This topic describes how to use the multi-account management feature of Bastionhost to perform O&M operations on assets.
Background information
Large enterprises often run complex businesses whose assets are spread across multiple Alibaba Cloud accounts. For such scenarios, Bastionhost provides the multi-account management feature, which is built on Resource Directory and lets you manage and perform O&M on assets in a centralized manner even in a complex account environment.
Solution
After you add members to a bastion host, you can import the assets of the members to the bastion host, manage O&M policies in a centralized manner, and comprehensively audit O&M operations. Bastionhost synchronizes the asset status in real time. This allows you to manage assets of multiple accounts in a centralized manner on the cloud and reduces management costs.
Bastionhost provides the asset management feature for you to import assets of multiple accounts. You can categorize assets by Owner Account ID and automatically synchronize asset status.
Note: You can also import assets of other accounts by creating hosts. For more information, see Add hosts.
Assets that belong to a different Alibaba Cloud account are usually not in the same internal network as the bastion host, so connections to them may fail. To reach such assets over an internal network, connect the networks of the two accounts or use the network domain feature. For more information, see Best practices of hybrid O&M.
Bastionhost provides the O&M management feature for you to centrally manage access permissions and policies for assets of multiple accounts.
Fine-grained centralized authorization on assets: You can grant Bastionhost users permissions on assets of multiple accounts and on the asset accounts of those assets. This helps enterprises sort out complex asset permissions and prevents permission-related confusion. You can filter authorized assets by Alibaba Cloud account on the user interface to make permission management more efficient.
Centralized management of O&M operations: Bastionhost allows you to configure control policies. You can configure command control, command approval, protocol control, and access control policies to manage O&M operations. This enhances asset O&M security and reduces management costs.
Bastionhost provides the O&M audit feature for you to audit all O&M operations on assets of multiple accounts based on logs and videos. You can also filter assets by Alibaba Cloud account to manage asset operations for specific accounts.
Prerequisites
A resource directory is enabled. For more information, see Enable a resource directory.
A member exists in the resource directory.
For more information about how to create a member, see Create a member.
For more information about how to invite an existing account to join a resource directory as a member, see Invite an Alibaba Cloud account to join a resource directory.
If you use a RAM user to manage the assets of multiple accounts, make sure that the RAM user has the AliyunYundunBastionHostFullAccess and AliyunResourceDirectoryFullAccess permissions. For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.
A member is added to a bastion host. For more information, see Use the multi-account management feature.
Asset management
After you import assets of multiple accounts, you can view the accounts in the asset list and filter assets by account. To import assets of multiple accounts, perform the following operations:
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Assets > Hosts or Assets > Database.
On the page that appears, import assets of multiple accounts.

For more information about how to import assets, see Add hosts and Import databases.
O&M management
Access control
After you import assets of other accounts to a bastion host, you can authorize a user to manage those assets. On the Users page, you can filter the authorized assets by account to view which assets of a specific account a user is authorized to manage. To authorize a user to manage assets, perform the following operations:
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, go to the Users page.
On the Users page, click the name of the user that you want to manage.

On the Managed Hosts, Managed Databases, or Authorized Applications tab, find the Authorized Accounts column and click the link that reads "No accounts found. Click here to authorize the user to manage the accounts of the asset group."

In the panel that appears, select the asset accounts that you want to authorize the user to manage and click Update.
Note: If no account is displayed, click Create Host Account to create an asset account.
For more information about the asset authorization process, see Authorize users or user groups to manage assets and asset accounts.
Control policy
Bastionhost allows you to attach control policies to assets of multiple accounts based on your business requirements. Policies can be attached per asset or per asset group, so you can configure one control policy for an asset group and apply it to every asset in the group. To create a control policy, perform the following operations:
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, click Control Policies.
On the Control Policies page, click Create Control Policy.
On the Create Control Policy page, configure the Name, Priority, Command Control, Command Approval, Protocol Control, Access Control, and O&M Approval parameters. Then, click Create Control Policy.
On the Assets and Users to Which Policy Is Attached page, associate the control policy with assets and users. A control policy takes effect only on the assets and users that are associated with it.
Associate the control policy with assets. You can select Takes Effect on All Assets or Takes Effect on Selected Assets.
If you select Takes Effect on All Assets, the control policy takes effect on all assets and all of their asset accounts.
If you select Takes Effect on Selected Assets, select the assets that you want to associate with the control policy, and then select Associate All Accounts or Associate Specific Accounts to decide which asset accounts of those assets the policy covers.
Note: To associate a control policy with multiple assets or asset accounts at a time, add the assets to an asset group and then associate the control policy with the asset group.
Associate the control policy with users. You can select Apply to All Users or Apply to Selected Users. A user whose sessions match no associated policy is not restricted by any control policy, so check the coverage of your policies after you grant cross-account permissions.
For more information about how to configure a control policy, see Configure a control policy.
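The access control and control policy sections above describe two things a reviewer wants to verify on a multi-account bastion host: which users can reach assets owned by more than one Alibaba Cloud account, and whether every (user, asset, asset account) authorization is actually governed by a control policy. The following Python script, an added example that is not part of the original page and not Bastionhost's own code or export format, models these concepts with constructed data. The record layouts, host IDs, user names, and Owner Account IDs are all assumptions made for the example; so is the rule that the lowest Priority value wins when several policies match a session.

```python
"""Review of multi-account asset authorizations on a bastion host.

Constructed data that mirrors the console concepts on this page: hosts
imported from several Alibaba Cloud accounts (Owner Account ID), users
authorized to use specific asset accounts, and control policies attached
to assets and users. The record layouts are assumptions for this example,
not a Bastionhost export format.
"""
from collections import defaultdict

# Constructed hosts, keyed by a made-up host ID. Owner account IDs are fake.
HOSTS = {
    "host-a": {"name": "web-01", "owner_account_id": "111111111111"},
    "host-b": {"name": "db-01", "owner_account_id": "222222222222"},
    "host-c": {"name": "jump-01", "owner_account_id": "222222222222"},
}

# Constructed authorizations: user -> list of (host_id, asset account).
AUTHORIZATIONS = {
    "alice": [("host-a", "root"), ("host-b", "dba")],
    "bob": [("host-c", "ops")],
    "carol": [("host-b", "dba")],
}

# Constructed control policies. The asset scope follows the console choices
# (all assets, or selected assets with all or specific accounts); the user
# scope is "all" or a set of selected users.
POLICIES = [
    {
        "name": "deny-dangerous-commands",
        "priority": 1,
        "assets": "all",                    # Takes Effect on All Assets
        "users": {"alice", "carol"},        # Apply to Selected Users
    },
    {
        "name": "db-approval",
        "priority": 2,
        "assets": {"host-b": "all"},        # selected asset, Associate All Accounts
        "users": {"alice"},
    },
    {
        "name": "root-only-web",
        "priority": 3,
        "assets": {"host-a": {"root"}},     # selected asset, Associate Specific Accounts
        "users": "all",                     # Apply to All Users
    },
]


def policy_applies(policy, user, host_id, account):
    """Return True if a control policy covers this (user, host, account)."""
    users = policy["users"]
    if users != "all" and user not in users:
        return False
    assets = policy["assets"]
    if assets == "all":
        return True
    if host_id not in assets:
        return False
    accounts = assets[host_id]
    return accounts == "all" or account in accounts


def effective_policy(user, host_id, account, policies=POLICIES):
    """Name of the policy that governs a session, or None if none is attached.
    Assumption for this example: the lowest Priority value takes precedence."""
    matching = [p for p in policies if policy_applies(p, user, host_id, account)]
    if not matching:
        return None
    return min(matching, key=lambda p: p["priority"])["name"]


def uncovered_authorizations(authorizations=AUTHORIZATIONS, policies=POLICIES):
    """(user, host, account) triples a user may log on to with no policy at all."""
    gaps = []
    for user, grants in authorizations.items():
        for host_id, account in grants:
            if effective_policy(user, host_id, account, policies) is None:
                gaps.append((user, host_id, account))
    return gaps


def cross_account_users(authorizations=AUTHORIZATIONS, hosts=HOSTS):
    """Users whose authorized hosts belong to more than one Owner Account ID."""
    spans = defaultdict(set)
    for user, grants in authorizations.items():
        for host_id, _ in grants:
            spans[user].add(hosts[host_id]["owner_account_id"])
    return {u: sorted(ids) for u, ids in spans.items() if len(ids) > 1}


if __name__ == "__main__":
    for user, host_id, account in uncovered_authorizations():
        print(f"no control policy: {user} -> {HOSTS[host_id]['name']} ({account})")
    for user, ids in cross_account_users().items():
        print(f"{user} can reach assets owned by accounts {', '.join(ids)}")
```

In the constructed data, bob's authorization on host-c is not covered by any policy because the catch-all policy applies only to selected users, and alice is the one user whose grants span two owner accounts; both are the findings such a review should surface before the bastion host goes into production.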
Security audit
Bastionhost allows you to audit all O&M operations on the assets. On the Session Audit page, you can filter session records by Owner Account ID to quickly find the session records of the assets of specific accounts.
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, go to the Session Audit page.
On the Session Audit page, view the session records. To find the sessions of assets that belong to a specific account, filter the records by Owner Account ID.
For more information about session audit, see Session audit.