
# Security tools available to cloud service users

## Authentication systems {#auth-syst}

The following types of accounts are currently available to Yandex Cloud users:

* [Yandex ID accounts](#passport-accounts)
* [Federated accounts](#fed-accounts)
* [Service accounts](#service-accounts)

### Yandex ID accounts {#passport-accounts}

[Yandex ID](https://yandex.com/support/passport/index.html) enables authentication and authorization of Yandex users and stores users' personal data. To authenticate with your Yandex ID, use your username and password, or your PIN and the Yandex.Key app if two-factor authentication is set up. After successful authentication, Yandex ID sets a cookie for the yandex.TLD domain in your browser. Yandex ID authenticates users, sets the cookies, and stores the cryptographic keys that control cookie integrity.

IAM uses this cookie to authenticate the user and issue an IAM token for accessing the Yandex Cloud API. IAM stores the cryptographic keys used to control IAM token integrity.

For CLI use, Yandex ID issues the user an OAuth token, which is stored on the user's disk and exchanged for a temporary IAM token. In all cases, IAM tokens are valid for 24 hours and OAuth tokens are valid for one year from the date of issue. Yandex ID stores the cryptographic keys used to control OAuth token integrity.

{% note info "OAuth token authentication is deprecated" %}

This authentication method is no longer supported. Consider using [IAM tokens](../iam/concepts/authorization/iam-token.md) or [API keys](../iam/concepts/authorization/api-key.md).

{% endnote %}

### Federated accounts {#fed-accounts}

If an [identity federation](../iam/concepts/federations.md) is used, the IAM service accepts a signed SAML token from a third-party identity provider. This token contains information about the authenticated user.

The cryptographic keys that sign SAML tokens are held by the customer's identity provider, so managing, using, and storing them safely is the customer's responsibility. The public part of the key, used to verify the SAML token signature, is set by the customer when configuring the identity federation and is then stored in IAM.

After receiving and verifying the SAML token signature, IAM creates and extends a user session using cookies. IAM stores and manages the cryptographic keys used to control cookie integrity.

### Service accounts {#service-accounts}

[Service accounts](../iam/concepts/users/service-accounts.md) are a special type of account for accessing Yandex Cloud resources on behalf of an application. Service account authentication can be done using the following types of keys:

* Authorized keys: RSA keys generated in IAM. The user can download such a key only once, right after it is created. IAM stores only the public part of the key; the private part stays with the user, who is responsible for keeping it safe. See [Authorized keys](../iam/concepts/authorization/key.md).
* Static keys used to access Message Queue (YMQ) and Yandex Object Storage. A copy of a static key is issued to the user immediately after IAM creates it. Static keys are stored in IAM and used to check the integrity of requests to YMQ and Yandex Object Storage. See [Static access keys compatible with the AWS API](../iam/concepts/authorization/access-key.md).
* API keys used to access the Yandex Cloud API; some services use them for simplified authentication. See [API key](../iam/concepts/authorization/api-key.md).
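The difference between the first two key types above, and the SAML federation case in the previous section, comes down to what the verifying side stores: for authorized keys and SAML signatures IAM holds only public material and can verify but never sign, while for static keys IAM holds the same secret as the user. The following Go program is an added example that demonstrates both models; it is not Yandex Cloud or IAM code. The type and function names, the key ids, the secret and the canonical request string are constructed for illustration, and the real request canonicalization rules and the exchange of an authorized key for an IAM token are not modelled.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuthorizedKey is the holder's side of an authorized key: the private half
// never leaves the holder. (Constructed model for this example.)
type AuthorizedKey struct {
	ID      string
	Private *rsa.PrivateKey
}

// PublicKeyRecord is all the verifying side (IAM in the text above) keeps:
// the key id and the public half. The same shape applies to the SAML case,
// where the stored public key comes from the customer's identity provider.
type PublicKeyRecord struct {
	ID     string
	Public *rsa.PublicKey
}

// NewAuthorizedKey generates an RSA key pair and splits it into the part the
// holder keeps and the part the verifier stores.
func NewAuthorizedKey(id string) (AuthorizedKey, PublicKeyRecord, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return AuthorizedKey{}, PublicKeyRecord{}, err
	}
	return AuthorizedKey{ID: id, Private: priv},
		PublicKeyRecord{ID: id, Public: &priv.PublicKey}, nil
}

// SignRequest signs a canonical request with RSA-PSS over SHA-256. Only the
// private-key holder can produce this value.
func SignRequest(k AuthorizedKey, canonical []byte) ([]byte, error) {
	digest := sha256.Sum256(canonical)
	return rsa.SignPSS(rand.Reader, k.Private, crypto.SHA256, digest[:], nil)
}

// VerifySignature is the only operation the public record allows: it can
// confirm a signature but cannot create one.
func VerifySignature(rec PublicKeyRecord, canonical, sig []byte) bool {
	digest := sha256.Sum256(canonical)
	return rsa.VerifyPSS(rec.Public, crypto.SHA256, digest[:], sig, nil) == nil
}

// StaticKey is a shared secret: the requester and the verifier hold the same
// bytes, so either side can produce a valid MAC.
type StaticKey struct {
	ID     string
	Secret []byte
}

// MACRequest computes HMAC-SHA256 over the canonical request.
func MACRequest(k StaticKey, canonical []byte) string {
	m := hmac.New(sha256.New, k.Secret)
	m.Write(canonical)
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyMAC recomputes the HMAC with the stored copy of the secret and
// compares it in constant time.
func VerifyMAC(k StaticKey, canonical []byte, mac string) bool {
	got, err := hex.DecodeString(mac)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, k.Secret)
	m.Write(canonical)
	return hmac.Equal(m.Sum(nil), got)
}

func main() {
	// Constructed sample request; a real canonical form is defined by the service.
	req := []byte("GET /example-bucket/object.txt host=storage.example x-date=2024-01-01T00:00:00Z")
	tampered := []byte(string(req) + "&admin=true")

	ak, rec, err := NewAuthorizedKey("constructed-authorized-key-id")
	if err != nil {
		panic(err)
	}
	sig, err := SignRequest(ak, req)
	if err != nil {
		panic(err)
	}
	fmt.Println("authorized key, original request accepted:", VerifySignature(rec, req, sig))
	fmt.Println("authorized key, tampered request accepted:", VerifySignature(rec, tampered, sig))

	sk := StaticKey{ID: "constructed-static-key-id", Secret: []byte("constructed-secret")}
	mac := MACRequest(sk, req)
	fmt.Println("static key, original request accepted:", VerifyMAC(sk, req, mac))
	fmt.Println("static key, tampered request accepted:", VerifyMAC(sk, tampered, mac))
	// The verifier's stored copy is enough to mint a valid MAC, which is why a
	// static key must be protected on both sides.
	fmt.Println("static key, verifier copy produces same MAC:", MACRequest(sk, req) == mac)
}
```

The practical consequence for a defender is the asymmetry in blast radius: a leaked `PublicKeyRecord` lets nobody impersonate the service account, whereas a `StaticKey` is equally sensitive wherever it is stored, so static keys deserve tighter rotation and scoping than authorized keys.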

{% note info %}

Creating service accounts and their [keys](../iam/concepts/users/service-accounts.md#sa-key) may be prohibited by [access policies](../iam/concepts/access-control/access-policies.md) at the [folder](../resource-manager/concepts/resources-hierarchy.md#folder), [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), or [organization](../organization/concepts/organization.md) level.

{% endnote %}

## Network security {#network-sec}

To protect the cloud network infrastructure hosted in Yandex Cloud, we recommend managing incoming and outgoing traffic and dividing the virtual networks of the Yandex Cloud environment into segments based on tasks.

For incoming traffic management, use a load balancer and VMs without public IPs. This reduces the attack surface and limits the traffic reaching the VMs to the appropriate protocols. You can integrate a network load balancer with Yandex DDoS Protection to safeguard your service from DDoS attacks. To protect against Layer 7 (L7) DDoS attacks, we recommend using virtual images or cloud services that include a Web Application Firewall (WAF).

For outgoing traffic management, we recommend using VMs without public IPs and granting them internet access through a NAT instance that functions as a network gateway or proxy server.

To segment access in Yandex Cloud, you can create a separate network for each of your development teams or for each environment (development, testing, and production). With this approach, we recommend using network device images from Cloud Marketplace to link the networks and control traffic flows between segments.

We also recommend connecting to your local infrastructure or the internet using a VPN instance, network images from Cloud Marketplace, or Yandex Cloud Interconnect.

## Additional data protection tools {#more-tools}

Yandex Cloud protects customer data using cryptographic tools. Users can additionally secure their data with KMS (Key Management Service), which manages the user's cryptographic keys in Yandex Cloud and provides additional data encryption features.

Read more in the [Yandex Key Management Service documentation](../kms/index.md).