Yandex Cloud infrastructure security standard, version 1.4.2
Introduction
This document offers recommendations for means of technical protection and helps you choose adequate information security measures when deploying information systems in Yandex Cloud.
Yandex Cloud ensures the physical security of data centers. See a detailed description of its physical security measures. If critical data is transmitted outside Yandex Cloud, the customer is responsible for managing physical access at all data processing locations.
The recommendations and security measures mentioned in the standard come with links to the Guides and solutions for setting up secure resource configurations using standard and additional information security tools available to Yandex Cloud users.
The standard also describes the methods and means of verifying compliance with the recommendations, including:
- Management console UI
- Yandex Cloud CLI
- Manually
Scope
These recommendations are addressed to architects, technical specialists, and information security experts who employ the following services to develop protected cloud systems and security policies for the cloud platform:
- Yandex Application Load Balancer
- Yandex Audit Trails
- Yandex Certificate Manager
- Yandex Cloud DNS
- Yandex Cloud Logging
- Yandex Identity Hub
- Yandex Compute Cloud
- Yandex Container Registry
- Yandex Identity and Access Management (IAM)
- Yandex Key Management Service
- Yandex Lockbox
- Yandex Managed Service for ClickHouse®
- Yandex Managed Service for GitLab
- Yandex Managed Service for Kubernetes
- Yandex StoreDoc
- Yandex Managed Service for MySQL®
- Yandex Managed Service for PostgreSQL
- Yandex Managed Service for Valkey™
- Yandex Managed Service for YDB
- Yandex Network Load Balancer
- Yandex Object Storage
- Yandex Resource Manager
- Yandex Smart Web Security
- Yandex SmartCaptcha
- Yandex Virtual Private Cloud
The standard can be used as the basis for developing company-specific recommendations. Not all of the information security measures and recommendations from this document are applicable. Moreover, additional measures and recommendations that are not included in the current standard may be required.
Standard structure
The standard describes recommendations for the following security objectives:
- Authentication and access management
- Network security
- Secure virtual environment configuration.
- Data encryption and key management
- Collecting, monitoring, and analyzing audit logs
- Backup
- Physical security
- Application security
- Kubernetes security
Requirements and preparation
Before you perform checks, make sure that:
- You have the CLI is installed and configured according to this guide.
- You have logged in to the management console.
- The jq utility is installed.
You can automate the audit of compliance with all the recommendations using available solutions from our partners:
- Cloud Advisor: Agentless CNAPP that provides vulnerability scanning, malware detection, configuration auditing, asset inventory, and compliance validation for VMs and containers.
- Neocat: Cloud security management product by Neoflex. Operates as an isolated installation within the user's cloud perimeter and requires no administrator privileges.
Limitation of responsibility
Yandex Cloud uses the shared responsibility concept. Where the lines are drawn for who is responsible for security depends on the services used by the system in the cloud, their usage model, i.e., infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), and the security tools and policies the cloud provider has in place.
Terms and abbreviations
This document uses the terms and definitions introduced in ISO/IEC 27000:2018 and ISO/IEC 29100:2011.
IDs
Each check has an ID in the following format: ID:IAM1. These IDs are used to create links to standard sections for use in Cloud Security Posture Management (CSPM) tools and do not contain any other information.
ClickHouse® is a registered trademark of ClickHouse, Inc.