Versions of the standard for securing Yandex Cloud infrastructure

Changes in version 1.3.0Changes in version 1.3.0

Publication date: 27/12/24.

• Deleted Section 6. Backup. The section's content was moved to Section 3. Secure configuration of a virtual environment.

• Deleted Section 7. Physical security. The section's content was moved to Section Introduction.

• Added the following items:

  • 1.11 Service account API keys have specified scopes.
  • 1.25 Tracking the date of last service account authentication and last access key use in Yandex Identity and Access Management.
  • 1.26 Access permissions of users and service accounts are regularly audited using the Yandex Security Deck CIEM.

• Updated the following items:

  • Added Yandex Container Registry, Yandex Smart Web Security, and Yandex SmartCaptcha to Scope.
  • Added Smart Web Security usage info to 2.5 DDoS protection is enabled.
  • Renumbered item 3.18 Serverless Containers/Cloud Functions uses the internal VPC network (formerly 3.22) and updated it with info about restrictions on networking between functions and user resources.
  • Renumbered and renamed item 3.19 Functions are configured for access differentiation, secret and environment variable management, and DBMS connection (formerly 3.18 Public cloud functions are only used in exceptional cases). Updated the item with information about assigning roles for a function, working with secrets and environment variables from a function, and accessing managed Yandex Managed Service for PostgreSQL and Yandex Managed Service for ClickHouse® databases from a function.
  • Renumbered item 3.20 Side-channel attacks in Cloud Functions are addressed (formerly 3.19).
  • Renumbered item 3.21 Special aspects of time synchronization in Cloud Functions are addressed (formerly 3.20) and updated it with info on how functions are getting time data.
  • Renumbered item 3.22 Special aspects of header management in Cloud Functions are addressed (formerly 3.21) and updated it with a description of how to invoke a function with the ?integration=raw query parameter.
  • Added the following to 4.2 HTTPS is enabled for hosting static websites in Yandex Object Storage:
    • Checks via the CLI
    • Link to HTTPS configuration guide
  • Added links to best security practices to 5.4 Hardening of the Object Storage bucket that stores Yandex Audit Trails audit logs is done.
  • In 5.8 Data events are monitored, expanded the list of services for which you can track events on this level.
  • In 6.9 Use a Yandex Smart Web Security profile, added checks via the CLI.

Changes in version 1.2Changes in version 1.2

Publication date: 25/09/24.

• Deleted Section 6. Vulnerability management.

• Added Section 7. Kubernetes security:

  • 7.1 The use of sensitive data is limited.
  • 7.2 Resources are isolated from each other.
  • 7.3 There is no access to the Kubernetes API and node groups from untrusted networks.
  • 7.4 Authentication and access management are configured in Managed Service for Kubernetes.
  • 7.5 Managed Service for Kubernetes uses a safe configuration.
  • 7.6 Data encryption and Managed Service for Kubernetes secret management are done in ESO as a Service format.
  • 7.7 Docker images are stored in a Container Registry registry configured for regular image scanning.
  • 7.8 One of the three latest Kubernetes versions is used, updates are monitored.
  • 7.9 Backup is configured.
  • 7.10 Check lists are in place for security when creating and using Docker images.
  • 7.11 The Kubernetes security policy is in place.
  • 7.12 Audit log collection is set up for incident investigation.

• Added the following items:

  • 1.1.1 User group mapping is set up in an identity federation.
  • 1.24 Tracking the date of last access key use in Yandex Identity and Access Management.
  • 3.11 Yandex Security Token Service is used for getting access keys to Object Storage.
  • 3.12 Pre-signed URLs are generated for isolated cases of access to specific objects in Object Storage private buckets.
  • 3.32 OS Login is used for connection to a VM or Kubernetes node.
  • 4.8 Encryption of disks and virtual machine snapshots is used.
  • 5.8 Data events are monitored.
  • 8.9 Yandex Smart Web Security security profile is used.
  • 8.10 A web application firewall is used.
  • 8.11 Advanced Rate Limiter is used.
  • 8.12 Approval rules are set.

• Updated the following items:

  • In 5.1 Yandex Audit Trails is enabled at the organization level, added description of data event audit logs.
  • 6.2 Vulnerability scanning is performed at the cloud IP level was moved to Section 3. Secure configuration of a virtual environment.
  • 6.3 External security scans are performed according to the cloud rules was moved to Section 3. Secure configuration of a virtual environment.
  • 6.4 The process of security updates is set up was moved to Section 3. Secure configuration of a virtual environment.
  • 6.5 A web application firewall is used was updated and moved to Section 8. Application security.
  • In 8.6 Ensure artifact integrity, added a recommendation to save the asymmetric key pair of a Cosign electronic signature in Yandex Key Management Service and to use the saved key pair for signing artifacts and verifying the signature.

• Deleted the following items:

  • Deleted 4.6 For critical VMs, disk encryption using KMS is set up because now there is a more convenient disk encryption method described in 4.8 Encryption of disks and virtual machine snapshots is used.

Changes in version 1.1Changes in version 1.1

Publication date: 25/09/23.

• Added the following items:

  • 1.20 Impersonation is used wherever possible.
  • 1.21 Resource labels are used.
  • 1.22 Yandex Cloud security notifications are enabled.
  • 1.23 The auditor role is used to prevent access to user data.
  • 3.4.2 Integrity control of a VM runtime environment.
  • 3.28 Antivirus protection is used.
  • 3.29 Yandex Managed Service for Kubernetes security guidelines are used.
  • 4.16 There is a guide for cloud administrators on handling compromised secrets.

• Updated the following items:

  • 1.4, 1.14: Added recommendations for using the auditor role.
  • 1.9: Added recommendations for placing critical service accounts in separate folders.
  • 1.12: Added editor to the list of privileged roles assigned at the organization, cloud, and folder levels.
  • 4.7: Added a guide on how to encrypt data in Yandex Managed Service for PostgreSQL and Yandex Managed Service for Greenplum® using pgcrypto and KMS.
  • 4.14: Added recommendations for using Yandex Lockbox in Terraform without writing the information to .tfstate.

• Added Section 9. Application security:

  • 9.1 Yandex SmartCaptcha is used.
  • 9.2 Enabled the scan on push policy for the containerized image vulnerability scanner.
  • 9.3 Container images are periodically scanned.
  • 9.4 Container images used in a production environment have the last scan date a week ago or less.
  • 9.5 Software artifacts are built using attestations.
  • 9.6 Artifacts within a pipeline can be signed using Cosign, a third-party command line utility.
  • 9.7 Artifacts are checked when deployed in Yandex Managed Service for Kubernetes.
  • 9.8 Ready-made secure pipeline blocks are used.