Security for S3 or Swift clients

09/26/2023 Contributors

StorageGRID tenant accounts use S3 or Swift client applications to save object data to StorageGRID. You should review the security measures implemented for client applications.

Summary

The following table summarizes how security is implemented for the S3 and Swift REST APIs:

Security issue	Implementation for REST API
Connection security	TLS
Server authentication	X.509 server certificate signed by system CA or custom server certificate supplied by administrator
Client authentication	S3 S3 account (access key ID and secret access key) Swift Swift account (user name and password)
Client authorization	S3 Bucket ownership and all applicable access control policies Swift Administrator role access

Security issue

Implementation for REST API

Connection security

TLS

Server authentication

X.509 server certificate signed by system CA or custom server certificate supplied by administrator

Client authentication

S3: S3 account (access key ID and secret access key)
Swift: Swift account (user name and password)

Client authorization

S3: Bucket ownership and all applicable access control policies
Swift: Administrator role access

How StorageGRID provides security for client applications

S3 and Swift client applications can connect to the Load Balancer service on Gateway Nodes or Admin Nodes or directly to Storage Nodes.

Clients that connect to the Load Balancer service can use HTTPS or HTTP, based on how you configure the load balancer endpoint.

HTTPS provides secure, TLS-encrypted communication and is recommended. You must attach a security certificate to the endpoint.

HTTP provides less secure, unencrypted communication and should only be used for non-production or test grids.
Clients that connect to Storage Nodes can also use HTTPS or HTTP.

HTTPS is the default and is recommended.

HTTP provides less secure, unencrypted communication but can be optionally enabled for non-production or test grids.
Communications between StorageGRID and the client are encrypted using TLS.
Communications between the Load Balancer service and Storage Nodes within the grid are encrypted whether the load balancer endpoint is configured to accept HTTP or HTTPS connections.
Clients must supply HTTP authentication headers to StorageGRID to perform REST API operations. See Authenticate requests and Supported Swift API endpoints.

Security certificates and client applications

In all cases, client applications can make TLS connections using either a custom server certificate uploaded by the grid administrator or a certificate generated by the StorageGRID system:

When client applications connect to the Load Balancer service, they use the certificate that was configured for the load balancer endpoint. Each load balancer endpoint has its own certificate—either a custom server certificate uploaded by the grid administrator or a certificate that the grid administrator generated in StorageGRID when configuring the endpoint.

See Considerations for load balancing.
When client applications connect directly to a Storage Node, they use either the system-generated server certificates that were generated for Storage Nodes when the StorageGRID system was installed (which are signed by the system certificate authority), or a single custom server certificate that is supplied for the grid by a grid administrator. See add a custom S3 or Swift API certificate.

Clients should be configured to trust the certificate authority that signed whichever certificate they use to establish TLS connections.

Supported hashing and encryption algorithms for TLS libraries

The StorageGRID system supports a set of cipher suites that client applications can use when establishing a TLS session. To configure ciphers, go to CONFIGURATION > Security > Security settings and select TLS and SSH policies.

Supported versions of TLS

StorageGRID supports TLS 1.2 and TLS 1.3.

SSLv3 and TLS 1.1 (or earlier versions) are no longer supported.