# Security checklist

Use the following checklist when planning the security configuration of a production, distributed AIStor Server deployment.
## Required steps

| Done | Step |
|---|---|
| ☐ | Define group policies, either on AIStor or on the selected third-party Identity Provider (LDAP/Active Directory or OpenID). |
| ☐ | Define individual access policies on AIStor or on the selected third-party Identity Provider. |
| ☐ | Configure AIStor to use the selected third-party Identity Provider. |
| ☐ | Grant firewall access for TCP traffic to the Object Store S3 API listen port (default: `9000`). |
| ☐ | Grant firewall access for TCP traffic to the AIStor Server console port (recommended default: `9443`). |
## Encryption-at-Rest

AIStor Object Store supports server-side encryption using AIStor Key Manager:

| Done | Step |
|---|---|
| ☐ | Download and install AIStor Key Manager. |
| ☐ | Connect the Object Store to Key Manager. |
| ☐ | Enable server-side encryption on a bucket using `mc encrypt set`. |
AIStor Server also supports the following external KMS providers through the AIStor Key Encryption Service (KES):
- AWS Secrets Manager
- Azure KeyVault
- Entrust KeyControl
- Fortanix SDKMS
- Google Cloud Secret Manager
- HashiCorp Vault
- Thales CipherTrust Manager (formerly Gemalto KeySecure)
## Encryption-in-Transit (“in flight”)

| Done | Step |
|---|---|
| ☐ | Enable TLS. |
| ☐ | Add separate certificates and keys for each internal and external domain that accesses AIStor. |
| ☐ | Generate the public and private TLS keys using a cipher supported for TLS 1.3 or TLS 1.2. |
| ☐ | Configure the trusted Certificate Authority (CA) store(s). |
| ☐ | Expose the Kubernetes service, for example through an NGINX ingress. |
| ☐ | (Optional) Validate the certificates, for example with https://www.sslchecker.com/certdecoder. |
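As an added example for the TLS steps above (not AIStor's own tooling), the following Python audit checks a deployment's certificate against the listed domains and its expiry, and can perform the live check over TLS 1.2+ against a trusted CA store using only the standard library, so the certificate never has to be pasted into a third-party web decoder. The domain names, port and CA path are assumed sample values.

```python
import socket
import ssl
import time
from typing import List, Optional

# Domains this deployment is expected to serve (constructed sample values).
EXPECTED_DOMAINS = ["s3.example.internal", "console.example.internal"]


def _san_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN entry against a hostname; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def audit_peer_cert(cert: dict, domains: List[str], now: Optional[float] = None,
                    min_days: int = 30) -> List[str]:
    """Return checklist findings for a certificate dict shaped like ssl.SSLSocket.getpeercert()."""
    findings = []
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parsed as UTC
    if not_after <= now:
        findings.append("certificate has expired")
    elif not_after - now < min_days * 86400:
        findings.append(f"certificate expires in under {min_days} days")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        findings.append("no DNS subjectAltName entries; modern clients will reject the certificate")
    # Every internal and external domain must be covered by its own SAN entry.
    for domain in domains:
        if not any(_san_matches(san, domain) for san in sans):
            findings.append(f"{domain} is not covered by subjectAltName")
    return findings


def audit_endpoint(host: str, port: int = 9000, ca_path: Optional[str] = None) -> List[str]:
    """Live check: connect with TLS 1.2 or newer, verify the chain against the CA store, audit the cert."""
    ctx = ssl.create_default_context(cafile=ca_path)  # system trust store when ca_path is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse TLS 1.0 and 1.1 outright
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            findings = [f"negotiated {tls.version()} with cipher {tls.cipher()[0]}"]
            return findings + audit_peer_cert(tls.getpeercert(), [host])
```

Run `audit_endpoint("s3.example.internal", 9000, "/path/to/ca.pem")` once per listed domain; an empty findings list beyond the negotiated-version line means the certificate step passes for that domain.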