Editing basic parameters in a security profile
- In the management console, select the folder containing the security profile.
- In the list of services, select Smart Web Security.
- In the row with the profile you need, click and select Edit.
- In the window that opens, edit the following parameters:
  - Name.
  - Description.
  - Labels. To add a label, click Add label.
  - Action for the default base rule: Deny or Allow.
  - ARL profile: Select or create an ARL profile.
  - Select or create a SmartCaptcha to verify suspicious requests.
- Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- View the description of the CLI command for editing security profile basic parameters:
      yc smartwebsecurity security-profile update --help
- To view a list of current security profiles in the default folder, run this command:
      yc smartwebsecurity security-profile list
  Result:
      +----------------------+-------------------+---------------------+----------------+------------+-------------+
      |          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
      +----------------------+-------------------+---------------------+----------------+------------+-------------+
      | fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
      | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
      +----------------------+-------------------+---------------------+----------------+------------+-------------+
- To edit basic parameters for a security profile, run this command:
      yc smartwebsecurity security-profile update \
        --name <security_profile_name> \
        --new-name <new_security_profile_name> \
        --description "<profile_description>" \
        --labels <label_1_key>=<label_1_value>,<label_2_key>=<label_2_value>,...,<label_n_key>=<label_n_value> \
        --default-action <action> \
        --captcha-id <captcha_ID> \
        --security-rules-file <path_to_file_with_security_rules>
  Where:
  - --name: Security profile name. This is a required parameter. Instead of the security profile name, you can provide its ID in the --id parameter.
  - --new-name: New name for the security profile. This is an optional parameter if the profile name remains unchanged.
  - --description: Text description of the security profile. This is an optional parameter.
  - --labels: List of labels to add to the profile in KEY=VALUE format. This is an optional parameter, e.g., --labels foo=baz,bar=baz.
  - --default-action: Action to perform for traffic that does not match the criteria of other rules. This is an optional parameter. The default value is allow, which allows all requests to Yandex Smart Web Security. To block requests, set the parameter to deny.
  - --captcha-id: ID of the CAPTCHA in SmartCaptcha to verify suspicious requests. This is an optional parameter.
  - --security-rules-file: Path to the YAML file with security rule description. This is an optional parameter. For example, security-rules.yaml:
      - name: rule-condition-deny
        description: My first security rule. This rule it's just example to show possibilities of configuration.
        priority: "11111"
        dry_run: true
        rule_condition:
          action: DENY
          condition:
            authority:
              authorities:
                - exact_match: example.com
                - exact_match: example.net
            http_method:
              http_methods:
                - exact_match: GET
                - exact_match: POST
            request_uri:
              path:
                prefix_match: /search
              queries:
                - key: firstname
                  value:
                    pire_regex_match: .ivan.
                - key: lastname
                  value:
                    pire_regex_not_match: .petr.
            headers:
              - name: User-Agent
                value:
                  pire_regex_match: .curl.
              - name: Referer
                value:
                  pire_regex_not_match: .bot.
            source_ip:
              ip_ranges_match:
                ip_ranges:
                  - 1.2.33.44
                  - 2.3.4.56
              ip_ranges_not_match:
                ip_ranges:
                  - 8.8.0.0/16
                  - 10::1234:1abc:1/64
              geo_ip_match:
                locations:
                  - ru
                  - es
              geo_ip_not_match:
                locations:
                  - us
                  - fm
                  - gb
      - name: rule-condition-allow
        description: Let's show how to whitelist IP.
        priority: "2"
        rule_condition:
          action: ALLOW
          condition:
            source_ip:
              ip_ranges_match:
                ip_ranges:
                  - 44.44.44.44-44.44.44.45
                  - 44.44.44.77
      - name: smart-protection-full
        description: Enable smart protection. Allow to show captcha on /search prefix.
        priority: "11"
        smart_protection:
          mode: FULL
          condition:
            request_uri:
              path:
                prefix_match: /search
      - name: smart-protection-api
        description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
        priority: "10"
        smart_protection:
          mode: API
          condition:
            request_uri:
              path:
                prefix_match: /api
  Result:
      id: fev6q4qqnn2q********
      folder_id: b1g07hj5r6i********
      cloud_id: b1gia87mbaom********
      name: my-sample-profile
      new-name: my-update-profile
      description: "my update description"
      labels: label1=value1,label2=value2
      default_action: DENY
      created_at: "2024-07-25T19:21:05.039610Z"
- For more information about the yc smartwebsecurity security-profile update command, see the CLI reference.
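A pre-flight check for the rules file passed in --security-rules-file, as an added example that is not part of the original page or of the yc CLI: it takes the rules as already parsed from YAML and reports settings worth reviewing before the update. The function names, the 256-address threshold, and the reading of dry_run as log-only and of an ALLOW rule without a condition as matching all traffic are assumptions.

```python
import ipaddress
from collections import Counter

def range_size(entry):
    """Number of addresses covered by one ip_ranges entry (IP, CIDR or 'a-b' range)."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return int(last) - int(first) + 1
    # strict=False accepts CIDRs with host bits set, such as 10::1234:1abc:1/64
    return ipaddress.ip_network(entry, strict=False).num_addresses

def audit(rules, default_action="ALLOW", max_allow_addrs=256):
    """Return (rule_name, finding) pairs; max_allow_addrs is a hypothetical threshold."""
    findings = []
    if default_action.upper() == "ALLOW":
        findings.append(("<profile>", "default action ALLOW: unmatched traffic passes"))
    dup = {p for p, n in Counter(int(r["priority"]) for r in rules).items() if n > 1}
    for r in rules:
        name = r["name"]
        if int(r["priority"]) in dup:
            findings.append((name, "priority shared with another rule"))
        if r.get("dry_run"):  # assumption: a dry_run rule is logged but not applied
            findings.append((name, "dry_run set: rule is not enforced"))
        rc = r.get("rule_condition") or {}
        if rc.get("action") != "ALLOW":
            continue
        cond = rc.get("condition") or {}
        if not cond:  # assumption: no condition means the rule matches everything
            findings.append((name, "ALLOW without condition matches all traffic"))
        ranges = cond.get("source_ip", {}).get("ip_ranges_match", {}).get("ip_ranges", [])
        total = sum(range_size(e) for e in ranges)
        if total > max_allow_addrs:
            findings.append((name, f"ALLOW covers {total} source addresses"))
    return findings

# Constructed sample, shaped like the parsed security-rules.yaml shown above
SAMPLE = [
    {"name": "deny-search", "priority": "11111", "dry_run": True,
     "rule_condition": {"action": "DENY", "condition": {
         "request_uri": {"path": {"prefix_match": "/search"}}}}},
    {"name": "allow-office", "priority": "2",
     "rule_condition": {"action": "ALLOW", "condition": {"source_ip": {
         "ip_ranges_match": {"ip_ranges": ["44.44.44.44-44.44.44.45", "10.0.0.0/16"]}}}}},
    {"name": "allow-all", "priority": "2", "rule_condition": {"action": "ALLOW"}},
]

if __name__ == "__main__":
    for rule, finding in audit(SAMPLE, default_action="DENY"):
        print(f"{rule}: {finding}")
```

Pass the value you intend to give --default-action as default_action, so that a fail-open profile is reported together with the rule findings.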
With Terraform
Terraform is distributed under the Business Source License.
For more information about the provider resources, see the documentation on the Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To update the parameters of a Yandex Smart Web Security security profile created using Terraform:
- Open the Terraform configuration file and edit the fragment with the profile description.
  Example of security profile description in the Terraform configuration
      resource "yandex_sws_security_profile" "demo-profile-simple" {
        name                             = "<security_profile_name>"
        default_action                   = "DENY"
        captcha_id                       = "<captcha_ID>"
        advanced_rate_limiter_profile_id = "<ARL_profile_ID>"

        # Smart Protection rule
        security_rule {
          name     = "smart-protection"
          priority = 99999

          smart_protection {
            mode = "API"
          }
        }

        # Basic rule
        security_rule {
          name     = "base-rule-geo"
          priority = 100000

          rule_condition {
            action = "ALLOW"

            condition {
              source_ip {
                geo_ip_match {
                  locations = ["ru", "kz"]
                }
              }
            }
          }
        }

        # WAF profile rule
        security_rule {
          name     = "waf"
          priority = 88888

          waf {
            mode           = "API"
            waf_profile_id = "<WAF_profile_ID>"
          }
        }
      }
  For more information about the yandex_sws_security_profile resource parameters in Terraform, see the relevant provider documentation.
- Apply the changes:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
        terraform validate
    If the configuration is correct, the following message is returned:
        Success! The configuration is valid.
  - Run the command:
        terraform plan
    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
        terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
- You can check the resources' updates using the management console or this CLI command:
      yc smartwebsecurity security-profile get <security_profile_ID>
Use the update REST API method for the SecurityProfile resource or the SecurityProfileService/Update gRPC API call.