Security checklist

Use the following checklist when planning the security configuration for a production, distributed AIStor Server.

Required steps

Identity and access management

| Step | Details |
| --- | --- |
| Group policies | Define group policies either on MinIO AIStor or on the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID Connect) |
| Individual access policies | Define individual access policies on MinIO AIStor or on the selected 3rd party Identity Provider |
| Identity provider configuration | Configure MinIO AIStor to use the selected 3rd party Identity Provider |

Firewall access

| Port | Details |
| --- | --- |
| S3 API listen port | Grant firewall access for TCP traffic to the Object Store S3 API listen port (default: 9000) |
| Console port | Grant firewall access for TCP traffic to the AIStor Server console port (recommended default: 9443) |

Encryption-at-rest

MinIO AIStor supports Server-Side Encryption using MinIO KMS:

| Step | Details |
| --- | --- |
| Install MinIO KMS | Download and install MinIO KMS |
| Connect to MinIO KMS | Connect the Object Store to MinIO KMS |
| Enable encryption | Enable server-side encryption on a bucket using `mc encrypt set` |

AIStor Server supports the following external KMS providers through the MinIO AIStor Key Encryption Service (KES).

Encryption-in-transit (“in flight”)

TLS configuration

| Step | Details |
| --- | --- |
| Enable TLS | Enable TLS for all MinIO AIStor traffic |
| Certificate placement | Configure certificate placement on each node |
| Domain certificates | Add separate certificates and keys for each internal and external domain that accesses MinIO AIStor |
| Key generation | Generate public and private TLS keys using a cipher supported for TLS 1.3 or TLS 1.2 |
| Trusted CA stores | Configure trusted Certificate Authority (CA) store(s) |
| Kubernetes service | Expose your Kubernetes service, for example with NGINX |
| Validate certificates | After configuring TLS, validate your certificates using a tool such as SSL Certificate Decoder |
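The key-generation, certificate-placement, trusted-CA and validation rows above can be rehearsed locally before touching a production node. The following script is an added example, not part of the AIStor documentation or the MinIO tooling: it creates a private CA, issues one certificate per domain with a matching Subject Alternative Name, places the files in the `public.crt` / `private.key` / `CAs/` layout that MinIO servers read (assumed to apply to AIStor as well), and then runs the checks a certificate decoder would report: chain validity, expiry window, SAN match, and that the private key belongs to the certificate. Hostnames and directories are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not AIStor's own code). Requires openssl 1.1.1 or newer.
# Assumed layout per node: <dir>/public.crt, <dir>/private.key, <dir>/CAs/*.crt
set -u

# Create a private CA (key + self-signed cert) under $1.
make_ca() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# Issue a certificate for domain $2, signed by the CA in $1, into $3.
# One call per internal or external domain; SAN is what clients check.
issue_cert() {
  local cadir="$1" domain="$2" out="$3"
  mkdir -p "$out" "$out/CAs"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out/private.key" -out "$out/req.csr" \
    -subj "/CN=$domain" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$domain" > "$out/san.ext"
  openssl x509 -req -in "$out/req.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$out/san.ext" \
    -out "$out/public.crt" >/dev/null 2>&1
  cp "$cadir/ca.crt" "$out/CAs/"          # trusted CA store beside the server cert
  chmod 600 "$out/private.key"            # the key must not be world-readable
  rm -f "$out/req.csr" "$out/san.ext"
}

# Validate the material in $1 for domain $2. Prints "ok" or the failing check.
check_cert() {
  local dir="$1" domain="$2"
  # 1. Chain: the server cert must verify against the configured CA store.
  openssl verify -CAfile "$dir/CAs/ca.crt" "$dir/public.crt" >/dev/null 2>&1 \
    || { echo "chain"; return 1; }
  # 2. Expiry: fail if the cert expires within 30 days (2592000 s).
  openssl x509 -in "$dir/public.crt" -noout -checkend 2592000 >/dev/null \
    || { echo "expiring"; return 1; }
  # 3. SAN: the domain clients connect to must be listed.
  openssl x509 -in "$dir/public.crt" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$domain" || { echo "san"; return 1; }
  # 4. Key/cert match: compare the public key derived from each file.
  [ "$(openssl x509 -in "$dir/public.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/private.key" -pubout 2>/dev/null)" ] \
    || { echo "keymismatch"; return 1; }
  echo ok
}

# Demo run (only when invoked with "demo"): one CA, two domains, validate both.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_ca "$work/ca"
  issue_cert "$work/ca" minio.example.internal "$work/node1"
  issue_cert "$work/ca" s3.example.com        "$work/node1-external"
  echo "internal: $(check_cert "$work/node1" minio.example.internal)"
  echo "external: $(check_cert "$work/node1-external" s3.example.com)"
  echo "wrong name: $(check_cert "$work/node1" s3.example.com)"
fi
```

Run it with `bash script.sh demo` to see both domains validate and the cross-domain check fail on the SAN step. In production the same four checks apply to CA-issued certificates; only the issuing step changes.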