Security for S3 or Swift clients
StorageGRID tenant accounts use S3 or Swift client applications to save object data to StorageGRID. You should review the security measures implemented for client applications.
Summary
The following table summarizes how security is implemented for the S3 and Swift REST APIs:
Security issue | Implementation for REST API |
---|---|
Connection security |
TLS |
Server authentication |
X.509 server certificate signed by system CA or custom server certificate supplied by administrator |
Client authentication |
|
Client authorization |
|
How StorageGRID provides security for client applications
S3 and Swift client applications can connect to the Load Balancer service on Gateway Nodes or Admin Nodes or directly to Storage Nodes.
-
Clients that connect to the Load Balancer service can use HTTPS or HTTP, based on how you configure the load balancer endpoint.
HTTPS provides secure, TLS-encrypted communication and is recommended. You must attach a security certificate to the endpoint.
HTTP provides less secure, unencrypted communication and should only be used for non-production or test grids.
-
Clients that connect to Storage Nodes can also use HTTPS or HTTP.
HTTPS is the default and is recommended.
HTTP provides less secure, unencrypted communication but can be optionally enabled for non-production or test grids.
-
Communications between StorageGRID and the client are encrypted using TLS.
-
Communications between the Load Balancer service and Storage Nodes within the grid are encrypted whether the load balancer endpoint is configured to accept HTTP or HTTPS connections.
-
Clients must supply HTTP authentication headers to StorageGRID to perform REST API operations. See Authenticate requests and Supported Swift API endpoints.
Security certificates and client applications
In all cases, client applications can make TLS connections using either a custom server certificate uploaded by the grid administrator or a certificate generated by the StorageGRID system:
-
When client applications connect to the Load Balancer service, they use the certificate that was configured for the load balancer endpoint. Each load balancer endpoint has its own certificate—either a custom server certificate uploaded by the grid administrator or a certificate that the grid administrator generated in StorageGRID when configuring the endpoint.
-
When client applications connect directly to a Storage Node, they use either the system-generated server certificates that were generated for Storage Nodes when the StorageGRID system was installed (which are signed by the system certificate authority), or a single custom server certificate that is supplied for the grid by a grid administrator. See add a custom S3 or Swift API certificate.
Clients should be configured to trust the certificate authority that signed whichever certificate they use to establish TLS connections.
Supported hashing and encryption algorithms for TLS libraries
The StorageGRID system supports a set of cipher suites that client applications can use when establishing a TLS session. To configure ciphers, go to CONFIGURATION > Security > Security settings and select TLS and SSH policies.
Supported versions of TLS
StorageGRID supports TLS 1.2 and TLS 1.3.
SSLv3 and TLS 1.1 (or earlier versions) are no longer supported. |