Securing Bastion
This topic provides security information and recommendations for Bastion.
Oracle Cloud Infrastructure Bastion provides restricted and time-limited access to target resources that don't have public endpoints. Bastions let authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. When connected, users can interact with the target resource by using any software or protocol supported by SSH. For example, you can use the Remote Desktop Protocol (RDP) to connect to a Windows host, or use Oracle Net Services to connect to a database.
Security Responsibilities
To use Bastion securely, learn about your security and compliance responsibilities.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Your security responsibilities are described on this page, which include the following areas:
- Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
- Network Security: Limit the nodes in your cloud network that can access bastions.
- Host Security: Configure SSH on clients and target instances for maximum security.
Initial Security Tasks
Use this checklist to identify the tasks you perform to secure Bastion in a new Oracle Cloud Infrastructure tenancy.
Task | More Information |
---|---|
Use IAM policies to grant access to users and resources | IAM Policies |
When creating bastions, restrict network access | Network Security |
Routine Security Tasks
After getting started with Bastion, use this checklist to identify security tasks that we recommend you perform regularly.
Task | More Information |
---|---|
Integrate target instances with IAM | Access Control |
Secure communication between clients and bastions | Data Encryption |
Configure the SSH server on target instances for maximum security | Hardening |
Perform a security audit | Auditing |
IAM Policies
Use policies to limit access to Bastion.
A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.
Assign a group the least privileges that are required to perform their responsibilities. Each policy has a verb that describes what actions the group is allowed to do. From the least amount of access to the most, the available verbs are: inspect
, read
, use
, and manage
.
Bastion supports policy variables to further restrict access to bastions, including:
target.bastion-session.username
- Restrict access to specific POSIX operating system user names when creating a session that connects to a compute instance.target.resource.ocid
- Restrict access to specific compute instances when creating a session.
We recommend that you restrict access to the
opc
user (and ubuntu
user in Ubuntu platform images) because by default, it has sudoer
capabilities on Oracle Cloud Infrastructure platform images.We recommend that you give DELETE
permissions to a minimum set of IAM users and groups. This practice minimizes loss of data from inadvertent deletes by authorized users or from malicious actors. Only give DELETE
permissions to tenancy and compartment administrators.
Allow users in the group SecurityAdmins
to create, update, and delete all Bastion resources in the entire tenancy:
Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy
Allow users in the group BastionUsers
to create, connect to, and terminate sessions in the entire tenancy:
Allow group BastionUsers to use bastion in tenancy
Allow group BastionUsers to manage bastion-session in tenancy
Allow group BastionUsers to manage virtual-network-family in tenancy
Allow group BastionUsers to read instance-family in tenancy
Allow group BastionUsers to read instance-agent-plugins in tenancy
Allow group BastionUsers to inspect work-requests in tenancy
Allow users in the group SalesAdmins
to create, connect to, and terminate sessions for a specific target host in the compartment SalesApps
:
Allow group SalesAdmins to use bastion in compartment SalesApps
Allow group SalesAdmins to manage bastion-session in compartment SalesApps where ALL {target.resource.ocid='<instance_OCID>'}
Allow group SalesAdmins to manage virtual-network-family in compartment SalesApps
Allow group SalesAdmins to read instance-family in compartment SalesApps
Allow group SalesAdmins to read instance-agent-plugins in compartment SalesApps
Allow group SalesAdmins to inspect work-requests in tenancy
Allow users in the group SalesAdmins
to create, connect to, and terminate sessions in the compartment SalesApps
and with the user opc
:
Allow group SalesAdmins to use bastion in compartment SalesApps
Allow group SalesAdmins to manage bastion-session in compartment SalesApps where ALL {target.bastion-session.username in ('opc')}
Allow group SalesAdmins to manage virtual-network-family in compartment SalesApps
Allow group SalesAdmins to read instance-family in compartment SalesApps
Allow group SalesAdmins to read instance-agent-plugins in compartment SalesApps
Allow group SalesAdmins to inspect work-requests in tenancy
Allow any user to create, connect to, and terminate sessions in the compartment HRProd
, but only if they specify a user name that exactly matches their IAM user name:
Allow any-user to manage bastion-session in compartment HRProd where ALL {target.bastion-session.username=request.user.name}
For more information about Bastion policies and to view more examples, see Bastion Policies.
Access Control
In addition to creating IAM policies, follow these additional best practices for securing access to the targets that you connect to with Bastion.
Enable Multifactor Authentication (MFA)
The Pluggable Authentication Module (PAM) allows you to integrate target Linux instances with IAM to perform end-user authentication with first and second factor authentication.
End users can log in to a Linux server using SSH and authenticate with their IAM user credentials. In addition, you can use the multi-factor authentication capabilities of IAM. With MFA, end users are prompted to authenticate with a second factor such as a One Time Password code sent using Email, SMS, a Mobile Authenticator application, or authenticate using security questions.
- Before configuring PAM and MFA, verify that the instance's SSH configuration meets the minimum requirements for Bastion. Refer to the section SSH Server is Not Configured Properly on Target Instance in Troubleshooting Bastion.
- Install and configure PAM on the instance, and then enable MFA. See Enabling MFA to Authentication into Linux.
Data Encryption
Follow these best practices for using SSH to encrypt communication between clients and bastions.
Use a FIPS Certified Module
We recommend that you use the OpenSSH 7.6 client with Federal Information Processing Standard (FIPS) protection for all client operating systems.
For more details, see the OpenSSL FIPS documentation and the Cryptographic Module Validation Program.
The Oracle Linux 7.8 OpenSSH Client Cryptographic Module has not received FIPS certification yet. See Oracle FIPS Certifications.
By default, RSA key pairs are not supported in the OpenSSH client version 8 and greater. To enable RSA key pairs, you must add the following stanza to your SSH configuration.
Host *
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
For more details, see the OpenSSH release notes.
Don't Reuse SSH Key Pairs for Sessions
Regenerate a new ephemeral SSH key pair for each new bastion session.
Do not reuse previously generated key pairs. Create new key pairs for both port forwarding and managed SSH session types.
Network Security
Secure network access to the resources that you connect to using Bastion.
When creating a bastion, use CIDR block allowlist to specify one or more address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion.
A more limited address range offers better security. Do not specify an open CIDR range like 0.0.0.0/0
.
Hardening
Configure the SSH server on target compute instances for maximum security.
We recommend that you update the default values for these settings in /etc/ssh/sshd_config
.
Setting | Description |
---|---|
MaxAuthTries |
Specifies the maximum number of authentication attempts permitted per connection. After the number of failures reaches half this value, failures are logged. |
ClientAliveCountMax |
Sets the number of client alive messages which can be sent without receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, the server disconnects the client, terminating the session. |
ClientAliveInterval |
Sets a timeout interval in seconds after which if no data has been received from the client, the server will send a message through the encrypted channel to request a response from the client. |
Auditing
Locate access logs and other security data for Bastion.
The Audit service automatically records all API calls to Oracle Cloud Infrastructure resources. You can achieve your security and compliance goals by using the Audit service to monitor all user activity within your tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included. Audit records are available through an authenticated, filterable query API or they can be retrieved as batched files from Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as source IP, user agent, and HTTP headers of the request. See Viewing Audit Log Events.
The following is an excerpt from a log entry for the creation of a new bastion session.
{
"datetime": 1651547126164,
"logContent": {
"data": {
"additionalDetails": {
"X-Real-Port": 58181,
"bastionId": "ocid1.bastion.oc1.<unique_id>",
"bastionName": "mybastion",
"displayName": "mysession",
"lifecycleState": "CREATING",
"sessionId": "ocid1.bastionsession.oc1.<unique_id>",
"sessionType": "MANAGED_SSH",
"targetResourceDisplayName": "mylinuxinstance",
"targetResourceId": "ocid1.instance.oc1.<unique_id>",
"targetResourceOperatingSystemUserName": "opc",
"targetResourcePort": "22",
"targetResourcePrivateIpAddress": "<target_ip_address>"
},
"availabilityDomain": "AD2",
"compartmentId": "ocid1.compartment.oc1..<unique_id>",
"compartmentName": "mycompartment",
"definedTags": null,
"eventGroupingId": "ocid1.bastionworkrequest.oc1.<unique_id>",
"eventName": "CreateSession",
"freeformTags": null,
"identity": {
"authType": "natv",
"callerId": null,
"callerName": null,
"consoleSessionId": "<unique_id>",
"credentials": "<unique_id>",
"ipAddress": "<source_ip>",
"principalId": "ocid1.user.oc1..<unique_id>",
"principalName": "<user_id>",
"tenantId": "ocid1.tenancy.oc1..<unique_id>",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
},
"message": "Session-20220502-2304 CreateSession succeeded",
...
}
}
If you enabled Cloud Guard in your tenancy, then it reports any user activities that are potential security concerns. Upon detecting a problem, Cloud Guard suggests corrective actions. You can also configure Cloud Guard to automatically take certain actions. See Getting Started with Cloud Guard and Processing Reported Problems.