Yandex Cloud Security Standard

Written by

Updated at February 11, 2026

Note

This feature is at the Preview stage.

This rule set contains security controls based on the Yandex Cloud Security Standard.

The Yandex Cloud Security Standard provides comprehensive security requirements and best practices for protecting cloud infrastructure and applications deployed on Yandex Cloud platform.

These controls help ensure compliance with security policies and protect against common cloud security threats and vulnerabilities:

Requirement ID	Security standard requirement	CSPM rule check ID
`IAM6`	Service roles are used instead of primitive ones: admin, editor, viewer, auditor	`cspm.access.min-privileges`
`IAM9`	Service accounts are assigned minimum privileges	`cspm.access.sa-privileges`
`IAM12`	A scope is set for service account API keys	`cspm.access.defined-key-scopes`
`IAM22`	No public access for resources in the organization	`cspm.access.public-access`
`NET2`	At least one security group exists in the Yandex Virtual Private Cloud	`cspm.network.network-firewall`
`NET3`	Security groups do not contain overly broad access rules	`cspm.network.network-firewall-scope`
`NET5`	DDoS protection is enabled	`cspm.appsec.ddos-protection.l7`
`ENV1`	Use of the serial console is controlled or disabled	`cspm.access.serial-console`
`ENV7`	No public access to the Yandex Object Storage bucket	`cspm.access.bucket-public-access`
`ENV14`	A Security Group is assigned to managed databases	`cspm.network.db-security-group`
`ENV15`	Managed databases do not have a public IP address assigned	`cspm.network.db-ip`
`ENV16`	Deletion protection is enabled	`cspm.db.db-deletion-protection`
`ENV17`	Yandex DataLens access is disabled unless required	`cspm.access.db-datalens-access`
`ENV18`	Console access to managed databases is disabled	`cspm.access.db-console-access`
`ENV26`	No public access for YDB	`cspm.network.ydb-public`
`ENV28`	ACL by IP address is configured for Yandex Container Registry	`cspm.access.acl-container-registry`
`ENV29`	Yandex Certificate Manager certificate validity is at least 30 days	`cspm.crypto.certificate-validity`
`ENV33`	OS Login is used to access a virtual machine or Kubernetes node	`cspm.access.os-login-onto-hosts.vm`
`ENV34`	Vulnerability scanning is performed at the cloud IP address level	`cspm.active.ip-vulnerability-scan`
`CRYPT1`	Yandex Object Storage data-at-rest encryption with a KMS key is enabled	`cspm.data.object-storage-encryption`
`CRYPT3`	HTTPS is used in Yandex Application Load Balancer	`cspm.appsec.alb-https`
`CRYPT5`	Yandex Cloud CDN uses HTTPS and a custom SSL certificate	`cspm.appsec.cdn-https`
`CRYPT7`	Application-level data encryption is used	`cspm.data.application-encryption`
`CRYPT8`	VM disks and snapshots are encrypted	`cspm.crypto.managed-vm-kms`
`CRYPT11`	KMS key rotation is enabled	`cspm.crypto.keys-rotation`
`CRYPT12`	KMS key deletion protection is enabled	`cspm.crypto.keys-deletion-protection`
`CRYPT13`	Yandex Lockbox is used in the organization for secure secret storage	`cspm.crypto.secrets-lockbox`
`CRYPT14`	Yandex Lockbox secrets are used for Yandex Serverless Containers and Yandex Cloud Functions	`cspm.crypto.secrets-serverless`
`AUDIT1`	Yandex Audit Trails is enabled at the organization level	`cspm.o11y.audit-trails`
`AUDIT8`	Data-plane events are monitored	`cspm.o11y.data-plane-events`
`APPSEC2`	Docker images are scanned upon upload to Yandex Container Registry	`appsec.secure-registry`
`APPSEC3`	Periodic scanning of Docker images stored in Container Registry is performed	`cspm.appsec.periodic-scan`
`APPSEC9`	A Yandex Smart Web Security security profile is used	`cspm.appsec.use-sws`
`APPSEC11`	Advanced Rate Limiter is used	`cspm.appsec.use-arl`
`K8S5`	A secure configuration is used in Yandex Managed Service for Kubernetes	`cspm.k8s.secure-configuration`
`K8S8`	One of the three latest Kubernetes versions is used and updates are monitored	`cspm.k8s.version-update`
`K8S12`	Audit log collection is configured for incident investigations	`cspm.k8s.audit-logs`

Yandex Cloud Security Standard

Was the article helpful?