NHN Bastion allows you to control access to instances on NHN Cloud. This document describes how to create an NHN Bastion in the NHN Cloud console, connect it to the instances you need access to, and manage users and their policies, resources, and history.
[Note]
* The first web terminal created can't change or delete its specs until the service is deactivated.
* You can only connect a floating IP to a VPC that has an Internet gateway connected.
* The web terminal must be allowed SSH communication with the access target (for example, via the target's Security Groups) in order to reach it.
In Manage Policies, users only see a list of instances they are allowed to access, and they can access the instances they are allowed to access.
[Caution]
* You need to select a web terminal that can communicate with your instance over SSH.
* Password authentication requires the operating system to have password access enabled.
* Temporary SSH key authentication only works through the web terminal from which you copied the script.
You can view a list of users authorized to use the NHN Bastion service and create and manage user groups.
This tab lists the users authorized to use the NHN Bastion service. You can check each user's permissions and when they last accessed an instance.
You can create and manage user groups, and the groups you create can be enrolled as access subjects on the Manage Policies tab.
You can set access control policies and command control policies for instances enrolled in the connection target. Each policy has a priority, and policies are applied in order of highest priority.
[Example]
If the policies are applied as shown in the table below:
* user A can access Instance A; only the shutdown command is unavailable, and other commands are available.
* user A can access Instance B; only the cd command is available, and no other commands.
* user B can access Instance A; only the reboot command is unavailable, and other commands are available.
* user B cannot access Instance B.
| Priority | User | Access Target | Command Policy |
|---|---|---|---|
| #1 | user A | Instance A | [Deny] shutdown |
| #2 | user A | Instance A, Instance B | [Allow] cd |
| #3 | user B | Instance A | [Deny] reboot |
[Caution] The following commands are blocked regardless of whether a command policy is enrolled.
* Commands that could bypass the bastion's controls: SSH, TELNET, SFTP, RCP, SCP, FTP, RSAP, RLOGIN, etc.
You can change the priority of a policy.
1. Change the order of the selected policies to the desired priority, and click Modify.
2. In After Reorder, see a preview of the priorities you modified. The preview shows the policies in first and last order based on the policy you modified.
3. Click Save to change the priority of the policy.
On Manage Resources > Manage Instances tab, you can add instances registered within a project as connection targets. It provides access control policy and command control policy capabilities for registered instances.
[Caution] Changes to create or delete instances can take up to 5 minutes to be reflected.
In Manage Resources > Manage Web Terminals, you can create and manage the web terminal instances that provide the terminal and bastion functions needed to access your instances.
[Caution] You cannot delete the first web terminal created when the service is activated; you must deactivate the service to delete it.
Floating IP
* You can set whether to use a floating IP for the web terminal.
* Customers using the Network Firewall service to DNAT a public IP can enable the Redirection feature and enter the public IP.
* Customers using on-premises DNS can enable the Redirection feature and enter their domain address.
IP Access Control
* You can enter the CIDRs that should be allowed to access the web terminal.
[Note] IP access control is provided on a whitelist basis.
Script
* Provides a script that needs to be run on the target instance to utilize the approach with ephemeral SSH keys.
[Caution]
* The temporary SSH key approach only applies to the selected web terminal, and is not available when accessed through other paths.
* The IP of the instance to access must be added to IP Access Control on the web terminal.
* A port 443 outbound policy for the web terminal IP must be added to the Security Groups of the instance to access.
The Manage Resources > Resource Groups tab lets you create and manage groups of instances that are registered to a connection target.
* + Create Group: You can create a group by adding or deleting instances that are registered with the connection target.
* Copy: You can select a resource group to copy.
* Modify: You can edit the resource group.
* Delete: You can select resource groups to delete them.
You can use the NHN Bastion service to manage the history of accesses to your instance. History is kept for up to 6 months, and if you need to keep it longer than 6 months, you can back it up to Object Storage in Preferences > Manage Logs.
You can see which sessions are connected to your instance in real time, and you can block connections.
You can see the history of how users have accessed your instance, and you can use search criteria and access times to get the history you want.
You can see what commands users have used, and you can use search criteria and access times to look up the history of any command you want.
You can set the session timeout time served by the web terminal when accessing an instance.
[Note] This is a session timeout setting provided by the web terminal, so it works independently of the session timeout set by the operating system.
You can set the maximum number of sessions a user can connect to at the same time.
You can back up logs provided by the NHN Bastion service to your own Object Storage.
[Caution] Object Storage backups in other regions are not supported if the VPC where the web terminal was initially created does not have an Internet gateway.
You can specify the SSH port used to access the instance.
[Note] This is the port used to connect from the web terminal to the instance being accessed; it must match the SSH port configured in the instance's operating system.
Deletes all resources created by the NHN Bastion service.
[Caution] Data created while using the NHN Bastion service and all resources within the service will be deleted, and information cannot be recovered once deleted.
Provides a browser-based web terminal with file upload/download capabilities.
You can launch the file navigator by clicking the right arrow button. The file navigator allows you to upload or download files from the desired path.
[Caution] File transfer is based on the permissions of the operating system account that was initially accessed, and account changes via the su command are not reflected.