Contact UsTry it for free
© 2025 Direct Cursus Technology L.L.C.

Getting started with Yandex Security Deck

Written by
Updated at November 10, 2025

Security Deck offers tools for data security and compliance with regulatory requirements and industry standards.

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

Getting started

To get started with Security Deck in Yandex Cloud:

  1. If you have not signed up to Yandex Cloud yet, go to the management console and follow the instructions.

  2. In Yandex Cloud Billing, make sure you have a billing account linked and its status is ACTIVE or TRIAL_ACTIVE. If you do not have a billing account yet, create one.

  3. If you do not have a folder yet, create one.

  4. Make sure you have the necessary permissions to work with the Security Deck modules. You optimal roles are:

    • security-deck.admin for the folder to contain Security Deck resources and modules.
    • auditor for the organization, cloud, or folder the workspace will control the security of.

  5. Create a service account and assign to it the security-deck.worker role for the organization, cloud, or folder the workspace will control the security of.

Create a Security Deck workspace

A workspace is a container holding the Security Deck module settings and resources, a list of controlled resources, control parameters, and other settings. Workspaces allow for more granular management of Yandex Cloud infrastructure security.

To create your first Security Deck workspace:

  1. Go to Yandex Security Deck.
  2. In the left-hand panel, select Workspace and click Create workspace.

  3. In the window that opens, select Creating and configuring workspace in the Main parameters section:

    1. Under Workspace name, enter a name for the new workspace. Follow these naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

      Provide a brief description for the new workspace, if required.

    2. Under Resource storage folder, select the folder to store Security Deck resources for the new workspace.

      For security reasons, we recommend storing Security Deck resources in a separate cloud and folder restricted only to security staff.

      Note

      Once the workspace is created, you cannot change this folder.

    3. Under Payment for resources, add a billing account to use to pay for security module resources the workspace consumes.

    4. Under Alert sink, select the alert sink to receive all alerts generated in the workspace.

      Create a new alert sink if needed. Do it by clicking Create sink. In the window that opens, enter enter a name for the sink Create.

    5. Click Create and continue to proceed to the next step and configure the workspace resources.

  4. In the Resources section that opens:

    1. Under Workspace resources, select the connector to use in the workspace being created to access the controlled resources.

      If needed, create a new connector:

      1. Click Create connector and in the window that opens:

        1. In the Name field, enter a name for the connector.

        2. Optionally, give the connector's description in the Description field.

        3. Select the service account for access to cloud resources in the Service account field.

          In the section below, you can see which resources the selected service account has access to.

          Make sure to assign the security-deck.worker role to this service account for the resources controlled in the workspace being created.

        4. Click Create connector.

    2. In the connector section that appears, click Select cloud/catalog to select the resources (clouds and folders) whose security will be managed in the new workspace:

      1. Select the resources whose security you want to manage in the workspace. You can only select the resources that are accessible to the previously selected service account.
      2. Click Save selection.

    3. Click Save and continue.

  5. In the Security compliance section that opens:

    1. Under Rule sets, select the industry standards and regulations the resources you chose at the previous step will be benchmarked against.

      • Yandex Cloud basic security rules: Minimum set of security requirements ensuring basic protection of cloud infrastructure and applications deployed on the Yandex Cloud platform.
      • Yandex Cloud cloud infrastructure protection standard: Standard providing comprehensive security requirements and best practices for protection of the cloud infrastructure and applications deployed on the Yandex Cloud platform. These elements help ensure security policy compliance and protection against common threats and vulnerabilities in the cloud environment.
      • Kubernetes Pod Security Standards (Restricted): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Restricted profile. A restricted profile is the most secure and provides the highest detection efficiency for container-based attacks. It applies strict security policies that may require modifying applications to ensure compliance. A restricted profile is recommended for security-critical applications and environments where maximum security is required.
      • Kubernetes Pod Security Standards (Baseline): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Baseline profile. A baseline profile is designed for easy implementation and provides common best practices for container security. It prevents the most common security issues in containers while maintaining compatibility with most applications. The baseline profile is a good starting point for organizations just getting started with container security.
      • Microsoft Threat Matrix for Kubernetes: This standard contains security controls based on the Microsoft Threat Matrix for Kubernetes, which is a framework that helps security teams understand and fend off threats specific to Kubernetes environments. It provides a comprehensive approach to attack methods and defensive strategies tailored for container orchestration platforms.

      You can select several standards at the same time. The Control modules section will display the Security Deck modules, which will be activated in the new workspace to check your resources for compliance with the selected standards and regulations.

    2. Click Save and continue.

  6. Optionally, in the Participants section that opens, add users who will have access to the workspace being created and assign them roles in this workspace:

    1. Click Add participants and in the window that opens:

      1. Select the user from the list. If required, use the search bar.
      2. In the window that opens, click Add role and select the role you want to assign to the user. You can assign multiple roles.
      3. Click Save.

    2. Click Finish to complete creating the Security Deck workspace.

    You do not have to add additional users to the workspace. In this case, the workspace will only be available to its creator.

Yandex Security Deck modules

Security Deck includes the following modules:

To use any of the modules, navigate to the Security Deck interface and select the module you need in the left-hand panel. On the page that opens, you can learn more about the tool's features and terms of use. To use the module you select, complete the required setup.

Yandex Cloud Detection and Response

Yandex Cloud Detection and Response (YCDR) is a module that monitors and responds to Yandex Cloud infrastructure incidents. YCDR is built around Yandex Cloud's in-house Security Operations Center (SOC). Our information security team will monitor the service for potential threats. YCDR relies on a proprietary SIEM platform and Security Data Lake for big data analysis algorithms and tools.

Data Security Posture Management (DSPM)

Data Security Posture Management, or DSPM, helps you quickly detect sensitive information stored in Yandex Object Storage buckets for timely action to protect it from unauthorized access or leaks. To learn more, see Data Security Posture Management (DSPM).

To get started with the DSPM module, follow the guides on how to create a data source and a scan for bucket information.

Kubernetes Security Posture Management (KSPM)

Kubernetes Security Posture Management (KSPM) ensures the security of containerized applications and images they use.

The KSPM module automatically identifies all Kubernetes clusters and containers in the specified workspace, and deploys security components in them as defined in the configuration. New clusters automatically get security coverage, without requiring manual search or installation of any components.

The module continuously assesses workloads for misconfigurations and provides runtime security monitoring through sensors that detect attacks targeting nodes and containers.

Cloud Infrastructure Entitlement Management (CIEM)

Security Deck Cloud Infrastructure Entitlement Management provides a centralized view of the full list of accesses to the organization's resources available to subjects: users, service accounts, user groups, system groups, and public groups. The tool also makes it easy to revoke excessive access permissions from subjects. To learn more, see Cloud Infrastructure Entitlement Management (CIEM).

To get started with the CIEM module, follow the guides for viewing and revoking accesses.

Cloud Security Posture Management (CSPM)

Cloud Security Posture Management (CSPM) is a tool that monitors infrastructure security level based on security standards, such as Yandex Cloud's Cloud Infrastructure Security Standard.

In a given workspace, Cloud Security Posture Management (CSPM) checks the cloud infrastructure and applications deployed on the Yandex Cloud platform for compliance with comprehensive security requirements and best practices. The module's rules and exceptions help ensure compliance with security policies and protection against common threats and vulnerabilities in the cloud environment.

Access Transparency

Access Transparency is an automated tool you can use to view analytical data about actions by Yandex Cloud engineers involving the organization's resources, whether when processing requests, addressing security issues, or during maintenance.

The tool ensures operations are transparent and provides control over actions by Yandex Cloud engineers: a specially trained YandexGPT-based model automatically analyzes their action logs and escalates issues, if any, so that a Yandex Cloud information security specialist can check the session.

To connect and use Access Transparency, your organization must be linked to a billing account. Follow this guide to link your organization to a billing account.

Once your organization links a billing account, select it in the Access Transparency module.

For more information, see Access Transparency.

What's next

Next
All guides