Yandex Cloud basic security rules
Note
This feature is at the Preview stage.
This rule set contains the basic security checks for protecting cloud infrastructure and applications deployed in Yandex Cloud.
These rules help mitigate the risks posed by common security threats in cloud environments. Where the requirement text or check ID is blank, it is not present on this page:
| Requirement ID | Security standard requirement | Check ID in the CSPM module |
|---|---|---|
| Authentication and access management (IAM) | | |
| IAM5 | Only appropriate administrators can manage IAM group membership | |
| IAM22 | There is no public access to resources within the organization | |
| IAM27 | | |
| Network security (NET) | | |
| NET3 | | |
| Secure virtual environment configuration (ENV) | | |
| ENV1 | | |
| Data encryption and key management (CRYPT) | | |
| CRYPT9 | | |
| CRYPT13 | The organization uses Yandex Lockbox for secure secret storage | |
| CRYPT14 | Yandex Serverless Containers and Yandex Cloud Functions use Yandex Lockbox secrets | |
| Collecting, monitoring, and analyzing audit logs (AUDIT) | | |
| AUDIT1 | | |
| AUDIT8 | | |
| Application security (APPSEC) | | |
| APPSEC1 | | |
| APPSEC2 | Docker images are scanned when uploaded to Yandex Container Registry | |
| APPSEC3 | Docker images stored in Container Registry are regularly scanned | |
| APPSEC9 | | |
| APPSEC10 | | |
| APPSEC11 | | |
| Kubernetes security (K8S) | | |
| K8S8 | One of the three latest Kubernetes versions is used, and updates are monitored | |
| K8S11 | | |
| K8S12 | | |