Versions of Yandex Cloud infrastructure security standard

Changes in version 1.3.0Changes in version 1.3.0

Publication date: 08/04/24.

• Deleted 3.20 Side-channel attacks in Cloud Functions are addressed due to the minimum level of risk.

• Added the following items:

  • 2.7 Employees use Yandex Cloud Desktop for remote access.
  • 2.8 Secure Yandex Browser is used for remote access to Cloud Desktop.
  • 3.1 Antivirus protection is used.
  • 3.7 The corporate Yandex Cloud users have the Yandex Cloud Certified Security Specialist certification.
  • 3.29 Requirements for application protection in Yandex Container Registry are met.
  • 3.30 Privileged containers are not used in Yandex Container Solution.
  • 3.40 Access management in API Gateway is configured.
  • 3.41 Networking is configured in API Gateway.
  • 3.42 Recommendations for using custom domains are followed.
  • 3.43 Recommendations for using Websocket are followed.
  • 3.44 API gateway interaction with {yandex-cloud} services is configured.
  • 3.46 Authorization in the API gateway is configured.
  • 3.47 Authorization context is used.
  • 3.48 Logging is on.
  • 5.9 The Security Deck Access Transparency module is enabled to check actions Yandex Cloud employees take in your infrastructure.
  • 6.2 When creating a registry in Yandex Container Registry, keep the safe registry settings by default.
  • 6.14 Trusted and unwanted IP addresses are grouped into lists.

• Under 3. Secure virtual environment configuration:

  • Renamed the Yandex Cloud Functions subsection (formerly Cloud Functions and Yandex API Gateway).
  • Added the Yandex API Gateway section (items 3.40 - 3.48).
  • Changed the numbering of some items in this section due to adding new subsections and items.

• Updated the following items:

  • In 1.5 Service roles are used instead of primitive roles: admin, editor, viewer, auditor, added commands for checks via the CLI in PowerShell.
  • In 1.10 Service account keys are rotated on a regular basis, added commands for checks via the CLI in PowerShell.
  • In 1.10 Service account keys are rotated on a regular basis, added automatic scripts for checks via the CLI in Bash and PowerShell.
  • In 1.17 Only trusted administrators have privileged roles, added commands for checks via the CLI in PowerShell.
  • In 1.18 Strong passwords are set for local users of managed databases, added a recommendation on using Yandex Lockbox generated secrets.
  • In 1.20 The proper resource model is used, extended the description of the resource model and recommendation on how to use it.
  • In 1.21 There is no public access to your organization's resources, added commands for checks via the CLI in PowerShell.
  • In 1.25 Tracking the date of last service account authentication and last access key use in Yandex Identity and Access Management, added commands for checks via the CLI.
  • In 2.1 Cloud objects use a firewall or security groups, updated the description of the principle of using custom VM disk images (the BYOI principle).
  • Renumbered items in 2.9 Outbound internet access control is performed (formerly 3.19) and 2.10 DNS queries are not provided to third-party recursive resolvers (formerly 2.8).
  • Renumbered an item in 3.11 Logging of actions with buckets is enabled in Object Storage (formerly 3.9), clarified the description of bucket operation logging in Audit Trails, fixed punctuation.
  • Renumbered item 3.19 Access from the management console is disabled in managed databases (formerly 3.17), extended the command for checks in Bash, and added a command for checks in PowerShell.
  • Renumbered item 3.21 Functions are configured in terms of access control, secret and environment variable management, and DBMS connection (formerly 3.19), clarified the recommendation on storing secrets and sensitive data in Yandex Lockbox and accessing DB cluster hosts from a function.
  • In 3.28 ACL by IP address is set up for Yandex Container Registry, added commands for checks via the CLI in PowerShell.
  • Renumbered item 3.34 Yandex Managed Service for Kubernetes security guidelines are used (formerly 3.31) and updated the link to the recommendations in Kubernetes security requirements.
  • Renumbered item 3.38 The security updates process has been set up (formerly 3.35) and added a link to security bulletins.
  • In At-rest encryption, added the check of encrypted VM disks via the CLI and the guide for replacing unencrypted disks with encrypted ones, added a link to the key rotation concept in the corporate information security policy.
  • In 4.3 Yandex Application Load Balancer uses HTTPS:
    • Fixed the link to Listener setup description in the Yandex Application Load Balancer tutorials.
    • Fixed the link to the Yandex Application Load Balancer HTTPS listener guide.
    • Added a command for checks via the CLI in PowerShell.
  • In 4.13 The organization uses Yandex Lockbox for secure secret storage, shortened the listed of secret storage services and the description of how to use them in Terraform and the management console.
  • In 4.16 There is a guide for cloud administrators on handling compromised secrets, rearranged the list of cloud secrets for detection.
  • In 5.2 Yandex Audit Trails events are exported to SIEM systems, shortened the listed of SIEM systems for which Yandex Cloud audit log export solutions are ready.
  • In 5.8 Data events are monitored, replaced the list of supported services with a link to Data event reference.
  • Due to a new item in 6. Application protection, renumbered items 6.2 - 6.13.
  • In 6.10 A Yandex Smart Web Security security profile is used, clarified the threat models Yandex Smart Web Security provides protection from.
  • In 6.12 Advanced Rate Limiter is used, clarified the definition of Advanced Rate Limiter (ARL).

Changes in version 1.3Changes in version 1.3

Publication date: 27/12/24.

• Deleted Section 6. Backup. The section's content was moved to Section 3. Secure virtual environment configuration.

• Deleted Section 7. Physical security. Moved its contents to Introduction.

• Added the following items:

  • 1.11 Service account API keys have specified scopes.
  • 1.25 The date of the last service account authentication and the last use of the access keys in Yandex Identity and Access Management are tracked.
  • 1.26 Access permissions of users and service accounts are regularly audited using the Yandex Security Deck CIEM.

• Updated the following items:

  • Added Yandex Container Registry, Yandex Smart Web Security, and Yandex SmartCaptcha to Scope.
  • Added information about using Smart Web Security to 2.5 DDoS protection is enabled.
  • Renumbered item 3.18 Serverless Containers/Cloud Functions uses the VPC internal network (formerly 3.22) and updated it with info on networking restrictions between functions and user resources.
  • Renumbered and renamed item 3.19 Functions are configured in terms of access control, secret and environment variable management, and DBMS connection (formerly 3.18 Public cloud functions are only used in exceptional cases). Updated the item with information about assigning roles for a function, working with secrets and environment variables from a function, and accessing managed Yandex Managed Service for PostgreSQL and Yandex Managed Service for ClickHouse® databases from a function.
  • Renumbered item 3.20 Side-channel attacks in Cloud Functions are addressed (formerly 3.19)
  • Renumbered item 3.21 Aspects of time synchronization in Cloud Functions are addressed (formerly 3.20) and updated it with info on how functions get time data.
  • Renumbered item 3.22 Aspects of header management in Cloud Functions are addressed (formerly 3.21) and updated it with a description of how to invoke a function with the ?integration=raw query parameter.
  • Added the following to 4.2 HTTPS for static website hosting is enabled in Yandex Object Storage:
    • Checks via the CLI
    • Link to the HTTPS setup guide
  • In item 5.4 The Object Storage bucket that stores the Yandex Audit Trails audit logs has been hardened, added links to best security practices.
  • In 5.8 Data events are monitored, expanded the list of services for which you can track events on this level.
  • In item 6.9 A Yandex Smart Web Security security profile is used, added checks via the CLI.

Changes in version 1.2Changes in version 1.2

Publication date: 25/09/24.

• Deleted Section 6. Vulnerability management.

• Added Section 7. Kubernetes security:

  • 7.1 The use of sensitive data is limited.
  • 7.2 Resources are isolated from each other.
  • 7.3 There is no access to the Kubernetes API and node groups from untrusted networks.
  • 7.4 Authentication and access management are configured in Managed Service for Kubernetes.
  • 7.5 Managed Service for Kubernetes uses a safe configuration.
  • 7.6 Data encryption and Managed Service for Kubernetes secret management are done in ESO as a Service format.
  • 7.7 Docker images are stored in a Container Registry registry configured for regular image scanning.
  • 7.8 One of the three latest Kubernetes versions is used, updates are monitored.
  • 7.9 Backup is configured.
  • 7.10 Check lists are in place for security when creating and using Docker images.
  • 7.11 The Kubernetes security policy is in place.
  • 7.12 Audit log collection is set up for incident investigation.

• Added the following items:

  • 1.1.1 User group mapping is set up in an identity federation.
  • 1.24 Tracking the date of last access key use in Yandex Identity and Access Management.
  • 3.11 Yandex Security Token Service is used to get access keys to Object Storage.
  • 3.12 Pre-signed URLs are generated for isolated cases of access to specific objects in Object Storage private buckets.
  • 3.32 OS Login is used for connection to a VM or Kubernetes node.
  • 4.8 Encryption of disks and virtual machine snapshots is used.
  • 5.8 Data events are monitored.
  • 8.9 A Yandex Smart Web Security security profile is used.
  • 8.10 A web application firewall is used.
  • 8.11 Advanced Rate Limiter is used.
  • 8.12 Approval rules are configured.

• Updated the following items:

  • In 5.1 Yandex Audit Trails is enabled at the organization level, added description of data event audit logs.
  • 6.2 Vulnerability scanning is performed at the cloud IP level was moved to Section 3. Secure virtual environment configuration.
  • 6.3 External security scans are performed according to the cloud rules was moved to Section 3. Secure virtual environment configuration.
  • 6.4 The security update process has been set up was moved to Section 3. Secure virtual environment configuration.
  • 6.5 A web application firewall is used was updated and moved to Section 8. Application security.
  • In 8.6 Ensure artifact integrity, added a recommendation to save the asymmetric key pair of a Cosign electronic signature in Yandex Key Management Service and to use the saved key pair for signing artifacts and verifying the signature.

• Deleted the following items:

  • Deleted 4.6 For critical VMs, disk encryption using KMS is set up because now there is a more convenient disk encryption method described in 4.8 Encryption of disks and virtual machine snapshots is used.

Changes in version 1.1Changes in version 1.1

Publication date: 25/09/23.

• Added the following items:

  • 1.20 Impersonation is used wherever possible.
  • 1.21 Resource labels are used.
  • 1.22 Yandex Cloud security notifications are enabled.
  • 1.23 The auditor role is used to prevent access to user data.
  • 3.4.2 Integrity control of a VM runtime environment.
  • 3.28 Antivirus protection is used.
  • 3.29 Yandex Managed Service for Kubernetes security guidelines are used.
  • 4.16 There is a guide for cloud administrators on handling compromised secrets.

• Updated the following items:

  • 1.4, 1.14: Added recommendations for using the auditor role.
  • 1.9: Added recommendations for placing critical service accounts in separate folders.
  • 1.12: Added editor to the list of privileged roles assigned at the organization, cloud, and folder levels.
  • 4.7: Added a guide on how to encrypt data in Yandex Managed Service for PostgreSQL and Yandex Managed Service for Greenplum® using pgcrypto and KMS.
  • 4.14: Added recommendations for using Yandex Lockbox in Terraform without writing the information to .tfstate.

• Added Section 9. Application security:

  • 9.1 Yandex SmartCaptcha is used.
  • 9.2 Enabled the scan on push policy for the containerized image vulnerability scanner.
  • 9.3 Container images are periodically scanned.
  • 9.4 Container images used in a production environment have the last scan date a week ago or less.
  • 9.5 Software artifacts are built using attestations.
  • 9.6 Artifacts within a pipeline can be signed using Cosign, a third-party command line utility.
  • 9.7 Artifacts are checked when deployed in Yandex Managed Service for Kubernetes.
  • 9.8 Ready-made secure pipeline blocks are used.