Security checklist
- Network security
- Authentication and access control
- Data encryption and key/secret management
- Secure configuration
- Protection against malicious code
- Managing vulnerabilities
- Collecting, monitoring, and analyzing audit logs
- Physical security
- Backups
- Managing budgets
- Incident response
- Security of Yandex Managed Service for Kubernetes
Network security
- Segmentation: Split resources into groups and put them in different folders or, if strict isolation is required, in different VPCs. Traffic within a VPC is allowed by default but not between VPCs (it is only possible via a VM with two network interfaces in different networks, a VPN, or Yandex Cloud Interconnect). Watch our webinar to learn how a network works in Yandex Cloud.
- Network access restriction, security groups: Restrict network access across resources using security groups.
- NGFW from Marketplace: If more robust network protection is required, use NGFW from Yandex Cloud Marketplace or deploy infrastructure on your own by following the setup guide for a high-availability, fault-tolerant network infrastructure with a dedicated DMZ segment and comprehensive protection based on the Next-Generation Firewall.
- Secure access from outside the cloud infrastructure (VPN): If you need remote access to cloud resources, configure a site-to-site VPN (see the setup instructions using the strongSwan daemon) or use Cloud Interconnect (the GOST VPN service is also available).
- Secure remote administrator access (VPN): Set up a VPN connection between remote devices and Yandex Cloud using a solution from Cloud Marketplace. See the setup guide for OpenVPN or deploy infrastructure on your own by following the setup guide for WireGuard VPN.
- Bastion host: Create a bastion VM to access the infrastructure using control protocols (for example, SSH or RDP).
- Outbound access (NAT): Use a NAT gateway to ensure secure outbound internet access. The gateway translates your IP addresses to a shared address pool. If internet access should be from your controlled IP address pool, use a NAT instance (a dedicated VM).
- DDoS protection: When assigning public IP addresses to your cloud resources, use the Yandex DDoS Protection service by clicking the button (L4 DDoS protection). If you need L7 DDoS protection, contact your account manager.
Authentication and access control
- Centralized management and identity federations: Create an organization in Yandex Cloud Organization and set up Single Sign-On in Yandex Cloud via your IdP server. See the setup instructions for AD FS, Keycloak, and Google Workspace.
- Federated accounts: Use federated accounts instead of Yandex accounts whenever possible.
- Principle of least privilege: Assign service roles (for example, compute.images.user) instead of primitive roles (viewer, editor, or admin). See the list of all roles and examples of assigning roles. Watch our webinar to learn how to manage cloud access permissions.
- Terraform Yandex Cloud Yandex Identity and Access Management module: Organize access groups for cloud users.
- Working with service accounts: Assign a service account to a VM instance and get a token using the metadata service. Set up a local firewall on the VM instance so that only the necessary processes and system users have access to the metadata service (IP address: 169.254.169.254).
- 2FA: For an identity federation, set up 2FA on the side of your IdP. For a Yandex account, set up 2FA using this guide.
- billing.accounts.owner protection: After performing the initial operations, do not use an account with this role. To manage a billing account, assign the admin, editor, or viewer role for the billing account to a specific employee with a federated account.
- organization-manager.organizations.owner protection: In an identity federation, grant the organization-manager.organizations.owner role to a federated account and then delete the passport account with this role from your organization. To mitigate the risks of possible federation failures, follow the steps described in Deleting a passport account from an organization. Without an identity federation, set a complex password for the Yandex account used to create the organization. Grant the less privileged organization-manager.admin role to organization administrators and use the account with the organization-manager.organizations.owner role only if you absolutely have to.
Resource model: Place all critical resources that must be compliant with standards in a separate cloud. Divide resource groups by folders. Host shared resources (such as network and security groups) in a separate shared resource folder.
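The local firewall for the metadata service from the "Working with service accounts" item above, written out as an added example; it is not part of the Yandex Cloud documentation. It assumes a Linux guest with iptables and that the workload which needs the service account token runs under the UIDs passed as arguments. The token URL and the Metadata-Flavor header are the ones the Yandex Cloud metadata service uses; everything else (function names, the audit check) is this example's own.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs. Locks the VM's metadata service
# (169.254.169.254) down to the system users that actually need the service
# account token, so an unrelated compromised process on the VM cannot fetch it.
# Assumptions: Linux guest with iptables; workload UIDs are passed as arguments.

METADATA_IP=169.254.169.254
# Token endpoint of the Yandex Cloud metadata service (GCE-compatible path).
TOKEN_URL="http://$METADATA_IP/computeMetadata/v1/instance/service-accounts/default/token"

# Print the iptables commands that allow only the given UIDs to reach the
# metadata service and drop everything else. ACCEPT rules are inserted above
# the DROP rule, and all of them above any pre-existing OUTPUT rules.
# Printed rather than executed so the result can be reviewed, then piped to sh.
metadata_rules() {
  pos=1
  for uid in "$@"; do
    echo "iptables -I OUTPUT $pos -d $METADATA_IP -m owner --uid-owner $uid -j ACCEPT"
    pos=$((pos + 1))
  done
  echo "iptables -I OUTPUT $pos -d $METADATA_IP -j DROP"
}

# The intended path for an allowed process: fetch the IAM token of the VM's
# service account. The Metadata-Flavor header is mandatory.
fetch_sa_token() {
  curl -sf -H 'Metadata-Flavor: Google' "$TOKEN_URL"
}

# Returns 0 when the running ruleset already contains the DROP rule, which is
# what a configuration audit of the VM should check for.
metadata_locked_down() {
  iptables -S OUTPUT | grep -q -- "-d $METADATA_IP/32 -j DROP"
}

# Usage (as root): sh metadata-firewall.sh <uid>... | sh
if [ $# -gt 0 ]; then
  metadata_rules "$@"
fi
```

If cloud-init or a guest agent that runs as root still needs the metadata service after boot, pass UID 0 as one of the allowed users; the generated rules are not persistent across reboots unless you save them with your distribution's iptables persistence mechanism.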
Data encryption and key/secret management
- Encryption in Yandex Object Storage: Enable bucket encryption (server-side encryption). See the instructions. This encryption protects bucket data from being published on the internet.
- VM disk encryption (if required).
- Client-side encryption (if required): Use data encryption with Key Management Service keys. See an overview of encryption methods.
- Key Management Service key protection: Grant only granular access to individual Key Management Service keys (the kms.keys.encrypter, kms.keys.decrypter, or kms.keys.encrypterDecrypter roles). Use key rotation.
- Secret management: Use secret management services, such as Yandex Lockbox or HashiCorp Vault with Key Management Service support from Cloud Marketplace.
Secure configuration
- Default passwords: Keep track of default passwords in VM software, both organizationally and technically, for example, by using vulnerability scanners.
- Standards and baseline: Configure the OS and software in accordance with the baseline and standards (such as CIS and PCI DSS). To automate compliance checks, use, for example, OpenSCAP.
- Disabling the serial console: Do not use the serial console; if you still have to, evaluate your risks and disable it once you are done.
- Safe use of Terraform: Use terraform remote state based on Object Storage with a lock function in Yandex Managed Service for YDB. You can see a setup example here. Set sensitive = true for sensitive variables and outputs if required. Do not put private data into the configuration; if you still have to, use secret management services or environment variables. You can read more here.
- Integrity control on guest OS: Use free host-based solutions, such as Wazuh or Osquery, or paid solutions from Cloud Marketplace.
- Secure configuration of Object Storage: Use encryption, bucket policies, and ACLs; enable versioning for deletion protection; enable built-in access auditing; and configure CORS if required.
- Secure configuration of Yandex Cloud Functions: Provide a service account token via the native authentication mechanism using the assigned service account and metadata. If possible, use private functions.
- Secure configuration of Yandex Container Registry: We do not recommend using privileged containers to run workloads. Use the built-in image vulnerability scanner.
- Yandex Certificate Manager: Use Certificate Manager to store, receive, and update TLS certificates from Let's Encrypt® and to upload your own certificates. The service is integrated with Yandex API Gateway, Yandex Application Load Balancer, and Object Storage.
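A pre-commit check for the "Safe use of Terraform" item above, added here as an example; it is not from the Yandex Cloud documentation or from Terraform itself. It flags attributes that assign a string literal to a secret-looking name, and input variables with such names that are not declared sensitive = true. The .tf text embedded in the script is constructed sample input, and the resource type and attribute names in it are illustrative.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs or the Terraform project: a check
# to run on Terraform code before it is committed. The sample input below is
# constructed; the resource type and attributes in it are illustrative.

SAMPLE_TF='variable "db_password" {
  type = string
}
variable "api_token" {
  type      = string
  sensitive = true
}
resource "yandex_mdb_postgresql_user" "app" {
  name     = "app"
  password = "SuperSecret123"
}
provider "yandex" {
  token = var.api_token
}'

# Attribute names that should never be assigned a string literal in .tf files.
SECRET_ATTRS='password|secret|token|private_key|access_key|secret_key'

# Print (with line numbers) every line that assigns a quoted literal to a
# secret-like attribute. References such as var.api_token do not match.
hardcoded_secrets() {
  printf '%s\n' "$1" | grep -nE "^[[:space:]]*($SECRET_ATTRS)[[:space:]]*=[[:space:]]*\""
}

# Print the names of input variables whose name looks secret-related but whose
# block has no "sensitive = true". Brace depth is tracked so a nested block
# (such as validation {}) inside the variable does not end it early.
unmarked_secret_variables() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*variable[[:space:]]+"/ {
      match($0, /"[^"]+"/)
      name = substr($0, RSTART + 1, RLENGTH - 2)
      sens = 0; inblock = 1; depth = 0
    }
    inblock {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if ($0 ~ /^[[:space:]]*sensitive[[:space:]]*=[[:space:]]*true/) sens = 1
      if (depth <= 0) {
        if (name ~ /(password|secret|token|key)/ && !sens) print name
        inblock = 0
      }
    }'
}

# Returns non-zero when either check finds something, so it can gate a commit.
check_terraform() {
  hits=$(hardcoded_secrets "$1"; unmarked_secret_variables "$1")
  if [ -n "$hits" ]; then
    printf 'Terraform secrets check failed:\n%s\n' "$hits"
    return 1
  fi
  return 0
}

# Runs against the sample when executed directly. For a real repository:
#   check_terraform "$(cat *.tf)"
check_terraform "$SAMPLE_TF" || true
```

On the sample the check reports line 10 (a literal password) and the variable db_password (secret-like name without sensitive = true); the api_token variable passes because it is marked sensitive and is only referenced, never assigned a literal.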
Protection against malicious code
- OS-level protection: Install antivirus solutions from Cloud Marketplace on VMs.
- Network-level protection: Use NGFW/IDS/IPS available in Cloud Marketplace (some of them have built-in sandboxes).
- Container image-level protection: Use the image vulnerability scanner integrated with Container Registry.
Managing vulnerabilities
- Automated vulnerability scanning: Use free network scanners, such as Nmap, OpenVAS, and OWASP ZAP, or host-based solutions, such as Wazuh and Tripwire.
- External security scans: Perform scans according to the rules.
- Software and OS updates: Install updates manually and use automated update tools.
- Web Application Firewall: Install a WAF from Cloud Marketplace or use Managed WAF — contact your account manager to get access.
Collecting, monitoring, and analyzing audit logs
- Yandex Audit Trails: Enable Audit Trails for all clouds and folders.
- Collecting events on the guest OS and application side: Collect events using, for example, free solutions such as Osquery and Wazuh.
- Collecting flow logs (if required): For example, using NGFW from Cloud Marketplace or free software (options are available in service plans).
- Exporting Audit Trails events to SIEM: You can export event data to any SIEM using s3fs; see the instructions.
- Use cases.
- Responding to Audit Trails events with Cloud Functions.
- Regular status audit: Use the Yandex Cloud CLI for queries to the current state of the cloud infrastructure or the Cloud Advisor partner solution.
Physical security
- Physical security measures: For more information, see the description of Yandex Cloud physical security measures.
Backups
- Regular backups: Configure scheduled creation of disk snapshots using Cloud Functions.
Managing budgets
- Notifications for cost control: Set up notifications for budget thresholds in Yandex Cloud Billing. See this guide for details.
Incident response
- Response procedure: Develop an incident response process. To get additional logs, follow the data request procedure.
Security of Yandex Managed Service for Kubernetes
Data encryption and key/secret management
- Server-side encryption: Enable secret encryption in etcd. See the tutorial. Always do this, regardless of whether you use secret management services.
- Secret management: Use Yandex Lockbox or HashiCorp Vault with Key Management Service support from Cloud Marketplace.
Network security
- Security groups: Configure security groups for Kubernetes. See the instructions. We do not recommend granting public access and public addresses to Kubernetes components.
- Ingress controller: To access Kubernetes services from outside, use a LoadBalancer (internal or external) Ingress controller (HTTPS): Application Load Balancer Ingress Controller or other solutions, such as NGINX Ingress Controller.
- DDoS protection: Create an IP address with DDoS protection and assign it to the service or Ingress controller.
- Network policy: Restrict access at the Kubernetes level using Calico network policies or advanced Cilium network policies.
- Access only from a limited pool of addresses (if required): Assign security groups for the Application Load Balancer Ingress controller and use network policies for other Ingress controllers.
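A coverage check for the network policy item above, added here as an example and not part of the Yandex Cloud documentation. It lists namespaces that have no NetworkPolicy at all (where every pod can therefore be reached from, and reach, anything) and emits a default-deny manifest for them; this is the standard Kubernetes NetworkPolicy resource, which both Calico and Cilium enforce. The namespace and policy listings embedded in the script are constructed sample data shaped like the output of the kubectl commands given in the comments; the function names and the --live switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs: find namespaces with no
# NetworkPolicy at all and produce a default-deny policy to close the gap.
# The sample data below is constructed and has the shape of:
#   kubectl get ns -o custom-columns=NAME:.metadata.name --no-headers
#   kubectl get networkpolicy -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name --no-headers

SAMPLE_NAMESPACES='default
kube-system
payments
frontend'

SAMPLE_POLICIES='payments   default-deny
payments   allow-from-frontend
kube-system   allow-dns'

# Print each namespace from $1 that has no policy line (first column) in $2.
namespaces_without_policy() {
  printf '%s\n' "$1" | while read -r ns; do
    [ -n "$ns" ] || continue
    if ! printf '%s\n' "$2" | awk -v n="$ns" '$1 == n { found = 1 } END { exit !found }'; then
      echo "$ns"
    fi
  done
}

# Default-deny for both directions in one namespace; explicit allow rules are
# then added per workload (DNS egress to kube-system is usually the first one).
default_deny_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# With --live the listings come from the cluster; otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
  ns=$(kubectl get ns -o custom-columns=NAME:.metadata.name --no-headers)
  pol=$(kubectl get networkpolicy -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name --no-headers)
else
  ns=$SAMPLE_NAMESPACES
  pol=$SAMPLE_POLICIES
fi
for n in $(namespaces_without_policy "$ns" "$pol"); do
  echo "# namespace $n has no NetworkPolicy; suggested default-deny:"
  default_deny_manifest "$n"
done
```

Review the generated manifests before applying them: a default-deny in a system namespace, or in one whose workloads have not yet been given allow rules, will cut off traffic immediately.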
Authentication and access control
- Access control: Configure roles to access Kubernetes. See the instructions. Control the access rights of the node group's service account (the container-registry.images.puller role is usually enough).
Secure configuration
- Node group configuration according to baseline and standards: Configure node groups according to standards and baselines such as NIST and CIS. You can use automated tools, such as kube-bench and kubescape.
- Runtime security and policy engine: Use runtime security solutions, such as Falco, as well as policy engine solutions, such as OPA Gatekeeper and Kyverno.
- Security updates: Select a relevant update channel and enable automatic or manual installation of updates immediately after publication in the selected channel. Also perform timely updates of your own software on node groups.
- Distribution of pods into different node groups: Configure node taints and tolerations together with node affinity (by workload and degree of privacy).
Collecting, monitoring, and analyzing audit logs
- Collecting and analyzing audit logs of workloads and node groups: For example, using open-source tools, such as Fluent Bit and Beats.
- Monitoring abnormal loads: Use Yandex Monitoring.
Backups
- Backups: Configure Kubernetes cluster backups in Object Storage. See the tutorial. Follow the recommendations in Secure configuration of Object Storage.