LogoLogo
Documentation and Guides
Documentation and Guides
  • ABOUT APONO
    • Why Choose Apono
    • Security and Architecture
    • Glossary
  • GETTING STARTED
    • How Apono Works
    • Getting started
    • Access Discovery
    • Integrating with Apono
  • CONNECTORS AND SECRETS
    • Apono Integration Secret
    • High Availability for Connectors
    • Installing a connector with Docker
    • Manage integrations
    • Manage connectors
  • AWS ENVIRONMENT
    • AWS Overview
    • Apono Connector for AWS
      • Installing a connector on EKS Using Terraform
      • Updating a connector in AWS
      • Installing a connector on AWS ECS using Terraform
    • AWS Integrations
      • Integrate an AWS account or organization
        • Auto Discover AWS RDS Instances
        • AWS Best Practices
      • Amazon Redshift
      • RDS PostgreSQL
      • AWS RDS MySQL
      • Integrate with EKS
      • AWS Lambda Custom Integration
      • EC2 via Systems Manager Agent (SSM)
  • AZURE ENVIRONMENT
    • Apono Connector for Azure
      • Install an Azure connector on ACI using Azure CLI
      • Install an Azure connector on ACI using PowerShell
      • Install an Azure connector on ACI using Terraform
      • Updating a connector in Azure
    • Azure Integrations
      • Integrate with Azure Management Group or Subscription
        • Auto Discover Azure SQL Databases
      • Azure MySQL
      • Azure PostgreSQL
      • Integrate with AKS
  • GCP ENVIRONMENT
    • Apono Connector for GCP
      • Installing a GCP connector on Cloud Run using CLI
      • Installing a GCP connector on GKE using CLI (Helm)
      • Installing a GCP connector on GKE using Terraform
      • Updating a connector in Google Cloud
    • GCP Integrations
      • Integrate a GCP organization or project
      • CloudSQL - MySQL
      • CloudSQL - PostgreSQL
      • Google Cloud Functions
      • Integrate with GKE
      • AlloyDB
  • KUBERNETES ENVIRONMENT
    • Apono Connector for Kubernetes
      • Installing a connector on Kubernetes with AWS permissions
      • Updating a Kubernetes connector
    • Kubernetes Integrations
      • Integrate with Self-Managed Kubernetes
  • ADDITIONAL INTEGRATIONS
    • Databases and Data Repositories
      • Microsoft SQL Server
      • MongoDB
      • MongoDB Atlas
      • MongoDB Atlas Portal
      • MySQL
      • Oracle Database
      • PostgreSQL
      • Redis Cloud (Redislabs)
      • Snowflake
      • Vertica
      • MariaDB
    • Network Management
      • SSH Servers
      • RDP Servers
      • Windows Domain Controller
      • AWS EC2 SSH Servers
      • Azure VM SSH Servers
      • Installing the Apono HTTP Proxy
    • Development Tools
      • GitHub
      • Rancher
    • Identity Providers
      • Okta SCIM
      • Okta Groups
      • Okta SSO for Apono logins
      • Google Workspace (Gsuite)
      • Google Workspace (GSuite) Groups
      • Azure Active Directory (Microsoft Entra ID)
      • Azure Active Directory (Entra ID) Groups
      • Jumpcloud
      • JumpCloud Groups
      • OneLogin
      • OneLogin Group
      • LDAP Groups
      • The Manager Attribute in Access Flows
      • HiBob
      • Ping Identity SSO
    • Incident Response Integrations
      • Opsgenie
      • PagerDuty
      • VictorOps (Splunk On-Call)
      • Zenduty
    • ChatOps Integrations
      • Slack integration
      • Teams integration
      • Backstage Integration
  • WEBHOOK INTEGRATIONS
    • Webhooks Overview
    • Anomaly Webhook
    • Audit Log Webhook
    • Request Webhook
      • Custom Webhooks
      • Communications and Notifications
        • Slack Outbound Webhooks
        • Teams
        • Outlook and Gmail (Using Azure Logic App)
      • ITSM
        • Freshdesk
        • Jira
        • ServiceNow
        • Zendesk
        • Freshservice
        • ServiceDesk Plus
      • Logs and SIEMs
        • Coralogix
        • Datadog
        • Logz.io
        • Grafana
        • New Relic
        • SolarWinds
        • Sumo Logic
        • Cortex
        • Logpoint
        • Splunk
        • Microsoft Sentinel
      • Orchestration and workflow builders
        • Okta Workflows
        • Torq
    • Integration Webhook
    • Webhook Payload References
      • Audit Log Webhook Payload Schema Reference
      • Webhook Payload Schema Reference
    • Manage webhooks
    • Troubleshoot a webhook
    • Manual Webhook
      • ITSM
        • PagerDuty
  • ACCESS FLOWS
    • Access Flows
      • What are Access Flows?
    • Create Access Flows
      • Self Serve Access Flows
      • Automatic Access Flows
      • Access Duration
    • Manage Access Flows
      • Right Sizing
    • Revoke Access
    • Dynamic Access Management
      • Resource and Integration Owners
    • Common Use Cases
      • Ensuring SLA
      • Protecting PII and Customer Data
      • Production Stability and Management
      • Break Glass Protocol
    • Create Bundles
    • Manage Bundles
  • ACCESS REQUESTS AND APPROVALS
    • Slack
      • Requesting Access with Slack
      • Approving Access with Slack
    • Teams
      • Requesting Access with Teams
      • Approving Access with Teams
    • CLI
      • Install and manage the Apono CLI
      • Requesting Access with CLI
    • Web Portal
      • Requesting Access with the Web Portal
      • Approving Access with the Web Portal
      • Reviewing historical requests with the Web Portal
    • Freshservice
    • Favorites
  • Inventory
    • Inventory Overview
    • Inventory
    • Access Scopes
    • Risk Scores
    • Apono Query Language
  • AUDITS AND REPORTS
    • Activity Overview
      • Activity
      • Create Reports
      • Manage Reports
    • Compliance: Audit and Reporting
    • Auditing Access in Apono
    • Admin Audit Log (Syslog)
  • HELP AND DEBUGGING
    • Integration Status Page
    • Troubleshooting Errors
  • ARCHITECTURE AND SECURITY
    • Anomaly Detection
    • Multi-factor Authentication
    • Credentials Rotation Policy
    • Periodic User Cleanup & Deletion
    • End-user Authentication
    • Personal API Tokens
  • User Administration
    • Role-Based Access Control (RBAC) Reference
    • Create Identities
    • Manage Identities
Powered by GitBook
On this page
  • Overview
  • How to install the Connector
  • AWS Account Connector
  • AWS Organization Connector on the management account
  • Connector with assumable permissions to the AWS management account
  • Results

Was this helpful?

Export as PDF
  1. AWS ENVIRONMENT

Apono Connector for AWS

How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono

PreviousAWS OverviewNextInstalling a connector on EKS Using Terraform

Last updated 27 days ago

Was this helpful?

Overview

To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.

The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.

  • To manage access to a single AWS account, install a connector on that account. Follow .

  • To manage access to all the accounts in the AWS organization:

    • Install a connector on the management account. Follow . OR

    • Install a connector in any account with ECS or EKS and give it assumable permissions to the management account. Follow .

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal .

Read more about the recommended .

How to install the Connector

First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).

Now, follow one of the guides below depending on your selection:

AWS Account Connector

Prerequisites

  • Administrator permissions to the AWS account you want to connect.

  • VPC with outbound connectivity

1. In Apono

  1. Login to the Apono platform

  2. Go to the Apono Integrations page

  3. From the Catalog, pick AWS

2. In CloudFormation

  1. Choose Cloudformation

  2. Click "Open Cloud Formation"

  3. Sign in to your AWS user and click Next

  1. Within the AWS create stack page, scroll down

  2. Make sure you pick at least one Subnet and one VPC from the dropdown lists

  3. Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations including a Cross Account Role with Read permission, a SNS notification message, and the Apono Connector that runs using an AWS ECS on Fargate.

AWS Organization Connector on the management account

Prerequisites

  • Administrator permissions to the AWS management account in the Organization.

  • VPC with outbound connectivity.

1. In Apono

  1. Login to the Apono platform

  2. Go to the Apono Integrations page

  3. From the Catalog, pick AWS

2. In CloudFormation

  1. Click "Open Cloud Formation"

  2. Sign in to your AWS user and click Next

  1. The new stack should be installed in the management account (which manages the organization's Identity Center)

  2. Within the AWS create stack page, scroll down

  3. Make sure you pick at least one Subnet and one VPC from the dropdown lists

  4. Tick the acknowledge box and then select Create Stack

Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configurations including a Cross Account Role with Read permission, a SNS notification message, and the Apono Connector that runs using an AWS ECS on Fargate.

Connector with assumable permissions to the AWS management account

Prerequisites

  • Administrator permissions to the AWS management account in the Organization

  • For EKS: admin permissions on the cluster

Step 1: Deploy a connector in an AWS account

Using CloudFormation (ECS)

  1. Follow the link to open the CloudFormation in the member account you want to deploy.

  2. Fill the SubnetIDs, VpcId parameters.

  3. Click Create stack, and wait to finish.

  4. Copy the connector role from the "Outputs" tab and the connector ID from the "Parameters" tab. These will be required for the next step.

Using Helm (EKS)

  2. Set the following environment variables, to set the AWS Role for the connector deployed in EKS.

export AWS_ACCOUNT_ID=  
export AWS_ROLE_NAME=
export CONNECTOR_TOKEN=
export CONNECTOR_ID=

Where:

AWS_ACCOUNT_ID is the account where the EKS deployment is hosted AWS_ROLE_NAME is the role defined for the connector in step 1 CONNECTOR_TOKEN is the token generated in the Apono UI when creating a new connector

CONNECTOR_ID is the connector name. Set any name of your choosing.

  1. Run the following helm command to deploy the connector

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$CONNECTOR_TOKEN \
    --set-string apono.connectorId=$CONNECTOR_ID \
    --set serviceAccount.awsRoleAccountId=$AWS_ACCOUNT_ID \
    --set serviceAccount.awsRoleName=$AWS_ROLE_NAME \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

  1. Copy the role given to the connector (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME)

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Step 2: Deploy roles in the Management Account (assumable by the connector)

Purpose: The connector will assume this role in order to manage the entire AWS organization.

  2. For the "AponoConnectorId" and "ConnectorRoleArn" parameters, paste the copied values from the previous step.

  3. Fill the "OrganizationalUnitId" parameter. You can find it under AWS organizations.

  4. Create stack, and wait to finish.

Results

Verify that the Stackset was created successfully and that Cloudformation finished.

Then, In the Apono app, you will see the connector was found and a green checkmark indication.

Hurray!

Pick Account

Install a new connector in AWS. Read more .

Choose the desired deployment method

Pick Organization

Choose Cloudformation

Verify that "trusted access" is activated for your organization. Read more .

Create an AWS role for the connector. Follow step 3 in .

Read more .

Open CloudFormation in the AWS Management account using .

You can now !

here
here
this guide
here
this link
integrate an AWS Account or Organization
security
this guide
this guide
this guide
AWS Installation Architecture
Acknowledge and Create Stack