Caoimhin89/yc-solution-library-for-security

🔐 Yandex.Cloud Security Solution Library

Yandex.Cloud Security Solution Library is a set of examples and recommendations collected in a public repository on GitHub. Its purpose is to help companies build a secure infrastructure in the cloud and meet the requirements of various regulators and standards. Yandex.Cloud team has selected the most common tasks that arise when building security in the cloud. They have tested and described relevant scenarios in detail.

Brief webinar

☑️ Yandex.Cloud Security Checklist

Checklist for security in the Yandex.Cloud infrastructure

https://cloud.yandex.com/en/docs/overview/security/domains/checklist

List of solutions

• 🕸 Network security
  • Example of setting up Security Groups (dev/stage/prod): Terraform
  • Example of installing a VM instance with a firewall (NGFW): Check Point
  • Example of installing two VM instances with an NGFW Check Point: Active-Active
  • Example of installing two NGFW Check Point VMs: Active-Passive
  • An example of creating a site-to-site VPN connection to Yandex.Cloud: Terraform
• 🔑 Authentication and access control
  • IAM module with usage examples
• 🦠 Protection against malicious code
  • Deploying Kaspersky Antivirus in Yandex.Cloud (Compute Instance, COI)
• 🐞 Vulnerability management
  • Fault-tolerant operation of PT Application Firewall based on Yandex.Cloud
  • Installing a vulnerable web application (DVWA) in Yandex.Cloud using Terraform for Managed WAF testing
  • Testing AntiDDos system using Yandex Load Testing
• 🔏 Data encryption and key and secret management
  • Encrypting secrets with KMS when transferring the keys to the COI VM container Yandex.Cloud: Terraform
  • Encrypting a VM disk in the cloud using YC KMS
  • Yandex Cloud Lockbox password solution
• 🔎 Collecting, monitoring, and analyzing audit logs
  • Collecting, monitoring and analyzing audit logs in Yandex Managed Service for Elasticsearch (ELK)
  • Collecting, monitoring, and analyzing audit logs in an external SIEM ArcSight
  • Collecting, monitoring, and analyzing audit logs in an external Splunk
  • Use cases and important security events in audit logs
  • Trails-function-detector: Alerts and response to Information Security events in Audit Trails using Cloud Logging and Cloud Functions + Telegram
  • Monitoring Audit Trails and events in Yandex Cloud Monitoring
• 👮 Secure configuration
  • Example of a secure configuration for Yandex Cloud Object Storage: Terraform

• Kubernetes security
  • Authentication and access control in Managed Kubernetes:
    • Example of setting up role-based models and policies in Yandex Managed Service for Kubernetes
  • Collecting, monitoring, and analyzing audit logs:
    • Analyzing K8s security logs in ELK: audit logs, Policy Engine, Falco
    • Exporting Cilium Flow Logs to Object Storage (S3)
    • Export of kubernetes audit logs to s3/object storage
    • Export of kubernetes audit logs to Yandex Data Streams/Kinesis Data Streams
  • Data encryption and key/secret management in Managed Kubernetes
    • Secret Management with Secret Manager (Lockbox, Vault)
  • Secure configuration of Managed Kubernetes:
    • Osquery and kubequery in K8s: Osquery (protecting K8s nodes), kubequery (analyzing the configuration of the entire K8s)
  • CVE mitigations:
    • CVE-2022-0185
    • CVE-2021-4034
  • Feature comparison table of k8s security solution
  • Starboard integration with Yandex Cloud Container Registry to scan running images

• CI/CD Security
  • Secure CI/CD on Managed GitLab:
    • Webinar+materials: Detection of Log4shell and other vulnerabilities in CI / CD based on Managed GitLab:
      • Vulnerability detection in CI/CD (Ultimate license)
      • Vulnerability detection in CI/CD (Free license)
      • Security in Gtilab instance check-list
  • Speech about compliance and devsesop

• Terraform security
  • Scan tf manifests with checkov
  • Terraform state in Yandex.Cloud using Object Storage

Feedback

• Improvements, bugs, contribute: Please start using github issue/pr
• Questions, wishes, consultations: Write to us in telegram https://t.me/YandexCloudSecurity

Reference architecture