Apono Connector for AWS

How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono

Overview

To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.

The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.

  • To manage access to a single AWS account, install a connector on that account. Follow this guide.

  • To manage access to all the accounts in the AWS organization:

    • Install a connector on the management account. Follow this guide. OR

    • Install a connector in any account with ECS or EKS and give it assumable permissions to the management account. Follow this guide.


What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

Read more about the recommended AWS Installation Architecture.

First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).

Follow the guides below depending on your selection.


AWS Account connector

Prerequisites

  • Administrator permissions to the AWS account you want to connect.

  • VPC with outbound connectivity

1. In Apono

  1. Login to the Apono platform

  2. Go to the Apono Integrations page

  3. From the Catalog, pick AWS

  4. Pick Account

  5. Install a new connector in AWS. Read more here.

  6. Choose the desired deployment method

2. In CloudFormation

  1. Choose CloudFormation

  2. Click "Open Cloud Formation"

  3. Sign in to your AWS account and click Next

    1. Within the AWS create stack page, scroll down

    2. Make sure you pick at least one Subnet and one VPC from the dropdown lists

    3. Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configuration, including a Cross Account Role with Read permission, an SNS notification message, and the Apono Connector, which runs on AWS ECS on Fargate.


AWS Organization connector on the Management account

Prerequisites

  • Administrator permissions to the AWS management account in the Organization.

  • VPC with outbound connectivity.

1. In Apono

  1. Login to the Apono platform

  2. Go to the Apono Integrations page

  3. From the Catalog, pick AWS

  4. Pick Organization

  5. Choose Cloudformation

2. In CloudFormation

  1. Click "Open Cloud Formation"

  2. Sign in to your AWS account and click Next

    1. The new stack should be installed in the management account (which manages the organization's Identity Center)

    2. Within the AWS create stack page, scroll down

    3. Make sure you pick at least one Subnet and one VPC from the dropdown lists

    4. Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configuration, including a Cross Account Role with Read permission, an SNS notification message, and the Apono Connector, which runs on AWS ECS on Fargate.

  3. Verify that "trusted access" is activated for your organization. Read more here.


Connector with IAM role permissions for AWS Organization management

You can install a connector with assumable permissions to the AWS Management account using either AWS Elastic Container Service (ECS) or Elastic Kubernetes Service (EKS) in CloudFormation.

Once installed, the connector syncs data from cloud applications and enables you to manage access permissions through access flows within Amazon ECS or EKS.

Prerequisites

  • AdministratorAccess Policy: AWS role with the AdministratorAccess policy providing full access to AWS services and resources. Full AWS access is not granted to Apono.

  • OrganizationID: Unique identifier of the AWS Organization that will be connected via the integration (ex. o-k012345a67). Follow these steps to find your OrganizationID:

    1. In your AWS console settings, click Organization. The AWS accounts page appears.

    2. In the left navigation, click Settings. The Settings page appears.

    3. Under Organization details, copy your OrganizationID.

  • OrganizationUnitID: Root ID for the AWS Organization Unit that will be connected via the integration (ex. r-1a2b). Follow these steps to obtain your OrganizationUnitID:

    1. In your IAM Identity Center, expand Multi-account permissions.

    2. Click AWS accounts. The AWS accounts page appears.

    3. In the Organizational structure section, copy the ID from the Root folder. This is the parent organizational unit for all accounts in your organization.

  • VPC: Virtual Private Cloud (VPC) with outbound connectivity

  • Subnet: One or more Subnet IDs within the selected VPC where the connector resources will run

  • Permission: Full access (Manage IAM) permissions to enable the connector to create and manage the required IAM resources during deployment

Install the connector

Installing the connector in Apono

Follow these steps to enable the connector to manage the entire AWS Organization:

  1. On the Connectors page, click Install Connector. The Install Connector page appears.

  2. Under Select connector installation strategy, click Cloud installation > AWS. The permission options appear.

  3. Click No, Just Install the Connector. The installation methods appear.

  4. Click the CloudFormation (ECS) or CloudFormation (EKS) installation method.

  5. Finish installing the connector in CloudFormation for your AWS Account.

  6. Once the connector is installed, copy the following values from CloudFormation:

    • AponoConnectorRoleArn: On the Outputs tab, copy the Value for the AponoConnectorRoleArn key.

    • AponoConnectorId: On the Parameters tab, copy the Value for the AponoConnectorId key.

  7. Open CloudFormation with your Management account. The Quick create stack page appears.

  8. Under Parameters, enter values for the following fields:

    1. AponoConnectorId: Value copied in step 6.

    2. ConnectorRoleArn: Value copied in step 6.

    3. OrganizationId: Organization ID copied during the prerequisites.

    4. OrganizationUnitId: Root ID copied during the prerequisites.

    5. From the Permissions dropdown menu, select Full-Access (Manage IAM).

  9. Under Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources with custom names.

  10. Click Create stack.

  11. (Optional) On the Outputs tab, copy the Value for the ManagementAccountRoleArnOutput.


When integrating an AWS Organization, you can paste the ManagementAccountRoleArnOutput value in the Integration Config settings to use the connector.

  12. On the Connectors page, verify that the connector has been deployed.

  13. (Optional) Follow the steps to integrate an AWS organization.
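The hand-off between the two stacks above (copy AponoConnectorRoleArn and AponoConnectorId from the connector stack, then feed them together with the Organization and Root IDs into the management-account stack) is easy to get wrong by pasting the wrong ID type. The following is an added example, not Apono's or AWS's own code: it reads a constructed `describe-stacks` style document, validates the ID formats, builds the parameter list named on this page, and renders the trust policy a management-account role would need so that only that one connector role can assume it. The stack name, account number and ARNs are placeholders, and the trust policy is an assumed least-privilege pattern, not the one the Apono template generates.

```python
import re

# Constructed sample of what `aws cloudformation describe-stacks` returns for the
# connector stack; every identifier here is a placeholder, not a real value.
CONNECTOR_STACK = {
    "Stacks": [{
        "StackName": "apono-connector-example",
        "Parameters": [
            {"ParameterKey": "AponoConnectorId", "ParameterValue": "example-connector-id"},
            {"ParameterKey": "VpcId", "ParameterValue": "vpc-0example"},
        ],
        "Outputs": [
            {"OutputKey": "AponoConnectorRoleArn",
             "OutputValue": "arn:aws:iam::111111111111:role/example-apono-connector-role"},
        ],
    }]
}

ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")   # e.g. o-k012345a67 (page's example)
ROOT_ID_RE = re.compile(r"^r-[a-z0-9]{4,32}$")   # e.g. r-1a2b (page's example)
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def connector_values(describe_stacks):
    """Step 6: AponoConnectorId from the Parameters tab, AponoConnectorRoleArn from Outputs."""
    stack = describe_stacks["Stacks"][0]
    params = {p["ParameterKey"]: p["ParameterValue"] for p in stack.get("Parameters", [])}
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    return params["AponoConnectorId"], outputs["AponoConnectorRoleArn"]

def management_stack_parameters(connector_id, role_arn, org_id, root_id):
    """Step 8: parameters for the management-account quick-create stack, rejecting swapped IDs."""
    if not ORG_ID_RE.match(org_id):
        raise ValueError(f"OrganizationId must look like o-k012345a67, got {org_id!r}")
    if not ROOT_ID_RE.match(root_id):
        raise ValueError(f"OrganizationUnitId must be the root ID like r-1a2b, got {root_id!r}")
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"ConnectorRoleArn is not an IAM role ARN: {role_arn!r}")
    # The Permissions dropdown (Full-Access (Manage IAM)) is chosen in the console; its
    # template parameter key is not documented on the page, so it is left out here.
    return [
        {"ParameterKey": "AponoConnectorId", "ParameterValue": connector_id},
        {"ParameterKey": "ConnectorRoleArn", "ParameterValue": role_arn},
        {"ParameterKey": "OrganizationId", "ParameterValue": org_id},
        {"ParameterKey": "OrganizationUnitId", "ParameterValue": root_id},
    ]

def trust_policy(connector_role_arn):
    """Assumed pattern: the management-account role trusts exactly one principal, the connector role."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": connector_role_arn}, "Action": "sts:AssumeRole"}]}
```

Checking the deployed role's trust policy against `trust_policy(...)` after step 10 is a quick way to confirm no broader principal (such as an account root) was granted assume rights.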
