Apono Connector for AWS

How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono

Overview

To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.

The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.

  • To manage access to a single AWS account, install a connector on that account. Follow this guide.

  • To manage access to all the accounts in the AWS organization:

    • Install a connector on the management account. Follow this guide. OR

    • Install a connector in any account with ECS or EKS and give it delegated permissions to the management account. Follow this guide.

What's a connector? What makes it so secure?

The Apono Connector is an on-premises component, deployed in your own environment, that connects your resources to Apono while keeping the Apono web app separated from the environment for maximal security.

Read more about the recommended AWS Installation Architecture.

How to install the Connector

First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).

Now, follow one of the guides below depending on your selection:

AWS Account Connector

Prerequisites

  • Administrator permissions to the AWS account you want to connect.

  • VPC with outbound connectivity

1. In Apono

  1. Log in to the Apono platform

  2. Go to the Apono Integrations page

  3. From the Catalog, pick AWS

  4. Install a new connector in AWS. Read more here.

2. In CloudFormation

  1. Choose CloudFormation

  2. Click "Open Cloud Formation"

  3. Sign in to your AWS user and click Next

  4. Within the AWS create stack page, scroll down

  5. Make sure you pick at least one Subnet and one VPC from the dropdown lists

  6. Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations, including a Cross Account Role with Read permission, an SNS notification message, and the Apono Connector, which runs on AWS ECS on Fargate.

AWS Organization Connector on the management account

Prerequisites

  • Administrator permissions to the AWS management account in the Organization.

  • VPC with outbound connectivity.

1. In Apono

  1. Log in to the Apono platform

  2. Go to the Apono Integrations page

  3. From the Catalog, pick AWS

2. In CloudFormation

  1. Click "Open Cloud Formation"

  2. Sign in to your AWS user and click Next

  3. The new stack should be installed in the management account (which manages the organization's Identity Center)

  4. Within the AWS create stack page, scroll down

  5. Make sure you pick at least one Subnet and one VPC from the dropdown lists

  6. Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations, including a Cross Account Role with Read permission, an SNS notification message, and the Apono Connector, which runs on AWS ECS on Fargate.

Finally, verify that "trusted access" is activated for your organization. Read more here.

Connector with delegated permissions to the AWS management account

Prerequisites

  • Administrator permissions to the AWS management account in the Organization

  • For EKS: admin permissions on the cluster

Step 1: Deploy a connector in an AWS account

Using CloudFormation (ECS)

  1. Open CloudFormation in the member account you want to deploy to.

  2. Fill in the SubnetIDs and VpcId parameters.

  3. Create the stack and wait for it to finish.

  4. Copy the connector role from the "Outputs" tab.

Using Helm (EKS)

  1. Create an AWS role for the connector. Follow step 3 in this guide.

  2. Set the following environment variables to define the AWS Role for the connector deployed in EKS:

export AWS_ACCOUNT_ID=
export AWS_ROLE_NAME=
export CONNECTOR_TOKEN=
export CONNECTOR_ID=

Where:

AWS_ACCOUNT_ID is the account where the EKS deployment is hosted

AWS_ROLE_NAME is the role defined for the connector in step 1

CONNECTOR_TOKEN is the token generated in the Apono UI when creating a new connector


CONNECTOR_ID is the connector name. Set any name of your choosing.

  3. Run the following helm command to deploy the connector:

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$CONNECTOR_TOKEN \
    --set-string apono.connectorId=$CONNECTOR_ID \
    --set serviceAccount.awsRoleAccountId=$AWS_ACCOUNT_ID \
    --set serviceAccount.awsRoleName=$AWS_ROLE_NAME \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

  4. Copy the role given to the connector (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME)
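A preflight check for the Helm (EKS) steps above and for the ConnectorRoleArn value used in Step 2. This is an added example, not part of the Apono documentation or Helm chart: it validates the four exported variables (12-digit account ID, IAM role name character set, and an assumed lowercase DNS-label-style CONNECTOR_ID) and builds the connector role ARN before helm runs, so a typo is caught locally instead of as a failed role assumption later.

```bash
#!/usr/bin/env bash
# Added example (not Apono's code): validate the guide's variables and
# derive the connector role ARN that Step 2 pastes into ConnectorRoleArn.

# Returns 0 if $1 is exactly 12 decimal digits (an AWS account ID).
valid_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
  esac
}

# IAM role names: 1-64 characters from [A-Za-z0-9+=,.@_-].
valid_role_name() {
  [ -n "$1" ] && [ "${#1}" -le 64 ] || return 1
  case "$1" in *[!A-Za-z0-9+=,.@_-]*) return 1 ;; *) return 0 ;; esac
}

# Assumption for this example: the connector ID is kept DNS-label safe
# (lowercase alphanumerics and hyphens, no leading/trailing hyphen, <= 63).
valid_connector_id() {
  [ -n "$1" ] && [ "${#1}" -le 63 ] || return 1
  case "$1" in
    -*|*-) return 1 ;;
    *[!a-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints arn:aws:iam::<account>:role/<role> after validating both parts.
connector_role_arn() {
  valid_account_id "$1" || { echo "invalid AWS account id: $1" >&2; return 1; }
  valid_role_name "$2" || { echo "invalid IAM role name: $2" >&2; return 1; }
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Checks all four exported variables; on success prints the role ARN.
preflight() {
  [ -n "$CONNECTOR_TOKEN" ] || { echo "CONNECTOR_TOKEN is empty" >&2; return 1; }
  valid_connector_id "$CONNECTOR_ID" || { echo "invalid CONNECTOR_ID: $CONNECTOR_ID" >&2; return 1; }
  connector_role_arn "$AWS_ACCOUNT_ID" "$AWS_ROLE_NAME"
}
```

Run `preflight` after the `export` lines and before `helm install`; a non-zero exit means one of the variables needs fixing.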

Interested in HA for the connector?

Pass this value to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Read more here.

Step 2: Deploy roles in the Management Account (assumable by the connector)

  1. Open CloudFormation in the AWS Management account using this link.

  2. In the "ConnectorRoleArn" parameter, paste the connector role from the previous step.

  3. Fill in the "OrganizationalUnitId" parameter.

  4. Create the stack and wait for it to finish.

  5. Copy the Management Account Role ARN from the "Outputs" tab.

Results

Verify that the StackSet was created successfully and that CloudFormation has finished.

Then, in the Apono app, you will see that the connector was found, with a green checkmark indication.
