Apono Connector for AWS
How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono
Overview
To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.
The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.
To manage access to a single AWS account, install a connector on that account. Follow this guide.
To manage access to all the accounts in the AWS organization:
Install a connector on the management account. Follow this guide. OR
Install a connector in any account with ECS or EKS and give it delegated permissions to the management account. Follow this guide.
What's a connector? What makes it so secure?
The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.
Read more about the recommended AWS Installation Architecture.
How to install the Connector
First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).
Now, follow one of the guides below depending on your selection:
AWS Account Connector
Prerequisites
Administrator permissions to the AWS account you want to connect.
VPC with outbound connectivity
1. In Apono
Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Pick Account
Install a new connector in AWS. Read more here.
Choose the desired deployment method
2. In CloudFormation
Choose Cloudformation
Click "Open Cloud Formation"
Sign in to your AWS user and click Next
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack
Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations including a Cross Account Role with Read permission, a SNS notification message, and the Apono Connector that runs using an AWS ECS on Fargate.
AWS Organization Connector on the management account
Prerequisites
Administrator permissions to the AWS management account in the Organization.
VPC with outbound connectivity.
1. In Apono
Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Pick Organization
Choose Cloudformation
2. In CloudFormation
Click "Open Cloud Formation"
Sign in to your AWS user and click Next
The new stack should be installed in the management account (which manages the organization's Identity Center)
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack
Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations including a Cross Account Role with Read permission, a SNS notification message, and the Apono Connector that runs using an AWS ECS on Fargate.
Verify that "trusted access" is activated for your organization. Read more here.
Connector with delegated permissions to the AWS management account
Prerequisites
Administrator permissions to the AWS management account in the Organization
For EKS: admin permissions on the cluster
Step 1: Deploy a connector in an AWS account
Using CloudFormation (ECS)
Open the CloudFormation in the member account you want to deploy at.
Fill the SubnetIDs, VpcId parameters
Create stack, and wait to finish
Copy the connector role from the "Outputs" tab
Using Helm (EKS)
Create an AWS role for the connector. Follow step 3 in this guide.
Set the following environment variables, to set the AWS Role for the connector deployed in EKS.
Where:
AWS_ACCOUNT_ID
is the account where the EKS deployment is hosted
AWS_ROLE_NAME
is the role defined for the connector in step 1
CONNECTOR_TOKEN
is the token generated in the Apono UI when creating a new connector
[block:image] { "images": [ { "image": [ "https://files.readme.io/78e94c2-image.png", null, "" ], "align": "center", "sizing": "300px" } ] } [/block]
CONNECTOR_ID
is the connector name. Set any name of your choosing.
Run the following helm command to deploy the connector
Copy the role given to the connector (
arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME
)
Interested in HA for the connector?
Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:
--set-string replicaCount=<number_of_replicas>
Read more here.
Step 2: Deploy roles in the Management Account (assumable by the connector)
Open CloudFormation in the AWS Management account using this link.
In "ConnectorRoleArn" parameter, paste the connector role from the previous step.
Fill the "OrganizationalUnitId" parameter.
Create stack, and wait to finish.
Copy the Management Account Role ARN from the "Outputs" tab.
Results
Verify that the Stackset was created successfully and that Cloudformation finished.
Then, In the Apono app, you will see the connector was found and a green checkmark indication.
Hurray!
You can now integrate an AWS Account or Organization!
Last updated