| Feature | Description | Basic | Enterprise | References |
|---|---|---|---|---|
| Infrastructure | | | | |
| Architecture | Determines the engine redundancy and availability of the bastion host. | Cloud-based single-engine architecture | Cloud-based dual-engine architecture | Benefits |
| Elastic scaling | Scale the number of assets, storage capacity, and bandwidth as your environment grows. |  |  | Billing |
| Internationalization | Switch the console language between Simplified Chinese, Traditional Chinese, and English. Deploy outside China, with SMS two-factor authentication supported for mobile numbers from multiple telecom carriers outside China. |  |  | Which countries and regions support the SMS-based two-factor authentication feature of Bastionhost? |
| Multi-account management | Manage O&M operations across multiple Alibaba Cloud accounts through Resource Directory from a single bastion host. |  |  | Use the multi-account management feature |
| User management | | | | |
| User roles | Assign administrators, O&M engineers, and auditors with distinct permissions. |  |  | Grant management permissions to a RAM user |
| User provisioning | Add users individually or import them in bulk from a file. |  |  | Manage users |
| Directory sync | Automatically sync RAM users, AD-authenticated users, and LDAP-authenticated users. |  |  | Manage users and Configure AD authentication or LDAP authentication |
| Third-party identity sources | Import users from Identity as a Service (IDaaS), DingTalk, and Microsoft Entra ID — eliminating the need to manage separate user accounts for each identity source. |  |  | Manage users and Manage IDaaS authentication |
| Account lifecycle | Change account states — expired, locked, or inactive — to reflect the current status of a user. |  |  | Configure the parameters on the User Settings tab |
| Password and lockout policy | Set account lockout thresholds and password validity periods. |  |  | Configure the parameters on the User Settings tab |
| Asset management | | | | |
| Server O&M | Connect to Windows and Linux servers over SSH and Remote Desktop Protocol (RDP). |  |  | Client-based O&M |
| Database O&M | Connect to ApsaraDB RDS instances (MySQL, SQL Server, PostgreSQL), PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Compatible with Oracle) clusters, and self-managed MySQL, SQL Server, PostgreSQL, and Oracle databases. |  |  | Use the database management feature and Client-based O&M |
| Application O&M | Connect to client applications and web applications over HTTPS and HTTP. |  |  | Application management and O&M overview |
| Asset import | Add assets manually or import Alibaba Cloud and third-party cloud assets in bulk. |  |  | Add hosts and Manage third-party asset sources |
| Credential management | Store asset passwords and SSH keys in Bastionhost so O&M engineers can access assets without knowing the credentials. |  |  | Manage a host account and Configure account settings for a host |
| Asset health checks | Check the status of Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, and network connectivity — on a schedule or on demand. |  |  | Manage hosts |
| Security Center integration | Monitor asset risks — alerts, vulnerabilities, and baseline risks — and navigate directly to Security Center to remediate them. |  |  | Manage hosts |
| Hybrid asset management | Manage assets across third-party clouds, Alibaba Cloud, and on-premises data centers from a single bastion host. |  |  | Best practices of hybrid O&M |
| Network domain proxy | Access assets in isolated network environments over an internal network using the network domain proxy mode. |  |  | Use the network domain feature |
| Password management | | | | |
| Automatic password change | Rotate Linux and Windows server passwords on a schedule or on demand, eliminating stale credentials. |  |  | Use the automatic password change feature |
| KMS secret rotation | Rotate passwords or keys for ECS instances using Key Management Service (KMS). |  |  | Import ECS secrets from KMS |
| O&M management | | | | |
| Fine-grained authorization | Grant or revoke access at the level of individual users, user groups, asset accounts, and asset group accounts. |  |  | Authorize users or user groups to manage assets and asset accounts and Grant permissions on asset groups |
| Two-factor authentication | Authenticate users with SMS, email, Time-Based One-Time Password (TOTP), or DingTalk notifications. |  |  | Enable two-factor authentication |
| Client tool access | Log on to assets from native client tools: Microsoft Terminal Services Client (MSTSC), Xshell, SecureCRT, and PuTTY. |  |  | Database O&M tools and versions |
| Secure File Transfer Protocol (SFTP) file transfer | Transfer files to and from assets using WinSCP, Xftp, SecureFX, and other SFTP clients. |  |  | Perform SFTP-based O&M |
| Browser-based SSO | Access assets through single sign-on (SSO) directly from a browser. |  |  | SSO-based O&M |
| O&M portal | Provide O&M engineers with an independent portal separate from the admin console. |  |  | — |
| Web portal O&M for non-RAM users | Allow non-RAM users to perform O&M operations directly from the bastion host web portal. |  |  | O&M portal-based O&M (non-RAM users) |
| Real-time session monitoring | Monitor active sessions in real time and block any session immediately. |  |  | Search for real-time monitoring sessions and view session details and Block sessions |
| RDP session controls | Control clipboard usage and disk mapping during RDP sessions. |  |  | Configure a control policy |
| SSH command controls | Configure command whitelists and blacklists, and require approval for high-risk commands during SSH sessions. |  |  | Configure a control policy |
| File operation controls | Restrict file uploads, downloads, deletions, renames, and folder creation or deletion during O&M sessions. |  |  | Configure a control policy |
| O&M approval workflow | Require O&M engineers to submit an access request that an administrator must approve before they can log on to an asset. |  |  | Review an O&M application |
| Logon restrictions | Restrict access by user, source IP address, and time window. |  |  | Configure the parameters on the User Settings tab |
| Session timeout | Set the maximum idle duration and maximum total duration for O&M sessions. |  |  | Configure the parameters on the User Settings tab |
| O&M audit | | | | |
| Session audit | Audit all O&M operations through logs and video recordings, with session playback. |  |  | Search for sessions and view session details |
| File transfer audit | Audit all file transfers performed during O&M sessions. |  |  | — |
| O&M reports | Generate and export O&M activity reports in PDF, HTML, or Word format. |  |  | View the O&M information on the O&M Reports page and export an O&M report |
| Log archiving | Transfer audit logs to Simple Log Service or download them locally using the log backup feature. |  |  | Archive audit logs in Simple Log Service and Use the log backup feature |
| API | | | | |
| API operations | Call API operations to manage Bastionhost programmatically. |  |  | List of operations by function |