Vulnerability management
Yandex Cloud is responsible for managing vulnerabilities and security updates in managed services. The client is responsible for managing vulnerabilities and security updates for all other system components.
For an example of how responsibility for managing vulnerabilities and security updates is divided, see Requirement 5 in the PCI DSS responsibility matrix.
Scanning for vulnerabilities
We recommend that clients scan their own hosts for vulnerabilities. Cloud resources support the installation of custom virtual images of vulnerability scanners or software agents on hosts. There are many fee-based and free solutions for scanning.
Network scanners scan hosts that are accessible over a network. Generally, authentication can be configured on network scanners. Examples of free network scanners:
Example of a free scanner that operates as an agent on hosts: Wazuh.
Performing external security scans
Customers hosting their own software in Yandex Cloud can perform external security scans for the hosted software, including penetration tests. You can run your own scans or use contractors. For more information, see User support policy during vulnerability scanning.
Managing security updates
A client must perform their own security updates within their scope of responsibility. Various automated tools are available for centralized OS and software updates.
Yandex Cloud publishes security bulletins to notify customers of newly discovered vulnerabilities and security updates.
Web Application Firewall (WAF)
To mitigate risks associated with web attacks, we recommend using a Web Application Firewall (WAF). A client can install and maintain a WAF independently or use the Managed WAF service.
Installing a WAF on your own
WAF images are available from the Yandex Cloud Marketplace. License types and other required information are available in the product descriptions.
You can also install Wallarm WAF in Managed Service for Kubernetes. See the guide.
Managed WAF
A customer receives a cloud WAF as a service from Yandex Cloud. The customer gets access to a personal account where they can view statistics and manage the service. To activate the service and get detailed information, contact your account manager, the sales department, or support.