How to use Yandex.Cloud securely

This section provides recommendations for using IAM features to ensure the secure operation of Yandex.Cloud services.

Don't grant unnecessary access rights

For critical resources:

  • Assign the minimum required roles. For example, to allow the creation of virtual machines from images in Compute Cloud, assign the compute.images.user role instead of the editor role or higher.

  • Try to assign service roles rather than primitive roles (viewer, editor, admin). Primitive roles apply to resources in any Yandex.Cloud service.

    Use primitive roles if you don't have an applicable service role or if you want to grant a user total access.

  • Assign only the roles you need at the moment. Don't assign roles that might only be needed in the future.

  • Keep in mind that when you assign a role for a folder or cloud, the permissions under this role inherit all the nested resources.

  • Only assign the administrator role or cloud owner role to the people responsible for managing resource access in your project.

    Administrators can revoke one another's access rights, while owners can revoke the owner role from one another. These roles also include all the permissions under the editor role — they let you create, edit, and delete resources.

Protect your Yandex account

  • To better safeguard your resources from unauthorized access, we recommend enabling two-factor authentication in Yandex.Passport. Use this method to secure your own account and ask every user you add to your cloud to enable two-factor authentication as well.

  • Keep your OAuth token a secret, since it can be used to get an IAM token and perform operations in the cloud on your behalf.

    If someone might have discovered your OAuth token, invalidate it and issue a new one.

  • Avoid using your OAuth token for authentication if you can use an IAM token. OAuth tokens are valid for 1 year while IAM tokens are valid for 12 hours. If your token is compromised, the hacker has limited time to use it.

Use service accounts

Use service accounts to automate work with Yandex.Cloud. We recommend doing the following:

  • Control access to your service accounts. The editor role for a service account lets the user perform operations permitted under the service account. If the service account has the administrator role for the cloud, the user can use it to make themselves an administrator.

  • Create separate service accounts for different tasks. This way you can only assign them the roles you actually need. You can revoke roles from a service account or delete it without affecting other service accounts.

  • Name your service accounts according to their intended purposes and permissions.

  • Keep your service account keys a secret — they can be used to perform operations on behalf of your service accounts. Don't keep the service account keys in the source code.

    Periodically revoke old keys and issue new ones. Be sure to do this if you think someone discovered your secret key.

  • Don't use your keys for authentication if you can use IAM tokens. Keys have an unlimited lifetime, while IAM tokens are valid for 12 hours.

  • If you perform operations from inside a VM, link a service account to it. In this case, you don't need to store service account keys on the VM to enable authentication: the IAM token is available from a metadata service link.