Authentication and authorization security checklist

Written by
Yandex Cloud
Updated at May 19, 2026
  • Accounts
  • Roles and resources
  • Service accounts
  • Secrets

This section provides recommendations for protecting authentication, authorization, and access to Yandex Cloud resources.

Accounts

✓ Protect your Yandex accounts:

  • Enable two-factor authentication for your Yandex ID and for user accounts within the organization.
  • Store your OAuth token in a secret. If the token has been compromised, revoke it and issue a new one. Where possible, use an IAM token instead: an IAM token is valid for 12 hours, whereas an OAuth token is valid for one year.

✓ Configure MFA for federated and local accounts: Enable multi-factor authentication (MFA) for federated and local accounts and set requirements in MFA policies.

✓ Use an identity federation: Configure a SAML-compatible identity federation to allow your employees to log in to Yandex Cloud using external corporate accounts.

✓ Use user pools for local accounts: User pools allow you to manage local users, domains, access permissions, and authentication settings in a centralized way.

✓ Configure SSO for external systems: Use Yandex Identity Hub applications if you want Yandex Cloud to act as an identity provider (IdP) for external services.

Roles and resources

✓ Adhere to the least privilege principle: Assign service roles instead of primitive ones and grant only those permissions that are currently required. Keep role inheritance in mind and assign the administrator, owner, and editor roles only to those users who really need them.

✓ Use access policies: Manage permissions for operations in a folder, cloud, or organization for all subject types using access policies.

✓ Assign auditor where data access is not required: This role suits, for example, external contractors and auditors, and helps you observe the least privilege principle.

✓ Protect privileged roles: Assign these roles to federated or local accounts, not to Yandex accounts. This way, you can apply MFA and achieve centralized access management.

  • Limit the use of billing.accounts.owner: Use this role only for initial setup and occasional changes. For day-to-day billing account management, assign the admin, editor, or viewer role to an employee. For a Yandex ID with the billing.accounts.owner role, enable 2FA, set a complex password, and use it only if you have to.

  • Protect organization-manager.organizations.owner: Delegate the role to a federated or local account, then delete the Yandex account with this role from your organization. To protect your reserved Yandex ID, use a complex password and log in only if the federation operates abnormally. See the steps in Deleting a Yandex account from an organization.

✓ Audit access permissions on a regular basis: Check permissions of users and service accounts using CIEM or the Yandex Cloud CLI, revoke excessive roles, and block or delete unused accounts that are over 30 days old.

✓ Use a correct resource model:

  • Group resources by purpose and place them in separate folders or, for stricter isolation, separate clouds.
  • Isolate critical resources (e.g., related to payment or personal data) in separate folders or clouds.
  • Place shared resources (e.g., network and security groups) in a separate folder for shared resources.

Service accounts

✓ Use service accounts for automation: You can check the date and time of the last authentication on the service account page in the management console.

✓ Create separate service accounts for different tasks: This makes it easier to limit roles and revoke access without affecting other processes.

✓ Use impersonation where possible: Impersonation allows you to temporarily act under a service account without generating static credentials.

✓ Use IAM tokens: An IAM token is valid for 12 hours and, therefore, is more secure than long-lived keys. Compromised or excessive tokens should be revoked. For more on issuing a token, see this guide.

✓ Control the use of keys: On the service account page in the management console, track the date and time of the last use of the keys and delete unused ones.

✓ Limit scopes and validity periods of API keys: Create keys only with required scopes and minimum validity periods.

✓ Rotate service account keys regularly: Authorized keys and static access keys that have no validity period must be rotated manually at least every 90 days. Consider using ephemeral keys or a secure token service to access Object Storage.
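To make the 90-day rotation rule and the regular permission audit above checkable, here is an added example (not Yandex Cloud's own code) that flags overdue keys. The key list is a constructed sample whose JSON shape is assumed to resemble `yc iam key list --format json` output; key and service account IDs are hypothetical.

```python
"""Flag service account keys that are past the 90-day rotation deadline."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample input (hypothetical IDs, not real keys). The field names
# are assumed to match the JSON produced by the Yandex Cloud CLI key listing.
SAMPLE_KEYS_JSON = """
[
  {"id": "aje0000000000000key1", "service_account_id": "ajesa00000000000001",
   "created_at": "2025-11-01T10:00:00Z", "key_algorithm": "RSA_2048"},
  {"id": "aje0000000000000key2", "service_account_id": "ajesa00000000000001",
   "created_at": "2026-04-20T08:30:00Z", "key_algorithm": "RSA_2048"}
]
"""

MAX_KEY_AGE = timedelta(days=90)  # rotation interval recommended by the checklist


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; the CLI emits a trailing 'Z', which fromisoformat needs as +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(keys: list, now: datetime, max_age: timedelta = MAX_KEY_AGE) -> list:
    """Return keys older than max_age, oldest first, each annotated with its age in days."""
    result = []
    for key in keys:
        age = now - parse_rfc3339(key["created_at"])
        if age > max_age:
            result.append({**key, "age_days": age.days})
    return sorted(result, key=lambda k: k["age_days"], reverse=True)


def report(keys_json: str, now_rfc3339: str) -> list:
    """One line per key that must be rotated; an empty list means the account is compliant."""
    stale = stale_keys(json.loads(keys_json), parse_rfc3339(now_rfc3339))
    return [
        f"ROTATE {k['id']} (service account {k['service_account_id']}): {k['age_days']} days old"
        for k in stale
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for line in report(SAMPLE_KEYS_JSON, now):
        print(line)
```

In a real audit, replace the constructed sample with the CLI output for each service account and run the script from a scheduled job so that overdue keys surface before the deadline rather than after.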

✓ Use workload identity federations: Workload identity federations allow you to exchange tokens from external OIDC-compatible systems for IAM tokens without using long-lived credentials.

✓ Use ID tokens for external systems: You can use ID tokens to authenticate service accounts in external OIDC-compatible systems.

✓ Associate a service account with a virtual machine for operations from within the VM: This way, you will not need to store keys on the VM, and the IAM token will be available via the metadata service.
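The metadata-service flow from the last item, as an added example that is not part of the original checklist: a small token source that fetches the IAM token from the VM's metadata endpoint and caches it until shortly before the 12-hour expiry, so no key is ever written to the VM. The endpoint path and `Metadata-Flavor: Google` header are the ones documented for Yandex Cloud Compute; the response fields `access_token`, `expires_in` and `token_type` are assumed, and `FakeMetadataService` is a constructed offline stand-in.

```python
"""IAM token from the VM metadata service, cached and refreshed before expiry."""
import json
import time
import urllib.request

# Documented Yandex Cloud Compute endpoint (Google-compatible metadata service).
METADATA_TOKEN_URL = ("http://169.254.169.254/computeMetadata/v1/"
                      "instance/service-accounts/default/token")


def default_http_get(url: str) -> bytes:
    """Real request: only works on a VM with a linked service account."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read()


class MetadataTokenSource:
    """Caches the token and re-fetches it within refresh_margin seconds of expiry."""

    def __init__(self, http_get=default_http_get, clock=time.time, refresh_margin=300):
        self._http_get, self._clock, self._margin = http_get, clock, refresh_margin
        self._token, self._expires_at = None, 0.0

    def token(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            self._refresh()
        return self._token

    def _refresh(self) -> None:
        body = json.loads(self._http_get(METADATA_TOKEN_URL))
        if body.get("token_type", "Bearer") != "Bearer":  # field assumed; reject anything unexpected
            raise ValueError(f"unexpected token_type {body.get('token_type')!r}")
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])

    def auth_header(self) -> dict:
        """Header to send to Yandex Cloud APIs; the token itself never touches disk."""
        return {"Authorization": f"Bearer {self.token()}"}


class FakeMetadataService:
    """Constructed stand-in for offline use; returns hypothetical tokens and counts fetches."""

    def __init__(self):
        self.calls = 0

    def get(self, url: str) -> bytes:
        if url != METADATA_TOKEN_URL:
            raise ValueError(f"unexpected metadata URL {url}")
        self.calls += 1
        return json.dumps({"access_token": f"constructed-token-{self.calls}",
                           "expires_in": 43200, "token_type": "Bearer"}).encode()
```

Passing `clock` and `http_get` explicitly is what makes the refresh logic testable without a VM; in production both defaults are used as-is.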

Secrets

✓ Track Yandex Cloud secrets in public sources: The service detects exposed API keys, IAM cookies, IAM tokens, static access keys, OAuth tokens, and Yandex SmartCaptcha server keys.

✓ Revoke publicly exposed secrets: Revoke and reissue them, check for unauthorized actions performed with them, delete any redundant resources, and report the incident to support.

✓ Store keys and tokens in Yandex Lockbox: Store them in Yandex Lockbox secrets and use the secret payload when accessing them.

✓ Use OS Login for centralized SSH access: OS Login enables you to manage access to VMs via Yandex Identity and Access Management and store SSH keys in Yandex Identity Hub profiles. To use the service, enable access at the organization level.
