When you create a security-enhanced Elastic Compute Service (ECS) instance, you must select a security-enhanced instance type and a matching operating system image. If you use the Alibaba Cloud trusted system, you must also grant the instance a RAM role with the corresponding permissions so that the security-enhanced instance can report trusted information to Alibaba Cloud Security Center when the instance starts. This topic describes how to create a security-enhanced instance.

Create a security-enhanced instance in the ECS console

The procedure for creating a security-enhanced instance in the ECS console is similar to that for creating a non-security-enhanced instance. However, you must pay attention to specific options when you create a security-enhanced instance. This procedure describes the specific configurations to make when you create a security-enhanced instance. For information about other general configurations, see Create an instance by using the wizard.

When you create a security-enhanced instance in the ECS console, you are prompted to perform the following operations:
  • Activate Key Management Service (KMS). After KMS is activated, a service key is automatically created. You do not need to pay for this key.
  • Create a RAM role and grant permissions to this role. Alibaba Cloud provides you with system policies for trusted services. Follow the steps in the wizard to complete the settings when you create an instance.
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. Click Create Instance.
  4. Configure the settings in the Basic Configurations step.
    Take note of the following parameters:
    • Instance Type: Select a security-enhanced instance type. For more information about security-enhanced instance types, see Instance families.
      Note The g7t, c7t, and r7t instance families support Software Guard Extensions (SGX) encrypted computing. When you create a g7t, c7t, or r7t instance in the ECS console, the Alibaba Cloud SGX runtime is automatically installed. For information about how to build an SGX encrypted computing environment on a g7t, c7t, or r7t instance, see Build an SGX encrypted computing environment.
    • Image: Select an image version that matches the instance family. The following image versions are available:
      g6t, c6t, and r6t:
      • Alibaba Cloud Linux 2.1903 64-bit (Trusted)
      • CentOS 7.8 64-bit (Trusted)
      g7t, c7t, and r7t:
      • Alibaba Cloud Linux 2.1903 LTS 64-bit (UEFI)
      • CentOS 8.4 64-bit (UEFI)
      • CentOS 8.3 64-bit (UEFI)
      • Ubuntu 20.04 64-bit (UEFI)
      • Ubuntu 18.04 64-bit (UEFI)
      Note If you select Trusted System when you create an instance, the Alibaba Cloud trusted system is used for the instance. The Alibaba Cloud trusted system verifies the instance when the instance starts. If you want to use a self-managed trusted service system, do not select Trusted System.
  5. Click Next: Networking. If the Enable Key Management Service (KMS) dialog box appears, click Enable.
    KMS must be activated. Otherwise, the security-enhanced instance cannot be created. If you have activated KMS, the dialog box does not appear. Proceed with the Networking step.
  6. Click Next: System Configurations.
    If Trusted System is selected, you must specify a RAM role for the instance. The RAM role must be granted permissions to access the trusted services. Alibaba Cloud provides you with the corresponding AliyunECSInstanceForYundunSysTrustRole service-linked role. We recommend that you configure and select this role by performing the following steps.
    Note If you need more precise or customized configurations, create a role and grant it permissions based on your needs. When you create a RAM role, you must take some precautions. For more information, see Precautions on granting permissions to RAM roles.
    1. Click here to authorize.
    2. In the Cloud Resource Access Authorization dialog box, click Confirm Authorization.
    3. In the dialog box that appears, click Confirm Authorization Policy.
    4. Click Authorized.
    5. Select AliyunECSInstanceForYundunSysTrustRole as the RAM role.
    Note You can also skip the authorization step and grant permissions after the instance is created. For more information, see Bind an instance RAM role.
  7. Follow the steps in the wizard to create the instance.

Create a security-enhanced instance by calling an API operation

When you call an API operation to create a security-enhanced instance, take note of the following items:
  • KMS must be activated. Otherwise, the security-enhanced instance cannot be created. For more information, see Activate KMS.
  • When you use the Alibaba Cloud trusted system, you must specify a RAM role for the security-enhanced instance to be created and this role must be granted permissions to access the trusted services. This way, the security-enhanced instance reports the trusted information to Alibaba Cloud Security Center when the instance starts. You can call an API operation to create a RAM role and grant permissions to this role. For more information, see Use an instance RAM role by calling API operations. When you create a RAM role, you must take some precautions. For more information, see Precautions on granting permissions to RAM roles.
    Note If you use a self-managed trusted service system, you do not need to specify the RAM role.
You can call the RunInstances or CreateInstance operation to create security-enhanced instances. The following table describes some parameters to take note of.
Parameter, description, and example:
  • InstanceType: The instance type of the security-enhanced instance. ECS provides the following security-enhanced instance families: g7t, c7t, r7t, g6t, c6t, and r6t. Example: ecs.c6t.large
  • ImageId: The ID of the image that is used to create the security-enhanced instance. Use an image version that the instance family supports. You can call the DescribeImages operation to query image IDs. Example: aliyun_2_1903_x64_20G_secured_alibase_20210120.vhd
  • SystemDisk.Category: The category of the system disk to attach to the security-enhanced instance. Only enhanced SSDs (ESSDs) can be used. Example: cloud_essd
  • VSwitchId: The ID of the vSwitch of the security-enhanced instance. This parameter is required because all security-enhanced instances reside in virtual private clouds (VPCs). Example: vsw-bp134jzf285qg9u6w****
  • RamRoleName: The name of the RAM role that the instance uses to report trusted information. You can also call the AttachInstanceRamRole operation to attach a RAM role to the instance after the instance is created. This parameter is not needed if you use a self-managed trusted service system. Example: AliyunECSInstanceForYundunSysTrustRole
  • UserData: The script that installs the Alibaba Cloud trusted system, encoded in Base64 as a single line. For the plaintext script, see Script for installing the Alibaba Cloud trusted system. The script runs as root when the instance starts for the first time and pipes the installer that it downloads into sh, so review it before you use it and re-encode it if you change it. Example:
IyEvYmluL3NoCkNVUlBBVEg9YHB3ZGAKU0NSSVBUX1BBVEg9Ii9kb3dubG9hZC9saW51eC9zY3JpcHQvVHJ1c3RBZ2VudEluc3RhbGwuc2giClJFR0lPTl9JRD1gY3VybCAtcyAtLXJldHJ5IDEgLS1tYXgtdGltZSAzIGh0dHA6Ly8xMDAuMTAwLjEwMC4yMDAvbGF0ZXN0L21ldGEtZGF0YS9yZWdpb24taWRgClVQREFURV9TSVRFMT1odHRwOi8vdHJ1c3RjbGllbnQtJHtSRUdJT05fSUR9Lm9zcy0ke1JFR0lPTl9JRH0taW50ZXJuYWwuYWxpeXVuY3MuY29tClVQREFURV9TSVRFMj1odHRwOi8vdHJ1c3RjbGllbnQtJHtSRUdJT05fSUR9Lm9zcy0ke1JFR0lPTl9JRH0uYWxpeXVuY3MuY29tClVQREFURV9TSVRFMz1odHRwOi8vdC10cnVzdGNsaWVudC0ke1JFR0lPTl9JRH0ub3NzLXskUkVHSU9OX0lEfS1pbnRlcm5hbC5hbGl5dW5jcy5jb20KTVNHX0lORk89ImRvd25sb2FkaW5nIGluc3RhbGwgc2NyaXB0IGZyb20gc2l0ZSIKTVNHX0VSUj0iZG93bmxvYWQgZmlsZSBlcnJvci4iCk1TR19PSz0idHJ1c3QgY2xpZW50IGluaXQgZG9uZS4iCgppbnN0YWxsKCkKewogIGVjaG8gIiR7TVNHX0lORk99IiIgMS4uLiIKICBjdXJsIC1mc1NMICIke1VQREFURV9TSVRFMX0iIiR7U0NSSVBUX1BBVEh9InxzaAogIGlmIFsgJD8gPT0gMCBdOyB0aGVuCiAgICByZXR1cm4gMQogIGZpCiAgZWNobyAiJHtNU0dfSU5GT30iIiAyLi4uIgogIGN1cmwgLWZzU0wgIiR7VVBEQVRFX1NJVEUyfSIiJHtTQ1JJUFRfUEFUSH0ifHNoCiAgaWYgWyAkPyA9PSAwIF07IHRoZW4KICAgIHJldHVybiAyCiAgZmkKICBlY2hvICIke01TR19JTkZPfSIiIDMuLi4iCiAgY3VybCAtZnNTTCAiJHtVUERBVEVfU0lURTN9IiIke1NDUklQVF9QQVRIfSJ8c2gKICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgcmV0dXJuIDMKICBmaQogIGVjaG8gIiIgMT4mMgogIGV4aXQgMQp9CgppbnN0YWxsCmVjaG8gIiR7TVNHX09LfSIKCmV4aXQgMAo=
  • SecurityOptions.TrustedSystemMode: The trusted system mode. When you call the RunInstances operation to create a g7t, c7t, or r7t instance, you must set this parameter to vTPM. Example: vTPM
    Note Only the RunInstances operation supports the SecurityOptions.TrustedSystemMode parameter. If you call the CreateInstance operation, you cannot set the trusted system mode.
Sample requests:
https://ecs.aliyuncs.com/?Action=RunInstances
&RegionId=cn-hangzhou
&InstanceType=ecs.c6t.large
&ImageId=aliyun_2_1903_x64_20G_secured_alibase_20210120.vhd
&SystemDisk.Category=cloud_essd
&VSwitchId=vsw-bp134jzf285qg9u6w****
&SecurityGroupId=sg-bp1c3o8hzd14dovh****
&RamRoleName=AliyunECSInstanceForYundunSysTrustRole
&UserData=<Base64-encoded installation script, as shown for the UserData parameter above>
&<Common request parameters>
Sample success responses:
  • XML format
    <RunInstancesResponse>
          <RequestId>04F0F334-1335-436C-A1D7-6C044FE73368</RequestId>
          <InstanceIdSets>
                <InstanceIdSet>i-bp16byi4f3fti5b3****</InstanceIdSet>
          </InstanceIdSets>
    </RunInstancesResponse>
  • JSON format
    {
        "RequestId": "BB694A51-7860-4B5C-B906-9B4077798672",
        "InstanceIdSets": {
            "InstanceIdSet": [
                "i-bp16byi4f3fti5b3****"
            ]
        }
    }
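The following shell script is an added example and is not part of the Alibaba Cloud documentation or CLI. It enforces the constraints from the parameter table above (security-enhanced instance family, cloud_essd system disk, a vSwitch because security-enhanced instances are VPC-only, vTPM mode for g7t, c7t, and r7t), Base64-encodes the UserData script as a single line, and assembles the matching aliyun ecs RunInstances invocation with the values from the sample request. It assumes the Alibaba Cloud CLI (aliyun) is installed and configured; the file name trust-agent-userdata.sh, the validation functions, and the dry-run convention are the example's own.

```sh
#!/bin/sh
# Added example, not Alibaba Cloud's code: validate the RunInstances parameters
# for a security-enhanced instance, Base64-encode the UserData script, and
# assemble the `aliyun ecs RunInstances` call. Assumes the aliyun CLI is
# configured; trust-agent-userdata.sh is a placeholder file name.

# Security-enhanced families: g6t, c6t, r6t (6th gen) and g7t, c7t, r7t (7th gen).
is_trusted_instance_type() {
    case "$1" in
        ecs.g6t.*|ecs.c6t.*|ecs.r6t.*|ecs.g7t.*|ecs.c7t.*|ecs.r7t.*) return 0 ;;
        *) return 1 ;;
    esac
}

# 7th-generation families need SecurityOptions.TrustedSystemMode=vTPM, which
# only RunInstances accepts (CreateInstance has no such parameter).
needs_vtpm() {
    case "$1" in
        ecs.g7t.*|ecs.c7t.*|ecs.r7t.*) return 0 ;;
        *) return 1 ;;
    esac
}

# UserData must be one Base64 line; `base64 | tr -d '\n'` avoids GNU-only -w0.
encode_user_data() {
    base64 < "$1" | tr -d '\n'
}

# Print one "--Name value" line per RunInstances parameter after validating:
#   build_run_instances_args TYPE IMAGE DISK VSWITCH SG ROLE USERDATA_FILE
# ROLE may be empty for a self-managed trusted service system.
build_run_instances_args() {
    itype=$1 image=$2 disk=$3 vsw=$4 sg=$5 role=$6 udfile=$7
    is_trusted_instance_type "$itype" ||
        { echo "not a security-enhanced instance type: $itype" >&2; return 1; }
    [ "$disk" = cloud_essd ] ||
        { echo "system disk must be cloud_essd (ESSD), got: $disk" >&2; return 1; }
    case "$vsw" in
        vsw-*) ;;
        *) echo "VSwitchId is required: security-enhanced instances are VPC-only" >&2; return 1 ;;
    esac
    [ -r "$udfile" ] || { echo "UserData script not readable: $udfile" >&2; return 1; }

    printf '%s %s\n' --RegionId "${REGION_ID:-cn-hangzhou}"
    printf '%s %s\n' --InstanceType "$itype"
    printf '%s %s\n' --ImageId "$image"
    printf '%s %s\n' --SystemDisk.Category "$disk"
    printf '%s %s\n' --VSwitchId "$vsw"
    printf '%s %s\n' --SecurityGroupId "$sg"
    if [ -n "$role" ]; then
        printf '%s %s\n' --RamRoleName "$role"
    fi
    printf '%s %s\n' --UserData "$(encode_user_data "$udfile")"
    if needs_vtpm "$itype"; then
        printf '%s %s\n' --SecurityOptions.TrustedSystemMode vTPM
    fi
}

# Dry-run by default: print the command. Set RUN=1 to execute it for real.
run_instances() {
    args=$(build_run_instances_args "$@") || return 1
    # Values contain no whitespace, so word-splitting $args is safe here.
    # shellcheck disable=SC2086
    if [ "${RUN:-0}" = 1 ]; then
        aliyun ecs RunInstances $args
    else
        echo "aliyun ecs RunInstances $(printf '%s' "$args" | tr '\n' ' ')"
    fi
}

# Example invocation with the values from the sample request above,
# run only when the placeholder UserData file is present.
if [ -r trust-agent-userdata.sh ]; then
    run_instances ecs.c6t.large aliyun_2_1903_x64_20G_secured_alibase_20210120.vhd \
        cloud_essd 'vsw-bp134jzf285qg9u6w****' 'sg-bp1c3o8hzd14dovh****' \
        AliyunECSInstanceForYundunSysTrustRole trust-agent-userdata.sh
fi
```

Save the plaintext installation script as trust-agent-userdata.sh, then run the script with RUN=1 to create the instance; without RUN=1 it only prints the command so the parameters can be reviewed first. The rejection cases (a non-trusted instance type, a cloud_ssd system disk, a missing vSwitch) are exactly the conditions under which the API would otherwise fail or silently create a non-security-enhanced instance.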

Precautions on granting permissions to RAM roles

We recommend that you create a custom policy that contains the minimum required permissions and attach the policy to the RAM role. When you grant permissions, you can select the system policy of the trusted service (AliyunSysTrustFullAccess), or select Custom Policy for precise authorization. The following custom policy grants only the permissions that the trusted services require.
Note You can also select a broader system policy such as AdministratorAccess. However, any process on the instance that can reach the instance metadata service can obtain the temporary credentials of the instance RAM role, so every permission that you grant to the role is exposed to the workloads on the instance. We strongly recommend that you grant permissions based on the principle of least privilege. For more information, see What is RAM?
{
    "Statement": [
        {
            "Action": [
                "yundun-systrust:GenerateNonce",
                "yundun-systrust:GenerateAikcert",
                "yundun-systrust:RegisterMessage",
                "yundun-systrust:PutMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}
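The API section above mentions that the RAM role can also be created and granted permissions by calling API operations. The following shell script is an added example, not part of the Alibaba Cloud documentation, of doing that with exactly the policy shown above: it creates a role that only the ECS service can assume, creates the custom policy, attaches it, and refuses to proceed if the policy document is broader than the yundun-systrust actions. It assumes the aliyun CLI is configured with RAM permissions; the names EcsSysTrustMinimalRole and EcsSysTrustMinimalPolicy are placeholders, and policy_is_least_privilege is the example's own textual guard, not a RAM feature.

```sh
#!/bin/sh
# Added example, not Alibaba Cloud's code: create an instance RAM role that
# carries only the four yundun-systrust actions from the custom policy above,
# and refuse any broader policy before it is attached. Assumes the aliyun CLI
# is configured with RAM permissions; the role and policy names are placeholders.

ROLE_NAME=${ROLE_NAME:-EcsSysTrustMinimalRole}
POLICY_NAME=${POLICY_NAME:-EcsSysTrustMinimalPolicy}

# Dry-run by default so the commands can be reviewed; RUN=1 executes them.
run() {
    if [ "${RUN:-0}" = 1 ]; then
        "$@"
    else
        printf 'dry-run:'; printf " '%s'" "$@"; printf '\n'
    fi
}

# Trust policy: only the ECS service may assume the role, which is what lets an
# instance fetch the role's temporary credentials from the metadata service.
trust_policy() {
    cat <<'EOF'
{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":["ecs.aliyuncs.com"]}}],"Version":"1"}
EOF
}

# Permission policy: exactly the actions from the custom policy above.
systrust_policy() {
    cat <<'EOF'
{"Statement":[{"Action":["yundun-systrust:GenerateNonce","yundun-systrust:GenerateAikcert","yundun-systrust:RegisterMessage","yundun-systrust:PutMessage"],"Resource":"*","Effect":"Allow"}],"Version":"1"}
EOF
}

# Guard for the least-privilege note above: returns 1 if the policy document
# grants a bare "*" action, a "service:*" wildcard, or any action outside the
# yundun-systrust namespace. Whitespace is stripped first so formatting does
# not matter; this is a textual check, not a full JSON parse.
policy_is_least_privilege() {
    doc=$(printf '%s' "$1" | tr -d ' \n\t')
    case "$doc" in
        *'"Action":"*"'*|*'"Action":["*"'*|*':*"'*) return 1 ;;
    esac
    bad=$(printf '%s' "$doc" |
          grep -o '"[a-z-][a-z-]*:[A-Za-z][A-Za-z]*"' |
          grep -vc '^"yundun-systrust:' || true)
    [ "${bad:-0}" -eq 0 ]
}

# Create the role, create the custom policy, and bind them.
create_trusted_role() {
    perm=$(systrust_policy)
    policy_is_least_privilege "$perm" ||
        { echo "refusing to attach an over-broad policy to $ROLE_NAME" >&2; return 1; }
    run aliyun ram CreateRole --RoleName "$ROLE_NAME" \
        --AssumeRolePolicyDocument "$(trust_policy)" || return 1
    run aliyun ram CreatePolicy --PolicyName "$POLICY_NAME" \
        --PolicyDocument "$perm" || return 1
    run aliyun ram AttachPolicyToRole --PolicyType Custom \
        --PolicyName "$POLICY_NAME" --RoleName "$ROLE_NAME"
}

# Bind the role to an existing instance, the alternative to passing
# RamRoleName at creation time. InstanceIds is a JSON array string.
attach_role_to_instance() {
    run aliyun ecs AttachInstanceRamRole --RegionId "${REGION_ID:-cn-hangzhou}" \
        --InstanceIds "[\"$1\"]" --RamRoleName "$ROLE_NAME"
}
```

Run create_trusted_role once per account, then pass the role name as RamRoleName when you call RunInstances, or call attach_role_to_instance with the instance ID for an instance that was created without a role. The guard deliberately rejects service-level wildcards such as ecs:* as well as AdministratorAccess-style "*" grants, because either would give every process on the instance far more than the four attestation-reporting actions it needs.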

Script for installing the Alibaba Cloud trusted system

#!/bin/sh
# Installs the Alibaba Cloud trusted system agent. The script is passed as
# UserData, so it runs as root when the instance starts for the first time.
CURPATH=`pwd`
SCRIPT_PATH="/download/linux/script/TrustAgentInstall.sh"
# The region is read from the instance metadata service (link-local address,
# reachable only from inside the instance) to select the region-local bucket.
REGION_ID=`curl -s --retry 1 --max-time 3 http://100.100.100.200/latest/meta-data/region-id`
# Download sites, tried in order: the VPC-internal OSS endpoint, the public
# OSS endpoint, and an internal fallback bucket.
UPDATE_SITE1=http://trustclient-${REGION_ID}.oss-${REGION_ID}-internal.aliyuncs.com
UPDATE_SITE2=http://trustclient-${REGION_ID}.oss-${REGION_ID}.aliyuncs.com
UPDATE_SITE3=http://t-trustclient-${REGION_ID}.oss-${REGION_ID}-internal.aliyuncs.com
MSG_INFO="downloading install script from site"
MSG_ERR="download file error."
MSG_OK="trust client init done."

# Downloads the installer from each site in turn and pipes it into sh. Returns
# the number of the site that succeeded (1, 2 or 3); if all three fail, the
# error is printed to stderr and the whole script exits with status 1.
# The transfer is plain HTTP with no checksum, so the installer is trusted
# solely because of the Alibaba Cloud OSS endpoints it comes from.
install()
{
  echo "${MSG_INFO}"" 1..."
  curl -fsSL "${UPDATE_SITE1}""${SCRIPT_PATH}"|sh
  if [ $? = 0 ]; then
    return 1
  fi
  echo "${MSG_INFO}"" 2..."
  curl -fsSL "${UPDATE_SITE2}""${SCRIPT_PATH}"|sh
  if [ $? = 0 ]; then
    return 2
  fi
  echo "${MSG_INFO}"" 3..."
  curl -fsSL "${UPDATE_SITE3}""${SCRIPT_PATH}"|sh
  if [ $? = 0 ]; then
    return 3
  fi
  echo "${MSG_ERR}" 1>&2
  exit 1
}

install
echo "${MSG_OK}"

exit 0