NHN Bastion allows you to control access to instances on NHN Cloud. This document describes how to create an NHN Bastion in the NHN Cloud console, connect it to the instances you need access to, and manage users and their policies, resources, and history.
[Note]
* The first web terminal created can't change or delete its specs until the service is deactivated.
* You can only connect a floating IP to a VPC that has an Internet gateway connected.
* The web terminal must be allowed to communicate with the access target over SSH (for example, through Security Groups) in order to access it.
* Log encryption covers the user ID, email, and commands.
[Caution]
* If the Secure Key Manager service rotates the symmetric key you set up for log encryption, be careful not to immediately delete the old version of the key.
* If you delete the symmetric key that you set for log encryption in the Secure Key Manager service, the encrypted logs cannot be decrypted. Manage the symmetric key carefully to avoid accidentally deleting it.
In Manage Policies, users only see a list of instances they are allowed to access, and they can access the instances they are allowed to access.
[Caution]
* You need to select a web terminal that can communicate with your instance over SSH.
* Password authentication requires the operating system to enable password access.
* Temporary SSH key authentication is only accessible through the web terminal from which you copied the script.
You can view a list of users authorized to use the NHN Bastion service and create and manage user groups.
A list of users authorized to use the NHN Bastion service. You can check the user's permissions and when they last accessed the instance.
You can create and manage user groups, and the groups you create can be enrolled as access subjects on the Manage Policies tab.
You can set access control policies and command control policies for instances enrolled in the connection target. Each policy has a priority, and policies are applied in order of highest priority.
[Example]
If the policies in the table below are applied:
* user A can access Instance A; only the shutdown command is unavailable, other commands are available
* user A can access Instance B; only the cd command is available, no other commands
* user B can access Instance A; only the reboot command is unavailable, other commands are available
* user B cannot access Instance B

| Priority | User | Access Target | Command Policy |
|---|---|---|---|
| #1 | user A | Instance A | [Deny] shutdown |
| #2 | user A | Instance A, Instance B | [Allow] cd |
| #3 | user B | Instance A | [Deny] reboot |
[Caution] The following commands are blocked regardless of whether a command policy is enrolled.
* Bypass blocking commands: SSH, TELNET, SFTP, RCP, SCP, FTP, RSAP, RLOGIN, etc.
You can change the priority of a policy.
1. Change the order of the selected policies to the desired priority, and click Modify.
2. In After Reorder, see a preview of the priorities you modified. The preview shows the policies in first and last order based on the policy you modified.
3. Click Save to change the priority of the policy.
You can register policies in bulk using the provided templates, and you can download and back up created policies.
* Batch Register: Provides policy uploads in bulk using templates
* Batch Download of Policies: Provides a download of a list of currently applied policies
On Manage Resources > Manage Instances tab, you can add instances registered within a project as connection targets. It provides access control policy and command control policy capabilities for registered instances.
Delete All: You can delete all registered instances from the connection target.
Connection Settings
External Resources
Registration: You can manually register servers in legacy environments, instances from other projects, and more.
Batch Register: You can register external resources in bulk using templates.
[Caution] For registered external resources, SSH communication is attempted from the web terminal based on IP. You can use the service only in an environment where communication from the web terminal to the destination server is possible.
[Caution] Changes to create or delete instances can take up to 5 minutes to be reflected.
In Manage Resources > Manage Web Terminals, you can create and manage the web terminal instances that provide the terminals needed to access the instance.
[Caution] You cannot delete the first web terminal created when the service is activated; you must deactivate the service to delete it.
Floating IP
* You can set whether to use a floating IP for the web terminal.
* If a customer using the Network Firewall service uses the DNAT feature to assign a public IP to the web terminal, you can enable the redirection feature to enter the public IP of the web terminal.
* Customers using on-premises DNS can enable the redirect feature to enter the domain address of the web terminal.
IP access control
* You can enter a CIDR that requires access to the web terminal.
[Note] IP access control is provided on a whitelist basis.
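Because the control is whitelist-based, an address that matches no entry is denied, and a single catch-all entry such as 0.0.0.0/0 disables the control entirely. The following added example (written for this guide, not NHN Bastion's own implementation) shows the check with Python's standard `ipaddress` module: it parses a constructed list of CIDR entries, reports malformed entries instead of silently ignoring them, evaluates a source address against the list, and flags catch-all entries so an operator can spot them before applying the list.

```python
import ipaddress


def parse_whitelist(entries):
    """Parse CIDR strings into network objects.

    Returns (networks, rejected). A malformed entry is reported rather than
    dropped silently, so a typo never quietly changes what is reachable.
    """
    networks, rejected = [], []
    for raw in entries:
        text = raw.strip()
        try:
            # strict=False accepts "10.0.0.5/24" and normalises it to 10.0.0.0/24
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            rejected.append(text)
    return networks, rejected


def is_allowed(source_ip, networks):
    """Whitelist semantics: permitted only if some entry contains the address; default deny."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def catch_all_entries(networks):
    """Entries with a /0 prefix (0.0.0.0/0, ::/0) match every address and turn the whitelist off."""
    return [str(net) for net in networks if net.prefixlen == 0]


# Constructed sample list: two office ranges, one single host, one IPv6 range, one typo.
SAMPLE_WHITELIST = ["203.0.113.0/24", "198.51.100.7/32", "2001:db8::/32", "not-a-cidr"]


if __name__ == "__main__":
    nets, bad = parse_whitelist(SAMPLE_WHITELIST)
    print("rejected entries:", bad)
    print("catch-all entries:", catch_all_entries(nets))
    for ip in ["203.0.113.20", "203.0.114.1", "198.51.100.7", "2001:db8:1::1"]:
        print(ip, "->", "allow" if is_allowed(ip, nets) else "deny")
```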
Update Static Routing
Apply the static routing policy applied to the subnet to the web terminal.
Script
* Provides a script that needs to be run on the target instance to utilize the approach with ephemeral SSH keys.
[Caution]
* The temporary SSH key approach only applies to the selected web terminal, and is not available when accessed through other paths.
* The instance IP to access must be added to IP Access Control on the web terminal.
* A port 443 outbound policy must be added for the web terminal IP in the Security Groups of the instance to access.
The Manage Resources > Resource Groups tab lets you create and manage groups of instances that are registered to a connection target.
* + Create Group: You can create a group by adding or deleting instances that are registered with the connection target.
* Copy: You can select a group of resources to copy.
* Modify: You can edit the resource group.
* Delete: You can select a group of resources to delete them.
You can use the NHN Bastion service to manage the history of accesses to your instance. You can set the log retrieval period up to one week. History is kept for up to 6 months, and if you need to keep it longer than 6 months, you can back it up to Object Storage in Preferences > Manage Logs.
You can see which sessions are connected to your instance in real time, and you can block connections.
You can see the history of how users have accessed your instance, and you can use search criteria and access times to get the history you want.
You can see what commands users have used, and you can use search criteria and access times to look up the history of any command you want.
You can see the history of users uploading/downloading files to your instance, and you can use search criteria and access times to get the history you want.
You can set the session timeout time served by the web terminal when accessing an instance.
[Note] This is a session timeout setting provided by the web terminal, so it works independently of the session timeout set by the operating system.
You can set the maximum number of sessions a user can connect to at the same time.
You can back up logs provided by the NHN Bastion service to your own Object Storage.
[Note] When log encryption is enabled, logs are decrypted and backed up to Object Storage. Logs are backed up to Object Storage from the time you set up the backup. Previously saved logs are not backed up.
[Caution] Object Storage backups in other regions are not supported if the VPC where the web terminal was initially created does not have an Internet gateway.
You can specify the SSH port used to access the instance.
[Note] This is the port used to connect from the web terminal to the instance being accessed; it must match the SSH port configured in the instance's operating system.
You can see whether encryption is enabled and the applied symmetric key ID. If you performed key rotation in Secure Key Manager, you can update an older version of the key to the latest version via the Rotate key button.
[Caution] If you do not update the key in the NHN Bastion service after performing key rotation in Secure Key Manager, an error might occur in the log inquiry.
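The cautions here and at the top of the page (rotate the key but do not immediately delete the old version; a deleted key version makes its logs undecryptable) come down to one fact: every encrypted log record is tied to the key version that encrypted it. The following added example models that bookkeeping for this guide; it is not Secure Key Manager's or NHN Bastion's code. `KeyRing` is a constructed stand-in for a key manager with versioned rotation, the keystream is a SHA-256 counter construction used only to keep the example dependency-free (a real deployment uses the service's symmetric cipher), and the log records are constructed samples of the fields the page says are encrypted (user ID, email, commands).

```python
import hashlib
import hmac
import json
import os


class KeyRing:
    """Constructed model of a key manager: numbered key versions, a current version, rotation."""

    def __init__(self):
        self.versions = {}      # version number -> 32-byte key material
        self.current = 0

    def rotate(self):
        """Create a new version and make it current; older versions stay available for decryption."""
        self.current += 1
        self.versions[self.current] = os.urandom(32)
        return self.current

    def delete_version(self, version):
        """Irreversibly remove one version (the operation the guide warns about)."""
        del self.versions[version]


def _keystream(key, nonce, length):
    # Illustrative counter-mode keystream from SHA-256; stands in for the real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_log(ring, record):
    """Encrypt one log record with the current key version and label it with that version."""
    key = ring.versions[ring.current]
    nonce = os.urandom(16)
    data = json.dumps(record, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"key_version": ring.current, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_log(ring, blob):
    """Look up the version recorded in the blob; a missing version means the log is lost."""
    key = ring.versions.get(blob["key_version"])
    if key is None:
        raise KeyError(f"key version {blob['key_version']} no longer exists; log cannot be decrypted")
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("integrity check failed")
    data = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(data)


def rotation_walkthrough():
    """Rotate, confirm both old and new logs still decrypt, then delete the old version."""
    ring = KeyRing()
    ring.rotate()                                        # version 1
    old = encrypt_log(ring, {"user": "user A", "email": "a@example.com", "command": "ls"})
    ring.rotate()                                        # version 2 becomes current
    new = encrypt_log(ring, {"user": "user B", "email": "b@example.com", "command": "cd /tmp"})
    after_rotate = (decrypt_log(ring, old)["command"], decrypt_log(ring, new)["command"])
    ring.delete_version(1)                               # the mistake the caution warns about
    try:
        decrypt_log(ring, old)
        old_lost = False
    except KeyError:
        old_lost = True
    return after_rotate, old_lost


if __name__ == "__main__":
    print(rotation_walkthrough())   # (('ls', 'cd /tmp'), True)
```

Rotation alone is harmless: records written under version 1 still decrypt as long as version 1 exists. Only deleting the version breaks them, which is why the guide says to update the key in the service first and to keep older versions until no retained log depends on them.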
Delete all resources created by the NHN Bastion service.
[Caution] Data created while using the NHN Bastion service and all resources within the service will be deleted, and information cannot be recovered once deleted.
Provides a browser-based web terminal with file upload/download capabilities.
[Note] To paste what is copied locally to the remote server, you must allow the permission to view text or images stored in the clipboard from the browser.
You can launch the file navigator by clicking the right arrow button. The file navigator allows you to upload or download files with the desired path. You can adjust the font size by clicking the right arrow button.
[Note] File transfer is based on the permissions of the operating system account that was initially accessed, and account changes via the su command are not reflected. If you upload files by dragging and dropping, they are saved in your home directory, regardless of the current directory path.