Apono Connector for AWS
How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono
To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.
The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.
To manage access to a single AWS account, install a connector on that account (see the single-account guide below).
To manage access to all the accounts in the AWS organization, do one of the following:
Install a connector on the management account (see the management-account guide below), OR
Install a connector in any account with ECS or EKS and give it permission to assume a role in the management account (see the member-account guide below).
First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).
Now, follow one of the guides below depending on your selection:
Single AWS account
Prerequisites: administrator permissions to the AWS account you want to connect, and a VPC with outbound connectivity.
Log in to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Choose Cloudformation
Click "Open Cloud Formation"
Sign in to AWS and click Next
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack
Apono integrates with AWS natively, using AWS CloudFormation as the standard mechanism to deploy all required configuration, including a cross-account role with read permission, an SNS notification message, and the Apono Connector, which runs on AWS ECS on Fargate.
Entire organization, connector in the management account
Prerequisites: administrator permissions to the AWS management account in the organization, and a VPC with outbound connectivity.
Log in to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Click "Open Cloud Formation"
Sign in to AWS and click Next
The new stack must be installed in the management account (the account that manages the organization's Identity Center).
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack
Apono integrates with AWS natively, using AWS CloudFormation as the standard mechanism to deploy all required configuration, including a cross-account role with read permission, an SNS notification message, and the Apono Connector, which runs on AWS ECS on Fargate.
Entire organization, connector in a member account (ECS or EKS)
Prerequisites: administrator permissions to the AWS management account in the organization; for EKS, admin permissions on the cluster.
Using CloudFormation (ECS)
Follow the link to open the CloudFormation template in the member account you want to deploy to.
Fill in the SubnetIDs and VpcId parameters.
Click Create stack and wait for it to finish.
Copy the connector role from the "Outputs" tab and the connector ID from the "Parameters" tab. Both are required for the next step.
Using Helm (EKS)
Set the following environment variables; they define the AWS role used by the connector deployed in EKS.
Where:
AWS_ACCOUNT_ID is the account where the EKS deployment is hosted.
AWS_ROLE_NAME is the role defined for the connector in step 1.
CONNECTOR_TOKEN is the token generated in the Apono UI when creating a new connector.
CONNECTOR_ID is the connector name. Set any name of your choosing.
Run the following helm command to deploy the connector.
Copy the role given to the connector (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME).
Interested in HA for the connector?
Add this flag to the helm command to run one or more replicas of the Apono connector instance:
--set-string replicaCount=<number_of_replicas>
Purpose: the connector will assume this role in order to manage the entire AWS organization.
For the "AponoConnectorId" and "ConnectorRoleArn" parameters, paste the values copied in the previous step.
Fill in the "OrganizationalUnitId" parameter. You can find it under AWS Organizations.
Create the stack and wait for it to finish.
Verify that the StackSet was created successfully and that CloudFormation finished.
Then, in the Apono app, you will see that the connector was found, with a green checkmark indication.
Hurray!
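The connector role ARN quoted in the Helm step and the management-account role the connector assumes, as an added shell example (this is not Apono's own code, Helm chart or CloudFormation template): it validates the AWS_ACCOUNT_ID and AWS_ROLE_NAME values before they are handed to helm, builds the connector role ARN in the form shown above, and prints a trust policy that lets only that one connector role call sts:AssumeRole in the management account, rather than trusting the whole member account. The account id and role name used in the usage line are constructed placeholders, and the trust-policy shape is an assumption about what such a policy looks like, not a copy of Apono's template.

```shell
#!/bin/sh
# Added example, not Apono's code. Validates the connector's AWS identity
# values, builds the role ARN (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME)
# and emits a narrowly scoped trust policy for the management-account role.
set -eu

# Returns 0 if the value is a 12-digit AWS account id, 1 otherwise.
valid_account_id() {
  case "$1" in
    ????????????) ;;            # exactly 12 characters
    *) return 1 ;;
  esac
  case "$1" in
    *[!0-9]*) return 1 ;;       # any non-digit character
  esac
  return 0
}

# Returns 0 if the value follows IAM's role-name rules (1 to 64 characters
# drawn from alphanumerics and + = , . @ _ -), 1 otherwise.
valid_role_name() {
  [ -n "$1" ] || return 1
  [ "${#1}" -le 64 ] || return 1
  case "$1" in
    *[!A-Za-z0-9+=,.@_-]*) return 1 ;;
  esac
  return 0
}

# Builds the connector role ARN from AWS_ACCOUNT_ID and AWS_ROLE_NAME,
# refusing values that cannot form a valid ARN.
connector_role_arn() {
  valid_account_id "$1" || { echo "invalid AWS_ACCOUNT_ID: $1" >&2; return 1; }
  valid_role_name "$2"  || { echo "invalid AWS_ROLE_NAME: $2" >&2; return 1; }
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Emits a trust policy for the role created in the management account.
# Only the single connector role ARN is allowed to assume it (assumption
# about the policy shape; Apono's own template may differ).
trust_policy_for() {
  arn=$(connector_role_arn "$1" "$2") || return 1
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"%s"},"Action":"sts:AssumeRole"}]}\n' "$arn"
}

# Usage: sh connector_role.sh 123456789012 ExampleConnectorRole
# (constructed placeholder values; use your own AWS_ACCOUNT_ID and AWS_ROLE_NAME)
if [ "$#" -eq 2 ]; then
  connector_role_arn "$1" "$2"
  trust_policy_for "$1" "$2"
fi
```

Run the validation before the helm command so a typo in AWS_ACCOUNT_ID or AWS_ROLE_NAME fails here, in your shell, rather than as a connector that silently cannot assume the management-account role later.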
Summary of the choices above:
Pick Account: install a new connector in AWS and choose the desired deployment method.
Pick Organization: choose CloudFormation, verify that "trusted access" is activated for your organization, create an AWS role for the connector (step 3 of the member-account guide), and open CloudFormation in the AWS management account.
You can now start managing JIT access to your AWS resources with Apono.