storage Gateway API. For the console procedure, see [Change the server-side encryption method for an existing file share](edit-file-share-encryption.md). For information about the corresponding API commands, see [UpdateNFSFileShare](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_UpdateNFSFileShare.html) or [UpdateSMBFileShare](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_UpdateSMBFileShare.html) in the *AWS Storage Gateway API Reference*.

**Note**  
After you update the encryption method, the gateway uses the new method for all new objects it creates in Amazon S3 and for any stored objects that it updates or modifies in the future. Existing Amazon S3 objects will only receive the new encryption method if they are updated or modified by the gateway.

**Important**  
Make sure that your file share uses the same encryption type as the Amazon S3 bucket where it stores your data.  
If you configure your File Gateway to use SSE-KMS or DSSE-KMS for encryption, you must manually add `kms:Encrypt`, `kms:Decrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey`, and `kms:DescribeKey` permissions to the IAM role associated with the file share. For more information, see [Using Identity-Based Policies (IAM Policies) for Storage Gateway](https://docs.aws.amazon.com/filegateway/latest/files3/using-identity-based-policies.html).
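One way to confirm that a file share role carries the KMS permissions listed above is to check its policy document before switching the share to SSE-KMS or DSSE-KMS. This is an added example, not part of the AWS documentation; the key ARN and both policy documents are constructed, and statements with `Condition`, `NotAction` or `NotResource` are not evaluated.

```python
import re

# The page lists kms:ReEncrypt*; it is expanded here into the two concrete
# KMS permissions that wildcard covers so each one is checked on its own.
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey",
)

# Constructed placeholder key ARN and role policies (not taken from the page).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": KEY_ARN},
    ],
}

COMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {  # IAM accepts a single statement object as well as a list
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    },
}


def _as_list(value):
    """IAM allows a bare string/object wherever a list is accepted."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcards: '*' is any run of characters, '?' is one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def missing_kms_actions(policy, key_arn):
    """Return the required KMS actions the policy does not grant on key_arn.

    An action counts as granted when an Allow statement covers it and no
    Deny statement does. Conditions are ignored (assumption of this sketch).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt or "NotResource" in stmt:
            continue  # inverted statements need a full policy simulator
        resources = _as_list(stmt.get("Resource"))
        if not any(_iam_match(r, key_arn) for r in resources):
            continue  # statement does not apply to this key
        patterns = _as_list(stmt.get("Action"))
        hits = {
            action for action in REQUIRED_KMS_ACTIONS
            # action names are case-insensitive in IAM
            if any(_iam_match(p, action, ignore_case=True) for p in patterns)
        }
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return [a for a in REQUIRED_KMS_ACTIONS if a not in allowed or a in denied]


if __name__ == "__main__":
    for label, doc in (("incomplete", INCOMPLETE_POLICY),
                       ("complete", COMPLETE_POLICY)):
        print(label, "missing:", missing_kms_actions(doc, KEY_ARN))
```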

# Create an NFS file share
<a name="create-nfs-file-share"></a>

The Network File System (NFS) protocol is a stateful file sharing protocol for Unix-based systems. When an NFS-enabled client and NFS server communicate, the client requests a file or directory from the server using remote procedure calls (RPC). The server verifies that the file or directory is available and that the client has the required access permissions. The server then mounts the file or directory remotely on the client and shares access via a virtual connection. For client operations, NFS makes using the remote server file similar to accessing a local file.

**Note**  
The NFS protocol supports a maximum of 16 groups per user. Users might have issues mounting NFS file shares if they belong to more than 16 groups. To avoid mounting issues, make sure that users are members of 16 or fewer groups when accessing NFS file shares.

The following topics explain various methods for creating an NFS file share for your File Gateway:

**Contents**
+ [Create an NFS file share using the default configuration](nfs-fileshare-quickstart-settings.md)
  + [Default configuration settings for NFS file shares](nfs-fileshare-quickstart-settings.md#quickstart-default-settings)
+ [Create an NFS file share with a custom configuration](CreatingAnNFSFileShare.md)

# Create an NFS file share using the default configuration
<a name="nfs-fileshare-quickstart-settings"></a>

This section explains how to create a new Network File System (NFS) file share using preconfigured default settings. Use this method for basic deployments, personal use, testing, or as a way to quickly deploy multiple file shares that you plan to edit and customize later. For a list of the default settings for file shares that you create using this procedure, see [Default configuration settings for NFS file shares](https://docs.aws.amazon.com/filegateway/latest/files3/nfs-fileshare-quickstart-settings.html#quickstart-default-settings). If you need more granular control or want to use advanced settings for your file share, see [Create an NFS file share using a custom configuration](https://docs.aws.amazon.com/filegateway/latest/files3/CreatingAnNFSFileShare.html).

**Note**  
If you need to connect your file share to Amazon S3 through a Virtual Private Cloud (VPC), you must follow the custom configuration procedure. You can’t edit VPC settings for a file share after you create it. 

**Important**  
Using S3 Versioning, Cross-Region Replication, or the Rsync utility when uploading data from a File Gateway can have significant cost implications. For more information, see [Avoiding unanticipated costs when uploading data from File Gateway](https://docs.aws.amazon.com/filegateway/latest/files3/avoid-unanticipated-costs.html).

**To create an NFS file share using the default configuration:**

1. Open the AWS Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home/](https://console.aws.amazon.com/storagegateway/home/) and choose **File shares** from the left navigation pane.

1. Choose **Create file share**.

1. For **Gateway**, choose your Amazon S3 File Gateway from the list.

1. For **File share protocol**, choose **NFS**.

1. For **S3 bucket**, do one of the following:
   + Choose an existing Amazon S3 bucket in your account from the dropdown list.
   + Choose **A bucket in another account** from the dropdown list, then enter the name of the bucket in **Cross-account bucket name**.
   + Choose **Create new S3 bucket**, then choose the AWS Region where the Amazon S3 endpoint for your new bucket is located, and enter a unique **S3 bucket name**. Choose **Create S3 bucket** when finished.

     For information about creating a new bucket, see [How do I create an S3 bucket?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html) in the Amazon S3 User Guide.
**Note**  
S3 File Gateway does not support Amazon S3 buckets with periods (`.`) in the bucket name.  
Make sure your bucket name complies with the rules for bucket naming in Amazon S3. For more information, see [Rules for bucket naming](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon Simple Storage Service User Guide*.

1. Review the settings under **Default configuration**, then choose **Create file share** to create your new NFS file share using the default configuration.

After your NFS file share is created, you can view its configuration settings in the AWS Storage Gateway console on the file share's **Details** tab. For information about mounting your file share, see [Mount your NFS file share on your client](https://docs.aws.amazon.com/filegateway/latest/files3/GettingStartedAccessFileShare.html).

## Default configuration settings for NFS file shares
<a name="quickstart-default-settings"></a>

The following settings apply to all new NFS file shares that you create using the default configuration. After you create a file share, you can select it from the **File shares** page in the AWS Storage Gateway console to view details about its configuration.

**Important**  
The default NFS file share configuration provides full file control and access permissions to the owner of the S3 bucket that's mapped to the file share, even if the bucket is owned by a different AWS account. For more information about using your file share to access objects in a bucket that's owned by another account, see [Using a file share for cross-account access](cross-account-access.md).


| Setting | Default value | Notes | 
| --- | --- | --- | 
|  **Amazon S3 location**  |  The file share connects directly to the Amazon S3 bucket and has the same name as the bucket. Your gateway uses this bucket to store and retrieve files.  |  The name doesn't include a prefix.  | 
|  **AWS PrivateLink for S3**  |  The file share doesn't connect to Amazon S3 through an interface endpoint in your virtual private cloud (VPC).  |  | 
|   **File upload notification**   |  Off  |   | 
|  **Storage class for new objects**   |  Amazon S3 Standard   |  This lets you store your frequently accessed object data redundantly in multiple Availability Zones that are geographically separated. For more information about the Amazon S3 Standard storage class, see [Storage classes for frequently accessed objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-freq-data-access) in the *Amazon Simple Storage Service User Guide*.   | 
|   **Encryption**  | Server-side encryption with S3 managed keys (SSE-S3) | All Amazon S3 objects that your S3 File Gateway uploads, updates, or modifies are encrypted by default with server-side encryption using Amazon S3 managed keys.  | 
|   **Object metadata**  | Guess MIME type | This allows Storage Gateway to guess the Multipurpose Internet Mail Extension (MIME) type for uploaded objects based on file extensions. This option requires that Access Control Lists (ACLs) are turned on for the Amazon S3 bucket that's associated with your file share. If ACLs are turned off, the file share can't access the Amazon S3 bucket, and remains in the **Unavailable** state indefinitely.  | 
|  **Enable requester pays**  |  Off  |  For more information, see [Requester Pays buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html).  | 
|  **Audit logs**  |  Off  |  Logging to an Amazon CloudWatch group is turned off by default.  | 
|   **Access to your S3 bucket**   |  Create a new IAM role   |   The default option allows the File Gateway to create a new IAM role and access policy on your behalf. All NFS clients are allowed access. For information about supported NFS clients, see [Supported NFS and SMB clients for File Gateway](Requirements.md#requirements-s3-fgw-clients).    | 
|  **Mount options**  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/filegateway/latest/files3/nfs-fileshare-quickstart-settings.html)  |  The default value of **Squash level** means that access for the remote superuser (root) is mapped to User Identifier (UID) (65534) and Group Identifier (GID) (65534).  | 
|  **File metadata defaults**  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/filegateway/latest/files3/nfs-fileshare-quickstart-settings.html)  |  | 

# Create an NFS file share with a custom configuration
<a name="CreatingAnNFSFileShare"></a>

Use the following procedure to create a Network File System (NFS) file share with a custom configuration. To create an NFS file share using default configuration settings, see [Create an NFS file share using the default configuration](https://docs.aws.amazon.com/filegateway/latest/files3/nfs-fileshare-quickstart-settings.html). 

**Important**  
Using S3 Versioning, Cross-Region Replication, or the Rsync utility when uploading data from a File Gateway can have significant cost implications. For more information, see [Avoiding unanticipated costs when uploading data from File Gateway](https://docs.aws.amazon.com/filegateway/latest/files3/avoid-unanticipated-costs.html).

**To create an NFS file share with customized settings**

1. Open the AWS Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home/](https://console.aws.amazon.com/storagegateway/home/) and choose **File shares** from the left navigation pane.

1. Choose **Create file share**.

1. Choose **Customize configuration**. You can ignore the other fields on this page for now. You will be prompted to configure gateway, protocol, and storage settings in subsequent steps.

1. For **Gateway**, choose the Amazon S3 File Gateway for your new file share from the dropdown list.

1. For **CloudWatch log group**, choose one of the following from the dropdown list:
   + To turn off logging for this file share, choose **Disable logging**.
   + To automatically create a new log group for this file share, choose **Created by Storage Gateway**.
   + To send health and resource notifications for this file share to an existing log group, choose the desired group from the list.

   For more information about audit logs, see [Understanding S3 File Gateway audit logs](https://docs.aws.amazon.com/filegateway/latest/files3/monitoring-file-gateway.html#audit-logs).

1. (Optional) Under **Tags - Optional**, choose **Add new tag**, then enter a **Key** and **Value** for your file share.

   A tag is a case-sensitive key-value pair that helps you categorize your Storage Gateway resources. Adding tags can make filtering and searching for your file share easier. You can repeat this step to add up to 50 tags.

   Choose **Next** when finished.

1. For **S3 bucket**, do one of the following to specify where your file share will store and retrieve files:
   + To connect the file share directly to an existing S3 bucket in your Amazon Web Services account, choose the bucket name from the dropdown list.
   + To connect the file share to an existing S3 bucket that is owned by an Amazon Web Services account other than the one that you use to create the file share, choose **A bucket in another account** from the dropdown list, then enter the **Cross-account bucket name**.
   + To connect the file share to a new S3 bucket, choose **Create a new S3 bucket**, then choose the **Region** where the Amazon S3 endpoint for your new bucket is located, and enter a unique **S3 bucket name**. Choose **Create S3 bucket** when finished. For more information about creating new buckets, see [How do I create an S3 bucket?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html) in the Amazon S3 User Guide.
   + To connect the file share to an S3 bucket using an access point name, choose **Amazon S3 access point name** from the dropdown list, then enter the **Access point name**. If you need to create a new access point, you can choose **Create an S3 access point**. For further instructions, see [Creating an access point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-access-points.html) in the Amazon S3 User Guide. For more information about access points, see [Managing data access with Amazon S3 access points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html) and [Delegating access control to access points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html#access-points-delegating-control) in the Amazon S3 User Guide.
   + To connect the file share to an S3 bucket using an access point alias, choose **Amazon S3 access point alias** from the dropdown list, then enter the **Access point alias**. If you need to create a new access point, you can choose **Create an S3 access point**. For further instructions, see [Creating an access point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-access-points.html) in the Amazon S3 User Guide. For more information about access point aliases, see [Using a bucket-style alias for your access point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-alias.html) in the Amazon S3 User Guide.
**Note**  
Each file share can only connect to one S3 bucket, but multiple file shares can connect to the same bucket. If you connect more than one file share to the same bucket, you must configure each file share to use a unique, non-overlapping **S3 bucket prefix** to prevent read/write conflicts.  
S3 File Gateway does not support Amazon S3 buckets with periods (`.`) in the bucket name.  
Make sure your bucket name complies with the rules for bucket naming in Amazon S3. For more information, see [Rules for bucket naming](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon Simple Storage Service User Guide*.

1. (Optional) For **S3 bucket prefix**, enter a prefix for your file share to apply to the objects it creates in Amazon S3. Prefixes are a way to organize your data in S3, similar to directories in traditional file structures. For more information, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html) in the Amazon S3 User Guide.
**Note**  
If you connect more than one file share to the same bucket, you must configure each file share to use a unique, non-overlapping prefix to prevent read/write conflicts.  
The prefix must end with a forward slash (/).  
After the file share is created, the prefix can't be modified or deleted.

1. For **Region**, choose the AWS Region where the S3 endpoint for your bucket is located from the dropdown list. This field appears only when you specify an access point or a bucket in another account for **S3 bucket**.

1. For **Storage class for new objects**, choose a storage class from the dropdown list. For more information about storage classes, see [Using storage classes with a File Gateway](https://docs.aws.amazon.com/filegateway/latest/files3/storage-classes.html#ia-file-gateway).

1. For **IAM Role**, do one of the following to configure an IAM role for your file share:
   + To automatically create a new IAM role with the necessary permissions for your file share to work properly, choose **Created by Storage Gateway** from the dropdown list.
   + To use an existing IAM role, choose the role name from the dropdown list.
   + To create a new IAM role, choose **Create a role**. For further instructions, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the AWS Identity and Access Management User Guide.

   For more information about how IAM roles control access between your file share and S3 bucket, see [Granting access to an Amazon S3 bucket](https://docs.aws.amazon.com/filegateway/latest/files3/add-file-share.html#grant-access-s3).

1. For **Private link**, do the following only if you need to configure your file share to communicate with AWS using a private endpoint in a Virtual Private Cloud (VPC). Otherwise, skip this step. For more information, see [What is AWS PrivateLink?](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) in the AWS PrivateLink Guide.

   1. Select **Use VPC endpoint**.

   1. For **Identify VPC endpoint by**, do one of the following:
      + Select **VPC endpoint ID**, then choose the endpoint that you want to use from the **VPC endpoint** dropdown list.
      + Select **DNS name**, then enter the **DNS name** for the endpoint that you want to use.

1. For **Encryption**, choose the type of server-side encryption that the file share will use for the data that it stores in Amazon S3:
   + To use server-side encryption managed with Amazon S3 (SSE-S3), choose **S3-Managed Keys (SSE-S3)**.

     For more information, see [Using server-side encryption with Amazon S3 managed keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) in the *Amazon Simple Storage Service User Guide*.
   + To use server-side encryption managed with AWS Key Management Service (SSE-KMS), choose **KMS-Managed Keys (SSE-KMS)**. For **Primary KMS key**, choose an existing AWS KMS key, or choose **Create a new KMS key** to create a new KMS key in the AWS Key Management Service (AWS KMS) console.

     For more information about AWS KMS, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the *AWS Key Management Service Developer Guide*.
   + To use dual-layer server-side encryption managed with AWS Key Management Service (DSSE-KMS), choose **Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS)**. For **Primary KMS key**, choose an existing AWS KMS key, or choose **Create a new KMS key** to create a new KMS key in the AWS Key Management Service (AWS KMS) console.

     For more information about DSSE-KMS, see [Using dual-layer server-side encryption with AWS KMS keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingDSSEncryption.html) in the *Amazon Simple Storage Service User Guide*.
**Note**  
There are additional charges for using DSSE-KMS and AWS KMS keys. For more information, see [AWS KMS pricing](https://aws.amazon.com/kms/pricing/).  
To specify an AWS KMS key with an alias that is not listed or to use an AWS KMS key from a different AWS account, you must use the AWS Command Line Interface. Asymmetric KMS keys are not supported. For more information, see [CreateNFSFileShare](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_CreateNFSFileShare.html) in the *AWS Storage Gateway API Reference*. 
**Important**  
Make sure that your file share uses the same encryption type as the Amazon S3 bucket where it stores your data.

1. For **Guess MIME types**, select **Guess media MIME type** to allow Storage Gateway to guess the media type for uploaded objects based on their file extensions.

1. For **File share name**, enter a name for your file share.
**Note**  
A valid NFS file share name can only contain the following characters: `a`-`z`, `A`-`Z`, `0`-`9`, `-`, `.`, and `_`.

1. For **Upload events**, select **Log an event when a file is successfully uploaded by the gateway** if you want your gateway to record CloudWatch log events when it successfully uploads files to Amazon S3. Notification delay controls the minimum delay between the most recent client write operation and generation of the `ObjectUploaded` log notification. Because clients can make many small writes to files in a short time, we recommend setting this parameter for as long as possible to avoid generating multiple notifications for the same file in rapid succession. For more information, see [Getting file upload notification](https://docs.aws.amazon.com/filegateway/latest/files3/monitoring-file-gateway.html#get-file-upload-notification).
**Note**  
This setting has no effect on the timing of the object uploading to S3, only on the timing of the notification.  
This setting is not meant to specify an exact time at which the notification will be sent. In some cases, the gateway might require more than the specified delay time to generate and send notifications.

   Choose **Next** when finished.

1. For **File share protocol**, choose **NFS**.

1. For **Client access**, do one of the following to specify which NFS clients can access your file share:
   + To accept all incoming client connections, select **All NFS clients**.
   + To accept incoming client connections only from specific IP addresses, select **Specific NFS clients**, then choose **Add a client**. For **Allowed clients**, specify a valid IP address or CIDR block from which to accept connections. If you need to specify additional IP addresses, choose **Add another client**.
**Note**  
We recommend limiting access to your file share by using the **Specific NFS clients** option. If you don't, any client on your network can mount the file share.

1. For **Access type**, select one of the following:
   + To allow clients to read and write files on the file share, select **Read/Write**.
   + To allow clients to read files but not write to the file share, select **Read-only**.
**Note**  
For file shares that are mounted on a Microsoft Windows client, if you choose **Read-only**, you might see a message about an unexpected error keeping you from creating the folder. You can ignore this message.

1. For **Access level**, choose one of the following:
   + **Root squash (default)**: Access for the remote superuser (root) is mapped to UID (65534) and GID (65534).
   + **All squash**: All user access is mapped to User ID (UID) (65534) and Group ID (GID) (65534).
   + **No root squash**: The remote superuser (root) receives access as root.

1. (Optional) For **Automated cache refresh from S3**, choose **Set cache refresh interval**, then set the time in **Minutes** or **Days** to refresh the file share's cache using Time To Live (TTL). TTL is the length of time since the last refresh. After the TTL interval has elapsed, accessing a directory causes the File Gateway to refresh that directory's contents from the Amazon S3 bucket. 
**Note**  
Setting this value shorter than 30 minutes can negatively impact gateway performance in situations where large numbers of Amazon S3 objects are frequently created or deleted.

1. For **File metadata defaults**, select **Change default metadata for S3 objects that were not created or modified by your gateway** if you want your gateway to apply file metadata (including Unix permissions) to preexisting objects that it discovers in your S3 bucket. Specify the **Directory permissions**, **File permissions**, **User ID**, and **Group ID** that you want to apply in the corresponding fields.

1. For **File ownership and permissions**, select **Give the S3 bucket owner full ownership of files created by the gateway, including read, write, edit, and delete permissions** if you want the AWS account that owns the S3 bucket to have full control of all objects written to the bucket by your file share.

   Choose **Next** when finished.

1. Review the file share configuration. Choose **Edit** to modify the settings for any section that you want to change. When finished, choose **Create**.

After your NFS file share is created, you can view its configuration settings in the AWS Storage Gateway console on the file share's **Details** tab. For instructions to mount your file share, see [Mount your NFS file share on your client](https://docs.aws.amazon.com/filegateway/latest/files3/GettingStartedAccessFileShare.html).
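
The client access, access level, logging and prefix choices made in this procedure can be reviewed afterwards from the API. The following added example (not part of the AWS documentation) audits records shaped like the `NFSFileShareInfoList` entries returned by DescribeNFSFileShares; the sample shares, bucket names and finding labels are constructed, and it assumes an unrestricted share appears as a `/0` entry in `ClientList`.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records using DescribeNFSFileShares field names.
SAMPLE_SHARES = [
    {"FileShareName": "reports",
     "ClientList": ["0.0.0.0/0"],           # "All NFS clients"
     "Squash": "RootSquash",
     "AuditDestinationARN": "",              # audit logs off (the default)
     "LocationARN": "arn:aws:s3:::example-bucket-a/reports/"},
    {"FileShareName": "reports-archive",
     "ClientList": ["10.0.5.0/24"],
     "Squash": "NoSquash",                   # remote root keeps root access
     "AuditDestinationARN": "arn:aws:logs:us-east-1:111122223333:log-group:example",
     "LocationARN": "arn:aws:s3:::example-bucket-a/reports/archive/"},
    {"FileShareName": "hr",
     "ClientList": ["10.0.6.12/32"],
     "Squash": "RootSquash",
     "AuditDestinationARN": "arn:aws:logs:us-east-1:111122223333:log-group:example",
     "LocationARN": "arn:aws:s3:::example-bucket-b/hr/"},
]

BUCKET_ARN_PREFIX = "arn:aws:s3:::"


def _admits_everyone(entry):
    """True when a ClientList entry has prefix length 0 (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed entries are not this check's concern


def _bucket_and_prefix(location_arn):
    """'arn:aws:s3:::bucket/prefix/' -> ('bucket', 'prefix/')."""
    resource = location_arn[len(BUCKET_ARN_PREFIX):]
    bucket, _, prefix = resource.partition("/")
    return bucket, prefix


def audit_nfs_shares(shares):
    """Return (share, finding) tuples for settings the page calls out."""
    findings = []
    by_bucket = defaultdict(list)
    for share in shares:
        name = share.get("FileShareName") or share.get("FileShareARN", "?")

        # The page recommends "Specific NFS clients" over "All NFS clients".
        if any(_admits_everyone(c) for c in share.get("ClientList") or []):
            findings.append((name, "open-client-list"))

        # "No root squash": the remote superuser receives access as root.
        if share.get("Squash") == "NoSquash":
            findings.append((name, "no-root-squash"))

        # No CloudWatch log group means no audit trail for this share.
        if not share.get("AuditDestinationARN"):
            findings.append((name, "audit-logs-off"))

        # Only plain bucket ARNs are parsed; access point ARNs are skipped.
        location = share.get("LocationARN", "")
        if location.startswith(BUCKET_ARN_PREFIX):
            bucket, prefix = _bucket_and_prefix(location)
            if prefix and not prefix.endswith("/"):
                findings.append((name, "prefix-missing-slash"))
            by_bucket[bucket].append((name, prefix))

    # Shares on one bucket must use unique, non-overlapping prefixes. An
    # empty prefix (whole bucket) overlaps every other share on that bucket.
    for entries in by_bucket.values():
        for i, (name_a, prefix_a) in enumerate(entries):
            for name_b, prefix_b in entries[i + 1:]:
                if prefix_a.startswith(prefix_b) or prefix_b.startswith(prefix_a):
                    findings.append((f"{name_a}+{name_b}", "overlapping-prefix"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_nfs_shares(SAMPLE_SHARES):
        print(f"{share}: {finding}")
```

With live data, pass the `NFSFileShareInfoList` value from a DescribeNFSFileShares response in place of `SAMPLE_SHARES`.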

# Create an SMB file share
<a name="create-smb-file-share"></a>

The Server Message Block (SMB) protocol is deeply integrated into the Microsoft Windows product suite, and remains the default file sharing protocol for Windows operating systems. The process of client-server communication is similar to NFS at a high level, but there are differences in some details and operational mechanisms. For example, in SMB, file systems are not mounted on the local SMB client. Instead, a network share hosted on the SMB server is accessed via a network path. 

The topics in this section explain various methods for creating an SMB file share for your File Gateway.

**Contents**
+ [Create an SMB file share using the default configuration](smb-fileshare-quickstart-settings.md)
  + [Default configuration settings for SMB file shares](smb-fileshare-quickstart-settings.md#quickstart-default-settings)
+ [Create an SMB file share with a custom configuration](CreatingAnSMBFileShare.md)

# Create an SMB file share using the default configuration
<a name="smb-fileshare-quickstart-settings"></a>

This section explains how to create a new Server Message Block (SMB) file share using preconfigured default settings. Use this method for basic deployments, personal use, testing, or as a way to quickly deploy multiple file shares that you plan to edit and customize later. For a list of the default settings for file shares that you create using this procedure, see [Default configuration settings for SMB file shares](https://docs.aws.amazon.com/filegateway/latest/files3/smb-fileshare-quickstart-settings.html#quickstart-default-settings). If you need more granular control or want to use advanced settings for your file share, see [Create an SMB file share with a custom configuration](https://docs.aws.amazon.com/filegateway/latest/files3/CreatingAnSMBFileShare.html).

**Note**  
If you need to connect your file share to Amazon S3 through a Virtual Private Cloud (VPC), you must follow the custom configuration procedure. You can’t edit VPC settings for a file share after you create it. 

**Important**  
Using S3 Versioning, Cross-Region Replication, or the Rsync utility when uploading data from a File Gateway can have significant cost implications. For more information, see [Avoiding unanticipated costs when uploading data from File Gateway](https://docs.aws.amazon.com/filegateway/latest/files3/avoid-unanticipated-costs.html).

**Prerequisites**  
Before you create your file share, do the following:
+ Configure SMB security settings for your File Gateway. For instructions, see [Setting a security level for your gateway](https://docs.aws.amazon.com/filegateway/latest/files3/security-strategy.html).
+ Configure either Microsoft Active Directory or guest access for authentication. For instructions, see [Using Active Directory to authenticate users](https://docs.aws.amazon.com/filegateway/latest/files3/enable-ad-settings.html) or [Providing guest access to your file share](https://docs.aws.amazon.com/filegateway/latest/files3/guest-access.html).
+ Make sure that the required ports are open in your security group. For more information, see [Port Requirements](https://docs.aws.amazon.com/filegateway/latest/files3/Resource_Ports.html).

**To create an SMB file share using the default configuration:**

1. Open the AWS Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home/](https://console.aws.amazon.com/storagegateway/home/) and choose **File shares** from the left navigation pane.

1. Choose **Create file share**.

1. For **Gateway**, choose the Amazon S3 File Gateway from the dropdown list.

1. For **File share protocol**, choose **SMB**.

1. For **S3 bucket**, do one of the following:
   + Choose an existing Amazon S3 bucket in your account from the dropdown list.
   + Choose **A bucket in another account** from the dropdown list, then enter the name of the bucket in **Cross-account bucket name**.
   + Choose **Create new S3 bucket**, then choose the AWS Region where the Amazon S3 endpoint for your new bucket is located, and enter a unique **S3 bucket name**. Choose **Create S3 bucket** when finished.

     For information about creating a new bucket, see [How do I create an S3 bucket?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html) in the Amazon S3 User Guide.
**Note**  
S3 File Gateway does not support Amazon S3 buckets with periods (`.`) in the bucket name.  
Make sure your bucket name complies with the rules for bucket naming in Amazon S3. For more information, see [Rules for bucket naming](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon Simple Storage Service User Guide*.

1. For **User authentication**, choose the authentication method you want to use from the dropdown list:
   + To use your corporate Microsoft Active Directory or AWS Managed Microsoft AD to authenticate user access to your SMB file share, choose **Active Directory**. Your gateway must be joined to a domain to use this method. For more information, see [Using Active Directory to authenticate users](https://docs.aws.amazon.com/filegateway/latest/files3/enable-ad-settings.html).
**Note**  
To use AWS Managed Microsoft AD with an Amazon EC2 gateway, you must create the Amazon EC2 instance in the same VPC as the AWS Managed Microsoft AD, add the `_workspaceMembers` security group to the Amazon EC2 instance, and join the AD domain using the Admin credentials from the AWS Managed Microsoft AD.  
For more information about AWS Managed Microsoft AD, see [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html).  
For more information about Amazon EC2, see [https://docs.aws.amazon.com/ec2/](https://docs.aws.amazon.com/ec2/).

     If **Join status** indicates that your gateway is already joined to an Active Directory domain, proceed to the next step. Otherwise, do the following:

     1. Choose **Configure**.

     1. For **Domain**, enter the name of the Active Directory domain you want your gateway to join.

     1. Enter the **Username** and **Password** that the gateway will use to join the domain.

     1. (Optional) For **Organization unit (OU)**, enter the designated OU that your Active Directory uses for new computer objects.

     1. (Optional) For **Domain controller(s) (DC)**, enter the name of the DC through which your gateway will connect to Active Directory. You can leave this field blank to allow DNS to automatically select a DC.

     1. Choose **Join Active Directory**.
**Note**  
Joining a domain creates an Active Directory account in the default container (which isn't an organizational unit) using the Gateway ID as the account name (for example, SGW-1234ADE). It is not possible to customize the name of this account.  
If your Active Directory environment requires that you pre-stage accounts to facilitate the domain join process, you need to create this account ahead of time.  
If your Active Directory environment has a designated OU for new computer objects, you must specify that OU when joining the domain.
   + To grant password-protected access to anyone who provides the guest password that you configure, choose **Guest access**. Your File Gateway doesn't need to be part of a Microsoft Active Directory domain to use this method. Choose **Configure** to specify your **Guest password**, then choose **Save**.

1. Review the settings under **Default configuration**, then choose **Create file share** to create your new SMB file share using the default configuration.

After your SMB file share is created, you can view its configuration settings in the AWS Storage Gateway console on the file share's **Details** tab. For information about mounting your file share, see [Mount your SMB file share on your client](https://docs.aws.amazon.com/filegateway/latest/files3/using-smb-fileshare.html).

## Default configuration settings for SMB file shares
<a name="quickstart-default-settings"></a>

The following settings apply to all new SMB file shares that you create using the default configuration. After you create a file share, you can select it from the **File shares** page in the AWS Storage Gateway console to view details about its configuration.

**Important**  
The default SMB file share configuration provides full file control and access permissions to the owner of the S3 bucket that's mapped to the file share, even if the bucket is owned by a different Amazon Web Services account. For more information about using your file share to access objects in a bucket that's owned by another account, see [Using a file share for cross-account access](https://docs.aws.amazon.com/filegateway/latest/files3/add-file-share.html#cross-account-access).


| Setting | Default value | Notes | 
| --- | --- | --- | 
|  **Amazon S3 location**  |  The file share connects directly to the Amazon S3 bucket and has the same name as the bucket. Your gateway uses this bucket to store and retrieve files.  |  The name doesn't include a prefix.  | 
|  **AWS PrivateLink for S3**  |  The file share doesn't connect to Amazon S3 through an interface endpoint in your virtual private cloud (VPC).  |  | 
|   **File upload notification**   |  Off  |   | 
|  **Storage class for new objects**   |  Amazon S3 Standard  |  This lets you store your frequently accessed object data redundantly in multiple Availability Zones that are geographically separated. For more information about the Amazon S3 Standard storage class, see [Storage classes for frequently accessed objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-freq-data-access) in the *Amazon Simple Storage Service User Guide*.   | 
|   **Encryption**  | Server-side encryption with S3 managed keys (SSE-S3) | All Amazon S3 objects that your S3 File Gateway uploads, updates, or modifies are encrypted by default with server-side encryption using Amazon S3 managed keys.  | 
|   **Object metadata**  | Guess MIME type | This allows Storage Gateway to guess the Multipurpose Internet Mail Extension (MIME) type for uploaded objects based on file extensions. This option requires that Access Control Lists (ACLs) are turned on for the Amazon S3 bucket that's associated with your file share. If ACLs are  turned off, the file share can't access the Amazon S3 bucket, and remains in the **Unavailable** state  indefinitely.  | 
|  **Access based enumeration**  |  Not activated  |  The files and folders on the file share are visible to all users  during directory enumeration. Access-based enumeration is a system that filters the enumeration of  files and folders on an SMB file share based on the share's access  control lists (ACLs).  | 
|  **Enable requester pays**  |  Off  |  For more information, see [Requester Pays buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html).  | 
|  **Opportunistic locking**  |  On  |  This allows the file share to use opportunistic locking to optimize  the file buffering strategy.  In most cases, activating opportunistic locking improves  performance, particularly with regard to Windows context  menus.  | 
|  **Audit logs**  |  Off  |  Logging to an Amazon CloudWatch group is turned off by default.  | 
|  **Force case sensitivity**  |  Off  |  This allows the client to control the case sensitivity.  | 
|   **Access to your S3 bucket**   |  Create a new IAM role   |   The default option allows the File Gateway to create a new IAM role and access  policy on your behalf.  | 

# Create an SMB file share with a custom configuration
<a name="CreatingAnSMBFileShare"></a>

Use the following procedure to create a Server Message Block (SMB) file share with a custom configuration. To create an SMB file share using default configuration settings, see [Create an SMB file share using the default configuration](https://docs.aws.amazon.com/filegateway/latest/files3/smb-fileshare-quickstart-settings.html).

**Important**  
Using S3 Versioning, Cross-Region Replication, or the Rsync utility when uploading data from a File Gateway can have significant cost implications. For more information, see [Avoiding unanticipated costs when uploading data from File Gateway](https://docs.aws.amazon.com/filegateway/latest/files3/avoid-unanticipated-costs.html).

**Prerequisites**  
Before you create your file share, do the following:
+ Configure SMB security settings for your File Gateway. For instructions, see [Setting a security level for your gateway](https://docs.aws.amazon.com/filegateway/latest/files3/security-strategy.html).
+ Configure either Microsoft Active Directory or guest access for authentication. For instructions, see [Using Active Directory to authenticate users](https://docs.aws.amazon.com/filegateway/latest/files3/enable-ad-settings.html) or [Providing guest access to your file share](https://docs.aws.amazon.com/filegateway/latest/files3/guest-access.html).
+ Make sure that the required ports are open in your security group. For more information, see [Port Requirements](https://docs.aws.amazon.com/filegateway/latest/files3/Resource_Ports.html).

**To create an SMB file share with customized settings**

1. Open the AWS Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home/](https://console.aws.amazon.com/storagegateway/home/) and choose **File shares** from the left navigation pane.

1. Choose **Create file share**.

1. Choose **Customize configuration**. You can ignore the other fields on this page for now. You will be prompted to configure gateway, protocol, and storage settings in subsequent steps.

1. For **Gateway**, choose the Amazon S3 File Gateway from the dropdown list.

1. For **CloudWatch log group**, choose one of the following from the dropdown list:
   + To turn off logging for this file share, choose **Disable logging**.
   + To automatically create a new log group for this file share, choose **Created by Storage Gateway**.
   + To send health and resource notifications for this file share to an existing log group, choose the desired group from the list.

   For more information about audit logs, see [Understanding S3 File Gateway audit logs](https://docs.aws.amazon.com/filegateway/latest/files3/monitoring-file-gateway.html#audit-logs).

1. (Optional) Under **Tags - Optional**, choose **Add new tag**, then enter a **Key** and **Value** for your file share. A tag is a case-sensitive key-value pair that helps you to categorize your Storage Gateway resources. Adding tags can make filtering and searching for your file share easier. You can repeat this step to add up to 50 tags.

   Choose **Next** when finished.

1. For **S3 bucket**, do one of the following to specify where to store and retrieve files:
   + To connect the file share directly to an existing S3 bucket in your Amazon Web Services account, choose the bucket name from the dropdown list.
   + To connect the file share to an existing S3 bucket that's owned by an Amazon Web Services account other than the one that you're using to create the file share, choose **A bucket in another account** from the dropdown list, then enter the **Cross-account bucket name**.
   + To connect the file share to a new S3 bucket, choose **Create a new S3 bucket**, then choose the **Region** where the Amazon S3 endpoint for your new bucket is located, and enter a unique **S3 bucket name**. Choose **Create S3 bucket** when finished. For more information about creating new buckets, see [How do I create an S3 bucket?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html) in the Amazon S3 User Guide.
   + To connect the file share to an S3 bucket using an access point name, choose **Amazon S3 access point name** from the dropdown list, then enter the **Access point name**. If you need to create a new access point, you can choose **Create an S3 access point**. For further instructions, see [Creating an access point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-access-points.html) in the Amazon S3 User Guide. For more information about access points, see [Managing data access with Amazon S3 access points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html) and [Delegating access control to access points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html#access-points-delegating-control) in the Amazon S3 User Guide.
   + To connect the file share to an S3 bucket using an access point alias, choose **Amazon S3 access point alias** from the dropdown list, then enter the **Access point alias**. If you need to create a new access point, you can choose **Create an S3 access point**. For further instructions, see [Creating an access point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-access-points.html) in the Amazon S3 User Guide. For more information about access point aliases, see [Using a bucket-style alias for your access point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-alias.html) in the Amazon S3 User Guide.
**Note**  
Each file share can only connect to one S3 bucket, but multiple file shares can connect to the same bucket. If you connect more than one file share to the same bucket, you must configure each file share to use a unique, non-overlapping **S3 bucket prefix** to prevent read/write conflicts.  
S3 File Gateway does not support Amazon S3 buckets with periods (`.`) in the bucket name.  
Make sure your bucket name complies with the rules for bucket naming in Amazon S3. For more information, see [Rules for bucket naming](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon Simple Storage Service User Guide*.

1. (Optional) For **S3 bucket prefix**, enter a prefix for your file share to apply to the objects it creates in Amazon S3. Prefixes are a way to organize your data in S3, similar to directories in traditional file structures. For more information, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html) in the Amazon S3 User Guide.
**Note**  
If you connect more than one file share to the same bucket, you must configure each file share to use a unique, non-overlapping prefix to prevent read/write conflicts.  
The prefix must end with a forward slash (/).  
After the file share is created, the prefix can't be modified or deleted.

1. For **Region**, choose the AWS Region where the S3 endpoint for your bucket is located from the dropdown list. This field appears only when you specify an access point or a bucket in another account for **S3 bucket**.

1. For **Storage class for new objects**, choose a storage class from the dropdown list. For more information about storage classes, see [Using storage classes with a File Gateway](https://docs.aws.amazon.com/filegateway/latest/files3/storage-classes.html#ia-file-gateway).

1. For **IAM Role**, do one of the following to configure an IAM role for your file share:
   + To automatically create a new IAM role with the necessary permissions for your file share to work properly, choose **Created by Storage Gateway** from the dropdown list.
   + To use an existing IAM role, choose the role name from the dropdown list.
   + To create a new IAM role, choose **Create a role**. For further instructions, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the AWS Identity and Access Management User Guide.

   For more information about how IAM roles control access between your file share and S3 bucket, see [Granting access to an Amazon S3 bucket](https://docs.aws.amazon.com/filegateway/latest/files3/add-file-share.html#grant-access-s3).

1. For **Private link**, do the following only if you need to configure your file share to communicate with AWS using a private endpoint in a Virtual Private Cloud (VPC). Otherwise, skip this step. For more information, see [What is AWS PrivateLink?](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) in the AWS PrivateLink Guide.

   1. Select **Use VPC endpoint**.

   1. For **Identify VPC endpoint by**, do one of the following:
      + Select **VPC endpoint ID**, then choose the endpoint that you want to use from the **VPC endpoint** dropdown list.
      + Select **DNS name**, then enter the **DNS name** for the endpoint that you want to use.

1. For **Encryption**, choose the type of encryption keys to use to encrypt objects that your File Gateway stores in Amazon S3:
   + To use server-side encryption managed with Amazon S3 (SSE-S3), choose **S3-Managed Keys (SSE-S3)**. 

     For more information, see [Using server-side encryption with Amazon S3 managed keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) in the *Amazon Simple Storage Service User Guide*.
   + To use server-side encryption managed with AWS Key Management Service (SSE-KMS), choose **KMS-Managed Keys (SSE-KMS)**. For **Primary KMS key**, choose an existing AWS KMS key, or choose **Create a new KMS key** to create a new KMS key in the AWS Key Management Service (AWS KMS) console.

     For more information about AWS KMS, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the *AWS Key Management Service Developer Guide*.
   + To use dual-layer server-side encryption managed with AWS Key Management Service (DSSE-KMS), choose **Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS)**. For **Primary KMS key**, choose an existing AWS KMS key, or choose **Create a new KMS key** to create a new KMS key in the AWS Key Management Service (AWS KMS) console.

     For more information about DSSE-KMS, see [Using dual-layer server-side encryption with AWS KMS keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingDSSEncryption.html) in the *Amazon Simple Storage Service User Guide*.
**Note**  
There are additional charges for using DSSE-KMS and AWS KMS keys. For more information, see [AWS KMS pricing](https://aws.amazon.com/kms/pricing/).  
To specify an AWS KMS key with an alias that is not listed or to use an AWS KMS key from a different AWS account, you must use the AWS Command Line Interface. Asymmetric KMS keys are not supported. For more information, see [CreateSMBFileShare](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_CreateSMBFileShare.html) in the *AWS Storage Gateway API Reference*. 
**Important**  
Make sure that your file share uses the same encryption type as the Amazon S3 bucket where it stores your data.

1. For **Guess MIME types**, select **Guess media MIME type** to allow Storage Gateway to guess the Multipurpose Internet Mail Extension (MIME) type for uploaded objects based on their file extensions.

1. For **File share name**, enter a name for your file share.
**Note**  
A valid SMB file share name cannot contain the following characters: `[`,`]`,`#`,`;`,`<`,`>`,`:`,`"`,`\`,`/`,`|`,`?`,`*`,`+`, or ASCII control characters `1-31`.

1. For **Upload events**, select **Log an event when a file is successfully uploaded by the gateway** if you want your gateway to record CloudWatch log events when it successfully uploads files to Amazon S3. Notification delay controls the delay between the most recent client write operation and generation of the `ObjectUploaded` log notification. Because clients can make many small writes to files in a short time, we recommend setting this parameter for as long as possible to avoid generating multiple notifications for the same file in rapid succession. For more information, see [Getting file upload notification](https://docs.aws.amazon.com/filegateway/latest/files3/monitoring-file-gateway.html#get-file-upload-notification).
**Note**  
This setting has no effect on the timing of the object uploading to S3, only on the timing of the notification.  
This setting is not meant to specify an exact time at which the notification will be sent. In some cases, the gateway might require more than the specified delay time to generate and send notifications.

   Choose **Next** when finished.

1. For **File share protocol**, choose **SMB**.

1. For **User authentication**, choose the authentication method that you want to use from the dropdown list:
   + To use your corporate Microsoft Active Directory or AWS Managed Microsoft AD to authenticate user access to your SMB file share, choose **Active Directory**. Your gateway must be joined to a domain to use this method. For more information, see [Using Active Directory to authenticate users](https://docs.aws.amazon.com/filegateway/latest/files3/enable-ad-settings.html).
**Note**  
To use AWS Managed Microsoft AD with an Amazon EC2 gateway, you must create the Amazon EC2 instance in the same VPC as the AWS Managed Microsoft AD, add the `_workspaceMembers` security group to the Amazon EC2 instance, and join the AD domain using the Admin credentials from the AWS Managed Microsoft AD.  
For more information about AWS Managed Microsoft AD, see [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html).  
For more information about Amazon EC2, see [https://docs.aws.amazon.com/ec2/](https://docs.aws.amazon.com/ec2/).

     If **Join status** indicates that your gateway is already joined to an Active Directory domain, proceed to the next step. Otherwise, do the following:

     1. Choose **Configure**.

     1. For **Domain**, enter the name of the Active Directory domain that you want your gateway to join.

     1. Enter the **Username** and **Password** that the gateway will use to join the domain.

     1. (Optional) For **Organization unit (OU)**, enter the designated OU that your Active Directory uses for new computer objects.

     1. (Optional) For **Domain controller(s) (DC)**, enter the name of the DC through which your gateway will connect to Active Directory. You can leave this field blank to allow DNS to automatically select a DC.

     1. Choose **Join Active Directory**.
**Note**  
Joining a domain creates an Active Directory account in the default container (which isn't an organizational unit), using the gateway's Gateway ID as the account name (for example, SGW-1234ADE). It is not possible to customize the name of this account.  
If your Active Directory environment requires that you pre-stage accounts to facilitate the domain join process, you need to create this account ahead of time.  
If your Active Directory environment has a designated OU for new computer objects, you must specify that OU when joining the domain.
   + To grant password-protected access to anyone who provides the guest password that you configure, choose **Guest access**. Your File Gateway doesn't need to be part of a Microsoft Active Directory domain to use this method. Choose **Configure** to specify your **Guest password**, then choose **Save**.

1. For **User access**, do one of the following to specify which SMB clients can access your file share:
   + To grant access to all users that successfully authenticate through Active Directory, select **All AD-authenticated users**.
   + To allow or deny access to specific users or groups, choose **Specific AD-authenticated users or groups**, then do the following:
     + For **Allowed users and groups**, choose **Add allowed user** or **Add allowed group** and enter an Active Directory user or group that you want to allow file share access. Repeat this process to allow as many users and groups as necessary.
     + For **Denied users and groups**, choose **Add denied user** or **Add denied group** and enter an Active Directory user or group that you want to deny file share access. Repeat this process to deny as many users and groups as necessary. 
**Note**  
The **User and group file share access** section appears only if User authentication is set to **Active Directory**.  
When specifying users or groups, do not include the domain. The domain name is implied by the membership of the gateway in the specific Active Directory to which it is joined.

1. (Optional) For **Admin users**, enter a comma-separated list of Active Directory users and groups. Admin users receive privileges to update access control lists (ACLs) on all files and folders in the file share. Groups must be prefixed with the `@` character, for example, `@group1`. 

1. For **Access type**, select one of the following:
   + To allow clients to read and write files on the file share, select **Read/Write**.
   + To allow clients to read files but not write to the file share, select **Read-only**.
**Note**  
For file shares that are mounted on a Microsoft Windows client, if you choose **Read-only**, you might see a message about an unexpected error keeping you from creating the folder. You can ignore this message.

1. For **File and directory access control**, select one of the following:
   + To set fine-grained permissions on files and folders in your SMB file share, select **Windows Access Control List**. For more information, see [Using Microsoft Windows ACLs to Control Access to an SMB File Share](https://docs.aws.amazon.com/filegateway/latest/files3/smb-acl.html).
   + To use POSIX permissions to control access to files and directories that are stored through your SMB file share, choose **POSIX permissions**.

1. For **Access based enumeration**, do one of the following:
   + To make the files and folders on the share visible only to users who have read access, select **Hide files and directories where user doesn't have permission**.
   + To make the files and folders on the share visible to all users during directory enumeration, don't select the check box.
**Note**  
Access-based enumeration is a system that filters the enumeration of files and folders on an SMB file share based on the share's access control lists (ACLs).

1. For **File access options**, select one of the following:
   + To optimize the file share’s file buffering strategy using opportunistic locking, select **Opportunistic lock**. In most cases, activating opportunistic locking improves performance, particularly with regard to Windows context menus.
   + To allow the gateway, rather than the SMB client, to control file name case sensitivity, select **Force case sensitivity**.
   + To deactivate both settings, select **Neither**.
**Note**  
To avoid file access conflicts, these settings are mutually exclusive and cannot be activated at the same time.

1. (Optional) For **Automated cache refresh from S3**, choose **Set cache refresh interval**, then set the time in **Minutes** or **Days** to refresh the file share's cache using Time To Live (TTL). TTL is the length of time since the last refresh. After the TTL interval has elapsed, accessing a directory causes the File Gateway to refresh that directory's contents from the Amazon S3 bucket. 
**Note**  
Setting this value shorter than 30 minutes can negatively impact gateway performance in situations where large numbers of Amazon S3 objects are frequently created or deleted.

1. For **File ownership and permissions**, select **Give the S3 bucket owner full ownership of files created by the gateway, including read, write, edit, and delete permissions** if you want the AWS account that owns the S3 bucket to have full control of all objects written to the bucket by your file share.

   Choose **Next** when finished.

1. Review the file share configuration. Choose **Edit** to modify the settings for any section that you want to change. When finished, choose **Create**.

After your SMB file share is created, you can view its configuration settings in the AWS Storage Gateway console on the file share's **Details** tab. For instructions to mount your file share, see [Mount your SMB file share on your client](https://docs.aws.amazon.com/filegateway/latest/files3/using-smb-fileshare.html).
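
The naming, prefix, principal, and locking constraints stated in the SMB procedures above can be checked against a planned configuration before anything is created. The following Python check is an added example, not AWS code: the `SharePlan` structure, its field names, and the sample plans are constructed for illustration, and the domain detection is a heuristic.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Characters this page lists as invalid in an SMB file share name.
INVALID_NAME_CHARS = set('[]#;<>:"\\/|?*+')
MIN_CACHE_TTL_MINUTES = 30  # below this, the page warns of a performance impact


@dataclass
class SharePlan:
    """Hypothetical description of one planned share (field names are ours)."""
    name: str
    bucket: str
    prefix: str = ""
    authentication: str = "ActiveDirectory"  # or "GuestAccess"
    allowed: List[str] = field(default_factory=list)
    denied: List[str] = field(default_factory=list)
    admins: List[str] = field(default_factory=list)  # groups start with "@"
    oplocks: bool = True
    force_case_sensitivity: bool = False
    cache_ttl_minutes: Optional[int] = None
    audit_logging: bool = False  # Off in the default configuration


Finding = Tuple[str, str, str]  # (severity, share name, message)


def _has_domain(principal: str) -> bool:
    """Heuristic: DOMAIN\\user or user@domain forms carry a domain part."""
    bare = principal[1:] if principal.startswith("@") else principal
    return "\\" in bare or "@" in bare


def check_share(p: SharePlan) -> List[Finding]:
    """Check one plan against the per-share rules stated on this page."""
    out: List[Finding] = []
    bad = sorted(c for c in set(p.name)
                 if c in INVALID_NAME_CHARS or 1 <= ord(c) <= 31)
    if bad:
        out.append(("error", p.name, f"share name has invalid characters {bad!r}"))
    if "." in p.bucket:
        out.append(("error", p.name, "bucket names with periods are not supported"))
    if p.prefix and not p.prefix.endswith("/"):
        out.append(("error", p.name, "prefix must end with a forward slash"))
    if p.oplocks and p.force_case_sensitivity:
        out.append(("error", p.name,
                    "opportunistic lock and force case sensitivity are mutually exclusive"))
    if p.cache_ttl_minutes is not None and p.cache_ttl_minutes < MIN_CACHE_TTL_MINUTES:
        out.append(("warn", p.name, "cache refresh interval is shorter than 30 minutes"))
    if p.authentication != "ActiveDirectory" and (p.allowed or p.denied):
        out.append(("error", p.name,
                    "allow/deny lists apply only with Active Directory authentication"))
    for who in p.allowed + p.denied + p.admins:
        if _has_domain(who):
            out.append(("error", p.name, f"principal {who!r} must not include the domain"))
    if p.authentication == "GuestAccess":
        out.append(("warn", p.name, "anyone who has the guest password can access this share"))
    if not p.audit_logging:
        out.append(("warn", p.name, "audit logging to CloudWatch is off"))
    return out


def check_prefix_overlap(plans: List[SharePlan]) -> List[Finding]:
    """Shares on the same bucket need unique, non-overlapping prefixes."""
    out: List[Finding] = []
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if a.bucket != b.bucket:
                continue
            # An empty prefix covers the whole bucket, so it overlaps everything.
            if a.prefix.startswith(b.prefix) or b.prefix.startswith(a.prefix):
                out.append(("error", f"{a.name},{b.name}",
                            f"prefixes {a.prefix!r} and {b.prefix!r} overlap on {a.bucket}"))
    return out


def audit(plans: List[SharePlan]) -> List[Finding]:
    findings = [f for p in plans for f in check_share(p)]
    return findings + check_prefix_overlap(plans)


# Constructed sample plans: one clean, two with deliberate mistakes.
SAMPLE_PLANS = [
    SharePlan(name="finance", bucket="example-corp-shares", prefix="finance/",
              allowed=["@finance-team"], admins=["@storage-admins"], audit_logging=True),
    SharePlan(name="finance:archive", bucket="example-corp-shares", prefix="finance/archive",
              allowed=["CORP\\alice"], force_case_sensitivity=True, cache_ttl_minutes=5),
    SharePlan(name="scratch", bucket="example.corp.scratch",
              authentication="GuestAccess", allowed=["bob"]),
]

if __name__ == "__main__":
    for severity, share, message in audit(SAMPLE_PLANS):
        print(f"{severity.upper():5} {share}: {message}")
```

Because the prefix can't be modified after the file share is created, the overlap check is most useful when it is run over every planned share for a bucket before the first one is created.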