Which solution will meet these requirements?
Create an Active Directory Connector to connect to the Active Directory. Map the Active Directory groups to IAM groups to restrict access.
Assign a tag with a Restrict tag key and a Compliance tag value. Map the Active Directory groups to IAM groups to restrict access.
Create an IAM service-linked role that is linked directly to FSx for Windows File Server to restrict access.
Join the file system to the Active Directory to restrict access.
Explanations:
While an Active Directory Connector allows AWS resources to connect to an on-premises AD, mapping AD groups to IAM groups does not restrict access to FSx for Windows File Server, which relies on native AD for file share permissions. IAM roles are not used for SMB-based file access.
Tags (such as Restrict and Compliance) cannot be used to manage access to SMB file shares on FSx for Windows File Server. Access control is based on Active Directory groups and permissions, not tags or IAM groups.
IAM roles and service-linked roles are used for AWS resource permissions but do not control SMB file access on FSx for Windows File Server. SMB file access must be managed through Active Directory integration.
FSx for Windows File Server must be joined to an Active Directory to use AD-based access control for SMB shares. This solution allows the on-premises AD groups to control access to files and folders on the FSx file system after migration.