Skip to main content

Identity & Access Management

Control panel

In Servercore, you can manage user access to the infrastructure. This is accomplished by using Identity and Access Management (IAM), which checks every request and ensures that only users with the appropriate permissions can perform operations on resources.

Access rights to resources are set at the level of user types and roles. Only the Account Owner or users with the iam_admin role can add users and edit their data and roles. To simplify user management, you can organize them into groups.

By default, two-factor authentication is enabled for all users after registration and profile completion two-factor authentication. With two-factor authentication, you need to enter your password and a one-time confirmation code to log in to your account. The confirmation code can be received via an authenticator app or the email address you specified in your profile. Two-factor authentication can only be disabled by the Account Owner. We do not recommend disabling two-factor authentication to avoid risks associated with account compromise.

You can also set up authentication in the control panel using Single Sign-On (SSO) technology. To do this, use identity federations — a centralized service for managing organizational structure, setting up integration with employee directories, and controlling user access to company resources. When using a federation, user data is stored with your Identity Provider (for example, Keycloak, ADFS, and other SAML-compliant providers).

By default, access to the control panel is allowed from any IP address. However, the Account Owner and users with the iam.admin role can set restrictions — users will only be able to log in to the account from IP addresses and subnets that have been added to the allowlist.

If you need to share access to the control panel or resources with someone, do not disclose your credentials. The Account Owner and users with the iam.admin role can create an additional user for control panel access or a service user for programmatic access; see the instruction Access Management in Servercore Products.

Cloud and dedicated servers

You can connect to cloud servers via the console in the control panel, and to dedicated servers — via the KVM console. If you connect to a server via other CLIs, use the following methods to ensure secure remote access to the infrastructure:

Configure SSH connection

For secure connection to a cloud or dedicated Linux server, use SSH keys instead of a login and password. This is a key pair: a private key and a public key. The private key is stored on your local computer, and the public key is placed on the server. After configuring the SSH connection and disabling password access, only devices storing the private key will be able to connect to the server, and the server will be protected against brute-force attacks (bruteforce).

For each administrator, you must create an SSH key pair and place the public key on the cloud or dedicated server. When creating a key, specify a passphrase (passphrase) for additional protection.

After creating SSH keys, create a user and configure the SSH connection — either when creating a server using user data or for an already created server via CLI. If you are using servers with a public IP address, the safest strategy is to configure security settings at the server creation stage using user data.

You can specify user data for a cloud and dedicated server.

Example of creating a user and configuring an SSH connection using user data for Ubuntu 24.04 LTS 64-bit.

#cloud-config
users:
- name: admin
sudo: ['ALL=(ALL) NOPASSWD:ALL']
groups: sudo
shell: /bin/bash
lock_passwd: true
ssh_authorized_keys:
- <<public_ssh_key> admin@test
ssh_pwauth: false

package_update: true

packages:
- ufw

runcmd:
- sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config
- sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
- sed -i 's/^PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
- sed -i 's/^#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
- systemctl restart ssh
- ufw allow 2222/tcp
- ufw --force enable
- reboot

Where:

  • name: admin — creates a user called admin;
  • sudo: ['ALL=(ALL) NOPASSWD:ALL'] — allows the user to run commands via sudo without a password prompt;
  • groups: sudo — adds the user to the sudo`` group;
  • lock_passwd: true — locks password login for the admin`` user;
  • <public_ssh_key> admin@test in the ssh_authorized_keys section — adds the public SSH key you created earlier. It starts with ssh-rsa.
  • ssh_pwauth: false — disables password login for all users. Access to the server will be possible only via SSH key, and password login will be completely disabled;
  • package_update: true — updates the apt library;
  • packages: ufw — installs the UFW (Uncomplicated Firewall), which is required to restrict access to the SSH port;
  • commands with sed -i in the runcmd section — change the default port 22 to 2222, disable password login and root user connection, and enable key-based authentication.

Recommendations for using RDP connections

To securely connect via RDP to a cloud or dedicated Windows server, do not use a public IP address. We recommend using a VPN for access to such servers, for example, OpenVPN, WireGuard, or IKEv2/IPsec. To do this, place cloud and dedicated servers in private subnets, which are accessible via a separate VPN gateway, or deploy a VPN gateway on the same server.

Use a separate account for each server administrator.

Additional security tools

To protect servers from unauthorized access, we recommend using additional security tools. Examples of free tools:

Two-factor authentication

To protect your services from unauthorized access, we recommend using two-factor authentication for additional user identity verification. The service is provided as licenses for using the Multifactor solution.

The Multifactor solution complies with regulatory requirements:

  • is included in the Unified Register of Russian Software (No. 7046);
  • complies with the international PCI DSS standard;
  • has an FSTEC certificate (No. 5039).

Managed Kubernetes

In a Managed Kubernetes cluster, you can manage access to virtual resources using RBAC Authorization (RBAC). RBAC allows you to assign user roles — create different namespaces for different applications and configure user access to pods within the corresponding namespace.

Managed databases

In all DBMSs except Redis, you can manage database users and their privileges. Read more about user management in the instructions for PostgreSQL, PostgreSQL for 1C, PostgreSQL TimescaleDB, MySQL semi-sync, MySQL sync, and Kafka.

One user is automatically created for the Redis DBMS. The password for this user is set when creating the cluster, and it can be changed after the cluster is created.

S3

Access to S3 resources is regulated by:

When an action request is received in S3, access is first checked based on the role model. If the role model allows access, the access policy is checked; if not, access is denied. With an access policy, everything not explicitly allowed by the policy rules is forbidden.

To grant access via API or FTP, issue keys.

To access objects in a bucket via a custom domain over HTTPS, you need to add a TLS (SSL) certificate. You can issue a certificate from any provider. You can manage certificates via the control panel.