Yandex Cloud infrastructure security standard 1.3.0
Introduction
This document provides recommendations for technical protection measures and helps you choose information security measures when deploying information systems in Yandex Cloud.
Yandex Cloud ensures the physical security of data centers. See a detailed description of its physical security measures. If critical data is transmitted outside Yandex Cloud, the customer is responsible for managing physical access at all data processing locations.
The recommendations and security measures described in the standard link to guides and solutions for configuring resources securely, using both the standard and the additional information security tools available to Yandex Cloud users.
The standard also describes different methods and tools for verifying recommendation compliance, such as:
- Using the management console UI
- Using the Yandex Cloud CLI
- Manually
Scope
The recommendations are designed for solution architects, technical specialists, and information security experts who use the following services when developing secure cloud systems and security policies to work with the cloud platform:
- Yandex Application Load Balancer
- Yandex Audit Trails
- Yandex Certificate Manager
- Yandex Cloud DNS
- Yandex Cloud Logging
- Yandex Cloud Organization
- Yandex Compute Cloud
- Yandex Container Registry
- Yandex Identity and Access Management (IAM)
- Yandex Key Management Service
- Yandex Lockbox
- Yandex Managed Service for ClickHouse®
- Yandex Managed Service for GitLab
- Yandex Managed Service for Kubernetes
- Yandex Managed Service for MongoDB
- Yandex Managed Service for MySQL®
- Yandex Managed Service for PostgreSQL
- Yandex Managed Service for Valkey™
- Yandex Managed Service for YDB
- Yandex Network Load Balancer
- Yandex Object Storage
- Yandex Resource Manager
- Yandex Smart Web Security
- Yandex SmartCaptcha
- Yandex Virtual Private Cloud
The standard can be used as the basis for developing company-specific recommendations. Not every information security measure or recommendation in this document applies to every system, and additional measures and recommendations not included in the current standard may be required.
Standard structure
The standard describes recommendations for the following security objectives:
- Authentication and access management
- Network security
- Secure configuration of a virtual environment
- Data encryption and key management
- Collecting, monitoring, and analyzing audit logs
- Backup
- Physical security
- Application security
- Kubernetes security
Requirements and preparation
Before you perform checks, make sure that:
- You have the YC CLI installed and set up according to the instructions.
- You have logged in to the management console.
- The jq utility is installed.
You can automate the audit of compliance with all the recommendations using available solutions from our partners:
- Neocat: Cloud security management product from Neoflex. It is deployed as an isolated installation within the customer's cloud perimeter, and no administrator privileges need to be granted to it.
- Cloud Advisor: Agentless platform that identifies and prioritizes cloud security risks, helps you reduce costs, ensure compliance with regulatory requirements, and manage your cloud infrastructure.
Responsibility limitation
Yandex Cloud follows the Shared responsibility model. Where the line between the customer's and the provider's security responsibilities is drawn depends on the services used by the system in the cloud, their usage model (infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS)), and the security tools and policies the cloud provider has in place.
Terms and abbreviations
This document uses the terms and definitions introduced in ISO/IEC 27000:2018 and ISO/IEC 29100:2011, as well as the terms from the Yandex Cloud .
ClickHouse® is a registered trademark of ClickHouse, Inc.