Cloud Bastion Host

Service Overview

Date 2022-12-01
Cloud Bastion Host
Service Overview Contents

Contents

1 Cloud Bastion Host..................................................................................................................1

2 Features..................................................................................................................................... 2
3 Product Advantages..............................................................................................................10
4 Application Scenarios........................................................................................................... 12
5 Edition Differences................................................................................................................14
6 Basic Concepts........................................................................................................................19
7 Pricing Details........................................................................................................................ 20
8 Restrictions on Using CBH...................................................................................................22
9 Permissions Management of CBH Instances...................................................................26
10 CBH and Other Services.....................................................................................................30
11 Personal Data Protection Mechanism............................................................................ 32
12 Security Statement............................................................................................................. 35
A Change History...................................................................................................................... 37

2022-12-01 ii
Cloud Bastion Host
Service Overview 1 Cloud Bastion Host

1 Cloud Bastion Host

Cloud Bastion Host (CBH) is a unified security management and control platform.
It provides account, authorization, authentication, and audit management services
that enable you to centrally manage cloud computing resources.
A CBH system has various functional modules, such as department, user, resource,
policy, operation, and audit modules. It integrates functions such as single sign-on
(SSO), unified asset management, multi-terminal access protocols, file transfer,
and session collaboration. With the unified O&M login portal, protocol-based
forward proxy, and remote access isolation technologies, CBH enables centralized,
simplified, secure management and maintenance auditing for cloud resources such
as servers, cloud hosts, databases, and application systems.

Service Features
● A CBH instance maps to an independent CBH system. You can configure a
CBH instance to deploy the mapped CBH system. A CBH system environment
is managed independently to ensure secure system running.
● A CBH system provides a single sign-on (SSO) portal, making it easier for you
to centrally manage large-scale cloud resources and safeguard accounts and
data of managed resources.
● CBH helps you comply with security regulations and laws, such as
Cybersecurity Law, and audit requirements in different standards, including
the following:
– Technical audit requirements in the Sarbanes-Oxley Act and Classified
Information Security Protection standard
– Technical audit requirements stated by the financial supervision
departments
– O&M audit requirements in relevant laws and regulations, such as
Sarbanes-Oxley Act, Payment Card Industry (PCI) standards, International
Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) 27001, and other internal compliance
regulations

2022-12-01 1
Cloud Bastion Host
Service Overview 2 Features

2 Features

CBH enables common authentication, authorization, account, and audit (AAAA)

management. Users can obtain O&M permissions by submitting tickets and can
invite O&M engineers to perform collaborative O&M.

Credential Authentication
CBH uses multi-factor authentication and remote authentication technologies to
enhance O&M security.
● Multi-factor authentication: CBH authenticates users by mobile one-time
passwords (OTPs), SMS messages, USB keys, and/or OTP tokens. This allows
you to mitigate O&M risks caused by leaked credentials.
● Remote authentication: CBH interconnects with third-party authentication
services or platforms to perform remote account authentication, prevent
credential leakage, and ensure secure O&M. Currently, Active Directory (AD),
Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory
Access Protocol (LDAP), and Azure AD remote authentication are available.
CBH allows you to synchronize users from the AD domain server without
modifying the original user directory structure.

Account Management
With a CBH system, you can centrally manage system user accounts and managed
resource accounts, and establish a visible, controllable, and manageable O&M
system that covers the entire account lifecycle.

2022-12-01 2
Cloud Bastion Host
Service Overview 2 Features

Table 2-1 Account management

Feature Description

System CBH enables you to grant a unique account with specific permissions to each system
user user based on their responsibilities. This eliminates security risks resulting from the
accounts use of shared accounts, temporary accounts, or privilege escalation.
● Batch importing
CBH enables you to synchronize users from a third-party server or import users in
batches, eliminating the need to create users repeatedly.
● User groups
CBH allows you to add users of the same type in a group and assign permissions
by user group.
● Batch management
CBH enables you to manage user accounts in batches, including deleting, enabling,
and disabling user accounts, resetting user passwords, and modifying basic user
configurations.

2022-12-01 3
Cloud Bastion Host
Service Overview 2 Features

Feature Description

Managed With a CBH system, you can centrally manage accounts of resources managed in the
resource CBH system through the entire account lifecycle, log in to managed resources by
accounts using SSO portal, and seamlessly switch between resource management and O&M.
● Resource types
CBH supports management of a wide range of resource types, including host (such
as Windows and Linux hosts), Windows application, and database (such as MySQL
and Oracle) resources.
– Host resources of the client-server architecture, including hosts configured with
the Secure Shell (SSH), Remote Desktop Protocol (RDP), Virtual Network
Computing (VNC), Telnet, File Transfer Protocol (FTP), SSH File Transfer
Protocol (SFTP), DB2, MySQL, SQL Server, Oracle, Secure Copy Protocol (SCP),
or Rlogin protocol.
– Application resources of the browser-server architecture or the client-server
architecture, including more than 12 types of browser- and client-side Windows
applications, such as Microsoft Edge, Google Chrome, and Oracle tools.
● Resource management
– Batch importing
CBH enables quick auto-discovery, synchronization, and batch importing of
cloud resources, such as Elastic Cloud Server (ECS) and Relational Database
Server (RDS) DB instances on the cloud for centralized O&M.
– Account group management
CBH manages resource accounts by group. By placing resource accounts of the
same attribute in the same group, you can assign permissions on a group basis
and let accounts inherit the permissions directly from the group to which they
belong.
– Password autofill
CBH uses the Advanced Encryption Standard (AES) 256-bit encryption
technology to encrypt managed resource accounts and uses the password auto-
filling technology to encrypt shared accounts, preventing data leakage.
– Automatic password change of managed resource accounts
CBH supports password change policies so that you can periodically change
account passwords to keep managed accounts secure.
– Automatic synchronization of managed resource accounts
CBH allows you to configure account synchronization policies so that you can
periodically check and synchronize account information between the CBH
system and the managed host resources. When you create, modify, or delete an
account on a host, the same operation is performed in CBH.
– Batch management
CBH allows you to batch manage information and accounts of managed
resources, including deleting a resource, adding a resource label, modifying
resource information, verifying a managed account, and deleting a managed
account.

Permissions Management
CBH supports fine-grained permission management so that you have complete
control over which user can access the CBH system and which managed resources

2022-12-01 4
Cloud Bastion Host
Service Overview 2 Features

can be accessed by a specific system user, enabling you to safeguard both the CBH
system and managed resources.

Table 2-2 Permissions management

Functi Description
on

CBH You can assign permissions to a system user to log in to a CBH system
system and use different functional modules in the CBH system according to
access the user's responsibilities.
permiss ● System user roles
ion CBH supports role-based and module-based permission
management so that you can allow a system user to access specific
functional modules based on the user's responsibilities.
You can use default user roles or create custom roles by adding
various functional modules.
● Departments
CBH enables department-based system user management,
allowing you to specify departments of different levels for each
system user. There are no limits on the number of department
levels.
● Login restrictions
CBH controls system user logins from many dimensions, including
login validity period, login duration, multi-factor verification, IP
addresses, and MAC addresses.

Manag You can assign permissions for resources by user, user group, account,
ed and account group.
resourc ● Access control
e You can control resource access by resource access validity period,
access access duration, and IP address. CBH also allows you to assign
permiss permissions to users for uploading and downloading files,
ion transferring files, and using the clipboard. When an O&M initiates
an O&M session, the watermark indicating their identity will be
displayed in the background of the session window.
● Two-person authorization
You can configure multi-level authorization for users, allowing
them to access to a specific resource, and thereby safeguard
sensitive and mission-critical resources.
● Command interception
You can set command control policies or database control policies
to forcibly block sensitive or high-risk operations on servers or
databases, generate alarms, and review such operations. This gives
you more control over key operations.
● Batch authorization
You can grant permissions for multiple resources to multiple users
by user group or account group.

2022-12-01 5
Cloud Bastion Host
Service Overview 2 Features

Operation Audit
In a CBH system, each system user has a unique identifier. After a system user
logs in to the CBH system, the CBH system logs their operations and monitors and
audits their operations on managed resources based on the unique identifier so
that any security events can be discovered and reported in real time.

Table 2-3 Operation audit description

Functi Description
on

System All operations in a CBH system are recorded, and alarms are reported
operati for misoperations, malicious operations, and unauthorized operations.
on ● System login logs
audit Details about a login, including the login mode, system user, source
IP address, and login time, are recorded. System login logs can be
exported with just a few clicks.
● System operation logs
All system operation actions are recorded. System operation logs
can be exported with just a few clicks.
● System reports
CBH displays all operation details of users in one place, including
user statuses, user and resource creation, login methods, abnormal
logins, and session controls.
System reports can be exported with just a few clicks and
periodically reported by email.
● Alarm notification
You can configure different alarm reporting methods and alarm
severity levels for system operation and your application
environment so that the CBH system sends alarm notifications by
email or system messages as soon as it determines system
exceptions and abnormal user operations.

2022-12-01 6
Cloud Bastion Host
Service Overview 2 Features

Functi Description
on

Resourc A CBH system records user operations throughout the entire O&M
e O&M process and supports multiple O&M auditing techniques. It audits user
audit operations, identifies O&M risks, and provides the basis for tracing
and analyzing security events.
● Auditing techniques
– Linux command audits
For command operations through character-oriented protocols
(such as SSH and Telnet), a CBH system records the entire O&M
process, parses operation commands, reproduces operation
commands, and quickly locates and replays operations using
keywords in input and output results.
– Windows operation audits
For operations on terminals and applications through graphics
protocol (such as RDP and VNC), the CBH system records all
remote desktop operations, including keyboard actions, function
key operations, mouse operations, window instructions, window
switchover, and clipboard copy.
– Database command audit
For command operations through database protocols (such as
DB2, MySQL, Oracle, and SQL Server), the CBH system records
the entire process from single sign-on (SSO) to database
command operations, parses database operation instructions,
and reproduces all operating instructions.
– File transfer audits
For file transfer operations through file transfer protocols (such
as FTP, SFTP, and SCP), the CBH system audits the entire file
transfer process on web browsers or clients, and records the
names and destination paths of transferred files.
● O&M audit methods
– Real-time monitoring
Ongoing O&M sessions can be monitored, viewed, and
terminated.
– History logs
All O&M operations are recorded and history session logs can be
exported with just a few clicks.
– Session videos
Linux commands and Windows operations can be recorded by
video.
Video files can be downloaded with just a few clicks.
– Operation reports
CBH uses various reports to display O&M statistics in one place,
including O&M action distribution over time, resource access
times, session duration, two-person authorization, command
interception, number of commands, and number of transferred
files.

2022-12-01 7
Cloud Bastion Host
Service Overview 2 Features

Functi Description
on

Operation reports can be exported with just a few clicks and

periodically sent by email.
– Log backup
CBH allows you to back up history session logs to a remote
Syslog server, FTP/SFTP server, and OBS bucket for disaster
recovery.

O&M Functions
CBH supports multiple architectures, tools, and methods to manage a wide range
of resources.

Table 2-4 Efficient O&M functions

Functi Description
on

O&M By leveraging HTML5 for remote logins, O&M engineers can

using a implement O&M operations such as real-time operation monitoring
web and file uploading and downloading, without installing a client.
browse ● One-stop O&M
r O&M engineers can complete remote O&M anytime anywhere
through Microsoft Edge, Google Chrome, or Mozilla Firefox
browsers on Windows, Linux, Android, and iOS operating systems
without installing plug-ins.
● Batch login
CBH supports one-click login to multiple authorized resources,
enabling O&M engineers to manage the resources on the same tab
page of a browser.
● Collaborative session
Allows multiple O&M engineers to perform O&M through a shared
O&M session. The user who initiates the O&M session can invite
other O&M personnel or experts to join the on-going session and
locate problems. This greatly improves O&M efficiency when
multiple O&M engineers work together.
● File transmission
CBH uses the WSS-based file management technology to upload,
download, and manage files online, enabling file sharing among
several hosts.
● Command group-sending
CBH supports the group sending function for multiple Linux
resources. With this function enabled, when a command is
executed in a session window, the same operation is performed in
other session windows.

2022-12-01 8
Cloud Bastion Host
Service Overview 2 Features

Functi Description
on

Third- CBH enables one-click interconnection with multiple O&M tools,

party enabling you to perform O&M without changing client usage habits.
client ● O&M tools
O&M SecureCRT, Xshell, Xftp, WinSCP, Navicat, and Toad for Oracle
● SSH clients
For host resources with character protocols configured, O&M
engineers can log in to them through SSH clients.
● Database clients
For database-deployed host resources, O&M engineers can log in
to databases using configured SSO tools.
● File transfer clients
For host resources with file transfer protocols configured, O&M
engineers can log in to them through FTP, SFTP, or SCP client.

Autom CBH enables automated O&M to simplify online complex operations,

atic eliminating repetitive manual effort and improving efficiency.
O&M ● Script management
CBH manages offline scripts, including Shell and Python scripts.
● O&M tasks
CBH automatically executes one or more preset O&M tasks, such
as command execution, script execution, and file transfer tasks.

O&M Ticket Application

During the O&M, if a system user does not have the required permissions for a
certain resource, they can submit a ticket to apply for the permissions.
● O&M personnel can:
– Manually or automatically trigger the ticket system and submit access
approval tickets, command approval tickets, and database approval
tickets.
– Submit, query, send reminders for approving, cancel, and delete tickets.
● System administrators can:
– Customize approval processes, including multi-level approval processes.
– Approve one or more tickets at a time, as well as reject, cancel, query,
and delete tickets.

2022-12-01 9
Cloud Bastion Host
Service Overview 3 Product Advantages

3 Product Advantages

HTML5 One-stop Management

CBH makes it possible for users to perform O&M anytime, anywhere on any
terminal using mainstream browsers (including mobile app browsers) without
installing clients or plug-ins.
With an easy-to-use HTML5 UI, CBH gives you the ability to centrally manage
users, resources, and permissions. It also enables batch creation of user accounts,
batch import of resources, batch authorization of O&M operations, and batch
logins to managed resources.

Precise Interception
CBH presets standard Linux command library or allows you to customize
commands, so the CBH system can precisely intercept O&M operation instructions
and scripts when corresponding command control rules are triggered. In addition,
CBH uses the dynamic approval mechanism to dynamically control sensitive
operations in on-going O&M sessions, preventing dangerous and malicious
operations.

Multi-level Approval
With CBH, you can enable the multi-level approval mechanism to monitor O&M
operations on sensitive and mission-critical resources, improving data protection
and management capabilities and keeping data of critical assets secure.

Unified Application Resource Management

CBH gives you the ability to use a unified access entry to manage different
application resources, such as databases, web applications, and client programs. It
also supports OCR technology, enabling you to convert operations on graphical
applications into text files and simplify O&M audits.

Database O&M Audits

For cloud databases such as DB2, MySQL, SQL Server, and Oracle, CBH supports
unified resource O&M management and one-click login to the database through
SSO portal. To enable efficient audit operations on database resources, CBH

2022-12-01 10
Cloud Bastion Host
Service Overview 3 Product Advantages

records the entire database operation process, parses operation instructions, and
reproduces all operation instructions.

Automatic O&M
CBH also gives you the ability to automate complex, repetitive, and large-quantity
O&M operations by configuring unified rules and tasks, free O&M personnel from
repetitive manual effort, and improve O&M efficiency.

2022-12-01 11
Cloud Bastion Host
Service Overview 4 Application Scenarios

4 Application Scenarios

A secure O&M management and audit service is a must-have for any enterprises.
CBH is an ideal choice for you. CBH is applicable to various O&M scenarios of
enterprise businesses, especially scenarios involving a large number of enterprise
employees, a large amount of complex assets, sophisticated O&M personnel
construction and permissions, or diversified O&M patterns.

Strict Compliance Audit

Some enterprises, such as enterprises in the insurance and finance industries, have
a large amount of personal information data, financial fund operations, and third-
party organization operations. There are big risks of illegal operations, such as
violation of regulations and abuse of competence.
CBH gives the ability to those enterprises to establish a sound O&M audit system
so that they can comply with industry supervision requirements. With CBH
deployed on the cloud, an enterprise can centrally manage accounts and
resources, isolate department permissions, configure multi-level review for
operations on mission-critical assets, and enable dual-approval for sensitive
operations.

Efficient O&M
Some enterprises, such as fast-growing Internet enterprises, have a large amount
of sensitive information, such as operations data, exposed on the public networks.
Their services are highly open. All these increase data leakage risks.
During the remote O&M, CBH hides the real IP addresses of your assets to protect
asset information from disclosure. In addition, CBH provides comprehensive O&M
logs to effectively monitor and audit the operations of O&M personnel, reducing
network security accidents.

A Large Number of Assets and O&M Staff

As an increasing number of companies move businesses to the cloud, the number
of cloud accounts, servers, and network devices also doubles. Many companies
outsource system O&M workloads to system suppliers or third-party O&M
providers to reduce human resource costs. However, this often involves more than
one supplier or agent and increases instability of O&M staff. As a result, risks are
increasingly prominent if the monitoring over O&M is not in place.

2022-12-01 12
Cloud Bastion Host
Service Overview 4 Application Scenarios

CBH provides a system to manage a large number of O&M accounts and a wide
range of resources in a secure manner. It also allows O&M personnel to access
resources using single sign-on (SSO) tools, improving the O&M efficiency. In
addition, CBH uses fine-grained permission control so that all operations on a
managed resource are recorded and operations of all O&M staff are auditable.
Any O&M incidents are traceable, making it easier to locate the operators.
Additionally, the CBH system displays the on-going O&M sessions and receives
abnormal behavior alarm notifications to ensure that O&M engineers cannot
perform unauthorized operations.

2022-12-01 13
Cloud Bastion Host
Service Overview 5 Edition Differences

5 Edition Differences

CBH includes standard and professional editions. You can select 50, 100, 200, 500,
1000, 2000, and 5000 asset specifications under each edition.

Differences on Specifications
For details about different specifications, see Table 1 Configuration of different
specifications.

Table 5-1 Configuration of different specifications

Asset Max. CPUs Memory System Disk Data Disk

Quantity Concurrent
Connections

50 50 4 cores 8 GB 100GB 500GB

100 100 4 cores 8 GB 100 GB 1000 GB

200 200 4 cores 8 GB 100 GB 1000 GB

500 500 8 cores 16 GB 100 GB 2000 GB

1000 1000 8 cores 16 GB 100 GB 2000 GB

2000 1500 8 cores 16 GB 100 GB 2000 GB

5000 2000 8 cores 16 GB 100 GB 2000 GB

NOTICE

The number of concurrent connections in Table 5-1 includes only connections

established by O&M clients that use character-based protocols (such as SSH or
MySQL client). Connections established by O&M clients that use graphic-based
protocols (such as H5 web and RDP client) is not included, which is only one third
of this number.

2022-12-01 14
Cloud Bastion Host
Service Overview 5 Edition Differences

Edition Difference
Both editions provide identity authentication, permission control, account
management, and operation audit. Apart from those functions, the enhanced
edition also provides automatic O&M and database O&M audit.
For details about functions supported by different editions, see Table 2 Functions
of different editions.

Table 5-2 Functions of different editions

Functi Description Standa Profess
on rd ional
edition edition

Identity Two-factor authentication for user accounts Suppor Suppor

authen CBH allows you to configure multi-factor ted ted
tication authentication, such as mobile phone one-time
passwords (OTPs), mobile phone SMS messages,
USB keys, and dynamic OTP tokens to
authenticate user identities.

Remote authentication for user accounts Suppor Suppor

CBH also allows you to authenticate user ted ted
identities through AD, RADIUS, LDAP, and Azure
AD remote authentication.

Permiss System access permission Suppor Suppor

ion CBH allows you to configure department- and ted ted
control role-based permission control so that you can
allow a specific system user to access a specific
module in a given CBH system.

Resource access permission Suppor Suppor

CBH allows you to configure resource access ted ted
control policies based on users, user groups,
managed accounts, and account groups to limit
what resources can be assessed. You can also
configure two-person authorization policies and
command control policies to limit what operations
are allowed on a certain resource.

Two-person authorization Suppor Suppor

CBH allows you to configure two- or multi-person ted ted
authorization for core sensitive resources.

Character command interception Suppor Suppor

CBH allows you to configure command control ted ted
policies to dynamically authorize key operations
on character protocol resources.

2022-12-01 15
Cloud Bastion Host
Service Overview 5 Edition Differences

Functi Description Standa Profess

on rd ional
edition edition

Database command interception Not Suppor

CBH allows you to configure database control support ted
policies to precisely restrict and re-review sensitive ed
and risky database operations.
NOTE
This function applies to cloud databases as well as self-
built databases.

Accoun User lifecycle management Suppor Suppor

t ● CBH allows you to create a single user account, ted ted
manag import user accounts in batches, manage user
ement accounts in batches, and manage user groups.

Managed account lifecycle Suppor Suppor

● CBH allows you to add resources and their ted ted
accounts one by one or in batches, and classify
added accounts into different groups for
management.

Host resource management Suppor Suppor

● CBH allows you to manage Linux or Windows ted ted
hosts with the SSH, RDP, VNC, Telnet, FTP, SFTP,
SCP, or Rlogin protocol configured.

Application resource management Suppor Suppor

● CBH allows you to use Windows application ted ted
servers to manage browser or client application
resources, such as Google Chrome, Microsoft
Edge, Mozilla Firefox, Oracle Tool and MySQL.

Database resource management Not Suppor

● CBH allows you to manage DB2, MySQL, SQL support ted
Server, and Oracle databases. ed

Automatic password change for managed Suppor Suppor

accounts ted ted
● CBH allows you to configure password change
policies to let the system periodically change
passwords of managed accounts.

Automatic synchronization of managed resource Not Suppor

accounts support ted
● CBH allows you to configure account ed
synchronization policies to let the system
detect zombie accounts or unmanaged
accounts in a timely manner.

2022-12-01 16
Cloud Bastion Host
Service Overview 5 Edition Differences

Functi Description Standa Profess

on rd ional
edition edition

Operati System login and operation logging Suppor Suppor

on ● CBH allows you to export system logs, generate ted ted
audit system reports, and configure alarm
notifications.

Resource O&M audit Suppor Suppor

● CBH allows you to audit the entire O&M ted ted
process through multiple audit methods, such
as monitoring on-going sessions, generating
videos for history sessions, exporting text
reports, and remote log backup.

Database operation audit Not Suppor

● CBH allows you to audit the entire database support ted
O&M process based on operation commands. ed

Efficien One-stop web browser O&M Suppor Suppor

t O&M ● CBH allows you to remotely log in to resources ted ted
without having to install a client with
integrated functions, such as batch login,
collaborative session, file transfer, and
command group sending.

Third-party client O&M Suppor Suppor

● CBH can interconnect with multiple O&M tools ted ted
with just a few clicks, including SSH, FTP, SFTP,
and SCP client.

Database O&M Not Suppor

● CBH allows you to log in to the target support ted
databases using the single sign-on (SSO) tool ed
with just a few clicks.

Automatic O&M Not Suppor

● CBH allows you to manage scripts online and support ted
let the system periodically execute preset O&M ed
tasks.

Ticket Access and command authorization ticket Suppor Suppor

applica application ted ted
tion ● CBH allows you to obtain the resource control
permissions by manually or automatically
triggering a system ticket and submitting the
ticket to the system administrator for approval.

2022-12-01 17
Cloud Bastion Host
Service Overview 5 Edition Differences

Functi Description Standa Profess

on rd ional
edition edition

Database authorization ticket application Not Suppor

● CBH automatically generates an authorization support ted
ticket for each sensitive operation from a ed
system user. The system user then needs to
submit the ticket to the administrator for
approval. The sensitive operation can be
resumed only after the application is approved.

2022-12-01 18
Cloud Bastion Host
Service Overview 6 Basic Concepts

6 Basic Concepts

CBH Instance
A CBH instance is an independent CBH system. Users can log in to the CBH
console to buy and manage CBH instances. A user can log in to a CBH system to
perform secure O&M management and auditing only after the user has purchased
a CBH instance.

Single Sign-On
Single sign-on (SSO) is an authentication scheme that allows a user to use a
single ID and password to log in to any of several related, yet independent,
software systems. After logging in to one of these application systems, the user
can access all other related application systems without using other credentials.

Number of Assets
The number of assets refers to the number of resources running on each host
managed by CBH. One host may have multiple resources, including protocols and
applications running on it.
For example, if two RDP, one Telnet, and one MySQL host resources and one
Google Chrome browser application resource are added to a cloud host managed
by a CBH system, the number of managed assets is five.

Concurrent Requests
The number of concurrent requests indicates the number of connections
established between a managed host and the CBH system over all protocols at the
same time.
For example, if 10 O&M engineers use a CBH system at the same time and each
engineer generates five protocol connections (such as remote connections through
SSH or MYSQL client), the number of concurrent requests is 50.

2022-12-01 19
Cloud Bastion Host
Service Overview 7 Pricing Details

7 Pricing Details

Billing Items
Billed based on the edition and required duration of the CBH instance.

Table 7-1 Billing items

Billing Item Billing Description

CBH Billed based on the edition and required duration of the CBH
instances instance.

Required Billed on a yearly or monthly basis.

duration

Elastic IP An EIP must be bound to the CBH instance if you want to log in
Address (EIP) to the CBH instance through a public network. EIPs are
separately billed by bandwidth or traffic. For details, see EIP
Pricing Details.
NOTE
To ensure that the CBH system can work normally, ensure that the EIP
bound to the mapped CBH instance is available.

NOTE

To manage application resources through application publishing servers, purchase resources

such as Windows servers, images, enterprise authorization codes, and client licenses at
additional costs.

Billing Modes
CBH is billed on a yearly/monthly basis only.

You can get a 17% discount for a one-year subscription, a 30% discount for a two-
year subscription, and 50% discount for a three-year subscription. If you want to
use CBH for a long time, buy it by the year to save more money.

2022-12-01 20
Cloud Bastion Host
Service Overview 7 Pricing Details

Changing Billing Options

● Changing instance specifications
If your business increases, CBH allows you to change CBH specifications
within the billing cycle. You can upgrade your instance from a basic edition to
an enhanced edition or to another basic edition of higher specifications.
However, the edition of an instance cannot be changed to a lower one.
● Unsubscribing
If you want to stop using a CBH instance, go to the Billing Center to
unsubscribe from it.

Renewal
When a yearly/monthly-billed CBH instance is about to expire, you can choose
More > Renew in the Operation column on the CBH instance list page to renew
the instance to extend the validity period. After the instance is renewed, the
mapped CBH system is automatically renewed.
For more information about renewal, including exporting the renewal list and
changing subscriptions, see Renewal Management.

Expiration and Overdue Payment

If a yearly/monthly-billed resource fails to be renewed in a given time, there is a
retention period. The retention period varies depending on subscription methods.
For details about how to process resources in the retention period, see Retention
Period.
When your account is in arrears, you can view the arrears details. You need to pay
the arrears within the specified period. To prevent resources from being stopped or
released, top up your account in a timely manner. For details, see Repaying
Arrears.

2022-12-01 21
Cloud Bastion Host
Service Overview 8 Restrictions on Using CBH

8 Restrictions on Using CBH

To improve the stability and security of the CBH system, there are some
restrictions on the use of CBH instances and their mapped CBH systems.

Network Access Restrictions

● Cross-region resource management is not supported.
A CBH instance and resources (such as ECSs and cloud databases) managed
in the mapped CBH system must be in the same region.
Although some services such as Virtual Private Network (VPN) can be used
to establish VPCs in different regions, using CBH to manage resources across
regions is still not recommended because the cross-region network is less
stable.
● Cross-VPC resource management is not supported.
A CBH instance and resources (such as ECSs and cloud databases) managed
in the mapped CBH system must be in the same VPC so that the CBH system
can communicate the managed resources directly.
If they are in different VPCs, use a VPC peering connection to connect two
VPCs.
● Communication between the CBH instance security group and managed
resource security group must be allowed.
The managed resources must be accessible through the security group to
which the CBH instance belongs, and the security group to which the
resources belong must allow access from the private IP address of the CBH
instance.
If a CBH instance and its managed resources belong to different security
groups, no communication between them is established by default. To
establish a connection, add an inbound rule to the CBH instance security
group.
The default ports of the security group are ports 443 and 2222, which can be
accessed through the web browser and SSH client by default. To use other
access methods, manually add the destination port.
● A CBH system can be logged in only through IP address and port number.

2022-12-01 22
Cloud Bastion Host
Service Overview 8 Restrictions on Using CBH

Supported Resources
Currently, CBH can manage only resources on Huawei Cloud.
● Supported host types
CBH allows you to manage Linux or Windows hosts with the SSH, RDP, VNC,
Telnet, FTP, SFTP, SCP, or Rlogin protocol configured.
● Supported database types
– Relational Database Service (RDS) DB instances
– Databases on Elastic Cloud Servers (ECSs)
● Supported database versions

Table 8-1 Supported database versions

Database Engine Engine Version

MySQL MySQL 5.5, 5.6, 5.7, and 8.0

Microsoft SQL Server 2017

Oracle Oracle 10g, 11g, and 12c

DB2 DB2 Express-C

PostgreSQL Not supported

● Supported application server types and versions

Only applications on Windows servers and Linux servers can be managed.
Table 8-2 lists the supported operating system versions.

Table 8-2 Supported application server types and versions

OS Type Version

Windows Windows Server 2008 R2 or later

Linux CentOS7.9

NOTE

Currently, application O&M is available only on the x86 CBH instances.

Supported Third-Party Clients

To perform secure O&M management through CBH, use a third-party client to log
in to the CBH system.

2022-12-01 23
Cloud Bastion Host
Service Overview 8 Restrictions on Using CBH

Table 8-3 Clients and versions supported for logging in to the CBH system

Login Type Supported Version

Client

Logging in to Edge Microsoft Edge 44 or later

a CBH system NOTE
from a web When you use Microsoft Edge, the maximum size
browser of a file that can be uploaded to a host is 4 GB.

Google Chrome Google Chrome 52.0 or later

Safari Safari 10 or later

Mozilla Firefox Mozilla Firefox 50.0 or later

Login using SecureCRT SecureCRT 8.0 or later

an SSH client
Xshell Xshell 5 or later

Mac Terminal Mac Terminal 2.0 or later

Table 8-4 Clients that can be invoked during operation

Operation Resource Protocol Supported Client

Method Type/Application
Type

Database MySQL Navicat 11 and 12

operation MySQL Administrator 1.2.17
(in the Host MySQL CMD
Operation
module) SQL Server Navicat 11 and 12
SSMS 17.6

Oracle Toad for Oracle 11.0, 12.1, 12.8, and

13.2
Navicat 11 and 12
PL/SQL Developer 11.0.5.1790

DB2 DB2 CMD command line 11.1.0

File Transfer SFTP Xftp, WinSCP, and FlashFXP

FTP Xftp, WinSCP, FlashFXP, and FileZilla

SCP WinSCP

Application MySQL Tool MySQL Administrator

operation
Oracle Tool PL/SQL Developer

SQL Server Tool SSMS

dbisql dbisql

2022-12-01 24
Cloud Bastion Host
Service Overview 8 Restrictions on Using CBH

Operation Resource Protocol Supported Client

Method Type/Application
Type

Google Chrome Google Chrome

Edge Edge

Mozilla Firefox Mozilla Firefox

VNC Client VNC Viewer

SecBrowser SecBrowser

VSphere Client VSphere Client

Radmin Radmin

Other Constraints
● The maximum number of resources that can be managed by CBH cannot
exceed the number of assets allowed by the instance edition.
● The maximum number of resources that can be concurrently logged in to
through CBH cannot exceed the number of concurrent requests allowed by
the CBH instance edition.
NOTE

The number of assets refers to the number of resources running on a cloud host managed
by CBH. One cloud host may have multiple resources, including protocols and applications
running on it.
The number of concurrent requests indicates the number of connections established
between a managed hosts and the CBH system over all protocols at the same time.
For more details, see Basic Concepts.

2022-12-01 25
Cloud Bastion Host
Service Overview 9 Permissions Management of CBH Instances

9 Permissions Management of CBH

Instances

If you need to assign different permissions to employees in your enterprise to

access your CBH instances, IAM is a good choice for fine-grained permissions
management. IAM provides identity authentication, permissions management,
and access control, helping you securely manage access to your HUAWEI CLOUD
resources.
With IAM, you can create IAM users under your account for your employees, and
assign permissions to the users to control their access to specific resource types.
For example, you can create IAM users for the software developers and assign
specific permissions to allow them to only use CBH instances but not to create,
change specifications of, or upgrade CBH instances.
If your HUAWEI CLOUD account does not need individual IAM users for
permissions management, then you may skip over this section.
IAM is free. You pay only for the resources in your account. For more information
about IAM, see IAM Service Overview.

CBH Instance Permissions

By default, new IAM users do not have any permissions assigned. You can add a
user to one or more groups to allow them to inherit the permissions from the
groups to which they are added.
CBH is a project-level service deployed and accessed in specific physical regions. To
assign CBH permissions to a user group, specify the scope as region-specific
projects and select projects for the permissions to take effect. If All projects is
selected, the permissions will take effect for the user group in all region-specific
projects. When accessing a CBH instance, switch to a region where they have been
authorized to use the CBH instance.
You can grant users permissions by using roles and policies.
● Roles: A type of coarse-grained authorization mechanism that defines
permissions related to users responsibilities. Only a limited number of service-
level roles for authorization are available. You need to also assign other
dependent roles for the permission control to take effect. Roles are not ideal
for fine-grained authorization and secure access control.

2022-12-01 26
Cloud Bastion Host
Service Overview 9 Permissions Management of CBH Instances

● Policies: A fine-grained authorization mechanism that defines permissions

required to perform operations on specific cloud resources under certain
conditions. This mechanism allows for more flexible policy-based
authorization and meets secure access control requirements. For example, you
can grant CBH users only the permissions for managing a certain type of
resources. For details about the actions supported by CBH, see Permissions
and Supported Actions.

Table 9-1 lists all the system-defined roles and policies supported by CBH
instances.

Table 9-1 System permissions for CBH instances

Role/Policy Description Type Dependency

Name

CBH All permissions on CBH Syste None

FullAccess instances. m-
define
d
policy

CBH Read-only permissions for Syste None

ReadOnlyAcce CBH instances. Users who m-
ss have read-only permissions define
granted can only view CBH d
instances but not configure policy
services.

Table 9-2 lists the common operations for each system-defined policy or role of
CBH instances. Select the policies or roles as required.

Table 9-2 Common operations for each system-defined policy or role of CBH

Operation CBH FullAccess CBH

ReadOnlyAccess

Creating a CBH instance √ x

Changing CBH instance specifications √ x

(changing specifications)

Querying the CBH instance list √ √

Upgrading the CBH system version √ x

Querying total ECS quota √ x

Binding or unbinding an EIP √ x

Restarting a CBH instance √ x

Starting a CBH instance √ x

2022-12-01 27
Cloud Bastion Host
Service Overview 9 Permissions Management of CBH Instances

Operation CBH FullAccess CBH

ReadOnlyAccess

Stopping a CBH instance √ x

Querying the AZ of a CBH instance √ x

Checking whether an IPv6 CBH √ x

instance can be created

Checking network connection √ x

between the CBH instance and the
license center

Modifying the network of the CBH √ x

instance to ensure that the CBH
instance can communicate with the
license center

Related Topics
● IAM Service Overview
● Creating a User Group and User and Granting Them CBH Permissions
● Custom Policies for CBH instances
● CBH Instance Permissions and Supported Actions

CBH FullAccess Policy Content

{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cbh:*:*",
"vpc:subnets:get",
"vpc:publicIps:list",
"vpc:vpcs:list",
"vpc:securityGroups:get",
"vpc:firewallGroups:get",
"vpc:firewallPolicies:get",
"vpc:firewallRules:get",
"vpc:ports:get",
"vpc:publicips:update",
"vpc:securityGroups:create",
"vpc:firewallRules:create",
"vpc:firewallPolicies:addRule"
"ecs:cloudServerFlavors:get",
"evs:types:get"
]
}
]
}

CBH ReadOnlyAccess Policy Content

{
"Version": "1.1",
"Statement": [

2022-12-01 28
Cloud Bastion Host
Service Overview 9 Permissions Management of CBH Instances

{
"Effect": "Allow",
"Action": [
"cbh:*:list*",
"vpc:publicIps:list",
"vpc:vpcs:list",
"vpc:securityGroups:get",
"vpc:subnets:get"
]
}
]
}

2022-12-01 29
Cloud Bastion Host
Service Overview 10 CBH and Other Services

10 CBH and Other Services

CBH needs to work with other cloud services. Figure 10-1 shows the dependencies
between CBH and other cloud services.

Figure 10-1 CBH and other services

VPC
Virtual Private Cloud (VPC) provides a virtual network environment for you to
configure security groups, subnets, and Elastic IP Addresses (EIPs) for your CBH
instances. This allows you to manage and configure internal networks. You can
also customize access rules for security groups to enhance security.

ECS
Elastic Cloud Server (ECS) provides a deployment environment for CBH instances,
and CBH provides security management services for resources on ECSs.

2022-12-01 30
Cloud Bastion Host
Service Overview 10 CBH and Other Services

● ECSs are used to deploy the CBH background environment, which uses the
EulerOS operating system.
● You can log in to resources, such as servers and databases, on ECSs through
CBH to manage those resources and login credentials and audit O&M sessions
in a more secure way.

EIP
Elastic IP Address (EIP) provides independent public IP addresses and egress
bandwidth. Each public EIP can be used by only one cloud resource at a time. With
an EIP bound to a CBH instance, users can access the Internet through the
mapped CBH system. You can adjust the EIP bandwidth at any time to meet your
business traffic changes.

RDS
You can log in to the Huawei Cloud Relational Database Service (RDS)
databases through CBH to manage databases and login credentials and audit
O&M sessions in a more secure way.

CTS
Cloud Trace Service (CTS) generates traces to enable you to get a history of
operations performed on CBH instances, allowing you to query, audit, and
backtrack resource operation requests initiated from the management console as
well as the responses to those requests.
CTS records operations on CBH instances for later query, auditing, and
backtracking. For details, see CBH Operations Supported by CTS.

IAM
Identity and Access Management (IAM) helps you to manage permissions and
identity authentication for users of CBH instances. For more details, see
Permissions Management.

2022-12-01 31
Cloud Bastion Host
Service Overview 11 Personal Data Protection Mechanism

11 Personal Data Protection

Mechanism

No personal data is gathered by a CBH instance. After an instance is created, you

need to create a user account for logging in to the CBH system. Creating a user
account for logging in to the system requires personal data.
To ensure that your personal data, such as the username, password, and mobile
phone number for logging in to a CBH system, will not be obtained by
unauthorized or unauthenticated entities or people and to prevent data leakage,
CBH encrypts your personnel data before storing it to control access to the data
and records logs for operations performed on the data.

Personal Data to Be Collected

Table 11-1 lists the personal data generated or collected by CBH.

Table 11-1 Personal data

Item Type Collection Method Can Be Mandatory
Modifie
d

CBH Login Login name configured No Yes

instanc name by the system Login names are
es administrator during used to identify
user creation users.

2022-12-01 32
Cloud Bastion Host
Service Overview 11 Personal Data Protection Mechanism

Item Type Collection Method Can Be Mandatory

Modifie
d

Password ● Password configured Yes Yes

by the system This password is
administrator during used by the user to
user creation or log in to a CBH
password resetting system.
● Password reset by a
user when they log
in to a CBH system
for the first time or
password changed by
a user after the user
logs in to the CBH
system

Email ● Email address Yes Yes

configured by the This email address is
administrator during used to receive
user creation notifications sent by
● Email address the CBH system.
entered by a user
after the user logs in
to the CBH system

Mobile ● Mobile phone Yes Yes

number number configured ● This mobile
by the administrator phone number is
during user creation used to receive
● Mobile phone SMS notifications
number entered by a from the CBH
user after the user system.
logs in to the CBH ● This mobile
system phone number is
also used to
receive
verification codes
sent by the CBH
system during
password
resetting.

Storage Mode
CBH uses encryption algorithms to encrypt users' sensitive data and stores
encrypted data.
● Login names are not sensitive data and stored in plaintext.

2022-12-01 33
Cloud Bastion Host
Service Overview 11 Personal Data Protection Mechanism

● Passwords, email addresses, and mobile numbers are encrypted for storage.

Access Permission Control

Your personal data is encrypted for storage in CBH. A security code is required for
the system administrators and upper-level administrators when they attempt to
view your mobile number and email addresses. However, passwords of all users
are invisible to all.

Two-factor Authentication
After multi-factor authentication is configured for a user, the user needs to be
authenticated twice when logging in to the CBH system. The secondary
authentication includes SMS message, mobile OTP, USB key, and dynamic token
modes. This effectively protects sensitive user information.

Logging
The CBH system records audit logs for all operations on users' personal data,
including adding, modifying, querying, and deleting data. The logs can be backed
up to a remote server or local computer. Users with the audit permission can view
and manage logs of user accounts in lower-level departments. The system
administrator admin has the highest permissions and can view and manage
operation records of all user accounts used to log in to the CBH system.

2022-12-01 34
Cloud Bastion Host
Service Overview 12 Security Statement

12 Security Statement

Before using CBH, read this security statement carefully and perform accordingly
to avoid network security issues.

Managing Accounts
The default account admin is the default administrator of a CBH system. The
password of admin user is the password you set during purchase of the CBH
instance.

Change the password as prompted upon your first login to the CBH system.
Otherwise, the CBH system page cannot be reached.

Managing Passwords
To ensure security, you are advised to set passwords according to the following
rules:

● Change the password and configure phone number as prompted after you log
in to the CBH system. Otherwise, the requested CBH system cannot be
reached.
● The complexity of a password must meet the following security policies:
– Contain 8 to 32 characters.
– Contain at least three of the following character types: uppercase letters
(A to Z), lowercase letters (a to z), digits (0 to 9), and special characters.
– Cannot contain the username or the username spelled backwards.
● It is recommended that you periodically change your password for account
security.

Feature Statement
● The purchased products, services and features are stipulated by the contract
made between Huawei and the customer. All or part of the products, services
and features described in this document may not be within the purchase
scope or the usage scope.
● The information in this document is subject to change without notice. Every
effort has been made in the preparation of this document to ensure accuracy

2022-12-01 35
Cloud Bastion Host
Service Overview 12 Security Statement

of the contents, but all statements, information, and recommendations in this

document do not constitute a warranty of any kind, express or implied.
● CBH supports the HTTPS protocol but not the HTTP protocol.
● Make sure CBH is used in compliance with laws and regulations.

Third-Party Software
CBH uses the following third-party software:
● Browsers and versions for logging in to a CBH system. For details, see Table
12-1.

Table 12-1 Recommended browsers and versions

Browser Version Description

Edge 11 or later Upload restriction: On the H5 O&M page, the

maximum size of a single uploaded file is 4
GB.

Chrome 52.0 or later None

Safari 10 or later None

Firefox 50.0 or later None

Such software can be downloaded in either of the following ways:

● Log in to the CBH system as a system administrator. On the page that is
displayed, click the download icon in the upper right corner. On the displayed
Download Center page, download the required software.
● Log in to the CBH system as an O&M user. On the page that is displayed, click
the download icon in the upper right corner. On the displayed Download
Center page, download the required software.

2022-12-01 36
Cloud Bastion Host
Service Overview A Change History

A Change History

Released On Description

2022-12-01 This issue is the first official release.

2022-12-01 37