docs: add s3proxy to features

README.md

@@ -34,7 +34,9 @@ Encrypting your K8s is good for:
 ### 🔒 Everything always encrypted
 
 * Runtime encryption: All nodes run inside AMD SEV-based Confidential VMs (CVMs). Support for Intel TDX will be added in the future.
-* Transparent encryption of network and storage: All pod-to-pod traffic and all writes to persistent storage are [automatically encrypted][network-encryption]
+* Transparent encryption of network: All [pod-to-pod traffic is automatically encrypted][network-encryption]
+* Transparent encryption of storage: All writes to persistent storage are automatically encrypted.
+  This includes [nodes' state disks][storage-encryption], [persistent volumes via CSI][csi], and [S3 object storage][s3proxy].
 * Transparent key management: All cryptographic [keys are managed within the confidential context][key-management]
 
 ### 🔍 Everything verifiable
@@ -72,8 +74,9 @@ If you're already familiar with Kubernetes, it's easy to get started with Conste
 ## Live demos
 
 We're running public instances of popular software on Constellation:
-* Rocket.Chat: https://rocket.edgeless.systems/ ([blog post](https://dev.to/flxflx/rocketchat-constellation-most-secure-chat-server-ever--50oa))
-* GitLab: https://gitlab.edgeless.systems/ ([blog post](https://dev.to/flxflx/setting-up-a-confidential-gitlab-333h))
+
+* Rocket.Chat: <https://rocket.edgeless.systems/> ([blog post](https://dev.to/flxflx/rocketchat-constellation-most-secure-chat-server-ever--50oa))
+* GitLab: <https://gitlab.edgeless.systems/> ([blog post](https://dev.to/flxflx/setting-up-a-confidential-gitlab-333h))
 
 These instances run on CVMs in Azure and Constellation keeps them end-to-end confidential.
 
@@ -102,7 +105,7 @@ Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most imp
 * Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
 
 > **Warning**
-> Please report any security issue via a [private GitHub vulnerability report](https://github.com/edgelesssys/constellation/security/advisories/new) or write to security@edgeless.systems.
+> Please report any security issue via a [private GitHub vulnerability report](https://github.com/edgelesssys/constellation/security/advisories/new) or write to <security@edgeless.systems>.
 
 ## License
 
@@ -126,6 +129,9 @@ The Constellation source code is licensed under the [GNU Affero General Public L
 [key-management]: https://docs.edgeless.systems/constellation/architecture/keys
 [license]: https://docs.edgeless.systems/constellation/overview/license
 [network-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#network-encryption
+[storage-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#storage-encryption
+[csi]: https://docs.edgeless.systems/constellation/workflows/storage
+[s3proxy]: https://docs.edgeless.systems/constellation/workflows/s3proxy
 [supply-chain]: https://docs.edgeless.systems/constellation/architecture/attestation#chain-of-trust
 [security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
 [twitter]: https://twitter.com/EdgelessSystems

docs/docs/overview/confidential-kubernetes.md

@@ -13,7 +13,7 @@ Each of the above properties is equally important. Only with all three in conjun
 Constellation implements the Confidential Kubernetes concept with the following security features.
 
 * **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
-* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md) and [persistent storage](../architecture/encrypted-storage.md). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
+* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
 * **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
 * **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
 * **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)

docs/versioned_docs/version-2.12/overview/confidential-kubernetes.md

@@ -13,7 +13,7 @@ Each of the above properties is equally important. Only with all three in conjun
 Constellation implements the Confidential Kubernetes concept with the following security features.
 
 * **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
-* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md) and [persistent storage](../architecture/encrypted-storage.md). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
+* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
 * **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
 * **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
 * **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)