[Yandex Cloud documentation](../../index.md) > [Yandex Smart Web Security](../index.md) > [Step-by-step guides](index.md) > Security profiles > Creating a profile

# Creating a security profile

{% note info %}

To enhance your security, we use HTTP request data to train our machine learning (ML) models. You can disable the use of this data in the [management console](https://console.yandex.cloud) when creating a security profile or later in its settings.

{% endnote %}

![profiles-rules](../../_assets/smartwebsecurity/profiles-rules.svg)

To work with a security profile that connects to a load balancer, you will need a service account with the `monitoring.editor`, `smart-web-security.admin`, `certificate-manager.admin`, and `logging.writer` roles. Learn more in [Assigning roles to a service account](../../iam/operations/sa/assign-role-for-sa.md).

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to create your [security profile](../concepts/profiles.md).
  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![shield-check](../../_assets/console-icons/shield-check.svg) **Security profiles**.
  1. Click **Create profile**.
  1. Select one of these creation options:
      * **From a preset template**: This is a recommended option.

        A preset profile includes:
        
        * [Basic default rule](../concepts/rules.md#base-rules) enabled for all traffic with the `Allow` [action type](../concepts/rules.md#rule-action).
        * [Smart Protection rule](../concepts/rules.md#smart-protection-rules), `sp-rule-1`, enabled for all traffic with the `Full protection` action type.
        
      * **From scratch**. This profile includes only the basic default rule enabled for all traffic.

  1. Name the profile.
  1. Optionally, provide a description.
  1. Optionally, add [labels](../../resource-manager/concepts/labels.md) to your profile.
  1. In the **Action for the default base rule** field, select what to do with traffic that does not match any other rule: `Deny` or `Allow`.
  1. Select or create an [ARL profile](arl-profile-create.md) to limit the number of requests.
  1. Select or create a [Yandex SmartCaptcha](../../smartcaptcha/index.md) to verify suspicious requests:

        * `Default`: Managed by Yandex Cloud. This CAPTCHA has the following settings:
          * [Main challenge](../../smartcaptcha/concepts/tasks.md#main-task): **Checkbox**.
          * [Additional challenge](../../smartcaptcha/concepts/tasks.md#additional-task): ![image](../../_assets/console-icons/picture.svg) **Silhouettes**.
          * Additional challenge difficulty: **Easy**.
          * Appearance: **Standard**.
        
          The `Default` CAPTCHA usage fee is included in the cost of Smart Web Security.
        * `Custom CAPTCHA`: You can [customize](../../smartcaptcha/operations/create-captcha.md) CAPTCHA's difficulty, types of main and additional challenges, and appearance.
        
          {% note info %}
        
          To use a custom CAPTCHA, select **Disable domain verification** in its settings.
        
          {% endnote %}
        
          The custom CAPTCHA usage fee is charged according to the SmartCaptcha [pricing policy](../../smartcaptcha/pricing.md).

  1. Select or [create](template-create.md) a response template that will be returned to the client whenever any rule triggers in the profile. The standard Yandex Cloud template is used by default.
  1. Optionally, configure the **Analyze request body (maximum size: 8 KB)** option by selecting an action after the maximum size is exceeded:
     
     * `Do not analyze body`
     * `Block request`
  
  1. Optionally, enable **Write logs** and configure logging:
     1. In the **Send logs to** field, select the logs to write: **Cloud Logging** and **Audit Trails**.
     1. For Cloud Logging, select or create a Cloud Logging [log group](../../logging/concepts/log-group.md) to store your logs.
     1. For logging, you can choose only those requests that triggered:
        * **Base rules**.
        * **Smart Protection** rules.
        * **Web Application Firewall** rules.
        * **Advanced Rate Limiter** rules.
        * All selected rules applied the **DENY and CAPTCHA** action (verdict).
        * All selected rules applied the **ALLOW** action (legitimate requests).
  
     For more information on how to configure logging, see [this guide](configure-logging.md).

  1. Click ![plus-sign](../../_assets/console-icons/plus.svg) **Add rule**.
  1. In the rule creation window:

      1. Name the rule.
      1. Optionally, enter a description.
      1. Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.
      
          {% note info %}
          
          The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:
          * Basic default rule: `1000000`.
          * Smart Protection rule providing full protection: `999900`.
          
          {% endnote %}
      
          Learn more about rule priorities in [Overview of how rules work](../concepts/rules.md#rules-order).
      
      1. Optionally, enable **Only logging (dry run)** if you want only to log data about the traffic matching the specified conditions without applying any actions to it.
      1. Select the rule type:
          * [**Base**](../concepts/rules.md#base-rules): Allows, denies, or forwards traffic to [Yandex SmartCaptcha](../../smartcaptcha/index.md) under specified conditions.
          * [**Smart Protection**](../concepts/rules.md#smart-protection-rules): Sends traffic for automatic processing by machine learning and behavioral analysis algorithms and redirects suspicious requests to Yandex SmartCaptcha for additional verification.
          * [**Web Application Firewall**](../concepts/rules.md#waf-rules): Integrates rules from a WAF profile and redirects suspicious requests to Yandex SmartCaptcha.
      
              For a WAF rule, select or [create a WAF profile](waf-profile-create.md).
      1. Select an [action](../concepts/rules.md#rule-action):
          * For a basic rule:
            * `Deny`.
            * `Allow`.
            * `Show CAPTCHA`: To show the CAPTCHA selected in the security profile.
          * For a Smart Protection or WAF rule:
      
            * `Full protection`: To redirect suspicious requests to SmartCaptcha after verification.
            * `API protection`: To block suspicious requests after verification.
      
      1. Optionally, select or [create](template-create.md) a response template that will be returned to the client whenever a rule triggers. The standard Yandex Cloud template is used by default.
      1. Under **Conditions for traffic**, specify the traffic the rule will apply to:
         * `All traffic`: The rule will be used to analyze the whole traffic.
         * `On condition`: The rule will be used to analyze the traffic specified in the **Conditions** field:
             * `IP`: IP address, IP address range, IP address region, or [address list](../concepts/lists.md).
             * `HTTP header`: HTTP header string.
             * `Request URI`: Request path.
             * `Host`: Domain receiving the request.
             * `HTTP method`: Request method.
             * `Cookie`: Cookie header string.
             * `Bot name`: Names of legitimate bots owned by various companies and services.
             * `Bot category`: Verified bot categories based on their purpose or nature of action.
             * `Verified bot`: Filtering based on whether the bot is verified (`yes` or `no`).
             * `Bot score`: Filtering based on request bot score, from `0` (the lowest, represents a human) to `100` (the highest, represents a bot).
             * `FingerPrint`: SSL/TLS connection [fingerprint](../concepts/botes.md#fingerprint).
         
             You can set multiple conditions by selecting all the condition types you need in the **Conditions** field.
         
             You can also set multiple conditions of the same type by clicking ![plus-sign](../../_assets/console-icons/plus.svg) **and** or ![plus-sign](../../_assets/console-icons/plus.svg) **or** in the section with the condition you need.
         
             To delete a condition, click ![options](../../_assets/console-icons/trash-bin.svg).
      
      1. Click **Add**.

  1. If the `Deny` action is set for the default basic rule and the requests are sent to SmartCaptcha for verification, [add](captcha-rule.md) an allowing rule.
  1. Add all relevant rules to the profile one by one.

      The rules you created will appear in the table under **Security rules**.
  1. Optionally, enable or disable the use of HTTP request info to improve your machine learning models under **Fine-tuning ML models**.
  1. Click **Create**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the [CLI](../../cli/quickstart.md) command for creating a [security profile](../concepts/profiles.md):

     ```bash
     yc smartwebsecurity security-profile create --help
     ```

  1. To create a security profile, run this command:

     ```bash
     yc smartwebsecurity security-profile create \
        --name <security_profile_name> \
        --description "<profile_description>" \
        --labels <label_1_key>=<label_1_value>,<label_2_key>=<label_2_value>,...,<label_n_key>=<label_n_value> \
        --default-action <action> \
        --captcha-id <captcha_ID> \
        --security-rules-file <path_to_file_with_rules>
     ```

     Where:

     * `--name`: Security profile name. This is a required setting. If you specify only the profile name with no other properties, the security profile will include a single [basic rule](../concepts/rules.md#base-rules).
     * `--description`: Text description of the security profile. This is an optional setting.
     * `--labels`: List of [labels](../../resource-manager/concepts/labels.md) to add to the profile in `KEY=VALUE` format. This is an optional setting. For example, `--labels foo=baz,bar=baz'`.
     * `--default-action`: Action to apply to traffic that does not match any other rule. This is an optional setting. The default value is `allow`, which allows all requests to Yandex Smart Web Security. To block requests, set the parameter to `deny`.
     * `--captcha-id`: ID of the CAPTCHA in [Yandex SmartCaptcha](../../smartcaptcha/index.md) to verify suspicious requests. This is an optional setting.
      * `--security-rules-file`: Path to the [YAML](https://en.wikipedia.org/wiki/YAML) file with security rule description. This is an optional setting. Here is an example:

          {% cut "security-rules.yaml" %}
          
          ```yaml
          - name: rule-condition-deny
            description: My first security rule. This rule it's just example to show possibilities of configuration.
            priority: "11111"
            dry_run: true
            rule_condition:
              action: DENY
              condition:
                authority:
                  authorities:
                    - exact_match: example.com
                    - exact_match: example.net
                http_method:
                  http_methods:
                    - exact_match: GET
                    - exact_match: POST
                request_uri:
                  path:
                    prefix_match: /search
                  queries:
                    - key: firstname
                      value:
                        pire_regex_match: .ivan.
                    - key: lastname
                      value:
                        pire_regex_not_match: .petr.
                headers:
                  - name: User-Agent
                    value:
                      pire_regex_match: .curl.
                  - name: Referer
                    value:
                      pire_regex_not_match: .bot.
                source_ip:
                  ip_ranges_match:
                    ip_ranges:
                      - 1.2.33.44
                      - 2.3.4.56
                  ip_ranges_not_match:
                    ip_ranges:
                      - 8.8.0.0/16
                      - 10::1234:1abc:1/64
                  geo_ip_match:
                    locations:
                      - ru
                      - es
                  geo_ip_not_match:
                    locations:
                      - us
                      - fm
                      - gb
          - name: rule-condition-allow
            description: Let's show how to whitelist IP.
            priority: "2"
            rule_condition:
              action: ALLOW
              condition:
                source_ip:
                  ip_ranges_match:
                    ip_ranges:
                      - 44.44.44.44-44.44.44.45
                      - 44.44.44.77
          - name: smart-protection-full
            description: Enable smart protection. Allow to show captcha on /search prefix.
            priority: "11"
            smart_protection:
              mode: FULL
              condition:
                request_uri:
                  path:
                    prefix_match: /search
          - name: smart-protection-api
            description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
            priority: "10"
            smart_protection:
              mode: API
              condition:
                request_uri:
                  path:
                    prefix_match: /api
          ```
          
          Where `priority` is the rule [priority](../concepts/rules.md#rules-order).
          
          {% endcut %}

     Result:

     ```text
     id: fev6q4qqnn2q********
     folder_id: b1g07hj5r6i********
     cloud_id: b1gia87mbaom********
     name: my-sample-profile
     description: "my description"
     labels: label1=value1,label2=value2
     default_action: DENY
     created_at: "2024-07-25T19:21:05.039610Z"
     ```

  For more information about the `yc smartwebsecurity security-profile create` command, see the [CLI reference](../../cli/cli-ref/smartwebsecurity/cli-ref/security-profile/create.md).

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the guides on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

  1. In the Terraform configuration file, describe the resources you want to create:

      ```hcl
      resource "yandex_sws_security_profile" "demo-profile-simple" {
        name                             = "<security_profile_name>"
        default_action                   = "DENY"
        captcha_id                       = "<captcha_ID>"
        advanced_rate_limiter_profile_id = "<ARL_profile_ID>"

        # Smart Protection rule
        security_rule {
          name     = "smart-protection"
          priority = 99999

          smart_protection {
            mode = "API"
          }
        }

        # Basic rule
        security_rule {
          name = "base-rule-geo"
          priority = 100000
          rule_condition {
            action = "ALLOW"
            condition {
              source_ip {
                geo_ip_match {
                  locations = ["ru", "kz"]
                }
              }
            }
          }
        }

        # WAF profile rule
        security_rule {
          name     = "waf"
          priority = 88888

          waf {
            mode           = "API"
            waf_profile_id = "<WAF_profile_ID>"
          }
        }
      }
      ```

      Where:
      * `name`: Security profile name.
      * `default_action`: Action for the default basic rule. This action will apply to traffic that does not match any other rule. It can be either `ALLOW` to allow all requests to Yandex Smart Web Security or `DENY` to deny them.
      * `captcha_id`: ID of the CAPTCHA in [Yandex SmartCaptcha](../../smartcaptcha/index.md) to verify suspicious requests. This is an optional setting.
      * `advanced_rate_limiter_profile_id`: [ARL profile](../concepts/arl.md) ID. This is an optional setting.
      * `security_rule`: Security [rule](../concepts/rules.md) description:
         * `name`: Security rule name.
         * `priority`: Rule [priority](../concepts/rules.md#rules-order). The possible values range from 1 to 1,000,000.
         * `smart_protection`: Description of the [Smart Protection rule](../concepts/rules.md#smart-protection-rules) enabled for all traffic with the action type specified in the `mode` parameter.
            * `mode`: [Rule action](../concepts/rules.md#rule-action). It can be either `FULL` to enable full protection, where suspicious requests are challenged with CAPTCHA, or `API` to enable API protection, where suspicious requests are blocked.
         * `waf`: Web application firewall rule description. To add a WAF rule, you must first [create a WAF profile](waf-profile-create.md). The optional setting section contains:
            * `waf_profile_id`: [WAF profile](../concepts/waf.md) ID.

      If you do not specify the `smart_protection` or `waf` rule type, the system will create a basic rule with simple filtering based on conditions specified under `rule_condition`.

      For more information about `yandex_sws_security_profile` properties, see [this Terraform provider guide](../../terraform/resources/sws_security_profile.md).

  1. Create the resources:

       1. In the terminal, navigate to the configuration file directory.
       1. Make sure the configuration is correct using this command:
       
          ```bash
          terraform validate
          ```
       
          If the configuration is valid, you will get this message:
       
          ```bash
          Success! The configuration is valid.
          ```
       
       1. Run this command:
       
          ```bash
          terraform plan
          ```
       
          You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
       1. Apply the configuration changes:
       
          ```bash
          terraform apply
          ```
       
       1. Type `yes` and press **Enter** to confirm the changes.

  Terraform will create all the required resources. You can check the new resources using the [management console](https://console.yandex.cloud) or this [CLI](../../cli/index.md) command:

  ```bash
  yc smartwebsecurity security-profile get <security_profile_ID>
  ```

- API {#api}

  Use the [create](../api-ref/SecurityProfile/create.md) REST API method for the [SecurityProfile](../api-ref/SecurityProfile/index.md) resource or the [SecurityProfileService/Create](../api-ref/grpc/SecurityProfile/create.md) gRPC API call.

{% endlist %}

### Useful links {#see-also}

* [Connecting a security profile to a resource](host-connect.md)
* [Editing basic settings of a security profile](profile-update.md)
* [Deleting a security profile](profile-delete.md)