This topic describes how Bastionhost manages assets through the unified management feature for multiple accounts.
Background information
Large enterprises often have complex business operations and scenarios that require multiple accounts to manage assets. Bastionhost addresses this need by offering a unified management feature for multiple accounts in conjunction with Resource Directory (RD) to achieve unified security management and O&M control of assets in complex account environments.
Solution
After adding members to a bastion host, you can import their assets, manage O&M policies centrally, and conduct comprehensive audits of O&M operations. Bastionhost synchronizes asset status in real time, enabling centralized cloud-based asset management across multiple accounts and reducing management costs.
- Bastionhost offers an asset management feature that allows you to import assets from multiple accounts with just a few clicks and distinguish them by Owner Account ID, with automatic status synchronization.
  Note: You can import assets from other accounts by creating a new host. For detailed instructions, see Create a host.
  - If you encounter network connectivity issues when accessing assets across accounts, you can either set up the network connection manually or use the network domain feature to enable Bastionhost to connect to the server's internal network. For more information, see Best practices for hybrid O&M scenarios.
- Bastionhost provides an O&M management feature, allowing centralized management of access permissions and policies for assets across multiple accounts.
  - Fine-grained asset authorization: Authorize assets and asset account permissions of multiple accounts to Bastionhost users. This helps enterprises organize complex asset permissions, reduces the risk of permission confusion, and supports filtering authorized assets by Alibaba Cloud account in the user interface to improve permission management efficiency.
  - Unified policy control of O&M behavior: Customize associated policies for assets under multiple accounts, including command approval, command whitelists and blacklists, and file transfer control. This enhances asset O&M security and reduces management costs.
- Bastionhost provides an O&M audit feature, allowing you to audit all O&M operations on assets of multiple accounts based on logs and videos, with the ability to filter assets by Alibaba Cloud account. This enables asset management and auditing for a specific account.
Prerequisites
- A resource directory has been enabled. For specific operations, see Enable a resource directory.
- Member accounts have been added to the resource directory.
  - To create a new member account, see Create a member.
  - To add an existing account to the resource directory, see Invite an Alibaba Cloud account to join the resource directory.
- When managing with a RAM user, you must grant the RAM user the permissions needed to manage Cloud Security Bastionhost (AliyunYundunBastionHostFullAccess) and Resource Directory Service (AliyunResourceDirectoryFullAccess). For guidance on granting permissions to a RAM user, see Grant permissions to a RAM user.
- Member accounts have been integrated into Bastionhost. For detailed instructions, see Unified Account Management.
Asset management
After importing assets from multiple accounts, you can view the account to which each asset belongs in the asset list and filter by account dimension. The process for importing assets from multiple accounts is as follows:
1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
2. In the bastion host list, find the bastion host that you want to manage and click Manage.
3. In the left-side navigation pane, under the Asset Management tab, click the destination asset type (Host or Database).
4. On the destination asset page, import assets from multiple accounts.
For detailed import procedures for each asset type, see Create a host and Create a database.
O&M management
Resource Access Management
After importing assets from other accounts into Bastionhost, you can authorize them to the appropriate users. You can filter authorized assets by account dimension on the user page to clearly display the authorization status of specific account assets. The steps for authorizing by user dimension are as follows:
1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
2. In the bastion host list, find the bastion host that you want to manage and click Manage.
3. In the left-side navigation pane, choose .
4. In the user list, click the target user name.
5. On the target asset tab, click No Authorized Account, Click To Authorize Account.
6. In the pop-up panel, select the corresponding asset account and click Update.
   Note: If no account is displayed, you can click Create A Host Account to create an asset account.
For detailed authorization procedures for each asset type, see Authorize assets and asset accounts.
Control policy
Bastionhost supports associating multi-account assets with control policies as needed and authorizing by asset group. Users can organize multi-account assets according to authorization and O&M management requirements, configure them by asset group, and then associate control policies. The steps to create a control policy are as follows:
1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
2. In the bastion host list, find the bastion host that you want to manage and click Manage.
3. In the left-side navigation pane, click Control Policies.
4. On the Control Policies page, click Create Control Policy.
5. On the Create Control Policy page, configure the control policy's name, priority, command control, command approval, protocol control, access control, and O&M approval, and click Create Control Policy.
6. On the Assets and Users to Which Policy Is Attached page, associate both assets and users with the policy; the policy takes effect only on the associated assets and users.
   - Associate assets with the policy. You can choose Takes Effect on All Assets or Takes Effect on Selected All Assets.
     - Takes Effect on All Assets: the policy applies by default to all assets and all of their asset accounts.
     - Takes Effect on Selected All Assets: after selecting the assets, you can choose to associate all accounts or specify accounts.
     Note: If you need to associate assets or asset accounts with a control policy in batches, first add the assets to an asset group in batches and then associate the asset group.
   - Associate users with the policy. You can choose Apply to All Users or Apply to Selected Users.
For detailed information on configuring control policies, see Configure Control Policies.
Security audit
Bastionhost supports auditing all operations performed by users accessing assets through Bastionhost. On the session audit page, you can filter audit records by asset account ID to quickly locate session audit records of specific account assets.
1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
2. In the bastion host list, find the bastion host that you want to manage and click Manage.
3. In the left-side navigation pane, select .
4. On the Session Audit page, search for and view session records.
For more information about session audit content, see Session Audit.