Standard for securing Yandex Cloud infrastructure 1.1
Introduction
This document provides recommendations for technical protection measures and helps you choose information security measures when deploying information systems in Yandex Cloud.
The recommendations and security measures described in the standard have links to the Guides and solutions for setting up secure resource configurations with standard and additional information security tools available to Yandex Cloud users.
The standard also describes different methods and tools for verifying recommendation compliance, such as:
- Using the management console UI
- Using the Yandex Cloud CLI
- Manually
What is new in version 1.1
List of changes in version 1.1 compared to version 1.0:
- Added the following items:
  - 1.20 Impersonation is used wherever possible.
  - 1.21 Resource labels are used.
  - 1.22 Yandex Cloud security notifications are enabled.
  - 1.23 The auditor role is used to prevent access to user data.
  - 3.4.2 Integrity control of a VM runtime environment.
  - 3.28 Antivirus protection is used.
  - 3.29 Yandex Managed Service for Kubernetes security guidelines are used.
  - 4.16 There is a guide for cloud administrators on handling compromised secrets.
- Updated the following items:
  - 1.4, 1.14 Added recommendations for using the auditor role.
  - 1.9 Added recommendations for placing critical service accounts in separate folders.
  - 1.12 Added editor to the list of privileged roles assigned at the organization, cloud, and folder levels.
  - 4.7 Added a guide on how to encrypt data in Yandex Managed Service for PostgreSQL and Yandex Managed Service for Greenplum® using pgcrypto and KMS.
  - 4.13 Added recommendations for using Yandex Lockbox in Terraform without writing the information to .tfstate.
- Added section 9, Application security:
  - 9.1 Yandex SmartCaptcha is used.
  - 9.2 The scan-on-push policy is enabled for the container image vulnerability scanner.
  - 9.3 Container images are periodically scanned.
  - 9.4 Container images used in a production environment were last scanned a week ago or less.
  - 9.5 Software artifacts are built using attestations.
  - 9.6 Artifacts within a pipeline can be signed using Cosign, a third-party command line utility.
  - 9.7 Artifacts are checked when deployed in Yandex Managed Service for Kubernetes.
  - 9.8 Ready-made blocks of a secure pipeline are used.
Scope
The recommendations are designed for solution architects, technical specialists, and information security experts who use the following services when developing secure cloud systems and security policies to work with the cloud platform:
- Identity and Access Management (IAM)
- Application Load Balancer
- Audit Trails
- Certificate Manager
- Cloud DNS
- Cloud Logging
- Compute Cloud
- Key Management Service
- Yandex Lockbox
- Managed Service for ClickHouse®
- Managed Service for GitLab
- Managed Service for MongoDB
- Managed Service for MySQL
- Managed Service for PostgreSQL
- Managed Service for Redis
- Network Load Balancer
- Object Storage
- Cloud Organization
- Resource Manager
- Virtual Private Cloud
- Managed Service for YDB
The standard can be used as the basis for developing company-specific recommendations. Not all of the information security measures and recommendations in this document will apply to every system. Moreover, additional measures and recommendations that are not included in the current standard may be required.
Structure of the standard
The standard describes recommendations for the following security objectives:
- Authentication and access control
- Network security
- Secure configuration of a virtual environment
- Data encryption and key management
- Collecting, monitoring, and analyzing audit logs
- Vulnerability management
- Backups
- Physical security
- Application security
Requirements to meet before you start
Before you perform checks, make sure that:
- You have the YC CLI installed and set up according to the instructions.
- You have logged in to the management console.
- The jq utility is installed.
You can automate the audit of compliance with all the recommendations using available solutions from our partners:
- Neocat: Product for cloud security management from Neoflex. It is deployed as an isolated installation within the user's cloud perimeter and does not require administrator privileges to be granted.
- Cloud Advisor: Agentless platform that identifies and prioritizes cloud security risks, helps you reduce costs, ensure compliance with regulatory requirements, and manage your cloud infrastructure.
Responsibility limitation
Yandex Cloud follows the shared responsibility model. How responsibility for security is divided depends on the services the system uses in the cloud, their usage model, i.e., infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), and the security tools and policies the cloud provider has in place.
Terms and abbreviations
This document uses the terms and definitions introduced in ISO/IEC 27000:2018 and ISO/IEC 29100:2011, as well as the terms from the Yandex Cloud glossary.
ClickHouse® is a registered trademark of ClickHouse, Inc.