Security Requirements for Yandex.Cloud configuration
Network Security
Virtual machines should be assigned to security groups based on the least privileged principle
VM group templates should have a security group defined based on the least privileged principle
Virtual machines are not allowed to assign a public IP address
The Elasticsearch cluster should be assigned to security group based on the least privileged principle
The Kafka cluster should be assigned to security group based on the least privileged principle
The database (ClickHouse, MongoDB, MySQL, PostgreSQL) should be assigned a security group based on the least privileged principle
The database (ClickHouse, MongoDB, MySQL, PostgreSQL) is not allowed to assign public access
The bucket (ObjectStorage) should not have rules and policies that allow public access
Disks, Snapshots, Images should not be publicly available
Kubernetes cluster should not have a public IP address
The Kubernetes cluster should be assigned a security group with rules assigned based on the least privileged principle
The Control Plane of the cluster should be located in a separate VPC from the workers.
Security group should not allow inbound and outbound connections without IP restriction
Security groups should not allow access from private networks without IP restriction
The security group should not contain a range of ports
Access Control
AD FS with integrated 2FA should be configured for cloud console access. Cloud administrators and maintainers other than the cloud owner should authenticate to the cloud through this AD FS. (optional)
The cloud should not have service accounts and system groups with admin rights
Roles should be assigned according to the principle of the least privileged, excluding the use of the editor role
All users with edit, admin, owner rights added to Yandex.Cloud (not via AD FS with 2FA) should have two-factor authentication configured into their Yandex account
Serial console should be disabled
It is forbidden to store authorization keys in source code. All secrets, keys, passwords, and tokens should be stored in a secure Vault / KMS storage
For each task, a separate service account should be created with the minimum required set of privileges. The name of the service account should reflect its tasks and assigned rights when created
It is impossible to create API keys (instead of those authorized to obtain an IAM token) without agreement with the IS Department
The bucket should not have rules that allow full access, as well as read / write access for all authenticated users
Logging requirements
Audit Trails service should be configured for all supported resources.
Other
If the bucket contains personal data, banking, or commercial secrets, then encryption should be configured for it
Versioning should be configured for the bucket
When creating a Kubernetes cluster in Yandex.Cloud, a network policy should be created based on the principle of the least privileged principle
The Kubernetes cluster should be configured according to CIS (for configuration that available for change by managed kubernetes)
It is desirable to configure updates for the cluster