Apono Connector for AWS

How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono

Overview

To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.

The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.

To manage access to a single AWS account, install a connector on that account. Follow this guide.
To manage access to all the accounts in the AWS organization:
- Install a connector on the management account. Follow this guide. OR
- Install a connector in any account with ECS or EKS and give it assumable permissions to the management account. Follow this guide.

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

Read more about the recommended AWS Installation Architecture.

How to install the Connector

First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).

Now, follow one of the guides below depending on your selection:

AWS Account Connector

Prerequisites

Administrator permissions to the AWS account you want to connect.
VPC with outbound connectivity

1. In Apono

Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Install a new connector in AWS. Read more here.

2. In CloudFormation

Choose Cloudformation
Click "Open Cloud Formation"
Sign in to your AWS user and click Next

Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations including a Cross Account Role with Read permission, a SNS notification message, and the Apono Connector that runs using an AWS ECS on Fargate.

AWS Organization Connector on the management account

Prerequisites

Administrator permissions to the AWS management account in the Organization.
VPC with outbound connectivity.

1. In Apono

Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS

2. In CloudFormation

Click "Open Cloud Formation"
Sign in to your AWS user and click Next

The new stack should be installed in the management account (which manages the organization's Identity Center)
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack

Verify that "trusted access" is activated for your organization. Read more here.

Connector with assumable permissions to the AWS management account

Prerequisites

Administrator permissions to the AWS management account in the Organization
For EKS: admin permissions on the cluster

Step 1: Deploy a connector in an AWS account

Using CloudFormation (ECS)

Follow the link to open the CloudFormation in the member account you want to deploy.
Fill the SubnetIDs, VpcId parameters.
Click Create stack, and wait to finish.
Copy the connector role from the "Outputs" tab and the connector ID from the "Parameters" tab. These will be required for the next step.

Using Helm (EKS)

Create an AWS role for the connector. Follow step 3 in this guide.
Set the following environment variables, to set the AWS Role for the connector deployed in EKS.

export AWS_ACCOUNT_ID=  
export AWS_ROLE_NAME=
export CONNECTOR_TOKEN=
export CONNECTOR_ID=

Where:

AWS_ACCOUNT_ID is the account where the EKS deployment is hosted AWS_ROLE_NAME is the role defined for the connector in step 1 CONNECTOR_TOKEN is the token generated in the Apono UI when creating a new connector

CONNECTOR_ID is the connector name. Set any name of your choosing.

Run the following helm command to deploy the connector

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$CONNECTOR_TOKEN \
    --set-string apono.connectorId=$CONNECTOR_ID \
    --set serviceAccount.awsRoleAccountId=$AWS_ACCOUNT_ID \
    --set serviceAccount.awsRoleName=$AWS_ROLE_NAME \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

Copy the role given to the connector (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME)

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Step 2: Deploy roles in the Management Account (assumable by the connector)

Purpose: The connector will assume this role in order to manage the entire AWS organization.

Open CloudFormation in the AWS Management account using this link. More detailed documentation can be found in this link.
For the "AponoConnectorId" and "ConnectorRoleArn" parameters, paste the copied values from the previous step.
Fill the "OrganizationalUnitId" parameter. You can find it under AWS organizations.
Create stack, and wait to finish.

Results

Verify that the Stackset was created successfully and that Cloudformation finished.

Then, In the Apono app, you will see the connector was found and a green checkmark indication.

Hurray!

You can now integrate an AWS Account or Organization!

PreviousAWS Overview NextInstalling a connector on EKS Using Terraform

Last updated 1 month ago

Was this helpful?

Apono Connector for AWS

How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono

Overview

To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.

The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.

To manage access to a single AWS account, install a connector on that account. Follow this guide.
To manage access to all the accounts in the AWS organization:
- Install a connector on the management account. Follow this guide. OR
- Install a connector in any account with ECS or EKS and give it assumable permissions to the management account. Follow this guide.

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

Read more about the recommended AWS Installation Architecture.

How to install the Connector

First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).

Now, follow one of the guides below depending on your selection:

AWS Account Connector

Prerequisites

Administrator permissions to the AWS account you want to connect.
VPC with outbound connectivity

1. In Apono

Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Pick Account
Install a new connector in AWS. Read more here.
Choose the desired deployment method

2. In CloudFormation

Choose Cloudformation
Click "Open Cloud Formation"
Sign in to your AWS user and click Next

Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack

AWS Organization Connector on the management account

Prerequisites

Administrator permissions to the AWS management account in the Organization.
VPC with outbound connectivity.

1. In Apono

Login to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Pick Organization
Choose Cloudformation

2. In CloudFormation

Click "Open Cloud Formation"
Sign in to your AWS user and click Next

The new stack should be installed in the management account (which manages the organization's Identity Center)
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack

Verify that "trusted access" is activated for your organization. Read more here.

Connector with assumable permissions to the AWS management account

Prerequisites

Administrator permissions to the AWS management account in the Organization
For EKS: admin permissions on the cluster

Step 1: Deploy a connector in an AWS account

Using CloudFormation (ECS)

Follow the link to open the CloudFormation in the member account you want to deploy.
Fill the SubnetIDs, VpcId parameters.
Click Create stack, and wait to finish.
Copy the connector role from the "Outputs" tab and the connector ID from the "Parameters" tab. These will be required for the next step.

Using Helm (EKS)

Create an AWS role for the connector. Follow step 3 in this guide.
Set the following environment variables, to set the AWS Role for the connector deployed in EKS.

export AWS_ACCOUNT_ID=  
export AWS_ROLE_NAME=
export CONNECTOR_TOKEN=
export CONNECTOR_ID=

Where:

CONNECTOR_ID is the connector name. Set any name of your choosing.

Run the following helm command to deploy the connector

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$CONNECTOR_TOKEN \
    --set-string apono.connectorId=$CONNECTOR_ID \
    --set serviceAccount.awsRoleAccountId=$AWS_ACCOUNT_ID \
    --set serviceAccount.awsRoleName=$AWS_ROLE_NAME \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

Copy the role given to the connector (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME)

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Step 2: Deploy roles in the Management Account (assumable by the connector)

Purpose: The connector will assume this role in order to manage the entire AWS organization.

Open CloudFormation in the AWS Management account using this link. More detailed documentation can be found in this link.
For the "AponoConnectorId" and "ConnectorRoleArn" parameters, paste the copied values from the previous step.
Fill the "OrganizationalUnitId" parameter. You can find it under AWS organizations.
Create stack, and wait to finish.

Results

Verify that the Stackset was created successfully and that Cloudformation finished.

Then, In the Apono app, you will see the connector was found and a green checkmark indication.

Hurray!

You can now integrate an AWS Account or Organization!

PreviousAWS Overview NextInstalling a connector on EKS Using Terraform

Last updated 1 month ago

Was this helpful?