Deleting a rule from a security profile
You can delete basic rules, as well as Smart Protection and WAF rules, from a security profile. ARL rules are deleted from an ARL profile.
- In the management console, select the folder containing the security profile you need.
- In the list of services, select Smart Web Security.
- Select the profile to delete a rule from.
- On the Security rules tab, in the rule row, click and select Delete.
- Confirm the deletion.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
-
To view a list of current security profiles in the default folder, run this command:
yc smartwebsecurity security-profile listResult:
+----------------------+-------------------+---------------------+----------------+------------+-------------+ | ID | NAME | CREATED | DEFAULT ACTION | CAPTCHA ID | RULES COUNT | +----------------------+-------------------+---------------------+----------------+------------+-------------+ | fev3s055oq64******** | my-new-profile | 2024-08-05 06:57:18 | DENY | | 1 | | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY | | 2 | +----------------------+-------------------+---------------------+----------------+------------+-------------+ -
Update the security profile by applying the updated YAML configuration with security rules after you delete all irrelevant rules from it:
-
To get the YAML configuration for the current security rules in the profile, run this command, specifying the security profile name or ID:
yc smartwebsecurity security-profile get <security_profile_name_or_ID>Result:
id: fev450d61ucv******** folder_id: b1gt6g8ht345******** cloud_id: b1gia87mbaom******** labels: label1: value1 label2: value2 name: my-new-profile description: my description default_action: DENY security_rules: - name: rule-condition-deny priority: "11111" dry_run: true rule_condition: action: DENY condition: authority: authorities: - exact_match: example.com - exact_match: example.net http_method: http_methods: - exact_match: GET - exact_match: POST request_uri: path: prefix_match: /search queries: - key: firstname value: pire_regex_match: .ivan. - key: lastname value: pire_regex_not_match: .petr. headers: - name: User-Agent value: pire_regex_match: .curl. - name: Referer value: pire_regex_not_match: .bot. source_ip: ip_ranges_match: ip_ranges: - 1.2.33.44 - 2.3.4.56 ip_ranges_not_match: ip_ranges: - 8.8.0.0/16 - 10::1234:1abc:1/64 geo_ip_match: locations: - ru - es geo_ip_not_match: locations: - us - fm - gb description: My first security rule. This rule it's just example to show possibilities of configuration. - name: rule-condition-allow priority: "2" rule_condition: action: ALLOW condition: source_ip: ip_ranges_match: ip_ranges: - 44.44.44.44-44.44.44.45 - 44.44.44.77 description: Let's show how to whitelist IP. - name: smart-protection-full priority: "11" smart_protection: mode: FULL condition: request_uri: path: prefix_match: /search description: Enable smart protection. Allow to show captcha on /search prefix. - name: smart-protection-api priority: "10" smart_protection: mode: API condition: request_uri: path: prefix_match: /api description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix. created_at: "2024-08-05T17:54:48.898624Z" -
Copy current rule configuration from the
security_rulessection, paste it into any text editor, and save it to a file after removing all irrelevant rules, such as the following:security-rules.yaml
- name: rule-condition-deny description: My first security rule. This rule it's just example to show possibilities of configuration. priority: "11111" dry_run: true rule_condition: action: DENY condition: authority: authorities: - exact_match: example.com - exact_match: example.net http_method: http_methods: - exact_match: GET - exact_match: POST request_uri: path: prefix_match: /search queries: - key: firstname value: pire_regex_match: .ivan. - key: lastname value: pire_regex_not_match: .petr. headers: - name: User-Agent value: pire_regex_match: .curl. - name: Referer value: pire_regex_not_match: .bot. source_ip: ip_ranges_match: ip_ranges: - 1.2.33.44 - 2.3.4.56 ip_ranges_not_match: ip_ranges: - 8.8.0.0/16 - 10::1234:1abc:1/64 geo_ip_match: locations: - ru - es geo_ip_not_match: locations: - us - fm - gbAlert
If you change the rules in the security profile, all existing rules will be deleted. This is why the YAML file with the changes must contain the full set of rules that will be in effect in the security profile.
-
To update a security profile, run this command, specifying the profile name or ID:
yc smartwebsecurity security-profile update <security_profile_name_or_ID> \ --security-rules-file <path_to_file_with_security_rules>Where
--security-rules-fileis the path to the YAML file with the description of security rules.Result:
id: fev450d61ucv******** folder_id: b1gt6g8ht345******** cloud_id: b1gia87mbaom******** labels: label1: value1 label2: value2 name: my-new-profile description: my description default_action: DENY security_rules: - name: rule-condition-deny priority: "11111" dry_run: true rule_condition: action: DENY condition: authority: authorities: - exact_match: example.com - exact_match: example.net http_method: http_methods: - exact_match: GET - exact_match: POST request_uri: path: prefix_match: /search queries: - key: firstname value: pire_regex_match: .ivan. - key: lastname value: pire_regex_not_match: .petr. headers: - name: User-Agent value: pire_regex_match: .curl. - name: Referer value: pire_regex_not_match: .bot. source_ip: ip_ranges_match: ip_ranges: - 1.2.33.44 - 2.3.4.56 ip_ranges_not_match: ip_ranges: - 8.8.0.0/16 - 10::1234:1abc:1/64 geo_ip_match: locations: - ru - es geo_ip_not_match: locations: - us - fm - gb description: My first security rule. This rule it's just example to show possibilities of configuration. created_at: "2024-08-05T17:54:48.898624Z"
-
For more information about the yc smartwebsecurity security-profile update command, see the CLI reference.
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the documentation on the Terraform website or mirror website.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
Open the Terraform configuration file and delete the
security_rulesection with the security rule inyandex_sws_security_profiledescription:resource "yandex_sws_security_profile" "demo-profile-simple" { name = "<security_profile_name>" default_action = "DENY" captcha_id = "<captcha_ID>" advanced_rate_limiter_profile_id = "<ARL_profile_ID>" # Smart Protection rule security_rule { name = "smart-protection" priority = 99999 smart_protection { mode = "API" } } #Basic rule security_rule { name = "base-rule-geo" priority = 100000 rule_condition { action = "ALLOW" condition { source_ip { geo_ip_match { locations = ["ru", "kz"] } } } } } # WAF profile rule security_rule { name = "waf" priority = 88888 waf { mode = "API" waf_profile_id = "<WAF_profile_ID>" } } }For more information about the
yandex_sws_security_profileresource parameters in Terraform, see the relevant provider documentation. -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validateIf the configuration is correct, the following message is returned:
Success! The configuration is valid. -
Run the command:
terraform planThe terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesin the terminal and press Enter.
-
You can check the resources' updates using the management console or this CLI command:
yc smartwebsecurity security-profile get <security_profile_ID>
Use the update REST API method for the SecurityProfile resource or the SecurityProfileService/Update gRPC API call.