
Security for S3 clients

Contributors netapp-lhalbert

StorageGRID tenant accounts use S3 client applications to save object data to StorageGRID. You should review the security measures implemented for client applications.

Summary

The following list summarizes how security is implemented for the S3 REST API:

  • Connection security: TLS

  • Server authentication: X.509 server certificate signed by system CA or custom server certificate supplied by administrator

  • Client authentication: S3 account access key ID and secret access key

  • Client authorization: Bucket ownership and all applicable access control policies

How StorageGRID provides security for client applications

S3 client applications can connect to the Load Balancer service on Gateway Nodes or Admin Nodes or directly to Storage Nodes.

  • Clients that connect to the Load Balancer service can use HTTPS or HTTP, based on how you configure the load balancer endpoint.

    HTTPS provides secure, TLS-encrypted communication and is recommended. You must attach a security certificate to the endpoint.

    HTTP provides less secure, unencrypted communication and should only be used for non-production or test grids.

  • Clients that connect to Storage Nodes can also use HTTPS or HTTP.

    HTTPS is the default and is recommended.

    HTTP provides less secure, unencrypted communication but can be optionally enabled for non-production or test grids.

  • Communications between StorageGRID and the client are encrypted using TLS.

  • Communications between the Load Balancer service and Storage Nodes within the grid are encrypted whether the load balancer endpoint is configured to accept HTTP or HTTPS connections.

  • Clients must supply HTTP authentication headers to StorageGRID to perform REST API operations.

Security certificates and client applications

In all cases, client applications can make TLS connections using either a custom server certificate uploaded by the grid administrator or a certificate generated by the StorageGRID system:

  • When client applications connect to the Load Balancer service, they use the certificate that was configured for the load balancer endpoint. Each load balancer endpoint has its own certificate—either a custom server certificate uploaded by the grid administrator or a certificate that the grid administrator generated in StorageGRID when configuring the endpoint.

  • When client applications connect directly to a Storage Node, they use either the system-generated server certificates that were generated for Storage Nodes when the StorageGRID system was installed (which are signed by the system certificate authority), or a single custom server certificate that is supplied for the grid by a grid administrator. See add a custom S3 API certificate.

Clients should be configured to trust the certificate authority that signed whichever certificate they use to establish TLS connections.

Supported hashing and encryption algorithms for TLS libraries

The StorageGRID system supports a set of cipher suites that client applications can use when establishing a TLS session. To configure ciphers, go to CONFIGURATION > Security > Security settings and select TLS and SSH policies.

Supported versions of TLS

StorageGRID supports TLS 1.2 and TLS 1.3.

Note: SSLv3 and TLS 1.1 (or earlier versions) are no longer supported.
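
The following Python example is added here and is not NetApp or StorageGRID code. It shows a client-side TLS configuration that matches the requirements above: trust only the CA that signed the certificate in use, accept only TLS 1.2 and TLS 1.3, and refuse plain HTTP endpoints unless explicitly allowed. The function names, the `ca_bundle` path and the host names are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit


def build_grid_tls_context(ca_bundle=None):
    """TLS client context limited to the versions StorageGRID supports.

    ca_bundle: PEM file holding the CA that signed the endpoint or
    Storage Node certificate (hypothetical path supplied by the caller).
    With None, the operating system trust store is used instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3, TLS 1.0 or TLS 1.1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)  # trust only this CA
    else:
        ctx.load_default_certs()
    return ctx


def parse_endpoint(url, allow_http=False):
    """Return (host, port, is_tls) for an S3 endpoint URL.

    Plain HTTP is refused unless allow_http is set, which the page
    reserves for non-production or test grids.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        raise ValueError(f"not an S3 endpoint URL: {url!r}")
    if parts.scheme == "http" and not allow_http:
        raise ValueError(f"refusing unencrypted endpoint: {url!r}")
    is_tls = parts.scheme == "https"
    return parts.hostname, parts.port or (443 if is_tls else 80), is_tls


def negotiated_tls(url, ca_bundle=None, timeout=5.0):
    """Connect to an HTTPS endpoint and return (tls_version, cipher_name).

    Raises ssl.SSLCertVerificationError if the certificate does not chain
    to a trusted CA or does not match the host name.
    """
    host, port, _ = parse_endpoint(url)  # rejects http:// by default
    ctx = build_grid_tls_context(ca_bundle)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

Calling `negotiated_tls` against a load balancer endpoint or Storage Node confirms which TLS version and cipher suite the current TLS and SSH policy actually negotiates with this client.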