Versions of the standard for securing Yandex Cloud infrastructure
Written by
Updated at October 22, 2024
Changes in version 1.2
Publication date: 25/09/24.
-
Deleted section 6. Vulnerability management.
-
Added the 9. Security Kubernetes section:
- 9.1 The use of sensitive data is limited.
- 9.2 Resources are isolated from each other.
- 9.3 There is no access to the Kubernetes API and node groups from untrusted networks.
- 9.4 Authentication and access management are configured in Managed Service for Kubernetes.
- 9.5 Managed Service for Kubernetes uses a safe configuration.
- 9.6 Data encryption and Managed Service for Kubernetes secret management are done in ESO as a Service format.
- 9.7 Docker images are stored in a Container Registry registry configured for regular image scanning.
- 9.8 One of the three latest Kubernetes versions is used, updates are monitored.
- 9.9 Backup is configured.
- 9.10 Check lists are in place for security when creating and using Docker images.
- 9.11 The Kubernetes security policy is in place.
- 9.12 Audit log collection is set up for incident investigation.
-
Added the following items:
- 1.1.1 User group mapping is set up in an identity federation.
- 1.24 Tracking the date of last access key use in Yandex Identity and Access Management.
- 3.11 Use Yandex Security Token Service to get access keys to Object Storage.
- 3.12 Pre-signed URLs are generated for isolated cases of access to specific objects in Object Storage private buckets.
- 3.32 Connecting to a VM or Kubernetes node via OS Login.
- 4.8 Encryption of disks and virtual machine snapshots is used.
- 5.8 Data events are monitored.
- 8.9 Use a Yandex Smart Web Security security profile.
- 8.10 Use a web application firewall.
- 8.11 Use Advanced Rate Limiter.
- 8.12 Set up approval rules.
-
Updated the following items:
- Added description of data event audit logs in 5.1 Yandex Audit Trails is enabled at the organization level.
- 6.2 Vulnerability scanning is performed at the cloud IP level was moved to section 3. Secure configuration of a virtual environment.
- 6.3 External security scans are performed according to the cloud rules was moved to section 3. Secure configuration of a virtual environment.
- 6.4 The process of security updates is set up was moved to section 3. Secure configuration of a virtual environment.
- 6.5 A web application firewall is used was updated and moved to section 8. Application security.
- In 8.6 Ensure artifact integrity, added a recommendation to save the asymmetric key pair of a Cosign
electronic signature in Yandex Key Management Service and to use the saved key pair for signing artifacts and verifying the signature.
-
Deleted the following items:
- Deleted 4.6 For critical VMs, disk encryption using KMS is set up because now there is a more convenient disk encryption method described in 4.8 Encryption of disks and virtual machine snapshots is used.
Changes in version 1.1
Publication date: 25/09/23.
-
Added the following items:
- 1.20 Impersonation is used wherever possible.
- 1.21 Resource labels are used.
- 1.22 Yandex Cloud security notifications are enabled.
- 1.23 The
auditor
role is used to prevent access to user data. - 3.4.2 Integrity control of a VM runtime environment.
- 3.28 Antivirus protection is used.
- 3.29 Yandex Managed Service for Kubernetes security guidelines are used.
- 4.16 There is a guide for cloud administrators on handling compromised secrets.
-
Updated the following items:
- 1.4, 1.14: Added recommendations for using the
auditor
role. - 1.9: Added recommendations for placing critical service accounts in separate folders.
- 1.12: Added
editor
to the list of privileged roles assigned at the organization, cloud, and folder levels. - 4.7: Added a guide on how to encrypt data in Yandex Managed Service for PostgreSQL and Yandex Managed Service for Greenplum® using
pgcrypto
and KMS. - 4.14: Added recommendations for using Yandex Lockbox in Terraform without writing the information to
.tfstate
.
- 1.4, 1.14: Added recommendations for using the
-
Added section 9. Application security:
- 9.1 Yandex SmartCaptcha is used.
- 9.2 Enabled the scan on push policy for the containerized image vulnerability scanner.
- 9.3 Container images are periodically scanned.
- 9.4 Container images used in a production environment have the last scan date a week ago or less.
- 9.5 Software artifacts are built using attestations.
- 9.6 Artifacts within a pipeline can be signed using Cosign, a third-party command line utility.
- 9.7 Artifacts are checked when deployed in Yandex Managed Service for Kubernetes.
- 9.8 Ready-made secure pipeline blocks are used.