IaaS security checklist
VM security
✓ Disable the serial console: Do not use the serial console; if you still have to, evaluate your risks and disable it as soon as you are done.
✓ Disable password authentication: Password authentication in Yandex Cloud is disabled by default. Do not enable password-based access unless you have to.
✓ Connect via OS Login: Use OS Login to link your VM user account with the organization user account. To connect to a VM via OS Login, set up OS Login on a new or existing VM instead of the standard SSH connection.
✓ Use a benchmark image to deploy a VM: Prepare a VM image configured according to your organization's security policies and use this image to create VMs.
✓ Set up VM network interfaces: For a stable and reliable network, configure the network interfaces of every new VM, and of existing VMs while they are stopped: the subnet, the internal and public IP addresses, and the security groups. Learn more about security groups and other VM networking concepts in Network security.
For more information on how to set up a secure virtual environment and secure access management, see the respective sections of the Yandex Cloud security standard.
Managing vulnerabilities
✓ Software and OS updates: Install updates promptly, whether manually or with automated update tools.
✓ Automated vulnerability scanning: Use free network scanners, such as nmap, OpenVAS, OWASP ZAP, or host-based agents, such as Wazuh.
✓ Regular backups: Configure scheduled disk snapshots using Yandex Compute Cloud or automatic VM backups using Yandex Cloud Backup.
Network security
✓ Controlled use of public IP addresses: Follow our recommendations to minimize the use of public IP addresses and build a more stable infrastructure.
✓ Security groups: Group resources and restrict network access using security groups. Security groups allow you to:
- Set up access to your cloud infrastructure from trusted IP addresses only.
- Restrict traffic by protocols and other parameters defined in the rules.
✓ Web Application Firewall (WAF): WAF analyzes a web app's incoming HTTP requests according to pre-configured rules. Based on the analysis results, certain actions are applied to HTTP requests. Configure a WAF profile and connect it to your security profile in Yandex Smart Web Security.
✓ Secure remote access: Create a bastion VM to access the infrastructure over control protocols, e.g., SSH or RDP.
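The two items above (trusted source addresses only, admin protocols reachable only through a bastion) can be checked mechanically. The following audit is an added example, not Yandex Cloud code; the rule layout and the trusted range are constructed assumptions, so map them onto whatever your `yc` or Terraform output actually looks like.

```python
import ipaddress

# Administrative ports named on this checklist: SSH and RDP.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}

# Constructed sample rules in a simplified shape (an assumption, not the
# Yandex Cloud API format). `source` is either a CIDR or a security group
# reference of the form "sg:<name>", as used for the bastion pattern.
SAMPLE_RULES = [
    {"group": "bastion-sg", "direction": "ingress", "protocol": "TCP",
     "from_port": 22, "to_port": 22, "source": "203.0.113.0/24"},
    {"group": "app-sg", "direction": "ingress", "protocol": "TCP",
     "from_port": 22, "to_port": 22, "source": "sg:bastion-sg"},
    {"group": "legacy-sg", "direction": "ingress", "protocol": "TCP",
     "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"group": "legacy-sg", "direction": "ingress", "protocol": "ANY",
     "from_port": 0, "to_port": 65535, "source": "198.51.100.0/24"},
    {"group": "app-sg", "direction": "egress", "protocol": "ANY",
     "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
]

# Constructed placeholder for the organization's trusted office range.
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]


def source_is_trusted(source, trusted=TRUSTED):
    """A source is acceptable if it is another security group (e.g. the
    bastion's) or a CIDR fully contained in a trusted range."""
    if source.startswith("sg:"):
        return True
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def exposed_admin_ports(rule):
    """Admin ports covered by the rule's port range (TCP or ANY only)."""
    if rule["protocol"] not in ("TCP", "ANY"):
        return []
    return [p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"]]


def audit(rules, trusted=TRUSTED):
    """One finding per ingress rule exposing SSH/RDP to an untrusted source."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        ports = exposed_admin_ports(r)
        if ports and not source_is_trusted(r["source"], trusted):
            findings.append((r["group"], r["source"], [ADMIN_PORTS[p] for p in ports]))
    return findings
```

Run `audit(SAMPLE_RULES)` to get two findings, both against `legacy-sg`; the bastion-only rule on `app-sg` and the egress rule pass.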
✓ Outbound access (NAT): Use a NAT gateway for secure outbound internet access; the gateway translates your internal addresses to a shared public address pool. If outbound traffic must originate from an IP address pool you control, use a NAT instance (a dedicated VM) instead.
✓ DDoS protection: When assigning public IP addresses to cloud resources, use Yandex DDoS Protection (L4 DDoS protection). For L7 DDoS protection, use Smart Web Security.
See the example of implementing the architecture and protection for a basic internet service.
Learn more about secure network configuration and use in the respective section of the Yandex Cloud security standard.
Object Storage security
✓ Encryption: Enable bucket encryption (server-side encryption) for protection against accidental or intentional publication of bucket contents.
✓ Limiting access to your bucket:
- If possible, disable public access. To grant access to a specific object, generate a public link with a limited lifetime.
- For flexible configuration of access to a bucket, use IAM, Bucket Policy, or other mechanisms described in Access management methods in Object Storage: Overview. Use ACLs to configure access only as a last resort: if you grant public access to an object via an ACL, all other security checks are bypassed.
✓ Deletion protection: Configure an object lock to protect your data against deletion.
✓ Logging actions with a bucket: Set up logging of actions with a bucket and enable collection of the service's events in Yandex Audit Trails.
✓ Secure use of AWS-compatible tools: Configure storage access for AWS-compatible tools using static keys, and store those keys in a Yandex Lockbox secret.
✓ Cross-Origin Resource Sharing (CORS): Configure CORS in accordance with your company's security policies. If you are using the bucket to host a static website, enable HTTPS access using a Certificate Manager certificate.
✓ Secure Object Storage configuration: Learn more about secure Object Storage configuration and use in the respective section of the Yandex Cloud security standard.