This topic describes how to use the multi-account management feature of Bastionhost for operations and maintenance (O&M) of your assets.
Background information
Large enterprises with complex services often need to manage assets across multiple accounts. To address this scenario, Bastionhost integrates with Resource Directory to provide a multi-account management feature. This feature provides unified security management and O&M control for assets across multi-account environments.
Solution
After adding member accounts to Bastionhost, you can import assets from these accounts, synchronize asset statuses in real time, centrally manage O&M policies, and audit all O&M operations. This gives you comprehensive O&M and security control over cloud assets across multiple accounts, reducing management costs.
- Asset management: Import assets from multiple accounts, automatically synchronize their statuses, and identify which account owns each asset.
  Note:
  - You can also import assets from other accounts by adding hosts manually. For more information, see Add a host.
  - Accessing assets across accounts may cause network connectivity issues. If Bastionhost needs to connect to your servers over an internal network, you can establish the network connection or use the network domain feature. For more information, see Best practices for hybrid O&M.
- Unified O&M control: Centrally manage access permissions and control policies for assets across multiple accounts.
  - Fine-grained asset authorization: Grant Bastionhost users permissions to assets and asset accounts from multiple accounts. This helps you organize complex asset permissions and reduces the risk of permission sprawl. You can also filter authorized assets by Alibaba Cloud account on the user page to manage permissions more efficiently.
  - Unified policy control: Apply custom control policies to assets from multiple accounts to govern O&M activities, such as command approval, command allowlists and denylists, and file transfers. This strengthens O&M security and reduces management costs.
- Security auditing: Bastionhost provides unified, end-to-end session recording and log auditing for O&M activities on assets across multiple accounts. You can filter audit records by Alibaba Cloud account to manage and review activities for a specific account's assets.
Prerequisites
- You have enabled Resource Directory. For more information, see Enable a resource directory.
- You have added one or more member accounts to your Resource Directory.
  - To create a new member account, see Create a member.
  - To add an existing Alibaba Cloud account to your resource directory, see Invite an Alibaba Cloud account to join a resource directory.
- If you use a RAM user for management, you must grant the RAM user permissions to manage Bastionhost (AliyunYundunBastionHostFullAccess) and Resource Directory (AliyunResourceDirectoryFullAccess). For instructions, see Grant permissions to a RAM user.
- You have added the member accounts to your Bastionhost instance. For more information, see Multi-account management.
Asset management
After importing assets from multiple accounts, you can view the owner account of each asset in the asset list and filter assets by account. The following procedure describes how to import assets from multiple accounts.
1. Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
2. In the list of Bastionhost instances, find the target instance and click Manage.
3. In the left-side navigation pane, under Assets, click Hosts or Database.
4. On the page that appears, import assets from your member accounts: click the drop-down arrow next to Import ECS Instances and select Import Member Account Instances.
For detailed instructions on how to import different types of assets, see Add a host and Add a database.
O&M control
Access control
After importing assets from other accounts into Bastionhost, you can authorize users to access them. You can filter a user's authorized assets by owner account to view the authorization status for a specific account's assets. The following procedure describes how to authorize a user.
1. Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
2. In the list of Bastionhost instances, find the target instance and click Manage.
3. In the navigation pane on the left, choose .
4. In the user list, click the target user name.
5. On the Target Asset tab, click No accounts found. Click here to authorize the user to manage the accounts of the asset group.
6. In the panel that appears, select the corresponding asset account and click Update.
   Note: If no account is displayed, click Create Host Account to create an asset account.
For more information about the authorization process for each asset, see Authorize Assets and Asset Accounts.
Control policy
Bastionhost lets you associate multi-account assets with control policies and grant permissions by asset group. Based on your authorization and O&M requirements, you can organize multi-account assets into asset groups and then associate them with a control policy. Create a control policy as follows:
1. Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
2. In the list of Bastionhost instances, find the target instance and click Manage.
3. In the navigation pane on the left, click Control Policies.
4. On the Control Policies page, click Create Control Policy.
5. On the Create Control Policy page, configure the name, priority, command control, command approval, protocol control, access control, and O&M approval for the control policy, and click Create Control Policy.
6. On the Assets and Users to Which Policy Is Attached page, associate both assets and users with the policy to make it take effect on them.
   - Associate assets with the policy. You can select Takes Effect on All Assets or Takes Effect on Selected All Assets.
     - If you select Takes Effect on All Assets, the policy applies to all asset accounts by default.
     - If you select Takes Effect on Selected All Assets, you can choose to associate all accounts or specific accounts after you associate the assets.
     Note: To associate assets or asset accounts in batches with a control policy, first add the assets to an asset group. Then, perform the batch association.
   - Associate users with the policy. You can select Apply to All Users or Apply to Selected Users.
For more information, see Configure a control policy.
Security audit
Bastionhost audits all user operations on assets. On the Session Audit page, you can filter audit records by account ID to quickly find session audit records for assets that belong to a specific account.
1. Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
2. In the list of Bastionhost instances, find the target instance and click Manage.
3. In the navigation pane on the left, choose .
4. On the Session Audit page, search for and view session records.
For more information, see Session audit.
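The Control policy and Security audit sections above describe three pieces that work together: per-user, per-asset-account authorization, control policies that deny or require approval for commands, and an audit trail that can be filtered by the Alibaba Cloud account that owns each asset. The following toy model is an added example written for this page; it is not Bastionhost code and does not reproduce the product's evaluation logic. All account IDs, asset IDs, user names and policy rules are constructed sample data, "lower priority value is evaluated first" and "first matching policy wins" are assumptions, and commands are matched as exact strings.

```python
"""Toy model of multi-account O&M control: assets tagged with an owner account,
per-user asset-account grants, prioritised control policies, and an audit log
that can be filtered by owner account. Added illustration, not Bastionhost code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner_account: str   # Alibaba Cloud account the asset was imported from
    accounts: frozenset  # asset (OS/DB) accounts that exist on the host


@dataclass(frozen=True)
class ControlPolicy:
    name: str
    priority: int                              # assumption: lower value wins
    denied_commands: frozenset = frozenset()   # command denylist
    approval_commands: frozenset = frozenset() # commands needing approval
    all_assets: bool = False
    asset_ids: frozenset = frozenset()
    all_users: bool = False
    users: frozenset = frozenset()

    def applies_to(self, user, asset_id):
        """A policy takes effect only when it is attached to both the asset and the user."""
        return (self.all_assets or asset_id in self.asset_ids) and \
               (self.all_users or user in self.users)


class Bastion:
    def __init__(self):
        self.assets = {}    # asset_id -> Asset
        self.grants = {}    # user -> {asset_id -> set(asset accounts)}
        self.policies = []
        self.audit = []     # one record per command attempt, allowed or not

    def import_asset(self, asset):
        self.assets[asset.asset_id] = asset

    def authorize(self, user, asset_id, account):
        """Fine-grained grant: a specific user, a specific asset, a specific asset account."""
        if account not in self.assets[asset_id].accounts:
            raise ValueError(f"{account!r} is not an account on {asset_id}")
        self.grants.setdefault(user, {}).setdefault(asset_id, set()).add(account)

    def assets_by_owner(self, owner_account):
        """Mirrors filtering the asset list by owner account."""
        return sorted(a.asset_id for a in self.assets.values()
                      if a.owner_account == owner_account)

    def decide(self, user, asset_id, account, command):
        asset = self.assets.get(asset_id)
        if asset is None:
            decision = "deny:unknown-asset"
        elif account not in self.grants.get(user, {}).get(asset_id, set()):
            decision = "deny:not-authorized"   # no grant for this asset account
        else:
            decision = "allow"
            for p in sorted(self.policies, key=lambda p: p.priority):
                if not p.applies_to(user, asset_id):
                    continue
                if command in p.denied_commands:
                    decision = f"deny:policy:{p.name}"
                elif command in p.approval_commands:
                    decision = f"approval-required:policy:{p.name}"
                else:
                    continue
                break  # assumption: first matching policy decides
        # Every attempt is recorded with the owner account so audits can be
        # filtered per Alibaba Cloud account, as in the Session Audit page.
        self.audit.append({"user": user, "asset": asset_id, "account": account,
                           "owner_account": asset.owner_account if asset else None,
                           "command": command, "decision": decision})
        return decision

    def audit_for_account(self, owner_account):
        return [r for r in self.audit if r["owner_account"] == owner_account]


def build_sample():
    """Constructed sample: two member accounts, two assets, two users, two policies."""
    b = Bastion()
    b.import_asset(Asset("web-01", "acct-A-0000", frozenset({"root", "deploy"})))
    b.import_asset(Asset("db-01", "acct-B-0000", frozenset({"admin"})))
    b.authorize("alice", "web-01", "deploy")
    b.authorize("alice", "db-01", "admin")
    b.authorize("bob", "web-01", "root")
    b.policies.append(ControlPolicy("deny-rm-everywhere", 10, all_assets=True,
                                    all_users=True, denied_commands=frozenset({"rm -rf /"})))
    b.policies.append(ControlPolicy("approve-db-dump", 20, asset_ids=frozenset({"db-01"}),
                                    all_users=True, approval_commands=frozenset({"mysqldump"})))
    return b


if __name__ == "__main__":
    b = build_sample()
    print(b.decide("alice", "web-01", "deploy", "ls"))          # allow
    print(b.decide("alice", "web-01", "deploy", "rm -rf /"))    # deny:policy:deny-rm-everywhere
    print(b.decide("alice", "db-01", "admin", "mysqldump"))     # approval-required:policy:approve-db-dump
    print(b.decide("bob", "db-01", "admin", "ls"))              # deny:not-authorized
    print(b.audit_for_account("acct-B-0000"))
```

The point worth noticing is that bob's attempt on db-01 is refused before any control policy is consulted, because the grant model is per asset account rather than per asset, and that the refused attempt still lands in the audit log under acct-B-0000, so a reviewer filtering by that account sees failed attempts as well as successful sessions.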