This topic discusses different methods you can use to secure your file systems.
Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) uses policies to control what users can do within Oracle Cloud Infrastructure, such as creating instances, a VCN and its security rules, mount targets, and file systems.
Network security controls which instance IP addresses or CIDR blocks can connect to a mount target. It uses VCN security rules to allow or deny traffic to the mount target, and therefore access to every file system associated with it.
NFS export options apply access control on each file system export based on source IP address.
NFS v.3 Unix security controls what users can do on the instance, such as installing applications, creating directories, mounting external file systems by a local mount point, and reading and writing files.
| This security layer... | Uses these... | To control actions like... |
|---|---|---|
| Oracle Cloud Infrastructure (OCI) | OCI users and policies | Creating instances and VCNs. Creating, listing, and associating file systems and mount targets. |
| Network security | IP addresses, CIDR blocks, security rules | Connecting the client instance to the mount target. |
| NFS export options | File system exports, IP addresses, Unix users | Privileged source port connection, reading and writing files, and limiting root user access on a per-file system basis. |
| NFS v.3 Unix security | Unix users, file mode bits | Mounting file systems, reading and writing files. |
You create users and groups in Oracle Cloud Infrastructure. Then, you can use policies to specify which users and groups can create, access, or modify resources such as file systems, mount targets, and export options.
The network security layer lets you use VCN security rules to permit NFS traffic to the mount target only from specific IP addresses and CIDR blocks, restricting which hosts can connect at all. However, it works on an "all or nothing" basis: a client either can or cannot reach the mount target, and therefore either can or cannot reach every file system associated with it. See Working with NFS Export Options to apply granular controls on a per-file system basis.
File Storage service supports the AUTH_UNIX (also called AUTH_SYS) style of authentication and permission checking for remote NFS client requests. With AUTH_UNIX the server trusts the UID and GID that the client asserts, so any client allowed through the network and export-option layers can present any numeric identity; that is why limiting which clients can connect, and squashing root, matter. When mounting file systems, we recommend that you use the -nosuid option. This option makes the client ignore set-user-identifier and set-group-identifier bits on files in the mounted file system, so a remote user cannot gain higher privileges by running a setuid program stored there. For more information, see Mounting File Systems.
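One way to verify the -nosuid recommendation across every NFS mount on a client is to read /proc/mounts and flag NFS mounts whose option list lacks nosuid. The following is an added audit script, not code from the File Storage documentation or the service itself; the /proc/mounts sample lines, the mount target address 10.0.0.5 and the export paths are constructed placeholders. It tests option membership exactly (an option set, not a substring search) and handles mount points containing spaces, which the kernel escapes as \040.

```python
"""Audit an NFS client for mounts that lack the recommended nosuid option.

Added example, not code from the File Storage documentation. It reads the
/proc/mounts format (device, mount point, fs type, options, dump, pass) and
reports every NFS mount whose option list does not contain 'nosuid'. The
sample lines, the mount target address 10.0.0.5 and the export paths are
constructed placeholders.
"""
import shlex
from typing import Dict, List

NFS_FSTYPES = {"nfs", "nfs4"}

# Constructed /proc/mounts content: one correctly hardened NFS mount, one
# missing nosuid, and one missing nosuid whose mount point contains a space
# (the kernel writes it as \040).
SAMPLE_PROC_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
10.0.0.5:/fs-shared /mnt/shared nfs rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,hard,proto=tcp,sec=sys,mountaddr=10.0.0.5,mountvers=3,mountproto=tcp,local_lock=none,addr=10.0.0.5 0 0
10.0.0.5:/fs-apps /mnt/apps nfs rw,relatime,vers=3,rsize=1048576,wsize=1048576,hard,proto=tcp,sec=sys,mountaddr=10.0.0.5,mountvers=3,mountproto=tcp,local_lock=none,addr=10.0.0.5 0 0
10.0.0.5:/fs-home /mnt/home\\040dirs nfs rw,relatime,vers=3,proto=tcp,sec=sys,addr=10.0.0.5 0 0
"""


def parse_proc_mounts(text: str) -> List[Dict[str, object]]:
    """Split /proc/mounts lines into records. Options become a set so that
    membership tests are exact ('nosuid' is never confused with 'suid')."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, options = fields[:4]
        mounts.append({
            "device": device,
            "mountpoint": mountpoint.replace("\\040", " "),
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return mounts


def nfs_mounts_missing_nosuid(text: str) -> List[str]:
    """Mount points of NFS mounts on which setuid/setgid bits are still honoured."""
    return [m["mountpoint"] for m in parse_proc_mounts(text)
            if m["fstype"] in NFS_FSTYPES and "nosuid" not in m["options"]]


def remount_commands(text: str) -> List[str]:
    """Remount commands that add nosuid in place, one per offending mount.
    Mount points are shell-quoted because they may contain spaces."""
    return [f"sudo mount -o remount,nosuid {shlex.quote(mp)}"
            for mp in nfs_mounts_missing_nosuid(text)]


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            content = fh.read()
    except OSError:
        content = SAMPLE_PROC_MOUNTS  # not on Linux: fall back to the constructed sample
    for cmd in remount_commands(content):
        print(cmd)
```

Run on a client, it prints one remount command per NFS mount that still honours setuid bits; adding nosuid to the corresponding fstab entry makes the fix persist across reboots.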
Remember that users in UNIX aren’t the same as users in Oracle Cloud Infrastructure - they’re not linked or associated in any way. The Oracle Cloud Infrastructure policy layer doesn’t govern anything that happens inside the file system, the UNIX security layer does. Conversely, the UNIX security layer doesn’t govern creating file systems or mount targets in Oracle Cloud Infrastructure.
NFS export options apply access control at both the network security layer and the NFS v.3 Unix security layer. You can use them to limit access levels by the IP addresses or CIDR blocks connecting to the file systems exported through an associated mount target, on a per-export basis. Access can be restricted so that each client can reach only its own file system, while the other clients' file systems are both inaccessible and invisible to it, which supports a managed hosting environment in which several tenants share one mount target. You can also set each export to read-only or read/write, require a privileged source port, and squash root (or all users) to an anonymous UID/GID. See Working with NFS Export Options for more information.
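The multi-tenant scenario above is easier to reason about as an executable model. The following is an added example, not code from the File Storage service: it evaluates one client request against an export's option list using field names that mirror the API (source, access, identitySquash, anonymousUid, anonymousGid, requirePrivilegedSourcePort). The evaluation rules it encodes are assumptions stated in the code: entries are checked in list order and the first whose source CIDR contains the client address wins; a client matching no entry is denied; ROOT squash maps only UID/GID 0 to the anonymous IDs, ALL maps every identity; a required privileged source port means the client must connect from a port below 1024. The tenant subnets and exports are constructed.

```python
"""Model of how an NFS export option list gates a client request.

Added example, not the File Storage service's own code. Assumed semantics
(labelled in evaluate): first matching source entry wins, no match means
the client is denied, ROOT squash remaps only uid/gid 0, ALL remaps every
uid/gid, and a privileged source port is one below 1024.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ExportOption:
    """One entry of an export's option list (names mirror the API fields)."""
    source: str                          # client CIDR block this entry covers
    access: str = "READ_WRITE"           # "READ_WRITE" or "READ_ONLY"
    identity_squash: str = "NONE"        # "NONE", "ROOT" or "ALL"
    anonymous_uid: int = 65534
    anonymous_gid: int = 65534
    require_privileged_source_port: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    uid: Optional[int] = None            # identity the server acts as, if allowed
    gid: Optional[int] = None


def evaluate(options: List[ExportOption], client_ip: str, src_port: int,
             uid: int, gid: int, write: bool) -> Decision:
    """Apply an export's option list to one request from client_ip.

    Assumption: entries are tried in order and the first whose source
    contains client_ip decides; with no matching entry the client cannot
    see or mount the export at all.
    """
    addr = ipaddress.ip_address(client_ip)
    for opt in options:
        if addr not in ipaddress.ip_network(opt.source, strict=False):
            continue
        if opt.require_privileged_source_port and src_port >= 1024:
            return Decision(False, f"source port {src_port} is not privileged")
        if write and opt.access == "READ_ONLY":
            return Decision(False, f"{opt.source} is READ_ONLY")
        eff_uid, eff_gid = uid, gid
        if opt.identity_squash == "ALL":
            eff_uid, eff_gid = opt.anonymous_uid, opt.anonymous_gid
        elif opt.identity_squash == "ROOT":
            if uid == 0:
                eff_uid = opt.anonymous_uid
            if gid == 0:
                eff_gid = opt.anonymous_gid
        return Decision(True, f"matched {opt.source}", eff_uid, eff_gid)
    return Decision(False, "no export option matches this client")


# Constructed scenario: one mount target hosting two tenants' file systems.
# Each export lists only its own tenant's subnet, so the other tenant's
# clients match nothing (the export is invisible to them).
TENANT_A_EXPORT = [
    ExportOption("10.0.1.0/24", access="READ_WRITE", identity_squash="ROOT",
                 require_privileged_source_port=True),
]
TENANT_B_EXPORT = [
    ExportOption("10.0.2.0/24", access="READ_ONLY", identity_squash="ALL"),
]


if __name__ == "__main__":
    cases = [
        ("A client writes as root",      TENANT_A_EXPORT, "10.0.1.7", 800,   0,    0,    True),
        ("A client, unprivileged port",  TENANT_A_EXPORT, "10.0.1.7", 40000, 1000, 1000, False),
        ("A client tries B's export",    TENANT_B_EXPORT, "10.0.1.7", 800,   1000, 1000, False),
        ("B client writes",              TENANT_B_EXPORT, "10.0.2.9", 800,   1000, 1000, True),
        ("B client reads",               TENANT_B_EXPORT, "10.0.2.9", 800,   1000, 1000, False),
    ]
    for label, export, ip, port, uid, gid, write in cases:
        d = evaluate(export, ip, port, uid, gid, write)
        print(f"{label:30} -> allowed={d.allowed} uid={d.uid} gid={d.gid} ({d.reason})")
```

The two squash settings show the practical difference: with ROOT squash a tenant's root user is demoted to the anonymous identity but ordinary users keep their UIDs, whereas ALL squash collapses every client identity, which is appropriate for a read-only export where per-user ownership does not matter.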
The Oracle Cloud Infrastructure File Storage service always encrypts all file systems at rest. By default, all file systems are encrypted using Oracle-provided encryption keys.
You have the option to encrypt your file systems using keys that you own and manage in the Key Management service. For more information, see Overview of Key Management. If you do not configure a file system to use the Key Management service, or you later unassign a key from the file system, the File Storage service falls back to the Oracle-provided encryption key. For how to use your own key for new file systems, see Creating File Systems. See To assign a key to a file system for instructions on assigning or changing the key for an existing file system.