Security checklist
Network security
-
Segmentation: Split resources into groups and put them in different folders or, if strict isolation is required, in different VPC. Traffic within a VPC is allowed by default but not allowed between different VPC (only via a VM with two network interfaces in different networks or VPNs).
-
Secure access from outside the cloud infrastructure (VPN): If you need remote access to cloud resources, configure a site-to-site VPN.
-
Secure remote administrator access (VPN): Set up a VPN connection between remote devices and Nebius AI using solutions from Marketplace.
-
Bastion host: Create a bastion VM to access the infrastructure using control protocols (for example, SSH).
-
Outbound access (NAT): Use an NAT gateway to ensure secure outbound internet access. The gateway translates your IP addresses to a shared address pool.
Authentication and access control
- Centralized management and identity federations: Create an organization in Cloud Organization and set up Single Sign-On in Nebius AI via your IdP server. See the setup instructions for AD FS and Google Workspace.
- Federated accounts: Use federated accounts instead of Google accounts whenever possible.
- Working with service accounts: Set up a local firewall on the VM instance so that only the necessary processes and system users have access to the metadata service (IP address: 169.254.169.254).
- 2FA: For an identity federation, set up 2FA on the side of your IdP. For a Google account, set up 2FA using this guide
. - billing.accounts.owner protection: After performing the initial operations, do not use an account with this role. To manage a billing account, assign the
admin
,editor
, orviewer
role for the billing account to a specific employee with a federated account. - resource-manager.clouds.owner protection: Assign the
resource-manager.clouds.owner
role to employees with federated accounts. Set a strong password for the Google account that was used to create the cloud, and use it only when absolutely necessary. Grant administrators less privileged access and useresource-manager.clouds.owner
only when absolutely necessary.
Secure configuration
- Default passwords: Keep track of default passwords in VM software organizationally and technically using various vulnerability scanners.
- Standards and baseline: Configure the OS and software in accordance with the baseline and standards (such as CIS and PCI DSS). To automate compliance, use, for example, OpenSCAP
. - Integrity control on guest OS: Use free host-based solutions, such as Wazuh or Osquery, or paid solutions from Marketplace.
- Secure configuration of Container Registry: We do not recommend using privileged containers to run loads.
Protection against malicious code
- OS-level protection: Install antivirus solutions on VMs.
- Network-level protection: Use NGFW/IDS/IPS.
- Container image-level protection: Use the image vulnerability scanner integrated with Container Registry.
Managing vulnerabilities
- Automated vulnerability scanning: Use free network scanners, such as Nmap, OpenVAS, and OWASP ZAP, or host-based solutions, such as Wazuh and Tripwire.
- External security scans: Perform scans according to the rules.
- Software and OS updates: Install updates manually and use automated update tools.
- Web Application Firewall: Use your own WAF installation.
Collecting, monitoring, and analyzing audit logs
- Collecting events on the guest OS and applications side: Collect events, for example, free solutions, such as Osquery and Wazuh.
- Collecting Flow logs (if required): For example, using a firewall.
- Regular status audit: Use the Nebius AI CLI for queries to the current state of the cloud infrastructure partner solution.
Physical security
- Physical security measures: For more information, see the description of Nebius AI physical security measures.
Backups
- Regular backups: Create disk snapshots at preset intervals.
Incident response
- Response procedure: Develop an incident response process. To get additional logs, follow the data request procedure.
Managed Service for Kubernetes security
Network security
- Ingress controller: To access Kubernetes services from outside, use an external Ingress controller, such as NGINX Ingress Controller
.
Secure configuration
- Node group configuration according to baseline and standards: Configure node groups according to standards and baseline: NIST, CIS, and other. You can use automated tools, such as kube-bench and kubescape.
- Runtime security and policy engine: Use runtime security solutions, such as Falco, as well as policy engine solutions, such as OPA Gatekeeper and Kyverno.
- Security updates: Select a relevant update channel and enable automatic or manual installation of updates immediately after publication in the selected channel. Also perform timely updates of your own software on node groups.
- Distribution of pods into different node groups: Configure node taints and tolerations + node affinity (by load and degree of privacy).
Collecting, monitoring, and analyzing audit logs
- Collecting and analyzing audit logs of workloads and node groups: For example, using open-source tools, such as Fluent Bit and Beats.
Backups
- Backups: Configure Kubernetes cluster backups in Object Storage. See the tutorial. Follow the recommendations in Secure configuration of Object Storage.