Secure configuration
This section provides recommendations to customers on security settings in Nebius AI services and the use of additional data protection tools.
Default passwords
Nebius AI services do not have default credentials. In each service, the client specifically assigns user passwords and other secrets. However, software managed by the client that is installed on virtual machines or inside containers may contain initial credentials that should be changed (for example, the login admin with the password admin).
To automatically verify credentials, we recommend using paid security scanners or the following free tools:
Managing infrastructure
In IaaS services, the customer is responsible for the configuration of their resources.
To check your host compliance with the security standards and best practices, we recommend using the free utility OpenSCAP.
Preparing VM images
When deploying a VM instance, we recommend that you:
- Prepare a VM image whose system settings correspond to your information security policy.
- Use this image to create a VM.
- Look up the VM details to check that this image was actually used to create the disk.
Integrity control
Numerous information security standards require integrity control of critical files. To do this, you can use free host-based solutions:
Side-channel attacks
To ensure the best protection against CPU side-channel attacks (for example, Spectre or Meltdown):
- Use full-core VMs (that is, VMs with the CPU share of 100%).
- Use VMs with an even number of cores (2 cores, 4 cores, and so on).
- Make sure to install such updates for the OS and kernel that are protected from side-channel attacks (for example, Kernel page-table isolation for Linux, applications built with Retpoline).
Object Storage
Deletion protection and version backups
When processing critical data in buckets, you must ensure that data is protected from deletion and that versions are backed up. This can be achieved by versioning and lifecycle management mechanisms.
Bucket versioning is the ability to store the history of object versions. Each version is a complete copy of an object and occupies space in Object Storage. Using version control protects your data from both unintentional user actions and application faults.
If you delete/modify an object with versioning enabled, a new version of the object with a new ID is effectively created. In the case of deletion, the object becomes unreadable, but its version is kept and can be restored.
For more information about setting up versioning, see the Object Storage documentation, Bucket versioning.
The lifecycle management mechanism allows you to set a policy for deleting or moving data, for example:
- Delete all non-current versions of objects (condition type: NoncurrentVersionExpiration) on expiry of a certain number of days since the version became non-current.
- Delete all current versions of objects (condition type: Expiration) on expiry of a certain number of days since they were uploaded.
For more information about lifecycles, see the Object Storage documentation and Object lifecycles.
The storage period of critical data in a bucket is determined by the client's information security requirements and information security standards. For example, the PCI DSS standard states that audit logs should be stored for at least one year and should be readily available online for at least three months.
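The versioning and lifecycle rules described above, as an added example that is not part of the Nebius documentation: it assumes Object Storage exposes an S3-compatible lifecycle API (the rule shape that boto3's put_bucket_lifecycle_configuration accepts), and the bucket states it audits are constructed.

```python
from typing import Dict, List, Optional

PCI_DSS_MIN_RETENTION_DAYS = 365  # "at least one year" for audit logs, per the text


def build_lifecycle(noncurrent_days: int, current_days: Optional[int] = None) -> Dict:
    """Build the two lifecycle rules from the text (assumed S3-compatible rule shape).

    NoncurrentVersionExpiration removes an object version N days after it became
    non-current; Expiration removes the current version N days after upload.
    """
    rules = [{
        "ID": "expire-noncurrent-versions",
        "Status": "Enabled",
        "Filter": {"Prefix": ""},  # empty prefix: the rule covers the whole bucket
        "NoncurrentVersionExpiration": {"NoncurrentDays": noncurrent_days},
    }]
    if current_days is not None:
        rules.append({
            "ID": "expire-current-objects",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "Expiration": {"Days": current_days},
        })
    return {"Rules": rules}


def audit_bucket(versioning_status: str, lifecycle: Dict,
                 min_retention_days: int = PCI_DSS_MIN_RETENTION_DAYS) -> List[str]:
    """Return findings for a bucket holding critical data; an empty list is compliant.

    versioning_status is the 'Status' of GetBucketVersioning: 'Enabled',
    'Suspended', or '' if versioning was never turned on. With versioning on,
    Expiration only places a delete marker and the data survives as a non-current
    version, so the retention floor is NoncurrentDays; that is what is checked.
    """
    findings = []
    if versioning_status != "Enabled":
        findings.append("versioning not enabled: deleted or overwritten objects "
                        "cannot be restored")
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        days = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if days is not None and days < min_retention_days:
            findings.append(f"rule {rule.get('ID')!r} deletes non-current versions "
                            f"after {days} days, below the required {min_retention_days}")
    return findings
```

Feed audit_bucket the values returned by the real GetBucketVersioning and GetBucketLifecycleConfiguration calls to check every bucket that holds critical data.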
Managed Services for Databases
We recommend prohibiting internet access to databases that contain critical data, in particular PCI DSS data or private data.
Do not enable access to databases containing critical data from the management console or other services unless explicitly required. If you need access to the database from the management console to send SQL queries and visualize the data structure, use the Nebius AI service network with authentication and TLS encryption. You can enable and disable such access in the cluster settings, or in the advanced settings section when creating the cluster.