Overview

Object Storage security covers proxy-layer communication security, temporary URL key management, audit logging, and governance of cross-project container sharing. This guide describes the key hardening areas for platform administrators.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

Hardening Guidelines

TLS enforcement on proxy nodes

All proxy-server endpoints must use TLS:
  • Configure the proxy-server with SSL certificates issued through Xloud Key Manager
  • Disable plain HTTP access at the load balancer frontend — redirect all port 80 traffic to 443
  • Set HSTS headers in the proxy pipeline:
    strict-transport-security: max-age=31536000
    
  • Rotate TLS certificates 30 days before expiration using an automated renewal workflow
  • Verify TLS configuration after every certificate rotation:
    Verify TLS certificate on proxy endpoint
    openssl s_client -connect <proxy-ip>:443 -servername <proxy-hostname> < /dev/null
    
Temporary URLs are signed with an account-level key. Compromise of this key allows generation of arbitrary temporary URLs for all objects in the account:
  • Use randomly generated keys of at least 32 bytes
  • Rotate the Temp-URL-Key quarterly:
    Rotate temp URL signing key
    openstack object store account set \
      --property Temp-URL-Key=$(openssl rand -hex 32)
    
  • Set Temp-URL-Key-2 as a secondary key during rotation to avoid invalidating existing in-flight URLs immediately:
    Set secondary temp URL key for rotation overlap
    openstack object store account set \
      --property Temp-URL-Key-2=$(openssl rand -hex 32)
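
Added example (not part of the Xloud documentation): a Python model of how a temporary URL signature is checked against both account keys, showing why placing the new key in Temp-URL-Key-2 keeps in-flight URLs valid until the old key is replaced. It assumes the upstream OpenStack Swift tempurl signing format (HMAC over method, expiry and path, here with SHA-256); the keys, path and timestamps are constructed sample values.

```python
import hashlib
import hmac

def sign(key: bytes, method: str, expires: int, path: str) -> str:
    """HMAC-SHA256 over "METHOD\\nEXPIRES\\nPATH", hex-encoded."""
    msg = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def validate(account_keys, method, expires, path, sig, now):
    """Return the name of the account key that verifies sig, or None."""
    if expires <= now:
        return None
    for name in ("Temp-URL-Key", "Temp-URL-Key-2"):
        key = account_keys.get(name)
        if key and hmac.compare_digest(sign(key, method, expires, path), sig):
            return name
    return None

def rotation_demo():
    # Constructed sample keys; real ones come from `openssl rand -hex 32`.
    old_key, new_key, next_key = b"a1" * 32, b"b2" * 32, b"c3" * 32
    path = "/v1/AUTH_demo/backups/db.tar.gz"  # hypothetical object path
    now, expires = 1_700_000_000, 1_700_003_600
    in_flight = sign(old_key, "GET", expires, path)  # issued before rotation
    fresh = sign(new_key, "GET", expires, path)      # issued after rotation
    results = {}
    # Overlap window: new key sits in Temp-URL-Key-2, old key is still primary.
    keys = {"Temp-URL-Key": old_key, "Temp-URL-Key-2": new_key}
    results["overlap_old_url"] = validate(keys, "GET", expires, path, in_flight, now)
    results["overlap_new_url"] = validate(keys, "GET", expires, path, fresh, now)
    # Old key replaced once the longest-lived issued URL has expired.
    keys = {"Temp-URL-Key": next_key, "Temp-URL-Key-2": new_key}
    results["retired_old_url"] = validate(keys, "GET", expires, path, in_flight, now)
    results["retired_new_url"] = validate(keys, "GET", expires, path, fresh, now)
    # The signature is bound to the HTTP method and to the expiry time.
    results["wrong_method"] = validate(keys, "PUT", expires, path, fresh, now)
    results["expired"] = validate(keys, "GET", expires, path, fresh, expires + 1)
    return results

if __name__ == "__main__":
    for case, key_name in rotation_demo().items():
        print(f"{case:18} -> {key_name or 'rejected'}")
```
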
    
The proxy-server logs every API request including the authenticated user, container, object path, HTTP method, and response code. Configure log forwarding with:
  • 90-day minimum retention for compliance frameworks
  • Alerting on unusual patterns:
    • Mass object deletions
    • Access from unexpected source IPs
    • Spike in 4xx errors indicating credential scanning
  • Storage of logs in a separate protected container — restrict write access to the proxy log-shipping service account only

Cross-project container sharing via ACLs requires careful governance:
  • Audit all containers with non-empty read or write ACLs quarterly:
    Find containers with ACLs (admin)
    openstack container list --all-projects --long
    
  • Require documented business justification for any cross-project ACL
  • Immediately revoke ACLs for decommissioned projects
  • Never grant write ACLs to external user IDs — use dedicated service accounts traceable to a specific application

Security Checklist

| Control | Frequency | Command |
| --- | --- | --- |
| TLS certificate valid | Ongoing | openssl s_client -connect <proxy>:443 |
| TLS certificate rotation | 30 days before expiry | Key Manager renewal workflow |
| Temp URL key rotation | Quarterly | account set --property Temp-URL-Key=... |
| Cross-project ACL audit | Quarterly | container list --all-projects --long |
| Audit log retention review | Annually | Verify 90-day minimum |

Next Steps

  • Quotas: Enforce per-account and per-container storage limits
  • Monitoring: Set up cluster health and access pattern monitoring
  • Key Manager Admin Guide: Manage TLS certificates used by proxy nodes
  • Admin Troubleshooting: Diagnose security-related access errors