Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.
Written by
Updated at February 24, 2026

CSPM — Cloud Security Posture Management

Rules for checking cloud resource configuration.

ACL by IP address is set up for Yandex Container Registry

kind

severity

ID

automatic

medium

access.acl-container-registry

Description

Automatic verification

This control automatically checks for ACL settings on Container Registry instances.

It is recommended that you limit access to your Container Registry to specific IPs.

  1. In the management console, select the cloud or folder to check the registry in.
  2. In the list of services, select Container Registry.
  3. In the settings of the specific registry, go to the Access for IP address tab.
  4. If specific IPs to allow access for are set in the parameters, the recommendation is fulfilled. Otherwise, proceed to "Guides and solutions to use".

Guides and solutions

Guides and solutions to use:

  1. In the management console, select the cloud or folder to check the VMs in.
  2. In the list of services, select Compute Cloud.
  3. Open the settings of a specific VM with a Container Optimized Image.
  4. In the Docker container's Settings, disable the Privileged mode parameter.

No public access to the Object Storage bucket

kind

severity

ID

manual

medium

access.bucket-public-access

Description

Manual check

Make sure that the found buckets actually require public access. Please change the status manually.

Attention

This control does not automatically check access when IAM roles are modified or when public access is specified via anonymous_access_flags. Manual verification is required.

It is recommended to assign minimum roles for a bucket using IAM and supplementing or itemizing them using a bucket policy (for example, to restrict access to the bucket by IP, grant granular permissions for objects, and so on).

Access to Object Storage resources is verified at three levels:

Verification procedure:

  1. If a request passes the IAM check, the next step is the bucket policy check.
  2. Bucket policy rules are checked in the following order:
    1. If the request meets at least one of the Deny rules, access is denied.
    2. If the request meets at least one of the Allow rules, access will be allowed.
    3. If the request does not meet any of the rules, access will be denied.
  3. If the request fails the IAM or bucket policy check, access verification is performed based on an object's ACL.

In IAM, a bucket inherits the same access permissions as those of the folder and cloud where it is located. For more information, see Inheritance of bucket access permissions by Yandex Cloud public groups. Therefore, we recommend that you only assign the minimum required roles to certain buckets or objects in Object Storage.

Bucket policies are used for additional data protection, for example, to restrict access to a bucket by IP, issue granular permissions to objects, and so on.

With ACLs, you can grant access to an object bypassing IAM verification and bucket policies. We recommend setting strict ACLs for buckets.

Example of a secure Object Storage configuration: Terraform

Guides and solutions

Guides and solutions to use:

  • It is recommended to assign minimum roles for a bucket using IAM and supplementing or itemizing them using a bucket policy (for example, to restrict access to the bucket by IP, grant granular permissions for objects, and so on).
  • If public access is required, it is recommended to use DSPM to monitor the presence of sensitive data in buckets.

Public IP addresses are not assigned to virtual machines

kind

severity

ID

manual

medium

access.compute-public-ip

Description

Manual verification

Make sure that the found virtual machines actually require a public IP address. Manually mark the control as completed.

Virtual machines with public IP addresses are accessible from the internet. It is recommended to use public IP addresses only for resources that require direct access from the internet (e.g., NAT instances or bastion hosts). For other resources, it is recommended to use private IP addresses and organize access through VPN or bastion hosts.

Guides and solutions

  • Make sure that virtual machines with public IP addresses actually require direct internet access.
  • For resources that do not require direct internet access, use private IP addresses.
  • Organize access to resources with private IP addresses through VPN or bastion hosts.

Access from the management console is disabled in managed databases

kind

severity

ID

automatic

low

access.db-console-access

Description

Automatic verification

This control automatically checks for management console access settings on managed database clusters.

You may need access to the database from the management console to send SQL queries to the database and visualize the data structure.

We recommend that you enable this type of access only if needed, because it raises information security risks. In normal mode, use a standard DB connection as a DB user.

Guides and solutions

Guides and solutions to use:

  1. In the management console, select the cloud or folder to disable access from the management console in.
  2. In the list of services, select a service or services with managed databases.
  3. In the object settings, go to the Advanced settings tab.
  4. In the object parameters, disable Access from console.

The setting for access from DataLens is not active if not needed

kind

severity

ID

automatic

low

access.db-datalens-access

Description

Automatic verification

This control automatically checks for DataLens access settings on managed database clusters.

Do not enable access to databases containing critical data from the management console, DataLens, or other services unless you have to. Access from DataLens may be required for data analysis and visualization. For such access, the Yandex Cloud service network is used, with authentication and TLS encryption. You can enable and disable access from DataLens or other services in the cluster settings or when creating it in the advanced settings section.

Guides and solutions

Instructions and solutions for implementation:

  1. In the management console, select the cloud or folder where you want to disable access from DataLens.
  2. In the list of services, select the service(s) where the managed databases are located.
  3. In the object settings, go to the tab Additional settings.
  4. In the object's parameters, disable the Access from DataLens option.

The minimum required scopes for service account API keys are defined

kind

severity

ID

manual

medium

access.defined-key-scopes

Description

A scope is the total of the actions a service account is allowed to perform with the service's resources. A service can have more than one scope. You cannot use an API key with specified scopes in other services or scopes.

In addition to service account access permissions, you can define scopes to restrict the use of API keys. Configuring scope limits and expiration dates will reduce the risk of unauthorized use of your keys. Assign only the strictly required scopes to API keys.

more details: <https://yandex.cloud/en/docs/security/standard/authentication#api-key-scopes>

Guides and solutions

Guides and solutions to use:

Create an API key with a specified scope.

Service roles are used instead of primitive roles: admin, editor, viewer

kind

severity

ID

manual

medium

access.min-privileges

Description

This rule requires manual check. After checking the necessity for the privileges, please change the rule status.

The principle of least privilege (see best practices) requires assigning users the minimum required roles. We do not recommend using primitive roles, such as admin, editor and viewer that are valid for all services, because this contradicts the principle of least privilege. To ensure more selective access control and implementation of the principle of least privilege, use service roles that only contain permissions for a certain type of resources in a given service. You can see the list of all service roles in the Yandex Cloud roles reference: link.

Use the auditor role without data access wherever possible.

Guides and solutions

Guides and solutions to use:

OS Login is used for connection to a VM or Kubernetes node

kind

severity

ID

automatic

low

access.os-login-onto-hosts.vm

Description

Automatic verification

This control automatically checks for OS Login usage on virtual machines and Kubernetes nodes.

OS Login is a convenient way to manage connections to VMs over SSH via the CLI or a standard SSH client with an SSH certificate or SSH key, which you first need to add to the OS Login profile of organization user or service account in Yandex Identity Hub.

OS Login links the account of a virtual machine user with that of an organization or service account user. To manage access to virtual machines, enable the OS Login access option at the organization level and then activate OS Login access on each virtual machine separately.

Thus, you can easily manage access to virtual machines by assigning appropriate roles to users or service accounts. If you revoke the roles from a user or service account, they will lose access to all virtual machines with OS Login access enabled.

Guides and solutions

Guides and solutions to use:

There is no public access to your organization's resources

kind

severity

ID

manual

high

access.public-access

Description

Manual verification

This rule requires manual check. After checking the necessity for the public access, please change the rule status.

Yandex Cloud allows you to grant public access to your resources. You can grant public access by assigning access permissions to public groups (All authenticated users, All users).

Public group details:

  • All authenticated users: All authenticated users. This means all registered Yandex Cloud users or service accounts, both from your clouds and other users' clouds.

  • All users: Any user. No authentication is required.

Warning

Now All users is only supported in the following services: Object Storage (if ACL-based access management is used), Container Registry, and Cloud Functions. For other services, assigning a role to the All users group is equivalent to assigning a role to All authenticated users.

Make sure that these groups have no public access to your resources: clouds, folder, buckets, and more.

Guides and solutions

Guides and solutions to use:

  • If you detect that All users and All authenticated users have the access permissions that they should not have, remove these permissions using CIEM module.

Service accounts have minimum privileges granted

kind

severity

ID

manual

high

access.sa-privileges

Description

Manual verification

This rule requires manual check. After auditing the required privileges, please change the rule status.

Follow the principle of least privilege and assign to the service account only the roles necessary to run the application.

Guides and solutions

Guides and solutions to use:

  • Use Yandex Security Deck to view the full list of a service account's access permissions.
  • Use Security Deck to revoke the service account's excessive access permissions.
  • Remove the excessive permissions from the service account using IAM.

The serial console is either controlled or not used

kind

severity

ID

automatic

medium

access.serial-console

Description

Automatic verification

This control automatically checks for serial console access on virtual machines.

On VMs, access to the serial console is disabled by default. For risks of using the serial console, see Getting started with a serial console in the Yandex Compute Cloud documentation.

When working with a serial console:

  • Make sure that critical data is not output to the serial console.
  • If SSH access to the serial console is enabled, make sure that both the credentials management routine and the password used to log in to the operating system locally are as per the regulatory standards. For example, in an infrastructure for storing payment card data, passwords must meet the PCI DSS requirements: they must contain both letters and numbers, be at least 7 characters long, and be changed at least once every 90 days.
  • It is not recommend using access to the serial console unless it is absolutely necessary.

Evaluate the risk of enabling access through the serial console, considering the following factors:

  • The VM will be accessible for management from the internet even if there is no external IP address.
  • A user successfully authenticated in the Yandex Cloud management console with appropriate VM permissions will be able to access the VM's serial console from the Yandex Cloud management console. Access to the VM's serial console from an SSH client (e.g., Putty) or CLI is also possible by authenticating via an SSH key. Therefore, it is necessary to carefully control the SSH key and terminate the web session to reduce the risks of its interception.
  • The session will be available simultaneously to all users who have the right to access the serial console.
  • Actions of one user will be visible to other users if they are viewing the serial console output at the same time.
  • An unfinished session can be used by another user.

We recommend enabling the serial console only in case of extreme necessity, granting such access to a narrow circle of people, and using strong passwords to access the VM.

Do not forget to disable access after working with the serial console.

Guides and solutions

Guides and solutions to use:

Identity federation (single sign-on, SSO) is configured

kind

severity

ID

manual

medium

access.uses-federation

Description

For the purpose of centralized account management, use SAML-compatible identity federations. By using identity federations, a company can set up Single Sign-On, which is authentication in Yandex Cloud via their IdP server. With this approach, employees can use their corporate accounts that are subject to the company's security policies, such as:

  • Revoking and blocking accounts.
  • Password policies.
  • Limiting the number of unsuccessful login attempts.
  • Blocking access sessions upon expiry of a preset user's idle time.
  • Two-factor authentication.

Yandex Identity Hub is a single service for managing the organizational structure, setting up integration with the employee catalog, and differentiating user access to the organization's cloud resources.

Tip

Use federated accounts instead of Yandex ID accounts whenever possible. Keep in mind that there is a separate role, organization-manager.federations.admin, you can use to manage a federation.

To make sure all authentication requests from Yandex Cloud contain a digital signature, enable the Sign authentication requests option. To complete the configuration, download and install a Yandex Cloud certificate. You can download the certificate in the Sign authentication requests field immediately after creating a federation.

Guides and solutions

Guides and solutions to use:

Vulnerability scanning is performed at the cloud IP level

kind

severity

ID

manual

medium

active.ip-vulnerability-scan

Description

Manual check

If a periodic scan of the outer perimeter is performed, mark the rule as completed.

We recommend that customers should scan their hosts for vulnerabilities by themselves. Cloud resources support the installation of custom virtual images of vulnerability scanners or software agents on hosts. There are many paid and free scanning solutions on the market.

Network scanners scan hosts that are accessible over a network. Generally, authentication can be configured on network scanners.

Examples of free network scanners:

Example of a free scanner operating as an agent on hosts: Wazuh. Wazuh can also be used as a host-based intrusion detection system (IDS).

You can also use a solution from Cloud Marketplace.

Guides and solutions

Guides and solutions to use:

In Yandex Application Load Balancer, HTTPS is used

kind

severity

ID

automatic

high

appsec.alb-https

Description

Automatic verification

This control automatically checks for HTTPS listener settings on Application Load Balancer.

Application Load Balancer service supports an HTTPS listener with loading a certificate from Certificate Manager. See the listener configuration description in the Yandex Application Load Balancer documentation.

Guides and solutions

Yandex API Gateway uses HTTPS and its own domain

kind

severity

ID

automatic

medium

appsec.api-gateway-https

Description

Automatic verification

This control automatically checks for HTTPS configuration and custom domain setup on API Gateways.

API Gateway supports secure connections over HTTPS. You can link your own domain and upload your own security certificate to access your API gateway over HTTPS.

Guides and solutions

Guides and solutions to use:

  • In the management console, select the cloud or folder to enable domains and certificates in.
  • In the list of services, select API Gateway → Gateway settings → Domains.
  • Enable the domains and certificates.

Yandex Cloud CDN uses HTTPS and its own SSL certificate

kind

severity

ID

automatic

low

appsec.cdn-https

Description

Automatic verification

This control automatically checks for HTTPS configuration and SSL certificates on CDN resources.

Cloud CDN supports secure connections to origins over HTTPS. You can also upload your own security certificate to access your CDN resource over HTTPS.

Guides and solutions

Guides and solutions to use:

Application DDoS protection is enabled (L7)

kind

severity

ID

automatic

high

appsec.ddos-protection.l7

Description

Automatic verification

This control automatically checks Smart Web Security security profiles for ALB.

Manual verification

If an external DDoS protection software is used, please change the status manually.

Yandex Cloud provides basic and advanced DDoS protection as well as protection at the application level with Yandex Smart Web Security. Make sure to use at least basic protection.

Yandex Smart Web Security is a service for protection against DDoS attacks and bots at application level L7 of the OSI model. Smart Web Security connects to Yandex Application Load Balancer. In a nutshell, the service checks the HTTP requests sent to the protected resource against the rules configured in the security profile. Depending on the results of the check, the requests are forwarded to the protected resource, blocked, or sent to Yandex SmartCaptcha for additional verification.

Yandex DDoS Protection is a Virtual Private Cloud component that safeguards cloud resources from DDoS attacks. DDoS Protection is provided in partnership with Curator. You can enable it yourself for an external IP address through cloud administration tools. Supported up to OSI L4.

Advanced DDoS protection is available at OSI layers 3, 4, and 7. You can also track load and attack metrics and enable Solidwall WAF in your Curator account. To enable advanced protection, contact your manager or technical support.

Guides and solutions

Guides and solutions to use:

Docker images are scanned when uploaded to Container Registry

kind

severity

ID

automatic

high

appsec.periodic-scan

Description

Automatic verification

This control automatically checks for Docker image scanning policies in Container Registry.

When creating a new registry, use the default options to make sure it meets the Yandex Cloud security standard:

  • Docker images are automatically scanned as they are uploaded to the registry.

  • Docker images in the registry are regularly re-scanned, i.e., every 7 days with an option to switch to daily scanning in the settings.

How to manually check rule:

  1. In the management console, select the folder the registry with Docker images belongs to.

  2. Select the appropriate registry in Container Registry.

  3. Navigate to the Vulnerability scanner tab and click Edit settings.

  4. Make sure that scheduled Docker image scans are enabled with a frequency of at least once a week.

Guides and solutions

Guides and solutions to use:

When creating a registry in Yandex Container Registry, keep the safe registry settings by default

kind

severity

ID

automatic

medium

appsec.upload-policy

Description

Automatic verification

This control automatically checks for safe default settings in Container Registry configurations.

When creating a new registry, use the default options to make sure it meets the Yandex Cloud security standard:

  • Docker images are automatically scanned as they are uploaded to the registry.

  • Docker images in the registry are regularly re-scanned, i.e., every 7 days with an option to switch to daily scanning in the settings.

Guides and solutions

Guides and solutions to use:

  • In the management console, select the folder where you want to create a registry.
  • In the list of services, select Container Registry.
  • Click Create registry.
  • In the Name field, enter a name for the registry. The naming requirements are as follows:
    • It must be from 2 to 63 characters long.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.
  • Under Automatic scanning:
    • Keep Scan Docker images on push enabled to scan Docker images at their upload to the repository.
    • Keep Scan all Docker images in the registry enabled. Adjust the scanning frequency if you need to.
  • Click Create registry.

Advanced rate limiter is implemented

kind

severity

ID

automatic

medium

appsec.use-arl

Description

Automatic verification

This control automatically checks for Advanced Rate Limiter configuration.

Manual Check

This rule checks only the built-in information security features in Yandex Cloud. If an applied protection is used, please manually mark the rule as completed.

Advanced Rate Limiter (ARL) is a Yandex Smart Web Security module used to monitor and limit web app loads. It allows you to set a limit on the number of HTTP requests over a certain period of time. All requests above the limit will get blocked. You can set a single limit for all traffic or configure specific limits to segment requests by certain parameters. For the purpose of limits, you can count requests one by one or group them together based on specified property.

You need to connect your ARL profile to the security profile in Smart Web Security.

Guides and solutions

Guides and solutions to use:

Yandex SmartCaptcha is used

kind

severity

ID

automatic

low

appsec.use-smartcaptcha

Description

Automatic verification

This control automatically checks for Yandex SmartCaptcha usage in applications.

To mitigate the risks associated with automated attacks on applications, we recommend using Yandex SmartCaptcha. The service checks user requests with its ML algorithms and only shows challenges to those users whose requests it considers suspicious. You do not have to place the "I'm not a robot" button on the page.

Guides and solutions

Guides and solutions to use:

Yandex Smart Web Security profile is used

kind

severity

ID

automatic

high

appsec.use-sws

Description

Automatic verification

This control automatically checks for Yandex Smart Web Security profile configuration.

Yandex Smart Web Security protects you against DDoS attacks, web attacks, and bots at application level L7 of the OSI model. Smart Web Security connects to Yandex Application Load Balancer.

In a nutshell, the service checks the HTTP requests sent to the protected resource against the rules configured in the security profile. Depending on the results of the check, the requests are forwarded to the protected resource, blocked, or sent to Yandex SmartCaptcha for additional verification.

Manual Check

This rule checks only the built-in information security features in Yandex Cloud. If an applied protection is used, please manually mark the rule as completed.

Guides and solutions

Guides and solutions to use:

Web application firewall is implemented

kind

severity

ID

automatic

medium

appsec.use-waf

Description

Automatic verification

This control automatically checks for Web Application Firewall configuration.

Manual Check

This rule checks only the built-in information security features in Yandex Cloud. If an applied protection is used, please manually mark the rule as completed.

To mitigate risks associated with web attacks, we recommend using the Yandex Smart Web Security web application firewall (WAF). A web application firewall analyzes HTTP requests to a web app according to pre-configured rules. Based on the analysis results, certain actions are applied to HTTP requests.

You can manage the web application firewall using a WAF profile that connects to a security profile in Smart Web Security as a separate rule.

Guides and solutions

Guides and solutions to use:

Cloud Backup or scheduled snapshots are used

kind

severity

ID

automatic

high

compute.snapshot

Description

Automatic verification

This control automatically checks for backup and snapshot configurations on virtual machines.

Make sure to back up all VMs in your organization using one of these options:

  • Scheduled snapshots
  • Cloud Backup

Performing a check in the management console:

  1. In the management console, select the cloud or folder to check the VMs in.
  2. In the list of services, select Compute Cloud.
  3. Make sure that the scheduled snapshot policy is set up on the VMs.
  4. In the list of services, select Cloud Backup.
  5. Make sure that it is enabled.

Guides and solutions

Guides and solutions to use:

The Yandex Certificate Manager certificate is valid for at least 30 days

kind

severity

ID

automatic

medium

crypto.certificate-validity

Description

Automatic verification

This control automatically checks certificate validity periods in Yandex Certificate Manager.

You can use Yandex Certificate Manager to manage TLS certificates for your API gateways in the API Gateway, as well as your websites and buckets in Object Storage. Application Load Balancer is integrated with Certificate Manager for storing and installing certificates. We recommend that you use Certificate Manager to obtain your certificates and rotate them automatically.

When using TLS in your application, we recommend that you limit the list of your trusted root certificate authorities (root CA).

When using certificate pinning, keep in mind that Let's Encrypt certificates are valid for 90 days.

Guides and solutions

Data encryption at the application level is used

kind

severity

ID

manual

medium

crypto.data.application-encryption

Description

Manual check

If client-side encryption is implemented, mark the rule as completed.

For client-side encryption before uploading data to a Yandex Object Storage bucket, you can use the following approaches:

  • Integrating Object Storage with the Key Management Service service for client-side encryption. For more information, see "Recommended cryptographic libraries".

  • Using third-party client-side encryption libraries prior to sending data to Object Storage. If you use third-party data encryption libraries and your own key management methods, make sure your operation scheme, algorithms, and key lenghts comply with regulatory requirements.

Guides and solutions

For client-side encryption, we recommend that you use the following libraries:

For a comparison of libraries, see the KMS documentation, Which encryption method should I choose?: https://yandex.cloud/en/docs/kms/tutorials/encrypt

Deletion protection is enabled for KMS keys

kind

severity

ID

automatic

high

crypto.keys-deletion-protection

Description

Automatic verification

This control automatically checks for deletion protection settings on KMS keys.

Deleting a KMS key always means destroying data. Therefore, make sure to protect the keys against accidental deletion. KMS has the necessary feature.

Guides and solutions

The Key Management Service keys are stored in the hardware Security module(HSM)

kind

severity

ID

manual

medium

crypto.keys-hsm

Description

Manual check

This rule requires manual verification of HSM key storage settings.

In production environments, we recommend using separate keys whose every cryptographic operation will only be handled inside a HSM. For more information, see Hardware security module (HSM) https://yandex.cloud/en/docs/kms/concepts/hsm.

To use the HSM, when creating a key, select AES-256 HSM as the algorithm type. The HSM will handle all operations with this key internally, and no additional actions are required.

It is recommended to use HSMs for KMS keys to enhance the security level.

Guides and solutions

Key rotation is enabled for KMS keys

kind

severity

ID

automatic

high

crypto.keys-rotation

Description

Automatic verification

This control automatically checks for key rotation settings on KMS keys.

To improve the security of your infrastructure, we recommend that you categorize your encryption keys into two groups:

  • Keys for services that process critical data but do not store it, such as Message Queue or Cloud Functions.

  • Keys for services storing critical data, e.g., Managed Services for Databases.

For the first group, we recommend that you set up automatic key rotation with a rotation period longer than the data processing period in these services. When the rotation period expires, the old key versions must be deleted. In the case of automatic rotation and the deletion of old key versions, previously processed data cannot be restored and decrypted.

For data storage services, we recommend that you either manually rotate keys or use automatic key rotation, depending on your internal procedures for processing critical data.

A secure value for AES-GCM mode is encryption using 4294967296 (= 232) blocks. Having reached this number of encrypted blocks, you need to create a new DEK version. For more information about the AES-GCM operating mode, see the NIST materials.

Note

Destroying any version of a key means destroying all data encrypted with it. You can protect a key against deletion by setting the deletionProtection parameter. However, it does not protect against deleting individual versions.

For more information about key rotation, see the KMS documentation, Key version.

Guides and solutions

Encryption of disks and virtual machine snapshots is used

kind

severity

ID

manual

medium

crypto.managed-vm-kms

Description

Manual check

This rule requires manual verification of disk encryption settings.

By default, all data on Yandex Compute Cloud disks is encrypted at the storage database level using a system key. This protects your data from being compromised in the event of a physical theft of disks from Yandex Cloud data centers.

We also recommend encrypting disks and disk snapshots using Yandex Key Management Service custom symmetric keys. This approach allows you to:

  • Protect against the potential threats of data isolation breach and compromise at the virtual infrastructure level.

  • Control the encryption and lifecycle of KMS keys, as well as manage them. For more information, see Key management.

  • Improve access control to the data on your disk by setting permissions for KMS keys. For more information, see Configuring access permissions for a symmetric encryption key.

  • Use Yandex Audit Trails to track encryption and decryption operations performed using your KMS key. For more information, see Key usage audit.

You can encrypt the following types of disks:

  • Network SSD (network-ssd)
  • Network HDD (network-hdd)
  • Non-replicated SSD (network-ssd-nonreplicated)
  • Ultra-fast network storage with three replicas (SSD) (network-ssd-io-m3)

Guides and solutions

Service account keys are rotated on a regular basis

kind

severity

ID

automatic

high

crypto.sa-key-rotation

Description

Yandex Cloud allows you to create the following access keys for service accounts:

It is recommended to rotate keys with unlimited validity yourself: delete and generate new ones. You can check out the date when a key was created in its properties. Perform key rotation at least once in 90 days.

This control checks the last update date. In cases where it is impossible to determine the last update date (for example, when starting CSPM for the first time), it is recommended that the control is performed manually.

Guides and solutions

Follow the guide for rotating keys depending on their type.

Use secret encryption for Container Optimized Image

kind

severity

ID

automatic

high

crypto.secrets-coi

Description

Automatic verification

This control automatically checks for secret encryption in Container Optimized Image configurations.

KMS supports the encryption of secrets used in a Terraform configuration, e.g., for transferring secrets to a VM in encrypted form. See Encrypting secrets in Hashicorp Terraform in the KMS documentation. It is not safe to openly provide secrets through environment variables, because they are displayed in the VM properties.

Guides and solutions

The organization uses Yandex Lockbox for secure secret storage

kind

severity

ID

automatic

low

crypto.secrets-lockbox

Description

Automatic verification

This control automatically checks for the use of Yandex Lockbox for secret storage.

Critical data and access secrets (authentication tokens, API keys, and encryption keys, etc.) should not be used in plain text in code, cloud object names and descriptions, VM metadata, etc. Use secret storage services instead, e.g., Lockbox.

Lockbox securely stores secrets in an encrypted form only. Encryption is performed using KMS. For secret access control, use service roles.

Note

When working in Terraform, we recommend using a script to fill in the contents of a secret. This ensures that its contents do not remain in the .tfstate file.

Guides and solutions

Lockbox secrets are used for Serverless Containers and Cloud Functions

kind

severity

ID

automatic

medium

crypto.secrets-serverless

Description

Automatic verification

This control automatically checks for the use of Lockbox secrets in serverless functions and containers.

When working with Serverless Containers or Cloud Functions, it is often necessary to use a secret (such as a token or password).

If you specify secret information in environment variables, it can be viewed by any cloud user with permissions to view and use a function, which causes information security risks.

We recommend using Serverless integration with Lockbox for that. You can use a specific secret from Yandex Lockbox and a service account with access rights to this secret to use it in a function or container.

Make sure that the secrets are used as described above.

Guides and solutions

At-rest encryption with a KMS key is enabled in Yandex Object Storage

kind

severity

ID

automatic

medium

data.object-storage-encryption

Description

Automatic verification

This control automatically checks for encryption settings on Object Storage buckets.

To protect critical data in Yandex Object Storage, we recommend using bucket server-side encryption with Yandex Key Management Service keys. This encryption method protects against accidental or intentional publication of the bucket content on the web. For more information, see Encryption in the Object Storage documentation.

Guides and solutions

HTTPS for static website hosting is enabled in Yandex Object Storage

kind

severity

ID

automatic

high

data.storage-https

Description

Automatic verification

This control automatically checks for HTTPS settings on Object Storage static websites.

Object Storage supports secure connections over HTTPS. You can upload your own security certificate if a connection to your Object Storage website requires HTTPS access. Integration with Certificate Manager is also supported. See the instructions in the Object Storage documentation:

When using Object Storage, make sure that support for TLS protocols below version 1.2 is disabled at the client level. Use the aws:securetransport bucket policy to make sure running without TLS is disabled for the bucket.

Guides and solutions

Deletion protection is enabled

kind

severity

ID

automatic

low

db.db-deletion-protection

Description

Automatic verification

This control automatically checks for deletion protection on managed database clusters.

In Yandex Cloud managed databases, you can enable deletion protection. The deletion protection feature safeguards the cluster against accidental deletion by a user. Even with cluster deletion protection enabled, one can still connect to the cluster manually and delete the data.

Guides and solutions

  1. In the management console, select the cloud or folder to enable deletion protection in.
  2. In the list of services, select a service or services with managed databases.
  3. In the object settings, go to the Advanced settings tab.
  4. In the object parameters, enable Deletion protection.

Audit log collection for Kubernetes is set up for incident investigation

kind

severity

ID

manual

high

k8s.audit-logs

Description

Manual check

This rule requires manual verification of Kubernetes audit log collection configuration.

Events available to the user in the Managed Service for Kubernetes service can be classified as levels:

  • Kubernetes API events (Kubernetes audit logging)
  • Kubernetes node events
  • Kubernetes pod events
  • Kubernetes metrics
  • Kubernetes flow logs

In Managed Service for Kubernetes, you can audit the current role model used in the service. To do this, open the Kubernetes cluster page in the management console, and go to the Access management tab.

You can also use:

Guides and solutions

Kubernetes backup is configured

kind

severity

ID

manual

high

k8s.backup

Description

Manual check

This rule requires manual verification of Kubernetes backup configuration.

To ensure continuous operation and data protection, we recommend using backups in Managed Service for Kubernetes. With backups, you can quickly recover the service without experiencing any data or time loss in the wake of a malfunction or accident. The Yandex Cloud infrastructure provides secure storage and replication for data in Kubernetes clusters. However, you can back up data from Kubernetes cluster node groups at any time and store them in Yandex Object Storage or other types of storage.

Guides and solutions

Managed Service for Kubernetes uses secure configuration

kind

severity

ID

manual

medium

k8s.kubernetes-safe-config

Description

Manual check

Please check if you have implemented controls for node group settings.

In Managed Service for Kubernetes, the user is fully in control of all node group settings, but only partially in control of the master settings. The user is responsible for the whole cluster's security.

The CIS Kubernetes Benchmark standard is designed to build a secure Kubernetes configuration, including node configurations. In Yandex Cloud, the Kubernetes node groups are deployed by default with the configuration that complies with CIS Kubernetes Benchmark.

Guides and solutions

  • Using the kube-bench tool, check whether the node group configuration is compliant with CIS Kubernetes Benchmark. The tool officially supports the Yandex Cloud node groups.
  • Starboard Operator is a free tool that helps you automate scanning of images for vulnerabilities and checking that the configuration is compliant with CIS Kubernetes Benchmark. Starboard Operator supports integration with kube-bench and is used for its automatic startup.

One of the three latest Kubernetes versions is used, updates are monitored

kind

severity

ID

manual

medium

k8s.version-update

Description

Manual check

This rule requires manual verification of Kubernetes version and update monitoring.

For Kubernetes, both automatic and manual updates are available for clusters and node groups. You can request a manual update of the Kubernetes cluster or its nodes to the latest supported version at any time. Manual updates bypass any configured maintenance windows and maintenance exceptions. Kubernetes issues updates in a regular manner. To meet the Information Security standards:

  • Select a relevant update channel and enable either automatic installation of updates, or manual installation immediately after publication in the selected channel.

  • Check that the update settings meet the Information Security standards.

  • Use one of the three latest Kubernetes versions, because updates (including security updates) are only released for these versions.

Guides and solutions

A security group is assigned in managed databases

kind

severity

ID

automatic

high

network.db-ip

Description

Automatic verification

This control automatically checks for security group assignment on managed database clusters.

We recommend prohibiting internet access to databases that contain critical data, in particular PCI DSS data or private data. Configure security groups to only allow connections to the DBMS from particular IP addresses. To do this, follow the steps in Creating a security group. You can specify a security group in the cluster settings or when creating the cluster in the network settings section.

Guides and solutions

No public IP address is assigned in managed databases

kind

severity

ID

automatic

medium

network.db-security-group

Description

Automatic verification

This control automatically checks for public IP address assignment on managed database clusters.

Assigning a public IP to a managed database raises information security risks. We do not recommend assigning an external IP unless it is absolutely necessary.

Remove public access if it is not required.

Guides and solutions

Network DDoS protection is enabled (L3)

kind

severity

ID

automatic

high

network.ddos-protection.l3

Description

Automatic verification

This control automatically checks for DDoS protection at the network level (L3).

Manual verification

If an external DDoS protection software is used, please change the status manually.

Yandex Cloud provides basic and advanced DDoS protection as well as protection at the application level with Yandex Smart Web Security. Make sure to use at least basic protection.

Yandex Smart Web Security (SWS) is a service for protection against DDoS attacks and bots at application level L7 of the OSI model. SWS connects to Yandex Application Load Balancer. The service validates HTTP requests to the protected resource against rules configured in the security profile. Depending on results, requests are forwarded, blocked, or sent to Yandex SmartCaptcha.

Yandex DDoS Protection is a Virtual Private Cloud component that safeguards cloud resources from DDoS attacks. DDoS Protection is provided in partnership with Curator. You can enable it yourself for an external IP address through cloud administration tools. Supported up to OSI L4.

Advanced DDoS protection is available at OSI layers 3, 4, and 7. You can also track load and attack metrics and enable Solidwall WAF in your Curator account. To enable advanced protection, contact your manager or technical support.

Guides and solutions

Cloud resources are protected by a firewall or security groups

kind

severity

ID

automatic

high

network.firewall

Description

Automatic verification

This control automatically checks security groups availability for the following types of resources:
enum <resource-type>

Manual verification

This rule requires manual check. After checking and update, please change the rule status.

With built-in security groups, you can manage VM access to resources and security groups in Yandex Cloud or resources on the internet. A security group is a set of rules for incoming and outgoing traffic that can be assigned to a VM's network interface. Security groups work like a stateful firewall: they monitor the status of sessions and, if a rule allows a session to be created, they automatically allow response traffic. For a guide on how to set up security groups, see Creating a security group. You can specify a security group in the VM settings.

You can use security groups to protect:

You can manage network access without security groups, e.g., by using a separate VM as a firewall based on an NGFW image from Yandex Cloud Marketplace or a custom image. Using the NGFW can be critical to customers if they need the following features:

  • Logging network connections.
  • Streaming traffic analysis for malicious content.
  • Detecting network attacks by signature.
  • Other features of conventional NGFW solutions.

Make sure that your clouds use any of the following:

Guides and solutions

Security groups have no access rule that is too broad

kind

severity

ID

automatic

high

network.network-firewall-scope

Description

Automatic verification

This control automatically checks security groups for overly broad access rules.

A security group lets you grant network access to absolutely any IP address on the internet as well as across all port ranges. A dangerous rule looks as follows:

  • Port range: 0 to 65535 or empty.
  • Protocol: Any or TCP/UDP.
  • Source: CIDR.
  • CIDR blocks: 0.0.0.0/0 (access from any IP address) or ::/0 (ipv6).

Warning

If no port range is set, it is considered that access is granted across all ports (0-65535).

Make sure to only allow access through the ports that your application requires to run and from the IPs to connect to your objects from.

Guides and solutions

In Virtual Private Cloud, a security group is created; the default security group is not used

kind

severity

ID

automatic

medium

network.network-firewall

Description

Automatic verification

This control automatically checks for the presence of custom security groups in VPC networks.

A security group (SG) is a resource created at the cloud network level. Once created, a security group can be used in Yandex Cloud services to control network access to an object it applies to.

A default security group (DSG) is created automatically while creating a new cloud network. The default security group has the following properties:

  • It will allow any network traffic, both egress and ingress, in the new cloud network.
  • It applies to traffic passing through all subnets in the network where the DSG is created.
  • It is only used if no security group is explicitly assigned to the object yet.
  • You cannot delete the DSG: it is deleted automatically when deleting the network.

The default security group is a convenient but insecure mechanism that automatically allows all network traffic (incoming and outgoing) for your network objects. While simplifying the initial setup, such openness creates significant risks:

  • Attackers can get access to resources through public interfaces.
  • Uncontrolled traffic makes your network more vulnerable to DDoS attacks and port scanning.
  • The DSG remains active until you assign another security group to the object.

We recommend you to create a security group of your own with rules explicitly allowing only the traffic you need (e.g., HTTP/HTTPS for web servers or SSH for administration) and assign this group to your cloud objects VMs, Kubernetes clusters, etc.) to override the DSG.

This is important because without your rules cloud resources remain open to all and any connections from the internet, whereas security groups of your own enable the principle of least privilege, thus reducing the attack surface.

You can combine security groups by assigning up to five groups per object for more flexible access control.

Guides and solutions

  • Create a security group in each Virtual Private Cloud with restricted access rules, so that it can be assigned to cloud objects.

DNS queries are not provided to third-party recursive resolvers

kind

severity

ID

manual

low

network.recursive-dns-resolvers

Description

Manual verification

This rule requires manual check. After auditing the required privileges, please change the rule status.

To increase fault tolerance, some traffic may be routed to third-party recursive resolvers. To avoid this, contact support

Guides and solutions

No public access to managed YDB

kind

severity

ID

automatic

low

network.ydb-public

Description

Automatic verification

This control automatically checks for public access settings on YDB clusters.

When accessing the database in dedicated mode, we recommend that you use it inside VPC and disable public access to it from the internet. In serverless mode, the database can be accessed from the internet. You must therefore take this into account when modeling threats to your infrastructure. For more information about the operating modes, see the Serverless and dedicated modes section in the Managed Service for YDB documentation.

When setting up database permissions, use the principle of least privilege.

Guides and solutions

  • For more information about the operating modes, see the Serverless and dedicated modes section in the Managed Service for YDB documentation
  • When setting up database permissions, use the principle of least privilege.

Audit logs are collected at the application level

kind

severity

ID

manual

medium

o11y.application-logs-audited

Description

Manual check

Make sure that audit logs from your virtual machines OS are collected and change the rule status.

Customers may collect events that occur at the level of applications deployed on Compute Cloud resources on their own. For example, save application logs to files and transfer them to a SIEM system using the tools listed in the subsection above.

Guides and solutions

  • Enable audit log collection in your unmanaged DBMS:
    • Enable logging of all authentication actions (successful and failed)
    • Activate logging of data modification operations (INSERT, UPDATE, DELETE)
    • Configure logging of schema modification operations (ALTER, CREATE, DROP)
    • Record permission and privilege changes
    • Configure events to track queries

Yandex Audit Trails is enabled at the organization level

kind

severity

ID

automatic

high

o11y.audit-trails

Description

Automatic verification

This control automatically checks for Yandex Audit Trails service configuration at the organization level.

The main tool for collecting Yandex Cloud level logs is Yandex Audit Trails. This service allows you to collect audit logs about events happening to Yandex Cloud resources and upload these logs to Yandex Object Storage buckets or Cloud Logging log groups for further analysis or export. For information on how to start collecting logs, see this guide.

Audit Trails audit logs may contain two types of events: management events and data events.

Management events are actions you take to configure Yandex Cloud resources, such as creating, updating, or deleting infrastructure components, users, or policies. Data events are updates and actions performed on data and resources within Yandex Cloud services. By default, Audit Trails does not log data events. You need to enable collection of data event audit logs individually for each supported service.

To learn more, see Comparing management and data event logs.

To collect metrics, analyze Yandex Cloud-level events, and set up notifications, we recommend using Yandex Monitoring. For example, it can help you track spikes in Compute Cloud workload, Application Load Balancer RPS, or significant changes in Identity and Access Management event statistics.

You can also use Monitoring to monitor the health of the Audit Trails service itself and track security events. You can export metrics to a SIEM system via the API, see this guide.

Solution: Monitoring Audit Trails and security events using Monitoring

You can export audit logs to Cloud Logging or Data Streams log group and to a customer's SIEM system to analyze information about events and incidents.

List of important Yandex Cloud-level events to search for in audit logs:

Solution: Searching for important security events in audit logs

Guides and solutions

  • You can enable Yandex Audit Trails at the folder, cloud, and organization level. We recommend enabling Yandex Audit Trails at the level of the entire organization. Thus you will be able to collect audit logs in a centralized manner, e.g., to a separate security cloud

Yandex Audit Trails events are exported to SIEM systems

kind

severity

ID

manual

medium

o11y.logs-exported-to-siem

Description

Manual check

Make sure that audit logs from Yandex Audit Trails are exported for analysis to a SIEM system or analyzed in the cloud using one of the available methods. and change the rule status.

Solutions for exporting Yandex Cloud audit logs are available for the following SIEM systems:

  • ArcSight: Collecting, monitoring, and analyzing audit logs in ArcSight SIEM

  • Splunk: Collecting, monitoring, and analyzing audit logs in Splunk SIEM

  • MaxPatrol SIEM: Collecting, monitoring, and analyzing audit logs in MaxPatrol SIEM

  • Wazuh: Collecting, monitoring, and analyzing audit logs in Wazuh

  • KUMA: Collecting, monitoring, and analyzing audit logs in KUMA

You can set up export to any SIEM using GeeseFS or s3fs. These utilities allow mounting a Yandex Object Storage bucket as a VM local disk. Next, you need to install a SIEM connector on the VM and configure reading JSON files from the bucket. You can also use utilities compatible with AWS Kinesis datastreams if sending audit logs to Yandex Data Streams.

If you have no SIEM, you can also analyze audit logs manually using Yandex Cloud event search in Yandex Query, Cloud Logging, or Object Storage.

Guides and solutions

  • You can set up export to any SIEM using GeeseFS or s3fs. These utilities allow mounting a Yandex Object Storage bucket as a VM local disk. Next, you need to install a SIEM connector on the VM and configure reading JSON files from the bucket. You can also use utilities compatible with AWS Kinesis datastreams if sending audit logs to Yandex Data Streams.

  • If you have no SIEM, you can also analyze audit logs manually using Yandex Cloud event search in Yandex Query, Cloud Logging, or Object Storage: https://yandex.cloud/en/docs/audit-trails/tutorials/search-events-audit-logs/

Audit logs are collected at the OS level

kind

severity

ID

manual

high

o11y.os-logs-audited

Description

Manual check

Make sure that audit logs from your virtual machines OS are collected and change the rule status.

When using IaaS cloud services and Kubernetes node groups, the customer is responsible for ensuring OS security and collecting OS-level events on their own.

Free tools for collecting standard OS-generated events and exporting them to the customer's SIEM system include:

  • Osquery
  • [Filebeat (ELK)(https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html)
  • Wazuh

Additional event generation options can be implemented using Auditd for Linux or Sysmon for Windows.

You can collect Linux system metrics (CPU, RAM, and disk space usage) with Unified Agent in Monitoring.

You can also export OS events to Cloud Logging using a Fluent Bit plugin or to Data Streams.

To describe events to be searched for in audit logs, we recommend using Sigma format, which is supported by popular SIEM systems. The Sigma repository contains a library of events described in this format.

To get the exact time of OS- and application-level events, configure clock synchronization by following this guide.

We additionally recommend to increase the logging level inside virtual machines to at least VERBOSE.

Guides and solutions

  • Free tools for collecting standard OS-generated events and exporting them to the customer's SIEM system include:
  • Additional event generation options can be implemented using Auditd for Linux or Sysmon for Windows
  • You can collect Linux system metrics with Unified Agent in Monitoring
  • You can also export OS events to Cloud Logging using a Fluent Bit plugin
  • To describe events to be searched for in audit logs, we recommend using Sigma format
  • To get the exact time of OS- and application-level events, configure clock synchronization
  • We additionally recommend to increase the logging level inside virtual machines to at least VERBOSE

There is a guide for cloud administrators on handling compromised secrets

kind

severity

ID

manual

information

procedure.admin-secrets-leak-mitigation

Description

Manual check

Please follow the recommendations and change the rule status.

In Yandex Cloud, the Secret Scanning Service is enabled for everyone by default.
It detects structured cloud secrets that are available in the public domain in the following sources:

  • Public GitHub repositories
  • Yandex search index
  • Helm charts in the Kubernetes marketplace

The following cloud secrets are detected:

  • Yandex Cloud Session Cookie
  • Yandex Cloud IAM token
  • Yandex Cloud API Key
  • Yandex Passport OAuth token
  • Yandex Cloud AWS API compatible Access Secret
  • Yandex Cloud SmartCaptcha Server Key
  • Lockbox structured secrets

The service automatically notifies a customer of any found secrets belonging to their infrastructure:

Guides and solutions

Contact information of the person in charge of your organization is valid

kind

severity

ID

manual

low

procedure.organization-contacts

Description

Manual verification

This rule requires manual check. After checking and update, please change the rule status.

When registering a cloud in Yandex Cloud, customers enter their contact information. For example, an email address is used for notifications about incidents, scheduled maintenance activities, and so on.

For instance, if abnormal activities in the customer's organization are detected on the cloud side or the IAM cloud keys get available in external GitHub repositories, the customer receives a notification. This feature is implemented thanks to Yandex Cloud participating in the Github Secret scanning partner program and analyzing secrets in Yandex search. If any keys are compromised in a public repository, delete the secret from the repository and its history, as well as revoke the keys.

Make sure the contact information is valid and messages are sent to multiple persons in charge from the specified email address.

Guides and solutions

Specify up-to-date contact information using the guide.

Integrity control is in place

kind

severity

ID

manual

low

runtime.vm-environment-integrity

Description

Manual verification

Collect data about using integrity control from different points. Make sure that critical VMs have identity documents signed. Please change the status manually.

File integrity control

Numerous information security standards require integrity control of critical files. To do this, you can use free host-based solutions:

Paid solutions are also available in Yandex Cloud marketplace, such as Kaspersky Security.

VM runtime environment integrity control

If you need to control a VM runtime environment (e.g., for access from the VM to a secure repository only when run in the Yandex Cloud CLI cloud), there is the identity document mechanism. When you create a VM, an identity document that stores information about the VM is generated. It contains the IDs of the VM, Yandex Cloud Marketplace product, disk image, etc. This document is signed with a Yandex Cloud certificate. The document and its signature are available to VM processes through the metadata service. Thus, the processes identify the VM runtime environment, disk image, etc., to restrict access to the resources under monitoring.

Guides and solutions

  • Collect data about using the Terraform best security practices from different points.
Previous
All Rules
Next
Authentication