Yandex Cloud infrastructure security standard 1.2
Introduction
This document provides recommendations for technical protection measures and helps you choose information security measures when deploying information systems in Yandex Cloud.
The recommendations and security measures described in the standard link to the Guides and solutions for configuring resources securely with the standard and additional information security tools available to Yandex Cloud users.
The standard also describes different methods and tools for verifying recommendation compliance, such as:
- Using the management console UI
- Using the Yandex Cloud CLI
- Manually
Scope
The recommendations are designed for solution architects, technical specialists, and information security experts who use the following services when developing secure cloud systems and security policies to work with the cloud platform:
- Application Load Balancer
- Audit Trails
- Certificate Manager
- Cloud DNS
- Cloud Logging
- Cloud Organization
- Compute Cloud
- Identity and Access Management (IAM)
- Key Management Service
- Managed Service for ClickHouse®
- Managed Service for GitLab
- Managed Service for Kubernetes
- Managed Service for MongoDB
- Managed Service for MySQL®
- Managed Service for PostgreSQL
- Managed Service for Redis
- Managed Service for YDB
- Network Load Balancer
- Object Storage
- Resource Manager
- Virtual Private Cloud
- Yandex Lockbox
The standard can be used as the basis for developing company-specific recommendations. Not all of the information security measures and recommendations in this document apply to every system. Moreover, additional measures and recommendations not included in the current standard may be required.
Standard structure
The standard describes recommendations for the following security objectives:
- Authentication and access management
- Network security
- Secure configuration of a virtual environment
- Data encryption and key management
- Collecting, monitoring, and analyzing audit logs
- Backup
- Physical security
- Application security
- Kubernetes security
Requirements and preparation
Before you perform checks, make sure that:
- You have the YC CLI installed and set up according to the instructions.
- You have logged in to the management console.
- The jq utility is installed.
You can automate the audit of compliance with all the recommendations using available solutions from our partners:
- Neocat: Product for cloud security management from Neoflex. It is deployed as an isolated installation within the user's cloud perimeter and does not require administrator privileges to be granted.
- Cloud Advisor: Agentless platform that identifies and prioritizes cloud security risks, helps you reduce costs, ensure compliance with regulatory requirements, and manage your cloud infrastructure.
Responsibility limitation
Yandex Cloud uses the concept of Shared responsibility. Where the line is drawn between the cloud provider's and the customer's responsibility for security depends on the services used by the system in the cloud, their usage model, i.e., infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), and the security tools and policies the cloud provider has in place.
Terms and abbreviations
This document uses the terms and definitions introduced in ISO/IEC 27000:2018 and ISO/IEC 29100:2011, as well as the terms from the Yandex Cloud glossary.
ClickHouse® is a registered trademark of ClickHouse, Inc.