User support policy during vulnerability scanning
Yandex Cloud users may evaluate the security of their own software, either themselves or through contractors, provided this does not conflict with this policy. Such security checks include:
- Vulnerability scans.
- Penetration tests.
- Performance testing and checks for compliance with operating conditions.
Users and providers of vulnerability scanning services can also submit a request to host their security assessment tools within the Yandex Cloud IP address space. See Rules for performing external security scans.
Alert
You may not assess the security of the Yandex Cloud infrastructure or services on your own. If, while using them, you obtain data that does not belong to you by any means, contact the Yandex Cloud support team at cloud@support.yandex.ru. Use of such data is prohibited under applicable law.
Document scope
The policy applies to the following use cases:
- Performing your own resource security checks.
- Checking your resource security using third-party services.
- Hosting security analysis tools after your request is approved by Yandex Cloud experts.
If your infrastructure is subject to the requirements of Russian Federal Security Service Order No. 213 dated May 11, 2023, follow these recommendations.
Requesting approval for third-party resource testing
If you are a security analysis service provider and plan to use Yandex Cloud resources to render such services (including hosting security assessment tools), you must obtain approval from Yandex Cloud before performing these activities.
Submit a request to the Yandex Cloud support team at cloud@support.yandex.ru no later than two (2) weeks prior to the testing start date. In your email, provide the following:
- Description of activities and/or scheduled events.
- Account ID and services to be involved in your activities.
- External IPs to perform your activities from.
- Activity start and end time.
- Contact details, including your phone number at which we can reach you quickly.
We will respond within a few (usually two) business days of receiving your request.
Services that can be used for security analysis
Note
You can see the list of services available in the Kazakhstan region on the Yandex Cloud services page.
- Yandex Application Load Balancer
- Yandex API Gateway
- Yandex Cloud CDN
- Yandex Compute Cloud
- Yandex Cloud Functions
- Yandex Container Registry
- Yandex Data Processing
- Yandex Data Transfer
- Yandex Managed Service for Apache Kafka®
- Yandex Managed Service for ClickHouse®
- Yandex Managed Service for Greenplum®
- Yandex Managed Service for Kubernetes
- Yandex Managed Service for MongoDB
- Yandex Managed Service for MySQL®
- Yandex Managed Service for PostgreSQL
- Yandex Managed Service for Redis
- Yandex Managed Service for YDB
- Yandex Network Load Balancer
- Yandex Object Storage
- Yandex Serverless Containers
Security scanning guidelines
- Use a reserved external static IP address so that the source address of your scans does not change.
- Provide the relevant authorities with this Yandex Cloud policy along with the domains and external IPs the testing is performed against.
- Make sure to disclose only the IPs that belong to your own resources.
- To keep your resources secure, follow the Standard for securing Yandex Cloud infrastructure.
Prohibited actions
Yandex Cloud does not limit users in their choice of tools and services for assessing the security of the resources they use, except that the following attacks are prohibited:
- DDoS attacks at layers L3, L4, and L7 of the OSI model, or their simulation.
- TCP SYN flood, UDP flood, ICMP flood, or spoofed-packet DDoS attacks, or their simulation.
- UDP, ICMP, or TCP fragmentation attacks (such as Teardrop).
- ICMP Smurf attacks.
- Amplification attacks (DNS, NTP, LDAP, memcached, etc.).
Any port scanning must be run in a non-aggressive mode. You are not allowed to access another user's environment or data, or to escape the isolation boundary of your own resources (such as a VM or container).
The following tools do not violate the policy:
- Tools that identify the name or version of software used by Yandex Cloud services (banner grabbing, for example) and compare it against lists of versions known to be vulnerable to DDoS attacks.
- Tools that terminate a process running on a Yandex Cloud resource, where this is required for remote or local exploitation as part of a security assessment.
However, you may not use these tools for the request flood attacks listed above. The user is liable for any damage caused by violating this policy.
Using security assessment tools
Security assessment includes any actions performed to determine whether security measures are in place and whether they effectively safeguard the Yandex Cloud resources belonging to a user, such as:
- Port scanning.
- Vulnerability scanning.
- Exploitation analysis.
- Web application scanning.
- Any form of code injection, forgery, or similar tampering.
Any security tool or service that creates, contributes to, or demonstrates the conditions for an actual DDoS attack, or that simulates one in any other way, is expressly prohibited.
Some tools and services have hidden or embedded features for carrying out the DDoS attacks listed above. You may only use such tools if they allow you to explicitly disable, reset, or otherwise remove that feature.
If you detect a vulnerability in any Yandex Cloud component while assessing the security of your own software, contact the Yandex Cloud support team at cloud@support.yandex.ru.
Responsibility during activities
If Yandex Cloud is notified of a possible violation, the report will be forwarded to you. Once you receive it, you must provide a detailed description of the actions that led to the violation, as well as contact details to be used for third-party reports. If you fail to respond, Yandex Cloud has the right to block, without prior notice, the user account or VM from which the violation was committed.
The user is solely responsible for:
- Correct configuration of the tools or services used for security assessment.
- Operating the tools and services so that the prohibited attack vectors cannot be executed or simulated.
- Ensuring that security assessments by third-party contractors fully comply with the provisions of this policy.
- Any damage to Yandex Cloud, its users, or users of other Yandex Group companies caused by the user's actions during security testing or assessment.