COS Overview and Requirements
CipherTrust Transparent Encryption for Cloud Object Storage (CTE COS) is an object storage service that you can use to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. CTE COS provides management features so you can organize your data and configure finely-tuned access controls to meet your specific business, organizational, and compliance requirements.
CTE COS for Amazon Simple Storage Service (CTE COS S3) is an extension to CTE for inline encryption and local host access controls involving applications performing REST-API-based operations to S3 object stores.
CTE COS S3 is not a replacement for AWS IAM access controls which are enforced independently at the AWS server end.
The following diagram shows the high-level CTE COS S3 architecture:
Supported operations
- CTE COS S3 processes only AWS S3 REST HTTPS calls issued by applications. The interception is done by a bundled TLS proxy with additional CTE services.
- CTE's traditional access controls and inline encryption are transparently applied during the following operations:
  - Create a bucket
  - Write an object
  - Read an object
  - Delete an object
  - List objects
Limitations
- CTE COS S3 is supported only on RHEL 8 and RHEL 9.
- Only REST-API-based, S3-protocol-aware applications are supported.
- Only locally generated self-signed COS Proxy CA certificates are supported.
- AWS S3 URL path validations are not currently implemented. CTE COS S3 requires that the user specify the correct URLs for bucket paths.
- CTE COS S3 permits only AES CBC-CS1 encryption. Encrypted files in protected buckets therefore carry the 4K embedded header used in CTE's AES CBC-CS1 encryption, prepended to the object data. The key manager enforces the use of AES CBC-CS1 keys within S3 bucket policies.
Multi-part Upload Restrictions
- All upload operations for a multi-part upload must be conducted from the same host.
- The maximum upload size is 5 TB.
- Part sizes during uploads must be identical. Part numbering must be in sequence starting with 1 (for example 1, 2, 3, 4, ...), not 10, 20, 30, and so on.
- The part size specified in CTE S3's AWS credential file must match the part size specified within the application.
- Thales recommends that the Content-MD5 header be included in the request message.
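The restrictions above are easy to get wrong in application code, so here is an added example (not code from the page or from Thales) that plans a multi-part upload the way the list requires: every part the same size, part numbers running 1, 2, 3, ... in order, a Content-MD5 header computed per part, and the application's part size checked against the value from the credential file before anything is sent. The credential-file part size is a constructed value here (the page does not show that file's format), and treating a shorter final remainder part as acceptable is an assumption, since the page only states that part sizes must be identical. The sample payload and tiny part size exist only so the example runs offline.

```python
import base64
import hashlib

# Constructed sample value standing in for the part size held in the CTE S3 AWS
# credential file. Only the requirement that it match the application is on the page.
CONFIGURED_PART_SIZE = 4

MAX_UPLOAD_BYTES = 5 * 1024 ** 4  # 5 TB upload limit stated on the page


def content_md5(data: bytes) -> str:
    """Value for the Content-MD5 header: base64 of the raw (binary) MD5 digest."""
    # MD5 here is a transport integrity check on the part body, not a security primitive.
    digest = hashlib.md5(data, usedforsecurity=False).digest()
    return base64.b64encode(digest).decode("ascii")


def plan_multipart_upload(payload: bytes, part_size: int,
                          configured_part_size: int = CONFIGURED_PART_SIZE) -> list[dict]:
    """Split payload into equal-size parts numbered 1..n, each with its Content-MD5 header."""
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    if part_size != configured_part_size:
        raise ValueError(f"application part size {part_size} does not match "
                         f"credential-file part size {configured_part_size}")
    if len(payload) > MAX_UPLOAD_BYTES:
        raise ValueError("payload exceeds the 5 TB upload limit")

    parts = []
    for number, offset in enumerate(range(0, len(payload), part_size), start=1):
        body = payload[offset:offset + part_size]
        parts.append({
            "PartNumber": number,           # sequential, starting at 1
            "Body": body,
            "Headers": {"Content-MD5": content_md5(body)},
        })
    return parts


def validate_part_sequence(parts: list[dict]) -> bool:
    """Reject a plan that breaks the ordering, sizing or integrity rules; True if it passes."""
    numbers = [p["PartNumber"] for p in parts]
    if numbers != list(range(1, len(parts) + 1)):
        raise ValueError(f"part numbers must be 1..n in order, got {numbers}")

    # Assumption: only the final part may be shorter (the remainder); all others are identical.
    sizes = {len(p["Body"]) for p in parts[:-1]}
    if len(sizes) > 1:
        raise ValueError(f"part sizes differ: {sorted(sizes)}")
    if parts and len(parts[-1]["Body"]) > next(iter(sizes), len(parts[-1]["Body"])):
        raise ValueError("final part is larger than the preceding parts")

    for p in parts:
        if p["Headers"].get("Content-MD5") != content_md5(p["Body"]):
            raise ValueError(f"Content-MD5 mismatch on part {p['PartNumber']}")
    return True


def is_rejected(func, *args, **kwargs) -> bool:
    """True when the call raises ValueError, i.e. the plan was refused."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payload, split into 4-byte parts purely to keep the demo small.
    plan = plan_multipart_upload(b"hello world", part_size=4)
    validate_part_sequence(plan)
    for part in plan:
        print(part["PartNumber"], len(part["Body"]), part["Headers"]["Content-MD5"])
```

Run the planner before issuing any UploadPart requests: a plan that fails validation is cheaper to fix locally than an upload that the proxy or S3 rejects part-way through.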
System and Software Requirements
- RHEL 8 or RHEL 9 Linux hosts must meet the standard CTE requirements.
- You must have an AWS account.
- We recommend that you guard the bucket by restricting it with a CTE COS S3 Role to prevent accidental data corruption from connections outside the control of CTE COS S3. For details, see Optionally Configure a CTE COS S3 Role for Guarded Buckets.
- You must download and install the prerequisite rpm packages before you install CTE COS S3. For details, see Install Required Linux Packages.
- The CTE Agent must be installed in the default directory on the host. You cannot change the default path if you also enable CTE COS S3.
Client Software Requirements
- Clients must exist on the same host as CTE COS S3. External client connections are rejected by the COS Proxy.
- Clients must be AWS S3 protocol aware and able to connect directly to an S3 bucket without the use of an intermediary service, such as the AWS S3 Management Console website.
- Clients must be configured to divert outgoing network connections to a COS proxy (default is localhost:3128 or 127.0.0.1:3128). For more information, see Configure the AWS CLI Network Proxy.
- Clients must use the TLS 1.2 / TLS 1.3 network encryption protocol over TCP/IP to establish connections to the COS proxy.
- Clients must be configured to use the COS CA Root Certificate of the COS proxy to verify and authenticate TLS connections. For more information, see Configure the AWS CLI to use the COS Root CA Certificate.