Security checklist
Use the following checklist when planning the security configuration for a production, distributed AIStor Server.
Required steps
| Step | |
|---|---|
| ☐ | Define group policies either on AIStor or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID). |
| ☐ | Define individual access policies on AIStor or the selected 3rd party Identity Provider. |
| ☐ | Configure AIStor to use the selected 3rd party Identity Provider. |
| ☐ | Grant firewall access for TCP traffic to the Object Store S3 API Listen Port (Default: 9000). |
| ☐ | Grant firewall access for TCP traffic to the AIStor Server console port (Recommended Default: 9443). |
Encryption-at-Rest
AIStor Object Store supports Server-Side Encryption using AIStor Key Manager:
| Step | |
|---|---|
| ☐ | Download and install AIStor Key Manager |
| ☐ | Connect the Object Store to Key Manager |
| ☐ | Enable server side encryption on a bucket using mc encrypt set |
AIStor Server supports the following external KMS providers through the AIStor Key Encryption Service (KES).
- AWS Secrets Manager
- Azure KeyVault
- Entrust KeyControl
- Fortanix SDKMS
- Google Cloud Secret Manager
- HashiCorp Vault
- Thales CipherTrust Manager (formerly Gemalto KeySecure)
Encryption-in-Transit (“in flight”)
| Step | |
|---|---|
| ☐ | Enable TLS |
| ☐ | Add separate certificates and keys for each internal and external domain that accesses AIStor |
| ☐ | Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2 |
| ☐ | Configure trusted Certificate Authority (CA) store(s) |
| ☐ | Expose your Kubernetes service, such as with NGINX |
| ☐ | (Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder |