Versions of the standard for securing Yandex Cloud infrastructure

Changes in version 1.2Changes in version 1.2

Publication date: 25/09/24.

• Deleted section 6. Vulnerability management.

• Added the 9. Security Kubernetes section:

  • 9.1 The use of sensitive data is limited.
  • 9.2 Resources are isolated from each other.
  • 9.3 No access to the Kubernetes API and node groups from untrusted networks.
  • 9.4 Authentication and access management configured in Managed Service for Kubernetes.
  • 9.5 Managed Service for Kubernetes uses a safe configuration.
  • 9.6 Data encryption and Managed Service for Kubernetes secret management are done in ESO as a Service format.
  • 9.7 Docker images are stored in a Container Registry registry configured for regular image scanning.
  • 9.8 One of the three latest Kubernetes versions is used with update monitoring.
  • 9.9 Backup is configured.
  • 9.10 Check lists are used for secure creation and use of Docker images.
  • 9.11 The Kubernetes security policy is used.
  • 9.12 Audit log collection is set up for incident investigation.

• Added the following items:

  • 1.1.1 User group mapping is set up in an identity federation.
  • 1.24 Tracking the date of last access key use in Yandex Identity and Access Management.
  • 3.11 Use Yandex Security Token Service to get access keys to Object Storage.
  • 3.12 Pre-signed URLs are generated for isolated cases of access to specific objects in Object Storage private buckets.
  • 3.32 Connecting to a VM or Kubernetes node via OS Login.
  • 4.8 Encryption of disks and virtual machine snapshots is used.
  • 5.8 Data events are monitored.
  • 8.9 Use a Yandex Smart Web Security security profile.
  • 8.10 Use a web application firewall.
  • 8.11 Use Advanced Rate Limiter.
  • 8.12 Set up approval rules.

• Updated the following items:

  • Added description of data event audit logs in 5.1 Yandex Audit Trails is enabled at the organization level.
  • 6.2 Vulnerability scanning is performed at the cloud IP level was moved to section 3. Secure configuration of a virtual environment.
  • 6.3 External security scans are performed according to the cloud rules was moved to section 3. Secure configuration of a virtual environment.
  • 6.4 The process of security updates is set up was moved to section 3. Secure configuration of a virtual environment.
    • 6.5 A web application firewall is used was updated and moved to section 8. Application security.
  • In 8.6 Ensure artifact integrity, added a recommendation to save the asymmetric key pair of a Cosign electronic signature in Yandex Key Management Service and to use the saved key pair for signing artifacts and verifying the signature.

• Deleted the following items:

  • Deleted 4.6 For critical VMs, disk encryption using KMS is set up because now there is a more convenient disk encryption method described in 4.8 Encryption of disks and virtual machine snapshots is used.

Changes in version 1.1Changes in version 1.1

Publication date: 25/09/23.

• Added the following items:

  • 1.20 Impersonation is used wherever possible.
  • 1.21 Resource labels are used.
  • 1.22 Yandex Cloud security notifications are enabled.
  • 1.23 The auditor role is used to prevent access to user data.
  • 3.4.2 Integrity control of a VM runtime environment.
  • 3.28 Antivirus protection is used.
  • 3.29 Yandex Managed Service for Kubernetes security guidelines are used.
  • 4.16 There is a guide for cloud administrators on handling compromised secrets.

• Updated the following items:

  • 1.4, 1.14: Added recommendations for using the auditor role.
  • 1.9: Added recommendations for placing critical service accounts in separate folders.
  • 1.12: Added editor to the list of privileged roles assigned at the organization, cloud, and folder levels.
  • 4.7: Added a guide on how to encrypt data in Yandex Managed Service for PostgreSQL and Yandex Managed Service for Greenplum® using pgcrypto and KMS.
  • 4.14: Added recommendations for using Yandex Lockbox in Terraform without writing the information to .tfstate.

• Added section 9. Application security:

  • 9.1 Yandex SmartCaptcha is used.
  • 9.2 Enabled the scan on push policy for the containerized image vulnerability scanner.
  • 9.3 Container images are periodically scanned.
  • 9.4 Container images used in a production environment have the last scan date a week ago or less.
  • 9.5 Software artifacts are built using attestations.
  • 9.6 Artifacts within a pipeline can be signed using Cosign, a third-party command line utility.
  • 9.7 Artifacts are checked when deployed in Yandex Managed Service for Kubernetes.
  • 9.8 Ready-made secure pipeline blocks are used.