Elastic Compute Service: Create a trusted instance

Last Updated: Nov 08, 2023

When you create a trusted instance, you must use Alibaba Cloud Trusted System and enable specific permissions for the trusted instance to report trust information to Alibaba Cloud Security Center. This topic describes how to create a trusted Elastic Compute Service (ECS) instance that uses Alibaba Cloud Trusted System.

Create a trusted instance

Create a trusted instance in the ECS console

In the ECS console, you create a trusted instance in much the same way as a regular instance, but a few settings are specific to trusted instances. This section focuses on those trusted instance-specific settings on the instance buy page. For information about the general settings on the instance buy page, see Create an instance by using the wizard.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. Click Create Instance.

  4. Configure the settings in the Basic Configurations step.

    Take note of the following parameters:

    • Instance Type: Select an instance type that supports the virtual Trusted Platform Module (vTPM) feature. For information about instance families that support vTPM, see the Instance families that support trusted computing capabilities section of the "Overview" topic.

    • Image:

      1. Select an image version that is supported by the selected instance family.

      2. (Optional) Select Trusted System.

        Note

        If you select Trusted System when you create an instance, Alibaba Cloud Trusted System is enabled for the instance. Alibaba Cloud Trusted System performs trust verification on the instance when the instance starts. If you want to use a self-managed trusted service system, do not select Trusted System.

  5. Click Next to go to the Networking step. If the Activate KMS dialog box appears, click Activate.

    Make sure that Key Management Service (KMS) is activated when you create a trusted instance. Otherwise, the instance cannot be created. If KMS is already activated, the dialog box does not appear. Proceed with the Networking step.

  6. (Required) Click Next to go to the System Configurations step.

    If Trusted System is selected, you must specify a Resource Access Management (RAM) role for the instance. The RAM role must have access to Alibaba Cloud Trusted System. Alibaba Cloud provides the AliyunECSInstanceForYundunSysTrustRole service-linked role. We recommend that you configure and select this role by performing the following steps.

    Note

    You can also create a role and grant it permissions based on your needs. For information about the precautions on creating RAM roles, see the "Precautions on granting permissions to RAM roles" section of this topic.

    1. Click Authorize.

    2. In the Cloud Resource Access Authorization dialog box, click Authorize.

    3. On the page that appears, click Confirm Authorization Policy.

    4. Click Authorized.

    5. Select AliyunECSInstanceForYundunSysTrustRole as the RAM role.

    Note

    You can also skip the authorization step and grant permissions after the instance is created. For more information, see Attach an instance RAM role to an ECS instance.

  7. Follow the on-screen instructions to create the instance.

Create a trusted instance by calling an API operation

When you call an API operation to create a trusted instance, take note of the following items:

  • Make sure that KMS is activated. Otherwise, the instance cannot be created. For more information, see Purchase a dedicated KMS instance.

  • If you want to use Alibaba Cloud Trusted System, you must specify a RAM role that has access to Alibaba Cloud Trusted System for the trusted instance. This way, the trusted instance reports trust information to Alibaba Cloud Security Center on startup. For more information, see Attach an instance RAM role to an ECS instance. For information about the precautions on creating RAM roles, see the "Precautions on granting permissions to RAM roles" section of this topic.

    Note

    If you want to use a self-managed trusted service system, you do not need to specify a RAM role for the instance.

You can call the RunInstances or CreateInstance operation to create an instance. The following list describes the parameters that you must take note of, with an example value for each.

  • InstanceType

    Description: The instance type. Select an instance type that supports vTPM. For information about instance families that support vTPM, see the Instance families that support trusted computing capabilities section of the "Overview" topic.

    Example: ecs.c6t.large

  • ImageId

    Description: The ID of the image. You can call the DescribeImages operation to query image IDs.

    Example: aliyun_2_1903_x64_20G_secured_alibase_20210120.vhd

  • SystemDisk.Category

    Description: The category of the system disk. Only enhanced SSDs (ESSDs) can be used as system disks on trusted instances.

    Example: cloud_essd

  • VSwitchId

    Description: The ID of the vSwitch. This parameter is required because all trusted instances reside in virtual private clouds (VPCs).

    Example: vsw-bp134jzf285qg9u6w****

  • RamRoleName

    Description: The name of the instance RAM role. You can also call the AttachInstanceRamRole operation to attach an instance RAM role to the instance after the instance is created.

    Example: AliyunECSInstanceForYundunSysTrustRole

  • UserData

    Description: The installation script used to install Alibaba Cloud Trusted System, encoded in Base64. For the plaintext content of the script before it is Base64-encoded, see the "Script used to install Alibaba Cloud Trusted System" section of this topic.

    Example: 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

  • SecurityOptions.TrustedSystemMode

    Description: The trusted system mode. When you call the RunInstances operation to create a trusted instance, you must set SecurityOptions.TrustedSystemMode to vTPM if the instance type that you specify for InstanceType belongs to the g7t, c7t, or r7t instance family.

    Note: You can call only the RunInstances operation to create a trusted instance. If you call the CreateInstance operation, you cannot specify the SecurityOptions.TrustedSystemMode parameter.

    Example: vTPM

Sample request:

https://ecs.aliyuncs.com/?Action=RunInstances
&RegionId=cn-hangzhou
&InstanceType=ecs.c6t.large
&ImageId=aliyun_2_1903_x64_20G_secured_alibase_20210120.vhd
&SystemDisk.Category=cloud_essd
&VSwitchId=vsw-bp134jzf285qg9u6w****
&SecurityGroupId=sg-bp1c3o8hzd14dovh****
&RamRoleName=AliyunECSInstanceForYundunSysTrustRole
&UserData=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
&<Common request parameters>

Sample success responses

  • XML format

    <RunInstancesResponse>
          <RequestId>04F0F334-1335-436C-A1D7-6C044FE73368</RequestId>
          <InstanceIdSets>
                <InstanceIdSet>i-bp16byi4f3fti5b3****</InstanceIdSet>
          </InstanceIdSets>
    </RunInstancesResponse>
  • JSON format

    {
        "RequestId": "BB694A51-7860-4B5C-B906-9B4077798672",
        "InstanceIdSets": {
            "InstanceIdSet": [
                "i-bp16byi4f3fti5b3****"
            ]
        }
    }
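The following is an added example, not Alibaba Cloud SDK code or part of the original topic. It assembles the RunInstances parameters listed above, enforces the constraints the list states (vTPM-capable family, ESSD system disk, VPC vSwitch, vTPM mode for the g7t/c7t/r7t families) and Base64-encodes the UserData script; the set of vTPM-capable families is an assumption taken from the families named on this page, and request signing and other common request parameters are omitted as in the sample request.

```python
import base64
from urllib.parse import urlencode

# vTPM-capable families named on this page (assumption: extend from the Overview topic).
VTPM_FAMILIES = {"c6t", "g7t", "c7t", "r7t"}
# Families for which RunInstances requires SecurityOptions.TrustedSystemMode=vTPM.
FAMILIES_REQUIRING_MODE = {"g7t", "c7t", "r7t"}
TRUSTED_ROLE = "AliyunECSInstanceForYundunSysTrustRole"

def instance_family(instance_type):
    """Extract the family from an instance type: 'ecs.c6t.large' -> 'c6t'."""
    parts = instance_type.split(".")
    if len(parts) != 3 or parts[0] != "ecs":
        raise ValueError(f"unexpected instance type format: {instance_type}")
    return parts[1]

def build_run_instances_params(region_id, instance_type, image_id, vswitch_id,
                               security_group_id, user_data_script,
                               ram_role_name=TRUSTED_ROLE, system_disk_category="cloud_essd"):
    """Return RunInstances parameters, enforcing the constraints from the parameter list."""
    family = instance_family(instance_type)
    if family not in VTPM_FAMILIES:
        raise ValueError(f"{instance_type} is not in a vTPM-capable instance family")
    if system_disk_category != "cloud_essd":
        raise ValueError("trusted instances require an ESSD (cloud_essd) system disk")
    if not vswitch_id.startswith("vsw-"):
        raise ValueError("VSwitchId is required: trusted instances must reside in a VPC")
    params = {
        "Action": "RunInstances",
        "RegionId": region_id,
        "InstanceType": instance_type,
        "ImageId": image_id,
        "SystemDisk.Category": system_disk_category,
        "VSwitchId": vswitch_id,
        "SecurityGroupId": security_group_id,
        "RamRoleName": ram_role_name,
        # UserData carries the Trusted System installer script and must be Base64-encoded.
        "UserData": base64.b64encode(user_data_script.encode()).decode(),
    }
    if family in FAMILIES_REQUIRING_MODE:
        params["SecurityOptions.TrustedSystemMode"] = "vTPM"
    return params

def decode_user_data(params):
    """Recover the plaintext installer script from the Base64 UserData value."""
    return base64.b64decode(params["UserData"]).decode()

def request_url(params):
    """Form the request as in the sample above; common request parameters are omitted."""
    return "https://ecs.aliyuncs.com/?" + urlencode(params)
```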

Precautions on granting permissions to RAM roles

We recommend that you create a custom policy that includes only the minimum required permissions and attach the policy to the RAM role. You can set the permission type to System Policy (AliyunSysTrustFullAccess) for Alibaba Cloud Trusted System, or set the permission type to Custom Policy for precise authorization. The following code snippet shows the custom policy that grants access to Alibaba Cloud Trusted System.

Note

You can select a system policy such as AdministratorAccess that grants more permissions. However, granting too many permissions to RAM roles may cause security risks. We recommend that you grant permissions based on the principle of least privilege. For more information, see What is RAM?

{
    "Statement": [
        {
            "Action": [
                "yundun-systrust:GenerateNonce",
                "yundun-systrust:GenerateAikcert",
                "yundun-systrust:RegisterMessage",
                "yundun-systrust:PutMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}
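As an added check, not part of the original topic or of RAM itself, the following Python audits a policy document attached to the instance RAM role: it verifies that the four yundun-systrust actions above are granted and flags wildcard or unrelated actions that exceed what Trusted System needs. The broad sample policy is constructed here to stand in for an AdministratorAccess-style grant.

```python
import json
from fnmatch import fnmatchcase

# The four actions the least-privilege policy above grants to the instance RAM role.
REQUIRED_ACTIONS = {
    "yundun-systrust:GenerateNonce",
    "yundun-systrust:GenerateAikcert",
    "yundun-systrust:RegisterMessage",
    "yundun-systrust:PutMessage",
}

def allowed_actions(policy):
    """Collect Action patterns from Allow statements (Action may be a string or a list)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions

def audit_policy(policy_json):
    """Return findings; an empty list means the policy grants exactly the required actions."""
    actions = allowed_actions(json.loads(policy_json))
    findings = []
    for required in sorted(REQUIRED_ACTIONS):
        # A wildcard pattern such as "*" or "yundun-systrust:*" also covers a required action.
        if not any(fnmatchcase(required, pattern) for pattern in actions):
            findings.append(f"missing required action: {required}")
    for pattern in sorted(actions):
        if "*" in pattern:
            findings.append(f"wildcard grant exceeds least privilege: {pattern}")
        elif pattern not in REQUIRED_ACTIONS:
            findings.append(f"action not needed by Trusted System: {pattern}")
    return findings

# Constructed samples: the policy from this topic versus an AdministratorAccess-style grant.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Statement": [{"Action": sorted(REQUIRED_ACTIONS), "Resource": "*", "Effect": "Allow"}],
    "Version": "1",
})
BROAD_POLICY = json.dumps({
    "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}],
    "Version": "1",
})

if __name__ == "__main__":
    for name, doc in (("least-privilege", LEAST_PRIVILEGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc) or "OK")
```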

Script used to install Alibaba Cloud Trusted System

#!/bin/sh
# Bootstrap installer for Alibaba Cloud Trusted System: resolve the region from the
# instance metadata service, then fetch and run TrustAgentInstall.sh from the first
# reachable download site (internal OSS endpoint first, public endpoint second).
CURPATH=$(pwd)
SCRIPT_PATH="/download/linux/script/TrustAgentInstall.sh"
REGION_ID=$(curl -s --retry 1 --max-time 3 http://100.100.100.200/latest/meta-data/region-id)
UPDATE_SITE1=http://trustclient-${REGION_ID}.oss-${REGION_ID}-internal.aliyuncs.com
UPDATE_SITE2=http://trustclient-${REGION_ID}.oss-${REGION_ID}.aliyuncs.com
UPDATE_SITE3=http://t-trustclient-${REGION_ID}.oss-${REGION_ID}-internal.aliyuncs.com
MSG_INFO="downloading install script from site"
MSG_ERR="download file error."
MSG_OK="trust client init done."

# Without a region ID the download URLs are malformed, so stop early.
if [ -z "${REGION_ID}" ]; then
    echo "${MSG_ERR}" 1>&2
    exit 1
fi

# Try each site in turn; the return value is the index of the site that succeeded.
install()
{
    echo "${MSG_INFO} 1..."
    if curl -fsSL "${UPDATE_SITE1}${SCRIPT_PATH}" | sh; then
        return 1
    fi
    echo "${MSG_INFO} 2..."
    if curl -fsSL "${UPDATE_SITE2}${SCRIPT_PATH}" | sh; then
        return 2
    fi
    echo "${MSG_INFO} 3..."
    if curl -fsSL "${UPDATE_SITE3}${SCRIPT_PATH}" | sh; then
        return 3
    fi
    # All sites failed: report the error and exit with a non-zero status.
    echo "${MSG_ERR}" 1>&2
    exit 1
}

install
echo "${MSG_OK}"

exit 0