Bastionhost is a cloud-native privileged access management (PAM) service that centralizes control, auditing, and governance of operations and maintenance (O&M) access to your servers and other assets.
## What Bastionhost does

- Control who can access what — Grant and revoke access to servers and assets from a single location, without distributing SSH keys or opening inbound firewall ports.
- Record every session — Capture real-time video recordings of all O&M sessions and play them back for compliance reviews.
- Audit all activity — Maintain a tamper-proof session audit trail that tracks every command and operation.
- Require approval for sensitive operations — Route high-risk access requests through an approval workflow before a session starts.
- Store credentials securely — Use credential hosting to manage and inject SSH and Remote Desktop Protocol (RDP) credentials without exposing them to operators.
- Enforce multi-factor authentication (MFA) — Add a second layer of identity verification at session initiation.
## Who should use Bastionhost

- Security administrators who need to enforce least-privilege access policies, eliminate standing credentials, and satisfy compliance requirements.
- O&M administrators who manage day-to-day access to servers and assets, and need a single place to grant, revoke, and monitor permissions across teams.
- Auditors who review session recordings and audit logs to investigate incidents or demonstrate compliance without needing direct system access.
- IT compliance officers who require documented evidence of who accessed which asset, when, and what they did — with session-level granularity.
## How it works

Bastionhost mediates every O&M session through a controlled access plane:

1. Authentication — The operator logs on to Bastionhost using their account credentials, with MFA enforced if configured.
2. Authorization — Bastionhost checks the operator's permissions against the configured policies and, for sensitive assets, triggers an approval workflow.
3. Connection — After authorization is granted, Bastionhost establishes the session to the target asset using stored credentials. The operator never sees the underlying SSH key or RDP password.
4. Recording and monitoring — Bastionhost records the session in real time and streams it to monitoring consoles so administrators can observe live sessions.
5. Audit — After the session ends, the full session audit record — including real-time video recording and command logs — is available for review and playback.
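As an added illustration (not Bastionhost code), the following Python models the mediation flow above as a small broker: MFA gates authentication, a grant table gates authorization, sensitive assets wait on an approval, the hosted credential is used only inside the broker, and every step and command lands in one audit trail. All class names, policy layout and sample operators and assets are constructed for this example.

```python
"""Constructed model of the mediated access flow; not Bastionhost code. Each step writes an audit record."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    sensitive: bool   # sensitive assets need an approved request before connection
    credential: str   # hosted SSH key or RDP password, used only inside the broker

class AccessPlane:
    def __init__(self, assets, grants, approvals, mfa_verified):
        self.assets = {a.name: a for a in assets}
        self.grants = grants              # {operator: set of asset names}
        self.approvals = approvals        # set of (operator, asset) approved requests
        self.mfa_verified = mfa_verified  # operators who completed MFA at logon
        self.audit = []                   # ordered (operator, asset, step, outcome)

    def _log(self, operator, asset, step, outcome):
        self.audit.append((operator, asset, step, outcome))

    def open_session(self, operator, asset_name):
        if operator not in self.mfa_verified:
            self._log(operator, asset_name, "authentication", "denied: MFA not completed")
            return None
        asset = self.assets.get(asset_name)
        if asset is None or asset_name not in self.grants.get(operator, set()):
            self._log(operator, asset_name, "authorization", "denied: no grant")
            return None
        if asset.sensitive and (operator, asset_name) not in self.approvals:
            self._log(operator, asset_name, "approval", "pending: approval required")
            return None
        # asset.credential would drive the SSH/RDP handshake here; the returned descriptor carries no secret.
        self._log(operator, asset_name, "connection", "established")
        return {"operator": operator, "asset": asset_name, "commands": []}

    def run_command(self, session, command):
        # Every command in an open session joins the same audit trail as the session steps.
        session["commands"].append(command)
        self._log(session["operator"], session["asset"], "command", command)

def demo():
    """Walk three constructed requests through the plane and return the audit trail."""
    plane = AccessPlane([Asset("web-01", False, "ssh-key-web01"), Asset("db-01", True, "rdp-pw-db01")],
                        grants={"alice": {"web-01", "db-01"}, "bob": {"web-01"}},
                        approvals=set(), mfa_verified={"alice"})
    plane.open_session("bob", "web-01")             # bob has a grant but never completed MFA
    plane.open_session("alice", "db-01")            # sensitive asset, no approval on file yet
    session = plane.open_session("alice", "web-01") # fully authorized, non-sensitive asset
    plane.run_command(session, "systemctl status nginx")
    return plane.audit
```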
## Editions

Bastionhost is available in two editions:

| Edition | Capabilities | Best for |
|---|---|---|
| Basic Edition | Core access control, session audit, web terminal-based O&M | Teams getting started with centralized access management |
| Enterprise Edition | All Basic Edition capabilities, plus Client/Server O&M, credential hosting, approval workflows, network domain segmentation, and deeper integration with Alibaba Cloud identity services | Organizations with strict compliance requirements or complex multi-team environments |
## Get started

1. Purchase a Bastionhost instance and select the edition that fits your team size and compliance needs.
2. Add your servers and other assets to Bastionhost.
3. Create user accounts, assign roles, and configure access policies.
4. Set up session audit and review your first recorded session.