Yandex Cloud Security Baseline

Written by

Updated at February 9, 2026

Note

This feature is at the Preview stage.

This rule set contains security baseline controls which are available for all users and helps protect cloud infrastructure and applications deployed on Yandex Cloud platform.

These controls help ensure a minimum baseline to lower security risks in the cloud infrastructure:

Requirement ID	Security standard requirement	CSPM rule check ID
`IAM1`	Identity Federation (Single Sign-On, SSO) is configured)	`cspm.access.uses-federation`
`IAM22`	No public access for resources in the organization	`cspm.access.public-access`
`NET3`	Security groups do not contain overly broad access rules	`cspm.network.network-firewall-scope`
`ENV1`	Use of the serial console is controlled or disabled	`cspm.access.serial-console`
`CRYPT13`	Yandex Lockbox is used in the organization for secure secret storage	`cspm.crypto.secrets-lockbox`
`CRYPT14`	Yandex Lockbox secrets are used for Yandex Serverless Containers and Yandex Cloud Functions	`cspm.crypto.secrets-serverless`
`AUDIT2`	Yandex Audit Trails events are exported to SIEM systems	`cspm.o11y.logs-exported-to-siem`
`AUDIT8`	Data-plane events are monitored	`cspm.o11y.data-plane-events`
`APPSEC2`	Docker images are scanned upon upload to Yandex Container Registry	`cspm.appsec.upload-policy`
`APPSEC3`	Periodic scanning of Docker images stored in Container Registry is performed	`cspm.appsec.periodic-scan`
`APPSEC9`	A Yandex Smart Web Security security profile is used	`cspm.appsec.use-sws`
`APPSEC11`	Advanced Rate Limiter is used	`cspm.appsec.use-arl`
`K8S8`	One of the three latest Kubernetes versions is used and updates are monitored	`cspm.k8s.version-update`
`K8S12`	Audit log collection is configured for incident investigations	`cspm.k8s.audit-logs`

Yandex Cloud Security Baseline

Was the article helpful?