Security checklist

Use the following checklist when planning the security configuration for a production, distributed AIStor Server.

Required steps

1. Define group policies either on AIStor or on the selected third-party Identity Provider (LDAP/Active Directory or OpenID).
2. Define individual access policies on AIStor or on the selected third-party Identity Provider.
3. Configure AIStor to use the selected third-party Identity Provider.
4. Grant firewall access for TCP traffic to the Object Store S3 API listen port (default: 9000).
5. Grant firewall access for TCP traffic to the AIStor Server console port (recommended default: 9443).

Encryption-at-Rest

AIStor Object Store supports Server-Side Encryption using AIStor Key Manager:

1. Download and install AIStor Key Manager.
2. Connect the Object Store to Key Manager.
3. Enable server-side encryption on a bucket using mc encrypt set.

AIStor Server supports the following external KMS providers through the AIStor Key Encryption Service (KES).

Encryption-in-Transit (“in flight”)

1. Enable TLS.
2. Add separate certificates and keys for each internal and external domain that accesses AIStor.
3. Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2.
4. Configure trusted Certificate Authority (CA) store(s).
5. Expose your Kubernetes service, such as with NGINX.
6. (Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder
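The certificate steps above (one certificate covering each domain that reaches the server, a key usable with TLS 1.2 and 1.3, and the optional certificate validation) as an added Go example; it is not part of this checklist or of MinIO's own certgen tooling. It assumes AIStor loads public.crt and private.key from its certs directory as MinIO does, and issues a self-signed certificate so that it runs stand-alone; in production the same key would back a CSR sent to your CA.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// GenerateCert returns PEM for public.crt and private.key (the file names MinIO loads from its
// certs directory; assumed the same for AIStor) covering every name in hosts. Self-signed here.
func GenerateCert(hosts []string, validFor time.Duration) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 suits TLS 1.2 and 1.3
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := x509.Certificate{
		SerialNumber: serial,
		DNSNames:     hosts, // one SAN per internal/external domain that reaches the server
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // write private.key with mode 0600
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// CheckCert is an offline form of the optional validation step: trust store, expiry and host name.
func CheckCert(certPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // self-signed: the certificate is its own trust anchor
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

CheckCert fails on a host name absent from the SAN list and on an expired certificate, which are the two findings the online checker would also report.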
All rights reserved 2024-Present, MinIO, Inc.