By Victor Mak, Solutions Architect
Alibaba Cloud Bastionhost is a unified, efficient, and secure platform that provides cloud-based operations and management (O&M), access control, and operation audit. It lets you access server resources through a centralized portal and enables you to manage and monitor asset O&M permissions in real time.
In this article, we'll be showing you how Bastionhost can help you safeguard your cloud-based resources and we'll be describing step-by-step how to use Alibaba Cloud Bastionhost to secure access your workload in Cloud.
With the rapid development of the Internet industry, there is a rapid growth in the numbers of personnel and devices in Internet enterprises, all of which require stable and efficient operation audit systems. Alibaba Cloud Bastionhost can meet the O&M requirements of these enterprises. Bastionhost provides the following advantages in O&M:
Before you begin, make sure of the following:
10.0.2.107
as an example.The overall procedure for setting up Bastionhost is as follows:
1. Log in to the Bastionhost console
2. On the Instances page, click Purchase Bastionhost
3. Select the region that you want to subscribe Bastionhost and number of assets will be managed by Bastionhost.
4. Once subscribed, you should see an instance under bastion console, click Authorize Bastionhost to grant Bastionhost to read information of ECS instances. Then, click Run to initialize Bastionhost instance
5. Select the VPC, vSwitch and Security Group to be associated with Bastionhost.
6. You should see that Bastionhost is successfully initialized and running now.
1. To manage Bastionhost users, select Users under Bastionhost instance
2. Bastionhost supports different users such as RAM users, AD users, LDAP users and local users. In this article, you will use local user as an example. Select Add Local User.
3. Fill in all the required information. Mobile number is a mandatory field if you want to enable two-factor authentication.
4. Go to Two-Factor Authentication under User > Authentication Settings. Select Enable SMS-based Authentication and click Save.
1. You can use control policies to configure command control to reduce misoperations of O&M personnel. To do this, go to Control Policies under Policies and click Create Control Policy.
2. Fill in the required information and click Next.
3. Fill in the commands that are not allowed. In this article, we'll use rm *
command as an example. Click Create Control Policy.
4. Once the control policy is created, you need to associate the control policy to a host/user.
5. In this example, we'll apply the control policy to all hosts and users. Any host under this Bastionhost is no longer allowed to use the rm
command.
1. Go to Hosts under Assets, select Import ECS Instances
2. Select the region that ECS located. In this example, we'll use Hong Kong region.
3. Select the ECS instance that you want to import and click Import.
4. Go to Host Account under ECS instances. You can create a host account that will be used for Bastionhost single sign on. In this article, we'll use root account as an example. Fill in the required information and click verify.
5. Go to Users > Authorize Hosts to associate assets with Bastionhost user. Select the assets that you want to authorize.
6. Click Authorize accounts if you want to perform single sign on after logging in to the asset.
7. Select the accounts that you want to associate and click update.
1. After completing all of the steps and settings above, you should now be able to log in to the assets through Bastionhost. Locate Bastionhost internal endpoint under Overview.
2. Start the command-line tool. Type ssh <Username to access Bastionhost>@<Bastionhost O&M address> -p60022
and press Enter. Note: Replace username with your actual username.
3. Since you have enabled two-factor authentication, you need to input the SMS code for authentication.
4. After logging in, select the assets you want to perform O&M operations by pressing the up or down arrow key, and press Enter.
5. Type in some commands to verify the results. Since you have configured control policies, the rm
command is not allowed.
1. You can go to Session Audit under Bastionhost console to playback the entire O&M session. Select which session you want to playback and click Play.
2. All the commands are recorded by Bastionhost.
And that's it! You have successfully configured Alibaba Cloud Bastionhost for your workload!
The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.
Definition and Benefits of Message Queuing Notification Service
2,599 posts | 763 followers
FollowPM - C2C_Yuan - June 3, 2024
Alibaba Clouder - January 27, 2021
Alibaba Clouder - January 27, 2021
Alibaba Clouder - January 27, 2021
JDP - March 31, 2022
Alibaba Cloud Community - August 12, 2024
2,599 posts | 763 followers
FollowA cloud firewall service utilizing big data capabilities to protect against web-based attacks
Learn MoreExplore Web Hosting solutions that can power your personal website or empower your online business.
Learn MoreWeb App Service allows you to deploy, scale, adjust, and monitor applications in an easy, efficient, secure, and flexible manner.
Learn MoreAlibaba Cloud is committed to safeguarding the cloud security for every business.
Learn MoreMore Posts by Alibaba Clouder