Handling secrets that are available in the public domain

Yandex Cloud automatically scans the public domain for secrets. Keep track of how secrets are used to ensure the safety of your data and infrastructure. If your secrets are compromised:

1. Revoke and reissue secrets.
2. Check for any unauthorized actions.
3. Delete unauthorized resources.
4. Contact support.
5. Follow our recommendations on building a secure infrastructure.

Revoke and reissue secretsRevoke and reissue secrets

IAM tokenIAM token

To prevent a hacker from using your token:

1. Revoke the compromised IAM token.

2. Create a new IAM token.

   • For a Yandex account.
   • For a service account.
   • For a federated account.

OAuth tokenOAuth token

You can revoke an OAuth token. In this case, the IAM tokens obtained using the OAuth token will remain valid. Therefore, you must also revoke all such IAM tokens.

To prevent a hacker from using your token:

1. Revoke the OAuth token.
2. Revoke all IAM tokens obtained using the compromised OAuth token.
3. Get a new OAuth token.

Authorized keyAuthorized key

If you need to prevent damage from a compromised key as quickly as possible, delete the service account.

If the continuity of the process that the service account is part of is more important to you, reissue authorized keys:

1. Create a new authorized key for the service account.
2. Grant the new authorized key to the services and users using it.
3. Get an IAM token for the new authorized key.
4. Delete the old authorized key.

Once you delete the authorized key, the respective IAM token becomes invalid. That is enough to prevent any threat from the compromised key.

JWTJWT

Follow the steps described in the Authorized key section.

Static keyStatic key

1. Create a new static key for the service account.
2. Grant the new static key to the services and users using it.
3. Delete the old static key.

API keyAPI key

1. Create a new API key for the service account.
2. Grant the new API key to the services and users using it.
3. Delete the old API key.

SmartCaptcha server keySmartCaptcha server key

Create a new CAPTCHA and, on the website page, replace the old CAPTCHA, whose server key was compromised, with the new one.

CookieCookie

Disable cookies:

1. Change your Yandex ID password.
2. Log in to Yandex ID with your new password.

Check for any unauthorized actionsCheck for any unauthorized actions

Analyze access to your Yandex Cloud resources:

1. Analyze log records Cloud Logging.
2. Search for events in a bucket and search for events in a log group in Audit Trails.
3. Make sure that all events, including those related to secret leakage, are consistent with expectations.

Delete unauthorized resourcesDelete unauthorized resources

1. Check that Yandex Cloud does not contain any resources that you have not created, such as a VM, data store, database, function, API gateway, etc.
2. Delete unauthorized resources.

Contact supportContact support

Report the incident to the support. This will help us enhance secret protection in future Yandex Cloud releases.

You can learn more about the support terms here.

Follow our recommendations on building a secure infrastructureFollow our recommendations on building a secure infrastructure

1. Make sure secrets are separated from the source code. This will help you avoid adding them to public repositories, such as GitHub, along with the code and making them vulnerable.
2. Manage secrets in your cloud.
3. Collect, monitor, and analyze audit logs.