By Victor Mak, Solutions Architect
Alibaba Cloud Bastionhost is a unified, efficient, and secure platform that provides cloud-based operations and management (O&M), access control, and operation audit. It lets you access server resources through a centralized portal and enables you to manage and monitor asset O&M permissions in real time.
In this article, we'll show how Bastionhost can help you safeguard your cloud-based resources and describe, step by step, how to use Alibaba Cloud Bastionhost to secure access to your workloads in the cloud.
With the rapid development of the Internet industry, the number of personnel and devices in Internet enterprises is growing rapidly, and all of them require stable and efficient operation audit systems. Alibaba Cloud Bastionhost can meet the O&M requirements of these enterprises. Bastionhost provides the following advantages in O&M:
Before you begin, make sure of the following:
10.0.2.107 as an example.
The overall procedure for setting up Bastionhost is as follows:
1. Log in to the Bastionhost console.
2. On the Instances page, click Purchase Bastionhost.
3. Select the region in which you want to subscribe to Bastionhost and the number of assets that Bastionhost will manage.
4. Once subscribed, you should see an instance in the Bastionhost console. Click Authorize Bastionhost to grant Bastionhost permission to read information about your ECS instances. Then click Run to initialize the Bastionhost instance.
5. Select the VPC, vSwitch and security group to be associated with Bastionhost.
6. You should see that Bastionhost is now successfully initialized and running.
1. To manage Bastionhost users, select Users under the Bastionhost instance.
2. Bastionhost supports different user types, such as RAM users, AD users, LDAP users and local users. In this article, we'll use a local user as an example. Select Add Local User.
3. Fill in all the required information. Mobile number is a mandatory field if you want to enable two-factor authentication.
4. Go to Two-Factor Authentication under User > Authentication Settings. Select Enable SMS-based Authentication and click Save.
1. You can use control policies to configure command control and reduce misoperations by O&M personnel. To do this, go to Control Policies under Policies and click Create Control Policy.
2. Fill in the required information and click Next.
3. Fill in the commands that are not allowed. In this article, we'll use the rm * command as an example. Click Create Control Policy.
4. Once the control policy is created, you need to associate it with a host or user.
5. In this example, we'll apply the control policy to all hosts and users. Any host under this Bastionhost is no longer allowed to use the
1. Go to Hosts under Assets and select Import ECS Instances.
2. Select the region where the ECS instances are located. In this example, we'll use the Hong Kong region.
3. Select the ECS instance that you want to import and click Import.
4. Go to Host Account under the ECS instance. You can create a host account that Bastionhost will use for single sign-on. In this article, we'll use the root account as an example. Fill in the required information and click Verify.
5. Go to Users > Authorize Hosts to associate assets with the Bastionhost user. Select the assets that you want to authorize.
6. Click Authorize Accounts if you want to perform single sign-on after logging in to the asset.
7. Select the accounts that you want to associate and click Update.
1. After completing all of the steps and settings above, you should now be able to log in to the assets through Bastionhost. Locate the Bastionhost internal endpoint under Overview.
2. Start the command-line tool. Type ssh <Username to access Bastionhost>@<Bastionhost O&M address> -p60022 and press Enter. Note: replace the username with your actual username.
3. Since you have enabled two-factor authentication, you need to enter the SMS code for authentication.
4. After logging in, select the asset on which you want to perform O&M operations by pressing the up or down arrow key, then press Enter.
5. Type in some commands to verify the results. Since you have configured control policies, the rm command is not allowed.
1. You can go to Session Audit in the Bastionhost console to play back the entire O&M session. Select the session you want to play back and click Play.
2. All the commands are recorded by Bastionhost.
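The control policy steps above deny the rm * command, and the session audit steps record every command typed through Bastionhost. The following Python script is an added illustration of those two mechanisms and is not Alibaba Cloud Bastionhost's own code: it models a deny-list control policy with shell-style patterns, evaluates a constructed O&M session against it, and produces an audit trail in which blocked attempts are recorded alongside allowed commands. The matching rules (whitespace normalisation, reducing the program name to its basename, refusing unparsable input) are assumptions made for this model, as are the user name and the command lines in the sample session; the host address 10.0.2.107 is the one used in this article.

```python
"""Model of a Bastionhost-style command control policy and session audit.

Added illustration, not Alibaba Cloud Bastionhost's code. The matching
semantics are an assumption: a rule such as `rm *` denies the rm program
with any arguments, and the audit keeps every command whether or not it ran.
"""
import fnmatch
import os
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ControlPolicy:
    """A named deny-list of command patterns, such as the `rm *` rule above."""
    name: str
    denied: tuple  # shell-style patterns, e.g. ("rm *",)

    @staticmethod
    def normalise(command: str) -> str:
        """Tokenise the typed line and rebuild it with single spaces.

        The program name is reduced to its basename (assumption of this
        model) so that `/bin/rm -rf x` and `rm -rf x` are evaluated alike.
        Raises ValueError for input that cannot be tokenised.
        """
        tokens = shlex.split(command)
        if not tokens:
            return ""
        tokens[0] = os.path.basename(tokens[0])
        return " ".join(tokens)

    def is_allowed(self, command: str) -> bool:
        """True if no denied pattern matches the normalised command line."""
        try:
            line = self.normalise(command)
        except ValueError:  # unbalanced quotes: refuse rather than guess
            return False
        return not any(fnmatch.fnmatchcase(line, pat) for pat in self.denied)


@dataclass
class AuditRecord:
    """One line of the session audit trail."""
    timestamp: str
    user: str
    host: str
    command: str
    allowed: bool


def run_session(policy, user, host, commands, clock=None):
    """Evaluate each typed command against the policy and record it.

    Every command is recorded, allowed or not, which is what lets a later
    playback show the blocked attempt as well as the rest of the session.
    `clock` returns an ISO-8601 timestamp string; it is injectable for tests.
    """
    clock = clock or (lambda: datetime.now(timezone.utc).isoformat(timespec="seconds"))
    records = []
    for cmd in commands:
        records.append(AuditRecord(
            timestamp=clock(),
            user=user,
            host=host,
            command=cmd,
            allowed=policy.is_allowed(cmd),
        ))
    return records


def render_audit(records):
    """Render records as one text line each, e.g. for review or SIEM forwarding."""
    lines = []
    for r in records:
        action = "ALLOW" if r.allowed else "DENY"
        lines.append(f"{r.timestamp} {r.user}@{r.host} {action:<5} {r.command}")
    return lines


if __name__ == "__main__":
    # Constructed sample session: user name and commands are made up for the demo.
    policy = ControlPolicy("deny-rm", ("rm *",))
    session = run_session(policy, "ops-user", "10.0.2.107", [
        "ls -l /var/log",
        "rm -rf /var/log/old",
        "/bin/rm /tmp/scratch",
        "rmdir /tmp/empty",
        "uptime",
    ])
    print("\n".join(render_audit(session)))
```

Because the pattern is matched against the whole normalised line, rm with any arguments is denied while commands that merely start with the same letters, such as rmdir, are still allowed; the audit output shows the denied attempts with the same timestamp, user and host fields as everything else, which is what makes a later playback complete.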
And that's it! You have successfully configured Alibaba Cloud Bastionhost for your workload!
The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.