
How to Use Bastionhost to Securely Access Your Workload in the Cloud

In this blog post, we'll show you how you can use Alibaba Cloud Bastionhost to manage all of your resources in a secure and centralized manner.

By Victor Mak, Solutions Architect

Alibaba Cloud Bastionhost is a unified, efficient, and secure platform that provides cloud-based operations and management (O&M), access control, and operation audit. It lets you access server resources through a centralized portal and enables you to manage and monitor asset O&M permissions in real time.

In this article, we'll show how Bastionhost can help you safeguard your cloud-based resources and describe, step by step, how to use Alibaba Cloud Bastionhost to securely access your workload in the cloud.

Background Information

With the rapid development of the Internet industry, the number of personnel and devices in Internet enterprises is growing quickly, and all of them require a stable and efficient operation audit system. Alibaba Cloud Bastionhost can meet the O&M requirements of these enterprises. Bastionhost provides the following advantages in O&M:

  • Supports a large number of concurrent sessions, up to thousands of users.
  • Provides high service stability, as stipulated in the SLA.
  • Supports O&M failure review by auditing the misoperations of O&M personnel.


Before you begin, make sure of the following:



The overall procedure for setting up Bastionhost is as follows:

  1. Subscribe to and configure Bastionhost
  2. Create a Bastionhost user with two-factor authentication
  3. Configure a control policy
  4. Import assets and associate them with the Bastionhost user
  5. Log in to the asset through Bastionhost
  6. Audit the Bastionhost session

Subscribe to and Configure Bastionhost

1. Log in to the Bastionhost console.

2. On the Instances page, click Purchase Bastionhost.


3. Select the region in which you want to subscribe to Bastionhost and the number of assets that Bastionhost will manage.


4. Once subscribed, you should see an instance in the Bastionhost console. Click Authorize Bastionhost to grant Bastionhost permission to read information about your ECS instances. Then click Run to initialize the Bastionhost instance.


5. Select the VPC, vSwitch and Security Group to be associated with Bastionhost.


6. You should now see that Bastionhost is successfully initialized and running.


Create a Bastionhost User with Two-Factor Authentication

1. To manage Bastionhost users, select Users under the Bastionhost instance.

2. Bastionhost supports different user types, such as RAM users, AD users, LDAP users and local users. In this article, we'll use a local user as an example. Select Add Local User.


3. Fill in all the required information. Mobile number is a mandatory field if you want to enable two-factor authentication.


4. Go to Two-Factor Authentication under User > Authentication Settings. Select Enable SMS-based Authentication and click Save.


Configure a Control Policy

1. You can use control policies to configure command control and so reduce misoperations by O&M personnel. To do this, go to Control Policies under Policies and click Create Control Policy.


2. Fill in the required information and click Next.


3. Fill in the commands that are not allowed. In this article, we'll use the rm * command as an example. Click Create Control Policy.


4. Once the control policy is created, you need to associate it with a host or user.


5. In this example, we'll apply the control policy to all hosts and users. Any host under this Bastionhost instance is no longer allowed to use the rm command.
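To make the effect of a command control policy concrete, here is an added example (not Bastionhost's own matching engine, and not code from the article) that models a deny list as shell glob patterns and checks each command line against it. The deny list is constructed for this example; its first rule mirrors the rm * rule created above.

```shell
#!/bin/sh
# Added example: a minimal model of command control, illustrating how a deny
# rule rejects a command line. This is NOT Bastionhost's implementation.
# Assumption: deny rules are shell glob patterns matched against the whole line.

# Constructed deny list. "rm *" mirrors the rule from the article; the others
# are typical misoperation guards an O&M team might add.
DENY_PATTERNS='rm *
rm
mkfs*
dd if=*'

# check_command "<command line>": returns 0 if allowed, 1 if denied.
check_command() {
    # Collapse whitespace runs so "rm   -rf /tmp/x" is seen as "rm -rf /tmp/x".
    cmd=$(printf '%s' "$1" | tr -s '[:space:]' ' ')
    while IFS= read -r pattern; do
        if [ -z "$pattern" ]; then continue; fi
        # The pattern is left unquoted on purpose so that it is glob-matched.
        case "$cmd" in
            $pattern) return 1 ;;
        esac
    done <<EOF
$DENY_PATTERNS
EOF
    return 0
}

# verdict "<command line>": prints ALLOW or DENY followed by the command.
verdict() {
    if check_command "$1"; then
        printf 'ALLOW %s\n' "$1"
    else
        printf 'DENY  %s\n' "$1"
    fi
}

# Demonstration over constructed O&M commands.
for c in "ls -la /var/log" "rm -rf /tmp/build" "rmdir /tmp/empty" \
         "tail -n 50 /var/log/syslog" "mkfs.ext4 /dev/sdb1"; do
    verdict "$c"
done
```

Glob rules match the whole line from its first character, so rmdir is allowed while rm -rf is rejected, and a rule is only as complete as the spellings it lists. Treat command control as a guard against accidental misoperation, which is how the article uses it, and rely on the session audit described later for review of everything else.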


Import Assets and Associate Them with the Bastionhost User

1. Go to Hosts under Assets and select Import ECS Instances.


2. Select the region where the ECS instance is located. In this example, we'll use the Hong Kong region.


3. Select the ECS instance that you want to import and click Import.


4. Go to Host Account under the ECS instance. You can create a host account that will be used for Bastionhost single sign-on. In this article, we'll use the root account as an example. Fill in the required information and click Verify.


5. Go to Users > Authorize Hosts to associate assets with the Bastionhost user. Select the assets that you want to authorize.



6. Click Authorize Accounts if you want to perform single sign-on after logging in to the asset.


7. Select the accounts that you want to associate and click Update.


Log in to the Asset through Bastionhost

1. After completing all of the steps and settings above, you should now be able to log in to the assets through Bastionhost. Locate the Bastionhost internal endpoint under Overview.


2. Start the command-line tool. Type ssh <Username to access Bastionhost>@<Bastionhost O&M address> -p 60022 and press Enter. Note: replace the placeholders with your actual Bastionhost username and the O&M address found in the previous step.


3. Since you have enabled two-factor authentication, you need to enter the SMS code to complete authentication.


4. After logging in, select the asset on which you want to perform O&M operations by pressing the up or down arrow key, and press Enter.


5. Type in some commands to verify the results. Since you have configured a control policy, the rm command is rejected.


Bastionhost Session Audit

1. You can go to Session Audit in the Bastionhost console to play back the entire O&M session. Select the session you want to play back and click Play.


2. All the commands are recorded by Bastionhost.
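Beyond replaying a session, an auditor usually wants a quick summary of what was run and what the control policy stopped. The following added example (not the article's or Bastionhost's code) works over a constructed, space-separated command log; the log format is invented for this example and is not Bastionhost's export format, and the users, hosts and timestamps are made up.

```shell
#!/bin/sh
# Added example: summarising a session command log for audit review.
# Assumption: one command per line, fields separated by spaces:
#   timestamp user host account result command...
# This constructed format is NOT Bastionhost's export format.

# Constructed sample: two users, six commands, two rejected by the control policy.
SESSION_LOG='2023-05-01T10:02:13Z victor 10.0.1.5 root allowed cd /var/log
2023-05-01T10:02:20Z victor 10.0.1.5 root allowed ls -la
2023-05-01T10:02:41Z victor 10.0.1.5 root denied rm -rf /var/log/old
2023-05-01T10:03:05Z victor 10.0.1.5 root allowed tail -n 20 syslog
2023-05-01T10:03:30Z victor 10.0.1.5 root denied rm syslog.1
2023-05-01T10:05:02Z alice 10.0.1.6 root allowed uptime'

# count_result allowed|denied: prints how many commands had that result.
count_result() {
    want="$1"; n=0
    # read assigns the remaining words (the full command line) to cmd.
    while read -r ts user host account result cmd; do
        if [ "$result" = "$want" ]; then n=$((n + 1)); fi
    done <<EOF
$SESSION_LOG
EOF
    printf '%s\n' "$n"
}

# denied_commands: prints each rejected command with its timestamp and user@host,
# which is the list an auditor reviews first after a session.
denied_commands() {
    while read -r ts user host account result cmd; do
        if [ "$result" = denied ]; then
            printf '%s %s@%s %s\n' "$ts" "$user" "$host" "$cmd"
        fi
    done <<EOF
$SESSION_LOG
EOF
}

# user_summary: one line per user with total and denied command counts.
user_summary() {
    printf '%s\n' "$SESSION_LOG" | awk '
        { total[$2]++; if ($5 == "denied") denied[$2]++ }
        END { for (u in total) printf "%s total=%d denied=%d\n", u, total[u], denied[u] + 0 }'
}

# Demonstration.
printf 'allowed: %s\n' "$(count_result allowed)"
printf 'denied:  %s\n' "$(count_result denied)"
denied_commands
user_summary
```

A user whose denied count climbs across sessions is a useful signal for follow-up, since the control policy only blocks the command; it does not explain why it was attempted.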


And that's it! You have successfully configured Alibaba Cloud Bastionhost for your workload!

The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.
