Skip to content

The 30 OVH Cloud security checks Black Cat runs

Black Cat SSPM evaluates 30 security policies against your OVH Cloud configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

criticalMFA Not Enabled

Enable multi-factor authentication on the OVHcloud account

mediumOnly SMS MFA Enabled

Add a TOTP or U2F second factor in addition to SMS-based MFA

highNo IP Restrictions

Configure IP access restrictions to limit Control Panel access to trusted networks

highAPI Credential No Expiry

Set an expiration date for OVHcloud API credentials to limit long-lived access

mediumAPI Credential Never Used

Revoke API credentials that have never been used to reduce unused access surface

highAPI Credential Overly Permissive

Replace wildcard API credential rules with specific path and method restrictions

lowIdentity User Disabled Not Removed

Delete disabled identity sub-users to eliminate latent access risk

mediumIdentity User No Group

Assign identity sub-users to appropriate groups to enforce group-based access policies

infoIdentity User MFA Not Enabled

Enable multi-factor authentication for OVHcloud identity sub-users

criticalIAM Policy Wildcard Actions

Replace wildcard actions in IAM policies with explicit least-privilege action lists

highIAM Policy Wildcard Resources

Scope IAM policies to specific resource URNs instead of wildcard resource targets

mediumExcessive OAuth2 Clients

Review and remove unused OAuth2 service accounts to maintain credential hygiene

highWeak SSH Key Algorithm

Replace RSA or DSA SSH keys with Ed25519 or ECDSA keys for stronger cryptographic security

highSSH Key Size Too Small

Replace undersized RSA SSH keys with keys of at least 2048 bits or switch to Ed25519

mediumAPI Credential OVH Support Access

Review and revoke API credentials that grant OVH support access to your account

mediumIAM Policy Excessive Identities

Use identity groups instead of assigning many individual identities to a single IAM policy

highIdentity User Password Never Changed

Require the identity user to change their password from the initial credential

configuration

mediumDeveloper Mode Enabled

Disable developer mode on the OVHcloud account when not actively needed

lowIAM Policy No Identities

Assign identities to unused IAM policies or delete them to reduce configuration clutter

lowOAuth2 Client No Description

Add a meaningful description to OAuth2 service accounts to aid security reviews

criticalCloud Project Suspended

Investigate and resolve the suspended Public Cloud project to restore normal operations

lowInstance Using Default Image

Replace stock OS images with hardened or custom images for new instances

lowInstance In Shelved State

Unshelve active instances or delete shelved instances that are no longer needed

mediumInstance Rescue Mode

Reboot the instance out of rescue mode to restore normal boot security controls

data protection

criticalStorage Container Public

Set the Object Storage container to private to prevent unauthenticated public access

mediumStorage Container No Lifecycle

Configure lifecycle rules on Object Storage containers to expire or transition objects automatically

mediumStorage Container Versioning Disabled

Enable object versioning on Object Storage containers to protect against accidental deletion

highStorage Container Permissive CORS

Restrict CORS origins on Object Storage containers to specific trusted domains

network

highAPI Credential No IP Restriction

Add IP restrictions to API credentials to limit access to known source addresses

network security

mediumInstance Has Public IP

Remove public IP from the instance and route access through a private network or bastion host

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial