All Products
Search
Document Center

Elastic Compute Service:Using Bastionhost to meet MLPS 2.0 requirements

Last Updated:Jun 21, 2026

Use Bastionhost to establish a unified O&M entry point, enforce fine-grained permission controls, and conduct end-to-end operation audits. This approach helps you secure your ECS instances and meet the core requirements for identity authentication, access control, and operation audits under MLPS 2.0 Level 3.

Security risks

Traditional O&M methods, such as allowing personnel to directly access servers from the internet or office networks using SSH or RDP, create several risks that are difficult to control:

  1. Unidentified users and privilege abuse: Using local or shared server accounts, such as root or Administrator, makes it impossible to trace actions back to a specific operator. If credentials for a high-privilege account are compromised, an attacker can gain unrestricted access and perform malicious actions, leaving you unable to identify the culprit.

  2. Operational blind spots: Without dedicated auditing tools, actions performed directly on a server are often not fully recorded. In the event of a security incident, the lack of detailed operation logs or session recordings makes it impossible to determine accountability, analyze the attack path, or assess the extent of the damage.

  3. Disorganized credential management and leakage risk: Managing hundreds or thousands of servers often requires operators to remember numerous passwords and keys. This can lead to insecure practices like using weak or reused passwords, or storing credentials in unsafe locations, significantly increasing the risk of credential leakage.

  4. A breeding ground for lateral movement: If an attacker compromises a jump server or an operator's PC and gains direct access to a server, they can use that server as a foothold to move laterally within your internal network, potentially compromising more critical systems.

  5. Sensitive data leakage: Uncontrolled O&M channels allow operators or attackers to easily download sensitive data through file transfers or database exports, leading to data breaches.

Best practices

Use Bastionhost to centrally manage your ECS instance assets, and use a security group to restrict system access to connections originating from Bastionhost. This allows you to centrally manage O&M accounts and permissions and audit all operations.

  1. Plan and deploy Bastionhost

    Go to the Bastionhost purchase page, select a suitable specification, and then enable the instance on the Bastionhost console. For detailed instructions, see Purchase and log on to a Bastionhost instance.

  2. Deny-by-default network access policy

    Enforce a network-level rule to route all O&M traffic through Bastionhost.

    • Create a dedicated security group: Create or plan a security group for your ECS instances. By default, its inbound rules should deny all external access, especially for the SSH (port 22) and RDP (port 3389) ports.

    • Configure exception rules to allow access: In the security group, add an inbound rule that allows traffic only from your Bastionhost egress IP address to the O&M ports of the target ECS instances, such as 22 or 3389.

      • Example rule:

        • Action: Allow

        • Priority: 1 (Highest)

        • Protocol: TCP

        • Source: Enter the Bastionhost egress IP address. For example, 47.100.XX.XX/32.

        • Destination: 22/22 (SSH) or 3389/3389 (RDP)

      The security group allows only 47.100.XX.XX/32 (the Bastionhost egress IP address) to access port 22 of the servers in the group.

  3. Centrally manage assets and identities

    • Import assets: In the Bastionhost console, you can import assets that you need to manage, such as ECS instances, databases, and applications, for unified management. For details

      For more information, see Create a new host.

    • Integrate identity sources:

      • Create Bastionhost users to log on to Bastionhost and perform operations on assets. For more information, see Manage users.

      • For enterprises with an established identity authentication system, we recommend integrating Bastionhost with your existing identity source, such as RAM users, AD/LDAP, or connecting to services like DingTalk and WeCom through an Identity as a Service (IDaaS) solution to enable unified identity management. See Identity authentication best practices.

  4. Configure access control policies

    • User and asset authorization: Follow the principle of least privilege. Grant each Bastionhost user access to only the assets they need. For example, developers can only access servers in the development environment, and database administrators can only access database servers. See Grant permissions on assets and asset accounts to a user.

    • Configure fine-grained control policies: Use the control policy feature in Bastionhost for more granular control. You can restrict specific users from executing high-risk commands (such as rm -rf), set limits on the type and size of file transfers, and enable dual-person approval for sensitive operations. See Configure a control policy.