For security purposes, we recommend that you run Cloud Assistant commands as a regular user (non-root or non-system user) based on the principle of least privilege. This topic describes how to configure a Resource Access Management (RAM) user to run Cloud Assistant commands as a regular user.
Prerequisites
Regular (non-root, non-system) user accounts already exist on the Elastic Compute Service (ECS) instance. In this topic, the regular users user01 and user02 are used.
Background information
If you do not configure specific permissions when you run a Cloud Assistant command, the command is run based on the highest level of permissions on instances. By default, Cloud Assistant commands are run by the root user on Linux instances and by the system user on Windows instances.
To ensure information security, we recommend that you restrict the use of the root user or system user on ECS instances. You can create a RAM user and attach policies to it that prevent Cloud Assistant commands from being run as the root user or system user on ECS instances, and policies that allow only specific users, such as user01 and user02, to run Cloud Assistant commands on ECS instances.
Run Cloud Assistant commands on Linux instances as a regular user
If you want to run Cloud Assistant commands only on Linux instances, you can perform the following operations to restrict a RAM user from running Cloud Assistant commands as the root user:
Log on to the RAM console with your Alibaba Cloud account.
Create a RAM user. For more information, see Create a RAM user.
The following table describes the parameters that are required to create a RAM user (Parameter: Example).
Logon Name: commandUser
Display Name: commandUser
Access Mode: You can use Cloud Assistant in the Alibaba Cloud Management Console or by calling API operations. In this example, select Console Access and OpenAPI Access.
Note: You can select an access mode based on your business requirements to conform to the principle of least privilege.
Set Logon Password: Select Automatically Regenerate Default Password.
Password Reset: Select Required at Next Logon.
Enable MFA: Select Not Required.
After you create a RAM user, record the username, password, and AccessKey pair of the RAM user.
Create a policy that includes permissions on Cloud Assistant. For more information, see Create custom policies.
Create a policy named commandUserPolicy to allow or deny users to run Cloud Assistant commands on ECS instances. The following section describes example policies. You can modify the policies based on your business requirements.
The following policy allows specific regular users, such as user01 and user02, to run Cloud Assistant commands on ECS instances:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTagKeys",
        "ecs:DescribeTags",
        "ecs:CreateCommand",
        "ecs:DescribeCommands",
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:StopInvocation",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:InstallCloudAssistant"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/*"
      ],
      "Condition": {
        "StringEquals": {
          "ecs:CommandRunAs": [
            "user01",
            "user02"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Note: If you want to allow other users to run Cloud Assistant commands on ECS instances, you can modify or add usernames in the Condition element.
The following policy allows Cloud Assistant commands to be run on ECS instances as any user except the root user or system user. The StringNotEqualsIgnoreCase operator compares the username case-insensitively, so variants such as ROOT or System are also excluded:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTagKeys",
        "ecs:DescribeTags",
        "ecs:CreateCommand",
        "ecs:DescribeCommands",
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:StopInvocation",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:InstallCloudAssistant"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/*"
      ],
      "Condition": {
        "StringNotEqualsIgnoreCase": {
          "ecs:CommandRunAs": [
            "system",
            "root"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Note: If you want to prevent other users from running Cloud Assistant commands on ECS instances, you can modify or add usernames in the Condition element.
Grant the RAM user read-only permissions on ECS and permissions on Cloud Assistant. For more information, see Grant permissions to a RAM user.
To grant the RAM user read-only permissions on ECS, select AliyunECSReadOnlyAccess.
To grant the RAM user permissions on Cloud Assistant, select the commandUserPolicy policy that you created in the previous step.
Log on to the Alibaba Cloud Management Console as the RAM user.
Run a Cloud Assistant command and verify the result. For more information, see Create and run a command.
The following figure shows the procedure that is performed in the ECS console. You must configure the Username parameter.
user01 can run the Cloud Assistant command, and an error is reported when the root user runs the command.
The following figure shows the procedure that is performed by using the CLI. user01 can run the Cloud Assistant command, and an error is reported when the root user runs the command.
Run Cloud Assistant commands on Windows instances as a regular user
To run Cloud Assistant commands on Windows instances as a regular user, you must specify a username and a password. To ensure data security, host the logon password as an encrypted parameter in CloudOps Orchestration Service (OOS), which encrypts it by using Key Management Service (KMS). For more information, see What is OOS? and What is Key Management Service?
You can perform the following operations to restrict a RAM user from running Cloud Assistant commands as the system user.
Log on to the RAM console with your Alibaba Cloud account.
Create a RAM user. For more information, see Create a RAM user.
The following table describes the parameters that are required to create a RAM user (Parameter: Example).
Logon Name: commandUser
Display Name: commandUser
Access Mode: You can use Cloud Assistant in the Alibaba Cloud Management Console or by calling API operations. In this example, select Console Access and OpenAPI Access.
Note: You can select an access mode based on your business requirements to conform to the principle of least privilege.
Set Logon Password: Select Automatically Regenerate Default Password.
Password Reset: Select Required at Next Logon.
Enable MFA: Select Not Required.
After you create a RAM user, record the username, password, and AccessKey pair of the RAM user.
Create policies that include permissions on Cloud Assistant and on KMS. For more information, see Create custom policies.
Policy that includes permissions on Cloud Assistant:
Create a policy named commandUserPolicy to allow or deny users to run Cloud Assistant commands on ECS instances. The following section describes example policies. You can modify the policies based on your business requirements.
The following policy allows specific regular users, such as user01 and user02, to run Cloud Assistant commands on ECS instances:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTagKeys",
        "ecs:DescribeTags",
        "ecs:CreateCommand",
        "ecs:DescribeCommands",
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:StopInvocation",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:InstallCloudAssistant"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/*"
      ],
      "Condition": {
        "StringEquals": {
          "ecs:CommandRunAs": [
            "user01",
            "user02"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Note: If you want to allow other users to run Cloud Assistant commands on ECS instances, you can modify or add usernames in the Condition element.
The following policy allows Cloud Assistant commands to be run on ECS instances as any user except the root user or system user. The StringNotEqualsIgnoreCase operator compares the username case-insensitively, so variants such as SYSTEM or Root are also excluded:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTagKeys",
        "ecs:DescribeTags",
        "ecs:CreateCommand",
        "ecs:DescribeCommands",
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:StopInvocation",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:InstallCloudAssistant"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/*"
      ],
      "Condition": {
        "StringNotEqualsIgnoreCase": {
          "ecs:CommandRunAs": [
            "system",
            "root"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Note: If you want to prevent other users from running Cloud Assistant commands on ECS instances, you can modify or add usernames in the Condition element.
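The two commandUserPolicy variants above (the user01/user02 allow list in both the Linux and Windows sections, and the root/system exclusion) differ in how the ecs:CommandRunAs condition is evaluated. The following added example, which is not part of this topic and not Alibaba Cloud's RAM engine, models just those two condition operators so that you can check how a given Username value would be treated. It assumes that a request which omits Username resolves to the default account the topic describes (root on Linux, system on Windows); the Action lists are trimmed and Resource is not evaluated.

```python
import json

# Condition blocks copied from the two commandUserPolicy examples in this topic.
# The Action list is trimmed to the two actions exercised here; Resource is not
# evaluated by this model.
ALLOW_LIST_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ecs:RunCommand", "ecs:InvokeCommand"],
  "Condition": {"StringEquals": {"ecs:CommandRunAs": ["user01", "user02"]}}}]}
""")
EXCLUDE_PRIVILEGED_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ecs:RunCommand", "ecs:InvokeCommand"],
  "Condition": {"StringNotEqualsIgnoreCase": {"ecs:CommandRunAs": ["system", "root"]}}}]}
""")

# Assumption: a request that omits Username runs as the default account the
# topic describes (root on Linux, system on Windows), so that is the value the
# condition key takes in this model.
DEFAULT_RUN_AS = {"linux": "root", "windows": "system"}


def _condition_matches(operator, expected, actual):
    """Evaluate the two RAM string operators the topic's policies use."""
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEqualsIgnoreCase":
        return actual.lower() not in {v.lower() for v in expected}
    raise ValueError(f"operator not modelled: {operator}")


def is_allowed(policy, action, run_as, os_type="linux"):
    """Return True if any Allow statement matches the action and every
    condition on ecs:CommandRunAs holds for the resolved run-as user."""
    run_as = DEFAULT_RUN_AS[os_type] if run_as is None else run_as
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, keys["ecs:CommandRunAs"], run_as)
               for op, keys in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    for user in ("user01", "User01", "root", "ROOT", None):
        print(user, is_allowed(ALLOW_LIST_POLICY, "ecs:RunCommand", user),
              is_allowed(EXCLUDE_PRIVILEGED_POLICY, "ecs:RunCommand", user))
```

Running it shows the practical difference: the allow list is case-sensitive (User01 is rejected) and admits nothing else, while the exclusion form admits every username other than root or system in any letter case, so the allow-list form is the tighter choice when the set of service accounts is known.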
Policy that includes permissions on KMS:
Create a policy named kmsPolicy that contains the following content. For more information, see the Examples of RAM policies section of the "Use RAM to control access to KMS resources" topic.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Grant the RAM user permissions on ECS, OOS, Cloud Assistant, and KMS. For more information, see Grant permissions to a RAM user.
To grant the RAM user read-only permissions on ECS, select AliyunECSReadOnlyAccess.
To grant the RAM user read-only permissions on OOS, select AliyunOOSReadOnlyAccess.
To grant the RAM user permissions on Cloud Assistant, select the commandUserPolicy policy that you created in the previous step.
To grant the RAM user permissions on KMS, select the kmsPolicy policy that you created in the previous step.
Configure a RAM role for the Windows instance so that the Cloud Assistant Agent on the instance can read the hosted password.
Create a policy. For more information, see Create custom policies.
Sample policy that grants only the permissions needed to read the encrypted parameter:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:GetSecretValue"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oos:GetSecretParameter"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
The following table describes the parameters that are required to create a RAM role (Parameter: Example).
Select Trusted Entity: Select Alibaba Cloud Service.
Role Type: Select Normal Service Role.
RAM Role Name: AxtSecretRamRole
Select Trusted Service: Select Elastic Compute Service from the drop-down list.
Grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.
Attach the RAM role to the ECS instance. For more information, see Grant ECS access to resources of other Alibaba Cloud services by using instance RAM roles.
Create encrypted parameters in OOS to host the logon passwords for the Windows instance. For more information, see the Create an encrypted parameter section of the "Encrypted parameters" topic.
Note: The encrypted parameters must be located in the same region as the ECS instance. Otherwise, the logon password for the ECS instance cannot be hosted in OOS.
The following table describes how to create an encrypted parameter to host the password of a user (Parameter: Example). In this example, user01 is used.
Parameter Name: axtSecretPassword
KMS Key ID: Select Default Service CMK.
Value: The logon password for the Windows instance. In this example, enter the logon password of user01.
Log on to the Alibaba Cloud Management Console as the RAM user.
Run a Cloud Assistant command and verify the result. For more information, see Create and run a command.
Run a Cloud Assistant command on the Windows instance and check whether the permission settings take effect.
The following figure shows the procedure that is performed in the ECS console. You must specify the username and password parameters.
user01 can run the Cloud Assistant command, and an error is reported when the system user runs the command.
The following figure shows the procedure that is performed by using the CLI. user01 can run the Cloud Assistant command, and an error is reported when the system user runs the command.