Commit 8f03a9e

feat(use-case): security baseline
1 parent b3257cc commit 8f03a9e

1 file changed

+95
-22
lines changed

Lines changed: 95 additions & 22 deletions
@@ -1,16 +1,20 @@
11
---
22
title: Security baseline for Scaleway infrastructure
3-
description: TODO.
4-
tags: TODO
3+
description: Establish a strong security foundation with Scaleway. Learn how to secure your infrastructure using VPC, Load Balancer, Edge Services, IAM, Cockpit, Audit Trail, and more. Enforce MFA, identity federation, and least-privilege access for robust cloud protection.
4+
tags: load-balancer security waf edge-services least-privilege iam cockpit security-groups flexible-ip audit-trail
55
dates:
6-
validation: 2025-10-31
7-
posted: 2025-10-31
6+
validation: 2025-11-03
7+
posted: 2025-11-03
88
---
99

10-
Scaleway offers a number of security features for your cloud infrastructure. This document sets out general best practices and advice, and highlights the security features available for different resource types.
10+
import image from './assets/scaleway-vpc-infra-1.webp'
11+
12+
Scaleway offers a number of security features for your cloud infrastructure. This document sets out general best practices and advice, and highlights the security features available.
1113

1214
## Network security
1315

16+
A robust network architecture is the foundation of cloud security. This section outlines best practices for securing your Scaleway infrastructure through network segmentation, private connectivity, and traffic control. By leveraging VPCs, Private Networks, security groups, and edge protection like WAFs, you can minimize exposure to threats, enforce least-privilege communication, and protect critical workloads from unauthorized access and distributed attacks.
17+
1418
### Isolate and protect: strengthen security with VPC and Private Networks
1519

1620
We recommend that you **disable public connectivity** on all of your Scaleway resources, unless it is absolutely required. **Attaching resources to Private Networks**, and limiting their communication to these networks means that attack surface is minimized. The resource is no longer directly exposed to the internet, decreasing the risk of DDoS attacks, or unauthorized access.
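Review bot: the `import image from './assets/scaleway-vpc-infra-1.webp'` added at the top of the body is never used: the `<Lightbox>` further down in the file still references the asset by name, `src="scaleway-vpc-infra-1.webp"`, so either switch that to `src={image}` or drop the import rather than leave it dead. The new frontmatter description and tags read well, and trimming "for different resource types" from the intro matches the restructured sections; the date bump to 2025-11-03 is consistent across `validation` and `posted`.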
@@ -25,44 +29,113 @@ You can use resources such as Public Gateways and Load Balancers to **provide ac
2529

2630
You can set up a Network Access Control List (NACL) for each VPC. This allows you to define rules to limit the flow of traffic between the Private Networks of the VPC according to your needs.
2731

28-
See our use case on [basic infrastructure to leverage VPC isolation](/vpc/reference-content/use-case-basic/) for specific guidance, network diagrams and Terraform templates.
29-
3032
<Lightbox src="scaleway-vpc-infra-1.webp" alt="An architecture diagram shows how a Load Balancer inside a Scaleway VPC is attached to a Private Network. Also attached to the Private Network are three Instances (connected to Block Storage), a Managed Database, and a Public Gateway." />
3133

34+
Find out more:
35+
36+
- [VPC and Private Networks Quickstart](/vpc/quickstart/)
37+
- [VPC use case: basic infrastructure to leverage VPC isolation](/vpc/reference-content/use-case-basic/)
38+
- [How to detach a flexible IP from an Instance](/instances/how-to/use-flexips/#how-to-detach-a-flexible-ip-address-from-an-instance)
39+
3240
### Precision traffic control: secure public interfaces with security groups
3341

34-
Security groups act as virtual firewalls for your Instances, controlling traffic over the public interface. You can define your own custom rules in each security group, to accept or drop inbound / outbound traffic based on protocol, port, and IP range. When you add an Instance to the security group, the rules you define are enforced on all traffic over its flexible (public) IP address.
42+
Security groups act as **virtual firewalls for your Instances**, controlling traffic over the public interface. You can define your own custom rules in each security group, to accept or drop inbound / outbound traffic based on protocol, port, and IP range. When you add an Instance to the security group, the rules you define are enforced on all traffic over its flexible (public) IP address.
43+
44+
This feature ensures that **only authorized public traffic reaches your servers**, significantly reducing the attack surface. Their flexibility and reusability across multiple Instances make security groups an efficient and scalable way to enforce consistent security policies in your Scaleway infrastructure.
45+
46+
A default security group is auto-generated for each Availability Zone you create an Instances in. All your Instances within that Availability Zone are automatically added to that default security group. The default security group rules allow all inbound traffic, and drop outbound SMTP traffic. We encourage you to customize your security groups in order to maximize control over your Instances' public interfaces.
47+
48+
Find out more:
3549

36-
This feature ensure that only authorized public traffic reaches your servers, significantly reducing the attack surface. Their flexibility and reusability across multiple Instances make security groups an efficient and scalable way to enforce consistent security policies in your Scaleway infrastructure.
50+
- [How to use Instance security groups](/instances/how-to/use-security-groups/)
3751

38-
A default security group is auto-generated for each Availability Zone you create an Instances in. All your Instances within that Availability Zone are automatically added to that default security group. The default security group rules allow all inbound traffic, and drop outbound SMTP traffic. We encourage you to customize your security groups in order to maximise control over your Instances' public interfaces.
52+
### Protection at the edge: secure applications with Edge Services WAF
3953

40-
## Protection at the edge: secure applications with Edge Services WAF
54+
Put a Load Balancer in front of your Instances, and benefit also from an Edge Services pipeline that provides additional services for your Load Balanced appliction. Edge Services offers an **inbuilt Web Application Firewall (WAF)**, to provide robust protection against common web-based threats such as SQL injection, cross-site scripting (XSS), and DDoS attacks.
4155

42-
If you put a Load Balancer in front of your Instances and other resources, you can add an Edge Services pipeline to benefit from an inbuilt Web Application Firewall (WAF). This provides robust protection against common web-based threats such as SQL injection, cross-site scripting (XSS), and DDoS attacks.
56+
By filtering malicious traffic at the edge, before it reaches your infrastructure, the WAF helps protect your backend resources by **blocking threats early and minimizing exposure to potential attacks**. Integrated directly with the Load Balancer, the WAF ensures high availability and low-latency inspection of HTTP/HTTPS traffic, enabling real-time threat mitigation without impacting performance. Scaleway Edge Services WAF uses the [OWASP Core Rule Set (CRS)](https://coreruleset.org/). This is an industry standard, open source ruleset for WAF, which protects against multiple categories of attack.
4357

44-
By filtering malicious traffic at the edge, before it reaches your infrastructure, the WAF significantly reduces the attack surface and safeguards your backend resources. Integrated directly with the Load Balancer, the WAF ensures high availability and low-latency inspection of HTTP/HTTPS traffic, enabling real-time threat mitigation without impacting performance. With customizable security rules and managed rule sets, you can tailor protection to your application’s needs while maintaining full control. This setup not only enhances security but also simplifies compliance and improves resilience—keeping your applications secure, stable, and always online.
58+
You can choose the paranoia level to be used when evaluating requests, and set exclusions to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose.
4559

46-
### DDoS protection
60+
Find out more:
61+
62+
- [Load Balancer Quickstart](/load-balancer/quickstart/)
63+
- [Edge Services Quickstart](/edge-services/quickstart/)
64+
- [Understanding Edge Services WAF](/edge-services/reference-content/understanding-waf/)
65+
66+
### Defend at scale: mitigate DDoS attacks
67+
68+
A Denial of Service (DoS) attack is an attack through which someone intentionally overloads a system's resources in order to render it unusable. The goal of such an attack is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.
69+
70+
**Scaleway will lock any resources (e.g. Instances, Kubernetes clusters, Elastic Metal servers) that are identified as a contributor to a DDoS**. Read our [dedicated advice page](/instances/reference-content/preventing-outgoing-ddos/) on how to protect your resources from being used in an outgoing DDoS attack.
71+
72+
In terms of protecting your Instances from being the **target** of a DDoS attack, consdier:
73+
74+
- Using Scaleway Load Balancers in front of your Instances, with an Edge Services pipeline providing a WAF. This protects your Instances from DDoS attacks as well as other categories of attack.
75+
- Using Scaleway Security Groups to restrict inbound traffic only to necessary ports, and avoid exposing services like SSH to the public internet.
76+
- Regularly monitoring your traffic using Scaleway Cockpit, and set up alerts for unusual traffic spikes.
77+
- Remove public IPs from your Instances wherever possible, and enable communication over Pivate Networks and VPCs.
4778

4879
## Identity and Access Management
4980

50-
### Permissions and API keys
81+
Effective access control ensures that only authorized users and systems can interact with your Scaleway infrastructure. This section covers the core principles of Scaleway IAM. By properly configuring users, applications, API keys and permissions, you can prevent unauthorized actions, reduce the risk of credential misuse, and maintain clear accountability across your environment.
82+
83+
### Least privilege by design: secure access with granular permissions
84+
85+
If you want to share access to your Scaleway Organization, then invite other users as Members. You can then **accord fine-grained permissions to each Member**, via IAM policies. Policies determine which permissions and access rights the Member has, e.g. to manage billing, create different types of resources, read-only certain types of resources, and more.
5186

52-
### Two-factor authentication
87+
You may also want to give access to your Organization and resources not to a specific human user, but to an application or service, e.g. when setting up a production environment. Do this by creating IAM applications. This feature lets you **give programmatic access to resources** by creating API keys that are not linked to a specific human, making your production code more robust.
5388

54-
### Disabling password login; using SSH keys only
89+
We always recommend that you **give least-privilege permissions** via IAM, as best practice. This means giving users and applications to permissions they need to perform a task, and no extra permissions beyond that. The Organization Owner has powerful permissions over the whole Organization that go far beyond the permission scope required for most task. Even if you do not need to invite additional Members to your Organization, consider create additional applications whose API keys have least-privilege-only permissions. You can then use these API keys in your applications without exposing the Organization Owner's API key with its full permissions.
90+
91+
Find out more:
92+
93+
- [IAM Quickstart](/iam/quickstart/)
94+
- [Understanding IAM](/iam/reference-content/overview/)
95+
96+
### Verify identity: require MFA for secure account access
97+
98+
We recommend setting up **M**ulti**f**actor **A**uthentication (MFA) to add an extra layer of security to your Scaleway account. When MFA is enabled, you are prompted to provide a second security measure, in addition to your password, when logging in. This could be via a one-time password accessed via an app, or a secure passkey on your device.
99+
100+
MFA means that even in the the event of a leaked password, your Scaleway account is protected against unauthorized access.
101+
102+
You can require that all Members of your Scaleway Organization have MFA enabled on their accounts, by enforcing MFA for Members. This allows you to increase the security of your entire Organization, as even compromised passwords are insufficient for access. The risk of account takeover or unauthorized access to your Organization's resources is significantly reduced.
103+
104+
Find out more:
105+
106+
- [How to use MFA](/account/how-to/use-2fa/)
107+
- [How to enforce security for IAM Members in an Organization](/iam/how-to/enforce-security-requirements-members/)
108+
109+
### Centralize control: set up identity federation
110+
111+
Scaleway supports Identity Federation to provide your teams with secure access to their accounts via Single Sign-On (SSO). Depending on your requirements, you can use either built-in OAuth2 providers or configure SAML for centralized identity management.
112+
113+
This gives you **centralized control over user authentication and access management**, eliminating the need to manage individual credentials within Scaleway. The risk of weak passwords, leaked passwords and shadow accounts is signficantly reduced. Session lifetimes and authentication strength are controlled by your Identity Provider, enabling consistent security policies for not only Scaleway, but across all integrated platforms. This strengthens the overall security of your Scaleway Organization and its resources.
114+
115+
Find out more:
116+
117+
- [How to set up identity federation](/iam/how-to/set-up-identity-federation/)
55118

56119
## Monitoring and logging
57120

58-
### Cockpit
121+
Scaleway offers a number of products and features to help you monitor your resources and gain insight into your infrastructure's health and performance. These products enhance security by enabling rapid detection of anomalous activity, unauthorized access attempts and other potential issues. This section covers the main resources Scaleway provides to its users for this purpose.
122+
123+
### Gain full visibility: monitor resources with Scaleway Cockpit
124+
125+
Scaleway Cockpit allows you to monitor your Scaleway infrastructure by giving you insights and contexts into its behavior. It stores metrics, logs, and traces for your Scaleway resources and provides a dedicated dashboarding system on Grafana to visualize this. In addition, Cockpit's alert manager lets you set up alerts which are sent to you when particular events or patterns materialize from your resources. This means you can **get on top of anomalies and potential security issues quickly** and efficiently, in real-time.
126+
127+
Find out more:
59128

60-
### Secret Manager
129+
- [Cockpit Quickstart](/cockpit/quickstart/)
130+
- [How to configure alerts for Scaleway resources](/cockpit/how-to/configure-alerts-for-scw-resources/)
61131

62-
### Audit trail
132+
### Ensure accountability: track changes with Scaleway Audit Trail
63133

134+
Audit Trail is a tool that holds records of events and changes performed within a Scaleway Organization. These events include creation, modification or deletion of users, permissions and API keys, as well as actions taken by users on any of your Scaleway resources. All actions, whether successful, attempted, or failed, are logged by Audit Trail.
64135

136+
Audit Trail helps you **ensure accountability and security** by recording who did what and when within your Scaleway Organization. For each action, the dentity of the user who carried it out, the date of activity, the source IP address, the API method used, and the status of the request are logged. This helps you go deeper into troubleshooting, compliance verification and analysis in the event of a breach.
65137

66-
Enabling firewalls by default (allow only required ports)
138+
Find out more:
67139

68-
Enabling automatic security updates
140+
- [Audit Trail Quickstart](/audit-trail/quickstart/)
141+
- [Audit Trail product integration](/audit-trail/reference-content/resource-integration-with-adt/)
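Review bot: the added prose carries several typos that should be fixed before merge: "appliction" in the Edge Services WAF section, "consdier" and "Pivate Networks" in the DDoS section, "in the the event" and "signficantly" in the MFA and identity federation sections, and "dentity" in the Audit Trail section. The least-privilege paragraph also reads "giving users and applications to permissions they need" (drop "to"), "required for most task" (should be "tasks") and "consider create additional applications" (should be "creating"), and the pre-existing "create an Instances in" in the security groups paragraph could be fixed while it is being moved. The bold-letter form "**M**ulti**f**actor **A**uthentication" will render as separately bolded letters rather than as an acronym expansion; plain "Multifactor Authentication (MFA)" is clearer. In "Defend at scale: mitigate DDoS attacks" the definition given is of a DoS attack while the heading and bullets discuss DDoS; one sentence saying the distributed form floods the target from many sources would tie the two together. Finally, this hunk removes the "Secret Manager", "Disabling password login; using SSH keys only", "Enabling firewalls by default (allow only required ports)" and "Enabling automatic security updates" headings without replacement; if those topics are planned for a follow-up, say so in the commit message, otherwise the page now has no host-hardening guidance at all.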
