Bastionhost's multi-account management feature lets you centrally manage assets, access permissions, and O&M sessions across multiple Alibaba Cloud accounts — all from a single bastion host instance.
Who this guide is for
This guide is for IT administrators and O&M engineers at large organizations who manage cloud resources distributed across multiple Alibaba Cloud accounts. Common scenarios include:
Multi-BU environments: different business units own separate accounts, but a central security team needs visibility and control across all of them.
Managed service providers: you manage infrastructure on behalf of clients who each have their own account.
Compliance-driven separation: your organization mandates account-level isolation for regulatory reasons, but still requires centralized auditing.
If all your assets live under a single account, you don't need this feature.
How it works
Bastionhost integrates with Resource Directory to discover member accounts and their assets. After adding members to a bastion host:
Import assets from each member account — hosts and databases are automatically tagged with the Owner Account ID.
Grant Bastionhost users fine-grained permissions on those assets, filtered by account.
Apply control policies across all accounts or to selected asset groups.
Review O&M session records in a unified audit log, filterable by Owner Account ID.
Asset status syncs in real time, so the bastion host always reflects the current state of your infrastructure.
Prerequisites
Before you begin, make sure you have:
A resource directory enabled. See Enable a resource directory.
At least one member account in the resource directory — either created or invited.
The member account added to your bastion host. See Use the multi-account management feature.
If you use a RAM user to perform these operations, that RAM user must have the AliyunYundunBastionHostFullAccess and AliyunResourceDirectoryFullAccess permissions. See Grant permissions to a RAM user.
If network connectivity fails when accessing assets in a member account over the internal network, you can connect the network or use the network domain feature to bridge the connection. See Best practices of hybrid O&M.
Import assets from multiple accounts
After a member account is added to the bastion host, import its assets so they appear in the unified asset list.
Log in to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, choose Assets > Hosts or Assets > Database.
Import the assets of each member account.

After import, each asset is labeled with its Owner Account ID. Use this field to filter the asset list by account.
For step-by-step import instructions, see Add hosts and Import databases.
To import assets from accounts that are not member accounts in your resource directory, create hosts manually. See Add hosts.
Manage O&M access
Authorize users to manage assets
Grant a Bastionhost user access to specific assets and asset accounts from member accounts. After authorization, you can filter that user's authorized assets by account to verify the authorization status.
Log in to the Bastionhost console. Select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, choose Users > Users.
On the Users page, click the name of the user you want to manage.

On the Managed Hosts, Managed Databases, or Authorized Applications tab, find the asset group and, in the Authorized Accounts column, click the link "No accounts found. Click here to authorize the user to manage the accounts of the asset group."

In the panel that appears, select the asset account to authorize and click Update.
If no asset accounts appear, click Create Host Account to create one first.
For the full authorization workflow, see Authorize users or user groups to manage assets and asset accounts.
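The console view described above (a user's authorized assets filtered by Owner Account ID) can also be checked offline against an exported snapshot. The following is an added example, not code from the Bastionhost product or its API; the host, authorization and scope data are constructed to mirror the fields the page describes, and the "allowed accounts per user" mapping is an assumed local policy you would maintain yourself.

```python
"""Cross-account least-privilege check over a constructed Bastionhost-style snapshot.

Hosts carry the Owner Account ID assigned at import; users hold authorizations
on (host, asset account) pairs. The check reproduces the per-account view and
flags any authorization that reaches a member account outside the user's scope.
"""
from collections import defaultdict

# Constructed sample: host -> Owner Account ID and the asset accounts it exposes.
HOSTS = {
    "host-bu-a-web01": {"owner_account_id": "111111111111", "accounts": ["root", "ops"]},
    "host-bu-a-db01": {"owner_account_id": "111111111111", "accounts": ["dba"]},
    "host-bu-b-web01": {"owner_account_id": "222222222222", "accounts": ["root"]},
}

# Constructed sample: Bastionhost user -> authorized (host, asset account) pairs.
AUTHORIZATIONS = {
    "alice": [("host-bu-a-web01", "ops"), ("host-bu-a-db01", "dba")],
    "bob": [("host-bu-a-web01", "root"), ("host-bu-b-web01", "root")],
    "carol": [],
}

# Assumed local policy (not a Bastionhost setting): member accounts each user may operate on.
ALLOWED_ACCOUNTS = {
    "alice": {"111111111111"},
    "bob": {"222222222222"},
    "carol": {"111111111111"},
}


def authorized_by_account(user, hosts=HOSTS, auths=AUTHORIZATIONS):
    """Return {owner_account_id: sorted 'host/account' entries} for one user,
    i.e. the console's authorized-assets list grouped by Owner Account ID."""
    view = defaultdict(set)
    for host_id, account in auths.get(user, []):
        host = hosts[host_id]
        if account not in host["accounts"]:
            raise ValueError(f"{user}: {account} is not an asset account on {host_id}")
        view[host["owner_account_id"]].add(f"{host_id}/{account}")
    return {acct: sorted(entries) for acct, entries in view.items()}


def find_out_of_scope(user, allowed=ALLOWED_ACCOUNTS, **kw):
    """Authorizations that land in a member account the user is not scoped to."""
    view = authorized_by_account(user, **kw)
    return {acct: items for acct, items in view.items() if acct not in allowed.get(user, set())}


def find_users_without_authorizations(auths=AUTHORIZATIONS):
    """Users that exist but can reach no asset account (stale or not yet authorized)."""
    return sorted(user for user, pairs in auths.items() if not pairs)
```

Run it against an export of your own instance to confirm that every user's reach ends at the accounts you intended before attaching control policies.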
Create and attach control policies
Control policies define what operations are allowed during an O&M session — covering command execution, approval workflows, protocols, and access windows. Policies can target all assets or a selected group, and all accounts or specific accounts within that group.
Log in to the Bastionhost console. Select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, click Control Policies.
On the Control Policies page, click Create Control Policy.
On the Create Control Policy page, configure the following parameters, then click Create Control Policy.
Name: A unique name for the policy.
Priority: Evaluation order when multiple policies apply to the same asset.
Command Control: Restrict or block specific commands.
Command Approval: Require approval before running commands.
Protocol Control: Limit which protocols are allowed (SSH, RDP, and others).
Access Control: Restrict access by time window or IP range.
O&M Approval: Require approval before starting an O&M session.
On the Assets and Users to Which Policy Is Attached page, attach the policy to assets and users.
Assets: Select Takes Effect on All Assets to apply the policy to every asset account, or select Takes Effect on Selected All Assets to pick specific assets and then choose Associate All Accounts or Associate Specific Accounts.
Users: Select Apply to All Users or Apply to Selected Users.
To apply a policy to multiple assets at once, add them to an asset group and attach the policy to the group.
For full configuration details, see Configure a control policy.
Audit O&M sessions
All O&M activity across every member account is recorded in a unified audit log based on session logs and videos. Filter by Owner Account ID to focus on assets from a specific account.
Log in to the Bastionhost console. Select the region where your bastion host resides.
In the bastion host list, find your bastion host and click Manage.
In the left-side navigation pane, choose O&M Audit > Session Audit.
On the Session Audit page, use the Owner Account ID filter to view session records for a specific account.
For details on reviewing and replaying sessions, see Session audit.
What's next
Use the multi-account management feature — add member accounts to a bastion host.
Add hosts — manually add hosts from any account.
Best practices of hybrid O&M — connect a bastion host to servers across different network environments.