Contact UsTry it for free
© 2025 Direct Cursus Technology L.L.C.

Creating a security profile

Written by
Updated at December 2, 2025

Note

To enhance your security, we use HTTP request data to train our machine learning (ML) models. You can disable the use of this data in the management console when creating a security profile or later in its settings.

To work with a security profile that connects to a load balancer, you will need a service account with the monitoring.editor, smart-web-security.admin, certificate-manager.admin, and logging.writer roles. For more information, see Assigning roles to a service account.

  1. In the management console, select the folder where you want to create your security profile.

  2. In the list of services, select Smart Web Security.

  3. Click Create profile.

  4. Select one of these creation options:

    • From a preset template: This is a recommended option.

      A preset profile includes:

    • From scratch. This profile includes only the basic default rule enabled for all traffic.

  5. Name the profile.

  6. Optionally, provide a description.

  7. Optionally, add labels to your profile.

  8. In the Action for the default base rule field, select what to do with traffic that does not match any other rule: Deny or Allow.

  9. Select or create an ARL profile to limit the number of requests.

  10. Select or create a Yandex SmartCaptcha to verify suspicious requests:

    • Default: Managed by Yandex Cloud. This CAPTCHA has the following settings:

      The Default CAPTCHA usage fee is included in the cost of Smart Web Security.

    • Custom CAPTCHA: You can customize CAPTCHA's difficulty, types of main and additional challenges, and appearance.

      Note

      To use a custom CAPTCHA, select Disable domain verification in its settings.

      The custom CAPTCHA usage fee is charged according to the SmartCaptcha pricing policy.

  11. Optionally, configure the Analyze request body (maximum size: 8 KB) option by selecting an action after the maximum size is exceeded:

    • Do not analyze body
    • Block request

  12. Optionally, enable Write logs and configure logging:

    1. In the Send logs to field, select the logs to write: Cloud Logging and Audit Trails.
    2. For Cloud Logging, select or create a Cloud Logging log group to store your logs.
    3. For logging, you can choose only those requests that triggered:
      • Base rules.
      • Smart Protection rules.
      • Web Application Firewall rules.
      • Advanced Rate Limiter rules.
      • All selected rules applied the DENY and CAPTCHA action (verdict).
      • All selected rules applied the ALLOW action (legitimate requests).

    For more information on how to configure logging, see this guide.

  13. Click Add rule.

  14. In the rule creation window:

    1. Name the rule.

    2. Optionally, provide a description.

    3. Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.

      Note

      The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:

      • Basic default rule: 1000000.
      • Smart Protection rule providing full protection: 999900.

    4. Optionally, enable Only logging (dry run) if you want only to log data about the traffic matching the specified conditions without applying any actions to it.

    5. Select the rule type:

      • Base: Allows, denies, or forwards traffic to Yandex SmartCaptcha under specified conditions.

      • Smart Protection: Sends traffic for automatic processing by machine learning and behavioral analysis algorithms and redirects suspicious requests to Yandex SmartCaptcha for additional verification.

      • Web Application Firewall: Integrates rules from a WAF profile and redirects suspicious requests to Yandex SmartCaptcha.

        For a WAF rule, select or create a WAF profile.

    6. Select an action:

      • For a basic rule:

        • Deny.
        • Allow.
        • Show CAPTCHA: To show the CAPTCHA selected in the security profile.

      • For a Smart Protection or WAF rule:

        • Full protection: To redirect suspicious requests to SmartCaptcha after verification.
        • API protection: To block suspicious requests after verification.

    7. Under Conditions for traffic, specify the traffic the rule will apply to:

      • All traffic: Rule will apply to all traffic.

      • On condition: Rule will apply to the traffic defined in the Conditions field:

        • IP: IP address, IP address range, IP address region, or address list.
        • HTTP header: HTTP header string.
        • Request URI: Request path.
        • Host: Domain receiving the request.
        • HTTP method: Request method.
        • Cookie: Cookie header string.

        You can set multiple conditions by selecting all the condition types you need in the Conditions field.

        You can also set multiple conditions of the same type by clicking and or or in the section with the condition you need.

        To delete a condition, click .

    8. Click Add.

  15. If the Deny action is set for the default basic rule and the requests are sent to SmartCaptcha for verification, add an allowing rule.

  16. Add all relevant rules to the profile one by one.

    The rules you created will appear in the table under Security rules.

  17. Optionally, enable or disable the use of HTTP request info to improve your machine learning models under Fine-tuning ML models.

  18. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command for creating a security profile:

    yc smartwebsecurity security-profile create --help

  2. To create a security profile, run this command:

    yc smartwebsecurity security-profile create \
   --name <security_profile_name> \
   --description "<profile_description>" \
   --labels <label_1_key>=<label_1_value>,<label_2_key>=<label_2_value>,...,<label_n_key>=<label_n_value> \
   --default-action <action> \
   --captcha-id <CAPTCHA_ID> \
   --security-rules-file <path_to_file_with_rules>

    Where:

    • --name: Security profile name. This is a required setting. If you specify only the profile name with no other properties, the security profile will include a single basic rule.

    • --description: Text description of the security profile. This is an optional setting.

    • --labels: List of labels to add to the profile in KEY=VALUE format. This is an optional setting. For example, --labels foo=baz,bar=baz'.

    • --default-action: Action to apply to traffic that does not match any other rule. This is an optional setting. The default value is allow, which allows all requests to Yandex Smart Web Security. To block requests, set the parameter to deny.

    • --captcha-id: ID of the CAPTCHA in Yandex SmartCaptcha to verify suspicious requests. This is an optional setting.

    • --security-rules-file: Path to the YAML file with security rule description. This is an optional setting. Here is an example:

      security-rules.yaml
      - name: rule-condition-deny
  description: My first security rule. This rule it's just example to show possibilities of configuration.
  priority: "11111"
  dry_run: true
  rule_condition:
    action: DENY
    condition:
      authority:
        authorities:
          - exact_match: example.com
          - exact_match: example.net
      http_method:
        http_methods:
          - exact_match: GET
          - exact_match: POST
      request_uri:
        path:
          prefix_match: /search
        queries:
          - key: firstname
            value:
              pire_regex_match: .ivan.
          - key: lastname
            value:
              pire_regex_not_match: .petr.
      headers:
        - name: User-Agent
          value:
            pire_regex_match: .curl.
        - name: Referer
          value:
            pire_regex_not_match: .bot.
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 1.2.33.44
            - 2.3.4.56
        ip_ranges_not_match:
          ip_ranges:
            - 8.8.0.0/16
            - 10::1234:1abc:1/64
        geo_ip_match:
          locations:
            - ru
            - es
        geo_ip_not_match:
          locations:
            - us
            - fm
            - gb
- name: rule-condition-allow
  description: Let's show how to whitelist IP.
  priority: "2"
  rule_condition:
    action: ALLOW
    condition:
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 44.44.44.44-44.44.44.45
            - 44.44.44.77
- name: smart-protection-full
  description: Enable smart protection. Allow to show captcha on /search prefix.
  priority: "11"
  smart_protection:
    mode: FULL
    condition:
      request_uri:
        path:
          prefix_match: /search
- name: smart-protection-api
  description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
  priority: "10"
  smart_protection:
    mode: API
    condition:
      request_uri:
        path:
          prefix_match: /api

    Result:

    id: fev6q4qqnn2q********
folder_id: b1g07hj5r6i********
cloud_id: b1gia87mbaom********
name: my-sample-profile
description: "my description"
labels: label1=value1,label2=value2
default_action: DENY
created_at: "2024-07-25T19:21:05.039610Z"

For more information about the yc smartwebsecurity security-profile create command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, describe the resources you want to create:

    resource "yandex_sws_security_profile" "demo-profile-simple" {
  name                             = "<security_profile_name>"
  default_action                   = "DENY"
  captcha_id                       = "<CAPTCHA_ID>"
  advanced_rate_limiter_profile_id = "<ARL_profile_ID>"

  # Smart Protection rule
  security_rule {
    name     = "smart-protection"
    priority = 99999

    smart_protection {
      mode = "API"
    }
  }

  # Basic rule
  security_rule {
    name = "base-rule-geo"
    priority = 100000
    rule_condition {
      action = "ALLOW"
      condition {
        source_ip {
          geo_ip_match {
            locations = ["ru", "kz"]
          }
        }
      }
    }
  }

  # WAF profile rule
  security_rule {
    name     = "waf"
    priority = 88888

    waf {
      mode           = "API"
      waf_profile_id = "<WAF_profile_ID>"
    }
  }
}

    Where:

    • name: Security profile name.
    • default_action: Action for the default basic rule. This action will apply to traffic that does not match any other rule. It can be either ALLOW to allow all requests to Yandex Smart Web Security or DENY to deny them.
    • captcha_id: ID of the CAPTCHA in Yandex SmartCaptcha to verify suspicious requests. This is an optional setting.
    • advanced_rate_limiter_profile_id: ARL profile ID. This is an optional setting.
    • security_rule: Security rule description:
      • name: Security rule name.
      • priority: Rule priority. The possible values range from 1 to 1,000,000.
      • smart_protection: Description of the Smart Protection rule enabled for all traffic with the action type specified in the mode parameter.
        • mode: Rule action. It can be either FULL to enable full protection, where suspicious requests are challenged with CAPTCHA, or API to enable API protection, where suspicious requests are blocked.
      • waf: Web application firewall rule description. To add a WAF rule, you must first create a WAF profile. The optional setting section contains:

    If you do not specify the smart_protection or waf rule type, the system will create a basic rule with simple filtering based on conditions specified under rule_condition.

    For more information about yandex_sws_security_profile properties, see this Terraform provider article.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

Terraform will create all the required resources. You can check the new resources using the management console or this CLI command:

yc smartwebsecurity security-profile get <security_profile_ID>

Use the create REST API method for the SecurityProfile resource or the SecurityProfileService/Create gRPC API call.

See also

Previous
All guides
Next
Editing basic profile settings