docs/source/operations/checklists/security.rst

Security Checklist

minio

Table of Contents

Use the following checklist when planning the security configuration for a production, distributed MinIO deployment.

Required Steps

circle	Define group policies either on MinIO or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID)
circle	Define individual access policies on MinIO or the selected 3rd party Identity Provider
circle	(For Kubernetes deployments only) Configure the tenant(s) to use the selected 3rd party Identity Provider
circle	Grant firewall access for TCP traffic to the MinIO Server S3 API Listen Port (Default: 9000).
circle	Grant firewall access for TCP traffic to the MinIO Server Console Listen Port <minio-console-port-assignment> (Recommended Default: 9090).

Encryption-at-Rest <minio-sse>

MinIO supports the following external KMS providers through Key Encryption Service (KES):

• Hashicorp Vault Root KMS <minio-sse-vault>
• AWS Root KMS <minio-sse-aws>
• Google Cloud Platform Secret Manager Root KMS <minio-sse-gcp>
• Azure Key Vault Root KMS <minio-sse-azure>

circle	Download and install the MinIO Key Encryption Service (KES)
circle	Enable TLS
circle	Generate private and public keys for KES
circle	Generate private and public keys for MinIO
circle	Create a KES configuration file and start the service
circle	Generate an external key for the key management service (KMS)
circle	Connect MinIO to the KES
circle	Enable server side encryption

Encryption-in-Transit ("In flight") <minio-tls>

circle	Enable TLS <minio-tls>
circle	Add separate certificates and keys for each internal and external domain that accesses MinIO
circle	Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2
circle	Configure trusted Certificate Authority (CA) store(s)
circle	Expose your Kubernetes service, such as with NGINX
circle	(Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder