Contact UsGet started

Creating a security profile

Written by
Updated at December 18, 2024

  1. In the management console, select the folder where you want to create your security profile.

  2. In the list of services, select Smart Web Security.

  3. Click Create.

  4. Select one of the creation options:

    • From a preset template (recommended). A preset profile includes:

    • From scratch. This profile includes only the basic default rule enabled for all traffic.

  5. Enter the profile name.

  6. (Optional) Enter a description.

  7. (Optional) Add labels for your profile.

  8. In the Action for the default base rule field, select an action to be applied to the traffic that mismatches the criteria of other rules: Deny or Allow.

  9. Select or create an ARL profile to limit the number of requests.

  10. Select or create a Yandex SmartCaptcha to verify suspicious requests:

    • Default: Managed on the Yandex Cloud side, captcha parameters:

      The Default captcha usage fee is included in the cost of Smart Web Security.

    • Custom captcha: You can customize captcha difficulty, types of main and additional challenges, and appearance.

      Note

      To use a custom captcha, select Disable domain verification in its settings.

      The custom captcha usage fee is charged according to SmartCaptcha pricing policy.

  11. Click Add rule.

  12. In the rule creation window:

    1. Enter a name for the rule.

    2. (optional) Enter a description.

    3. Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.

      Note

      The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:

      • Basic default rule: 1000000.
      • Smart Protection rule providing full protection: 999900.

    4. (Optional) Enable Only logging (dry run) if you want only to log data about the traffic fulfilling the specified conditions without applying any actions to it.

    5. Select the rule type:

      • Base: Rule that allows, denies, or sends traffic to Yandex SmartCaptcha under specified conditions.

      • Smart Protection: Sends traffic for automatic processing by machine learning and behavioral analysis algorithms. Suspicious requests are sent to Yandex SmartCaptcha for additional verification.

      • Web Application Firewall: Integrates rules from a WAF profile. Suspicious requests are sent to Yandex SmartCaptcha.

        For a WAF rule, select or create a WAF profile.

    6. Select an action:

      • For the basic rule:

        • Deny.
        • Allow.
        • Show captcha: Show the captcha selected in the security profile.

      • For a Smart Protection or WAF rule:

        • Full protection: After verification, suspicious requests are sent to SmartCaptcha.
        • API protection: After verification, suspicious requests are blocked.

    7. Under Conditions for traffic, specify which traffic the rule will be used to analyze:

      • All traffic: The rule will be used to analyze the whole traffic.

      • On condition: The rule will be used to analyze the traffic specified in the Conditions field:

        • IP: IP address, IP address range, or IP address region.
        • HTTP header: HTTP header string.
        • Request URI: Request path.
        • Host: Domain receiving the request.
        • HTTP method: Request method.
        • Cookie: Cookie header string.

        You can set multiple conditions. To do this, select all the condition types you need in the Conditions field.

        You can also set multiple conditions of the same type. To do this, click and or or in the section with the condition you need.

        To delete a condition, click .

    8. Click Add.

  13. Add all relevant rules to the profile one by one.

    The rules you created will appear under Security rules in the table.

  14. Click Create.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command for creating a security profile:

    yc smartwebsecurity security-profile create --help

  2. To create a security profile, run this command:

    yc smartwebsecurity security-profile create \
   --name <security_profile_name> \
   --description "<profile_description>" \
   --labels <label_1_key>=<label_1_value>,<label_2_key>=<label_2_value>,...,<label_n_key>=<label_n_value> \
   --default-action <action> \
   --captcha-id <captcha_ID> \
   --security-rules-file <path_to_file_with_rules>

    Where:

    • --name: Security profile name. This is a required parameter. If you specify only the profile name without additional parameters, a single basic rule will be created in the security profile.

    • --description: Text description of the security profile. This is an optional parameter.

    • --labels: List of labels to add to the profile in KEY=VALUE format. This is an optional parameter, e.g., --labels foo=baz,bar=baz'.

    • --default-action: Action to perform for the traffic that mismatches the criteria of other rules. This is an optional parameter. The default value is allow, which allows all requests to Yandex Smart Web Security. To block requests, set the parameter to deny.

    • --captcha-id: ID of the CAPTCHA in Yandex SmartCaptcha to verify suspicious requests. This is an optional parameter.

    • --security-rules-file: Path to the YAML file with security rule description. This is an optional parameter. For example:

      security-rules.yaml
      - name: rule-condition-deny
  description: My first security rule. This rule it's just example to show possibilities of configuration.
  priority: "11111"
  dry_run: true
  rule_condition:
    action: DENY
    condition:
      authority:
        authorities:
          - exact_match: example.com
          - exact_match: example.net
      http_method:
        http_methods:
          - exact_match: GET
          - exact_match: POST
      request_uri:
        path:
          prefix_match: /search
        queries:
          - key: firstname
            value:
              pire_regex_match: .ivan.
          - key: lastname
            value:
              pire_regex_not_match: .petr.
      headers:
        - name: User-Agent
          value:
            pire_regex_match: .curl.
        - name: Referer
          value:
            pire_regex_not_match: .bot.
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 1.2.33.44
            - 2.3.4.56
        ip_ranges_not_match:
          ip_ranges:
            - 8.8.0.0/16
            - 10::1234:1abc:1/64
        geo_ip_match:
          locations:
            - ru
            - es
        geo_ip_not_match:
          locations:
            - us
            - fm
            - gb
- name: rule-condition-allow
  description: Let's show how to whitelist IP.
  priority: "2"
  rule_condition:
    action: ALLOW
    condition:
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 44.44.44.44-44.44.44.45
            - 44.44.44.77
- name: smart-protection-full
  description: Enable smart protection. Allow to show captcha on /search prefix.
  priority: "11"
  smart_protection:
    mode: FULL
    condition:
      request_uri:
        path:
          prefix_match: /search
- name: smart-protection-api
  description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
  priority: "10"
  smart_protection:
    mode: API
    condition:
      request_uri:
        path:
          prefix_match: /api

    Result:

    id: fev6q4qqnn2q********
folder_id: b1g07hj5r6i********
cloud_id: b1gia87mbaom********
name: my-sample-profile
description: "my description"
labels: label1=value1,label2=value2
default_action: DENY
created_at: "2024-07-25T19:21:05.039610Z"

For more information about the yc smartwebsecurity security-profile create command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, describe the parameters of the resources you want to create:

    resource "yandex_sws_security_profile" "demo-profile-simple" {
  name                             = "<security_profile_name>"
  default_action                   = "DENY"
  captcha_id                       = "<captcha_ID>"
  advanced_rate_limiter_profile_id = "<ARL_profile_ID>"

  # Smart Protection rule
  security_rule {
    name     = "smart-protection"
    priority = 99999

    smart_protection {
      mode = "API"
    }
  }

  # Basic rule
  security_rule {
    name = "base-rule-geo"
    priority = 100000
    rule_condition {
      action = "ALLOW"
      condition {
        source_ip {
          geo_ip_match {
            locations = ["ru", "kz"]
          }
        }
      }
    }
  }

  # WAF profile rule
  security_rule {
    name     = "waf"
    priority = 88888

    waf {
      mode           = "API"
      waf_profile_id = "<WAF_profile_ID>"
    }
  }
}

    Where:

    • name: Security profile name.
    • default_action: Action for the default basic rule. The action will apply to traffic not covered by the other rules. The possible values are ALLOW (allows all requests to the service) and DENY (denies them).
    • captcha_id: ID of the CAPTCHA in Yandex SmartCaptcha to verify suspicious requests. This is an optional parameter.
    • advanced_rate_limiter_profile_id: ARL profile security ID. This is an optional parameter.
    • security_rule: Security rule description:
      • name: Security rule name.
      • priority: Rule priority. Possible values: from 1 to 1,000,000.
      • smart_protection: Description of the Smart Protection rule enabled for all traffic with the action type specified in the mode parameter.
        • mode: Rule action. The possible values are FULL, which means full protection (suspicious requests are sent to CAPTCHA), or API, which means API protection (suspicious requests are blocked).
      • waf: Web Application Firewall rule description. To add a WAF rule, you must first create a WAF profile. The optional parameter block contains:

    If you do not specify the smart_protection or waf rule type, a basic rule will be created with simple filtering based on conditions specified under rule_condition.

    For more information about the yandex_sws_security_profile resource parameters in Terraform, see the relevant provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

Terraform will create all the required resources. You can check the new resources using the management console or this CLI command:

yc smartwebsecurity security-profile get <security_profile_ID>

Use the create REST API method for the SecurityProfile resource or the SecurityProfileService/Create gRPC API call.

See also

Previous
All guides
Next
Editing basic profile settings