When you create a security-enhanced Elastic Compute Service (ECS) instance, you must select a specific operating system. When you use the Alibaba Cloud trusted system, you must also obtain the corresponding permissions so that the security-enhanced instance can report the trusted information to Alibaba Cloud Security Center when the instance starts. This topic describes how to create a security-enhanced instance.
Create a security-enhanced instance in the ECS console
The procedure for creating a security-enhanced instance in the ECS console is similar to that for creating a non-security-enhanced instance. However, you must pay attention to specific options when you create a security-enhanced instance. This procedure describes the specific configurations to make when you create a security-enhanced instance. For information about other general configurations, see Create an instance by using the wizard.
- Activate Key Management Service (KMS). After KMS is activated, a service key is automatically created. You do not need to pay for this key.
- Create a RAM role and grant permissions to this role. Alibaba Cloud provides you with system policies for trusted services. Follow the steps in the wizard to complete the settings when you create an instance.
Create a security-enhanced instance by calling an API operation
- KMS must be activated. Otherwise, the security-enhanced instance cannot be created. For more information, see Purchase a dedicated KMS instance.
- When you use the Alibaba Cloud trusted system, you must specify a RAM role for the security-enhanced instance to be created, and this role must be granted permissions to access the trusted services. This way, the security-enhanced instance reports the trusted information to Alibaba Cloud Security Center when the instance starts. You can call an API operation to create a RAM role and grant permissions to this role. For more information, see Use an instance RAM role by calling API operations. When you create a RAM role, you must take some precautions. For more information, see Precautions on granting permissions to RAM roles.
Note: If you use a self-managed trusted service system, you do not need to specify the RAM role.
The following table describes the parameters that are specific to security-enhanced instances when you call the RunInstances operation.
Parameter | Description | Example |
---|---|---|
InstanceType | The instance type of the security-enhanced instance. The instance type must belong to one of the security-enhanced instance families that ECS provides. | ecs.c6t.large |
ImageId | The ID of the image that is used to create the security-enhanced instance. You can call the DescribeImages operation to query image IDs. | aliyun_2_1903_x64_20G_secured_alibase_20210120.vhd |
SystemDisk.Category | The category of the system disk to attach to the security-enhanced instance. Only enhanced SSDs (ESSDs) can be used. | cloud_essd |
VSwitchId | The ID of the vSwitch of the security-enhanced instance. This parameter is required because all security-enhanced instances reside in virtual private clouds (VPCs). | vsw-bp134jzf285qg9u6w**** |
RamRoleName | The name of the RAM role. You can also call the AttachInstanceRamRole operation to attach a RAM role to the instance after the instance is created. | AliyunECSInstanceForYundunSysTrustRole |
UserData | The installation script used to install the Alibaba Cloud trusted system, which must be encoded in Base64. For the plaintext script before it is encoded in Base64, see Script for installing the Alibaba Cloud trusted system. | |
SecurityOptions.TrustedSystemMode | The trusted system mode. When you call the RunInstances operation to create a security-enhanced instance, you must set the SecurityOptions.TrustedSystemMode parameter to vTPM if you set InstanceType to g7t, c7t, or r7t. Note: You can call only the RunInstances operation to create an instance in trusted system mode. If you call the CreateInstance operation, you cannot set the trusted system mode parameter (SecurityOptions.TrustedSystemMode). | vTPM |
Sample request:
https://ecs.aliyuncs.com/?Action=RunInstances
&RegionId=cn-hangzhou
&InstanceType=ecs.c6t.large
&ImageId=aliyun_2_1903_x64_20G_secured_alibase_20210120.vhd
&SystemDisk.Category=cloud_essd
&VSwitchId=vsw-bp134jzf285qg9u6w****
&SecurityGroupId=sg-bp1c3o8hzd14dovh****
&RamRoleName=AliyunECSInstanceForYundunSysTrustRole
&UserData=<Base64-encoded installation script>
&<Common request parameters>
Sample responses:
- XML format
<RunInstancesResponse>
    <RequestId>04F0F334-1335-436C-A1D7-6C044FE73368</RequestId>
    <InstanceIdSets>
        <InstanceIdSet>i-bp16byi4f3fti5b3****</InstanceIdSet>
    </InstanceIdSets>
</RunInstancesResponse>
- JSON format
{
    "RequestId": "BB694A51-7860-4B5C-B906-9B4077798672",
    "InstanceIdSets": {
        "InstanceIdSet": [
            "i-bp16byi4f3fti5b3****"
        ]
    }
}
Precautions on granting permissions to RAM roles
The RAM role of the security-enhanced instance must be granted the following permissions so that the instance can access the trusted services. The policy grants only the yundun-systrust actions that the trusted system needs; do not grant the role broader permissions than these.
{
    "Statement": [
        {
            "Action": [
                "yundun-systrust:GenerateNonce",
                "yundun-systrust:GenerateAikcert",
                "yundun-systrust:RegisterMessage",
                "yundun-systrust:PutMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}
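The following Python is an added example, not code from this topic or from Alibaba Cloud, that ties together the RunInstances parameter rules from the table above and the RAM policy precautions: it assembles the request parameters (ESSD system disk, required vSwitch, Base64-encoded UserData, vTPM mode for the g7t, c7t and r7t families) and checks that a policy document actually grants the four yundun-systrust actions. The function names and the sample resource IDs are assumptions for illustration.

```python
import base64
import json

# Actions the system policy above grants to the instance RAM role.
REQUIRED_TRUST_ACTIONS = {
    "yundun-systrust:GenerateNonce",
    "yundun-systrust:GenerateAikcert",
    "yundun-systrust:RegisterMessage",
    "yundun-systrust:PutMessage",
}
# Instance families for which SecurityOptions.TrustedSystemMode must be vTPM.
VTPM_FAMILIES = {"g7t", "c7t", "r7t"}


def missing_trust_actions(policy_json):
    """Return the required yundun-systrust actions that no Allow statement covers."""
    allowed = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "*" in actions or "yundun-systrust:*" in actions:
            return set()  # a wildcard covers everything required (and far more)
        allowed.update(actions)
    return REQUIRED_TRUST_ACTIONS - allowed


def build_run_instances_params(region_id, instance_type, image_id, vswitch_id,
                               security_group_id, ram_role_name, user_data_script):
    """Assemble RunInstances parameters that satisfy the constraints in the table."""
    if not vswitch_id:
        raise ValueError("VSwitchId is required: security-enhanced instances reside in VPCs")
    family = instance_type.split(".")[1]  # "ecs.g7t.large" -> "g7t"
    params = {
        "Action": "RunInstances",  # CreateInstance cannot set the trusted system mode
        "RegionId": region_id,
        "InstanceType": instance_type,
        "ImageId": image_id,
        "SystemDisk.Category": "cloud_essd",  # only ESSDs can be used
        "VSwitchId": vswitch_id,
        "SecurityGroupId": security_group_id,
        "RamRoleName": ram_role_name,
        # UserData carries the installation script and must be Base64-encoded.
        "UserData": base64.b64encode(user_data_script.encode()).decode(),
    }
    if family in VTPM_FAMILIES:
        params["SecurityOptions.TrustedSystemMode"] = "vTPM"
    return params
```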
Script for installing the Alibaba Cloud trusted system
#!/bin/sh
# Installs the Alibaba Cloud trusted system client. Pass this script to the
# instance as Base64-encoded UserData.
CURPATH=`pwd`
SCRIPT_PATH="/download/linux/script/TrustAgentInstall.sh"
# The download sites are region-specific; read the region from the instance metadata service.
REGION_ID=`curl -s --retry 1 --max-time 3 http://100.100.100.200/latest/meta-data/region-id`
if [ -z "${REGION_ID}" ]; then
    echo "cannot read region-id from instance metadata." 1>&2
    exit 1
fi
UPDATE_SITE1=http://trustclient-${REGION_ID}.oss-${REGION_ID}-internal.aliyuncs.com
UPDATE_SITE2=http://trustclient-${REGION_ID}.oss-${REGION_ID}.aliyuncs.com
UPDATE_SITE3=http://t-trustclient-${REGION_ID}.oss-${REGION_ID}-internal.aliyuncs.com
MSG_INFO="downloading install script from site"
MSG_ERR="download file error."
MSG_OK="trust client init done."
# Download the installer from one site and run it only if the download succeeded.
# The download is checked separately because in "curl ... | sh" the exit status
# is that of sh, which is 0 for an empty download, so a failed site would never
# fall through to the next one.
try_site()
{
    SCRIPT=`curl -fsSL "$1${SCRIPT_PATH}"`
    if [ $? -ne 0 ] || [ -z "${SCRIPT}" ]; then
        return 1
    fi
    echo "${SCRIPT}" | sh
}
# Try each site in turn; the return value is the index of the site that worked.
install()
{
    echo "${MSG_INFO} 1..."
    if try_site "${UPDATE_SITE1}"; then
        return 1
    fi
    echo "${MSG_INFO} 2..."
    if try_site "${UPDATE_SITE2}"; then
        return 2
    fi
    echo "${MSG_INFO} 3..."
    if try_site "${UPDATE_SITE3}"; then
        return 3
    fi
    echo "${MSG_ERR}" 1>&2
    exit 1
}
install
echo "${MSG_OK}"
exit 0