The 30 OVH Cloud security checks Black Cat runs
Black Cat SSPM evaluates 30 security policies against your OVH Cloud configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Enable multi-factor authentication on the OVHcloud account
Add a TOTP or U2F second factor in addition to SMS-based MFA
Configure IP access restrictions to limit Control Panel access to trusted networks
Set an expiration date for OVHcloud API credentials to limit long-lived access
Revoke API credentials that have never been used to reduce unused access surface
Replace wildcard API credential rules with specific path and method restrictions
Delete disabled identity sub-users to eliminate latent access risk
Assign identity sub-users to appropriate groups to enforce group-based access policies
Enable multi-factor authentication for OVHcloud identity sub-users
Replace wildcard actions in IAM policies with explicit least-privilege action lists
Scope IAM policies to specific resource URNs instead of wildcard resource targets
Review and remove unused OAuth2 service accounts to maintain credential hygiene
Replace RSA or DSA SSH keys with Ed25519 or ECDSA keys for stronger cryptographic security
Replace undersized RSA SSH keys with keys of at least 2048 bits or switch to Ed25519
Review and revoke API credentials that grant OVH support access to your account
Use identity groups instead of assigning many individual identities to a single IAM policy
Require the identity user to change their password from the initial credential
configuration
Disable developer mode on the OVHcloud account when not actively needed
Assign identities to unused IAM policies or delete them to reduce configuration clutter
Add a meaningful description to OAuth2 service accounts to aid security reviews
Investigate and resolve the suspended Public Cloud project to restore normal operations
Replace stock OS images with hardened or custom images for new instances
Unshelve active instances or delete shelved instances that are no longer needed
Reboot the instance out of rescue mode to restore normal boot security controls
data protection
Set the Object Storage container to private to prevent unauthenticated public access
Configure lifecycle rules on Object Storage containers to expire or transition objects automatically
Enable object versioning on Object Storage containers to protect against accidental deletion
Restrict CORS origins on Object Storage containers to specific trusted domains
network
Add IP restrictions to API credentials to limit access to known source addresses
network security
Remove public IP from the instance and route access through a private network or bastion host