Authentication and access control
The platform works with three categories of users:
- Yandex accounts: Accounts in Yandex ID.
- Federated accounts: Accounts in a corporate SAML-compatible identity federation, such as Active Directory.
- Service accounts: Accounts that can be used by a program to manage resources.
Yandex and federated accounts are authenticated by their own identity systems: Yandex.Cloud never sees these users' passwords. The only accounts that Yandex.Cloud authenticates itself, through IAM, are service accounts.
User access to cloud resources is regulated by roles. Yandex.Cloud services may provide different levels of granularity while granting permissions: in some cases, a role can be assigned directly to a service resource, in other cases, permissions are only granted at the level of the folder or cloud where the service resource is located.
This is how the different categories of resources, roles, and users interact in the Yandex.Cloud infrastructure. Access to resources is managed by Yandex Identity and Access Management (IAM). IAM checks each request and makes sure that every operation on a resource is performed only by a user who holds the appropriate permissions.
This section provides recommendations on how to ensure safe operations with Yandex.Cloud services:
- Centralized management and identity federations.
- Minimum privileges and security policy.
- Using service accounts.
- Two-factor authentication.
- Managing privileged users.
- Providing Yandex.Cloud access to contractors.
- Differentiating access to resources.
To simplify and automate role-based access management, the Yandex Cloud IAM module (based on Terraform) was designed. It lets you create permission groups for cloud users and has a number of other convenient features. For more information about the IAM module and its use cases, see the solution.
Centralized management and identity federations
Yandex Cloud Organization is a single service for managing the organizational structure, setting up integration with the employee catalog and differentiating user access to the organization's cloud resources.
For centralized account management, use SAML-compatible identity federations. With an identity federation, a company can set up Single Sign-On, that is, authentication in Yandex.Cloud via its own IdP server. With this approach, employees use their corporate accounts, which are subject to the company's security policies, such as:
- Revoking and blocking accounts.
- Password policies.
- Limiting the number of unsuccessful login attempts.
- Terminating sessions after a preset period of user inactivity.
- Two-factor authentication.
Use federated accounts instead of Yandex ID accounts whenever possible.
Minimum privileges and security policy
The principle of minimum privileges requires assigning users the minimum required roles.
We don't recommend using primitive roles like viewer that are valid in all services. To ensure more selective access control and implement the principle of minimum privileges, use service roles that only contain permissions for a certain type of resource in the specified service.
When a new user is added to the cloud, they are automatically assigned the role of a cloud member: resource-manager.clouds.member. This role is necessary for working with the cloud and does not grant any privileges.
Using service accounts
A service account is an account that can be used by a program to manage resources in Yandex.Cloud.
A service account is used to make requests as an application. Do not use employee accounts instead of service accounts. If, for example, an employee quits or moves to a different department, their account permissions are disabled, which may lead to an application failure.
When using service accounts:
- Use the mechanism of assigning a service account to a VM and obtaining a token via the metadata service.
- Set up a local firewall on the VM instance so that only the necessary processes and system users can reach the metadata service (IP address 169.254.169.254). Example of blocking access for all users except the specified one (in this case, root):
sudo iptables --append OUTPUT --proto tcp --destination 169.254.169.254 --match owner ! --uid-owner root --jump REJECT
- Store the service account keys and manage them in compliance with the standard requirements.
- Follow the principle of minimum privileges and assign to the service account only those roles that are needed to run the application.
- You can grant another user or service account permission to use a service account.
- Follow the principle of minimum privileges for the service account as a resource: assign the roles for using and managing your service accounts to the minimum number of users who really need them.
Two-factor authentication
Security standards require two-factor authentication (2FA) for access to infrastructure. Accordingly, access to the Yandex.Cloud management console relies on 2FA.
To enable two-factor authentication, use an identity provider that supports 2FA and set up a SAML-compatible identity federation.
To set up 2FA for a Yandex ID account, follow the instruction.
Managing privileged users
Yandex.Cloud privileged users include accounts with the following roles:
- admin assigned for a billing account.
- admin assigned for a cloud.
- admin assigned for a folder.
The billing.accounts.owner role is granted automatically when a billing account is created and can't be reassigned to another user. The role lets you perform any action with the billing account. The billing.accounts.owner role can only be assigned to a Yandex ID account. An account with the billing.accounts.owner role is used when setting up payment methods and adding clouds.
Make sure to properly secure this account, since it has significant privileges and can't be federated with a corporate account.
The most appropriate approach would be to not use this account on a regular basis:
- Only use it for initial setup and updates.
- For the duration that this account is actively used, be sure to enable two-factor authentication (2FA) in Yandex ID.
- After that, if you don't use the bank card payment method (only available for this role), set a strong password for this account (generated using specialized software), disable 2FA, and refrain from using this account unnecessarily.
- Change the password to a newly generated one each time you use the account.
We recommend disabling 2FA only for this account and if it is not assigned to a specific employee. This lets you avoid linking this critical account to a personal device.
To manage a billing account, assign the editor role for the billing account to a dedicated employee with a federated account. To view billing data, assign the viewer role for the billing account to a dedicated employee with a federated account.
The resource-manager.clouds.owner role is assigned automatically when you create a cloud. A user with this role can perform any operation with the cloud or its resources and grant cloud access to other users: assign roles and revoke them.
Assign the resource-manager.clouds.owner role to one or more employees with a federated account. Set a strong password for the Yandex ID account that was used to create the cloud, and use it only when absolutely necessary (for example, if federated access fails).
Be sure to fully protect this federated account:
- Enable two-factor authentication.
- Disable authentication from devices beyond the company's control.
- Configure login attempt monitoring and set alert thresholds.
To view the IDs of the accounts that currently hold the resource-manager.clouds.owner role, run the following command (the output of the yc list command is a JSON array, so jq must iterate over it with .[]):
yc resource-manager cloud list-access-bindings --id b1gkmtuljp4d2k3g5aph --format json | jq -r '.[] | select(.role_id=="resource-manager.clouds.owner") | .subject.id'
Assign federated accounts the admin roles for clouds, folders and billing accounts. Minimize the number of accounts with these roles and regularly review whether each account still needs the roles it has been assigned.
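The owner-listing command above checks a single role; the review of privileged accounts recommended here covers several. The following added example (not from the original page or from Yandex.Cloud's own tooling) generalizes that check: it reads the JSON array produced by yc ... list-access-bindings --format json, lists every privileged binding, and flags the cases this section warns about (an admin or owner role held by a non-federated Yandex ID account, or by a service account). The sample bindings and their subject IDs are constructed placeholders; the subject type values (userAccount, federatedUser, serviceAccount) are the ones used in Yandex.Cloud access bindings.

```python
import json
import sys

# Roles this page treats as privileged: admin on a billing account, cloud or
# folder, plus the automatically granted owner roles.
PRIVILEGED_ROLES = {"admin", "resource-manager.clouds.owner", "billing.accounts.owner"}

# Constructed sample in the shape of `yc ... list-access-bindings --format json`.
# The IDs are placeholders, not real account IDs.
SAMPLE_BINDINGS = json.loads("""[
 {"role_id": "resource-manager.clouds.owner", "subject": {"id": "aje-example-user-01", "type": "userAccount"}},
 {"role_id": "admin", "subject": {"id": "aje-example-feduser-02", "type": "federatedUser"}},
 {"role_id": "admin", "subject": {"id": "aje-example-sa-03", "type": "serviceAccount"}},
 {"role_id": "resource-manager.clouds.member", "subject": {"id": "aje-example-feduser-04", "type": "federatedUser"}},
 {"role_id": "viewer", "subject": {"id": "aje-example-feduser-02", "type": "federatedUser"}}
]""")


def owners(bindings):
    """Same result as the jq filter on the page: subject IDs holding clouds.owner."""
    return [b["subject"]["id"] for b in bindings
            if b.get("role_id") == "resource-manager.clouds.owner"]


def audit_bindings(bindings):
    """Return privileged bindings and findings that violate this page's recommendations."""
    privileged, findings = [], []
    for b in bindings:
        role = b.get("role_id", "")
        if role not in PRIVILEGED_ROLES:
            continue
        subj = b.get("subject", {})
        sid, stype = subj.get("id", "?"), subj.get("type", "?")
        privileged.append((role, stype, sid))
        # billing.accounts.owner can only be a Yandex ID account, so it is not flagged here.
        if stype == "userAccount" and role != "billing.accounts.owner":
            findings.append(f"{sid}: {role} held by a Yandex ID account; prefer a federated account")
        elif stype == "serviceAccount":
            findings.append(f"{sid}: {role} held by a service account; grant service roles instead")
    return {"privileged_count": len(privileged), "privileged": privileged, "findings": findings}


if __name__ == "__main__":
    # Usage: yc resource-manager cloud list-access-bindings --id <cloud-id> --format json | python3 audit.py
    report = audit_bindings(json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_BINDINGS)
    print(f"{report['privileged_count']} privileged binding(s); owners: {owners(SAMPLE_BINDINGS)}")
    for line in report["findings"]:
        print("FINDING:", line)
```

Run the same audit against each folder and billing account as well, since admin on a folder is listed as a privileged role just like admin on a cloud.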
Specifics of authentication in managed database services
To use a database at the application level, in addition to IAM service roles, a separate user is created: the database owner. The following password policy applies to this user:
- The password must include numbers, uppercase letters, lowercase letters and special characters.
- It must be at least 8 characters long.
Providing Yandex.Cloud access to contractors
If you grant third-party contractors access to your clouds, make sure to follow these security measures:
- Assign permissions to contractor employees based on the principle of minimum privileges.
- If possible, create a separate account for third-party employees in your corporate IdP and assign the necessary policies to this account.
- Make sure they handle their account secrets carefully.
- Regularly review whether external users still need access to your cloud infrastructure, and revoke it when they do not.
Differentiating access to resources
When developing an access model for your infrastructure, we recommend the following approach:
- Place any critical resources in a separate cloud. These include resources related to the processing of payment data, personal data and trade secret data.
- Host the resource groups that require different administrative permissions in different folders (DMZ, CDE, security, backoffice and so on).
- Host the shared resources (such as network and security groups) in a separate shared resource folder.