Yandex Cloud Security Standard

Written by

Updated at April 13, 2026

Note

This feature is at the Preview stage.

This rule set contains security controls based on the Yandex Cloud Security Standard.

The Yandex Cloud Security Standard provides comprehensive security requirements and best practices for protecting cloud infrastructure and applications deployed on Yandex Cloud platform.

These controls help ensure compliance with security policies and protect against common cloud security threats and vulnerabilities:

Requirement ID	Security standard requirement	CSPM rule check IDs
Authentication and Access Management
`IAM1`	Identity Federation (Single Sign-On, SSO) is configured	cspm.access.uses-federation
`IAM2`	User group mapping is set up in an identity federation	cspm.access.user-groups-mapping
`IAM4`	The cookie lifetime in a federation is less than 6 hours	cspm.cookie-timeout.organization
`IAM5`	Only appropriate administrators can manage IAM group membership	cspm.access.user-groups-access
`IAM6`	Service roles are used instead of primitive ones: admin, editor, viewer, auditor	cspm.access.min-privileges
`IAM9`	Service accounts are assigned minimum privileges	cspm.access.sa-privileges-org-roles cspm.access.sa-privileges-service-roles
`IAM10`	Only trusted administrators have access to service accounts	cspm.access.privileged-sa-access
`IAM11`	Service account keys are rotated periodically	cspm.crypto.sa-key-rotation
`IAM12`	A scope is set for service account API keys	cspm.access.defined-key-scopes
`IAM16`	Getting a token via AWS IMDSv1 is disabled on the VM	cspm.aws-token
`IAM18`	Only trusted administrators have privileged roles	cspm.access.check-privileged-roles
`IAM22`	No public access for resources in the organization	cspm.access.public-access
`IAM23`	Organization contact information is up to date	cspm.procedure.organization-contacts
`IAM24`	Resource labels are used	cspm.o11y.labeled-resources
`IAM27`	Access permissions of users and service accounts are regularly audited using the Yandex Security Deck CIEM	cspm.access.check-bindings
Network Security
`NET1`	A firewall or security groups are used for cloud resources	cspm.network.firewall
`NET2`	At least one security group exists in the Yandex Virtual Private Cloud	cspm.network.network-firewall
`NET3`	Security groups do not contain overly broad access rules	cspm.network.network-firewall-scope cspm.k8s.network-firewall-scope
`NET4`	Access through control ports is only allowed for trusted IPs	cspm.trusted-ip cspm.trusted-ip-k8s
`NET5`	DDoS protection is enabled	cspm.appsec.ddos-protection.l3 cspm.appsec.ddos-protection.l7
Secure Virtual Environment Configuration
`ENV1`	Use of the serial console is controlled or disabled	cspm.access.serial-console
`ENV7`	No public access to the Object Storage bucket	cspm.access.bucket-public-access
`ENV8`	Object Storage uses bucket policies	cspm.access.bucket-access-policy
`ENV9`	The Object lock feature is enabled in Object Storage	cspm.s3.used-object-lock
`ENV14`	A Security Group is assigned to managed databases	cspm.network.db-security-group
`ENV15`	Managed databases do not have a public IP address assigned	cspm.network.db-ip
`ENV16`	Deletion protection is enabled	cspm.db.db-deletion-protection
`ENV17`	DataLens access is disabled unless required	cspm.access.db-datalens-access
`ENV18`	Console access to managed databases is disabled	cspm.access.db-console-access
`ENV19`	Serverless Containers/Cloud Functions uses the VPC internal network	cspm.network.serverless-uses-vpc
`ENV26`	No public access for YDB	cspm.network.ydb-public
`ENV28`	ACL by IP address is configured for Yandex Container Registry	cspm.access.acl-container-registry
`ENV29`	Yandex Certificate Manager certificate validity is at least 30 days	cspm.crypto.certificate-validity
`ENV33`	OS Login is used to access a virtual machine or Kubernetes node	cspm.access.os-login-onto-hosts.vm
`ENV34`	Vulnerability scanning is performed at the cloud IP address level	cspm.active.ip-vulnerability-scan
`ENV37`	Cloud Backup or scheduled snapshots are used	cspm.compute.snapshot cspm.backup.compute-disks
Data Encryption and Key Management
`CRYPT1`	Object Storage data-at-rest encryption with a KMS key is enabled	cspm.data.object-storage-encryption
`CRYPT2`	HTTPS is enabled for Yandex Object Storage static website hosting	cspm.data.storage-https
`CRYPT3`	HTTPS is used in Yandex Application Load Balancer	cspm.appsec.alb-https
`CRYPT4`	HTTPS and a custom domain are used in Yandex API Gateway	cspm.appsec.api-gateway-https
`CRYPT5`	Yandex Cloud CDN uses HTTPS and a custom SSL certificate	cspm.appsec.cdn-https
`CRYPT7`	Application-level data encryption is used	cspm.data.application-encryption
`CRYPT8`	VM disks and snapshots are encrypted	cspm.crypto.managed-vm-kms
`CRYPT9`	KMS keys are stored in a Hardware Security Module (HSM)	cspm.crypto.keys-hsm
`CRYPT10`	Permissions to manage keys in KMS are granted to controlled users	cspm.access.kms-keys-access
`CRYPT11`	KMS key rotation is enabled	cspm.crypto.keys-rotation
`CRYPT12`	KMS key deletion protection is enabled	cspm.crypto.keys-deletion-protection
`CRYPT13`	Yandex Lockbox is used in the organization for secure secret storage	cspm.crypto.secrets-lockbox
`CRYPT14`	Lockbox secrets are used for Serverless Containers and Cloud Functions	cspm.crypto.secrets-serverless
Collection, Monitoring, and Analysis of Audit Logs
`AUDIT1`	Yandex Audit Trails is enabled at the organization level	cspm.o11y.audit-trails cspm.o11y.audit-trails-no-errors
`AUDIT5`	OS-level audit logs are collected	cspm.o11y.os-logs-audited
`AUDIT8`	Data-plane events are monitored	cspm.o11y.data-plane-events
Application Protection
`APPSEC1`	Yandex SmartCaptcha is used	cspm.appsec.use-smartcaptcha
`APPSEC2`	Docker images are scanned upon upload to Yandex Container Registry	cspm.appsec.secure-registry
`APPSEC3`	Periodic scanning of Docker images stored in Container Registry is performed	cspm.appsec.periodic-scan
`APPSEC4`	Container images used in the production environment have the last scan date of one week ago or less	cspm.appsec.registry-recently-scan
`APPSEC9`	A Smart Web Security security profile is used	cspm.appsec.use-sws
`APPSEC10`	Web Application Firewall is used	cspm.appsec.use-waf
`APPSEC11`	Advanced Rate Limiter is used	cspm.appsec.use-arl
Kubernetes Security
`K8S3`	There is no access to the Kubernetes API	cspm.k8s.api-security
`K8S4`	Authentication and access management are configured in Managed Service for Kubernetes	cspm.k8s.access
`K8S5`	A secure configuration is used in Yandex Managed Service for Kubernetes	cspm.k8s.secure-configuration
`K8S8`	One of the three latest Kubernetes versions is used and updates are monitored	cspm.k8s.version-update
`K8S11`	The Kubernetes security policy is in place	cspm.k8s.kspm
`K8S12`	Audit log collection is configured for incident investigations	cspm.k8s.audit-logs

Yandex Cloud Security Standard

Was the article helpful?