# Integrate an AWS Account or Organization

Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various Accounts and Organizations.

***

### Integrate an AWS Account

#### Prerequisites

* [Apono connector](/docs/aws-environment/apono-connector-for-aws.md#aws-account-connector) installed in your AWS Account
* To sync and manage access to EC2 servers, make sure you add the `AmazonSSMManagedInstanceCore` policy to the connector's IAM role

#### Integration

<figure><img src="/files/2xqadQqKnNfDJZf38ZkY" alt="" width="363"><figcaption><p><em>Integrating an AWS Account</em></p></figcaption></figure>

{% hint style="success" %}
You can also use the steps below to integrate with Apono using Terraform.

In step **10**, instead of clicking **Confirm**, follow the **Are you integrating with Apono using Terraform?** guidance.
{% endhint %}

Follow these steps to integrate Apono with your AWS Account:

1. On the [**Catalog**](https://app.apono.io/catalog?search=aws) tab, click **AWS**. The **Connect Integrations Group** page appears.
2. Under **Discovery**, click **Amazon Account**.
3. Click one or more resource types to sync with Apono.

{% hint style="info" %}
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage **Access Flows** to these resources.
{% endhint %}

4. Click **Next**. The **Apono connector** section expands.
5. From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

{% hint style="info" %}
If the desired connector is not listed, click **+ Add new connector** and follow the instructions for creating an [Apono connector](/docs/aws-environment/apono-connector-for-aws.md#aws-account-connector).
{% endhint %}

6. Click **Next**. The **Integration Config** section expands.
7. Define the **Integration Config** settings.

   <table><thead><tr><th width="203">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Integration Name</strong></td><td>Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow</td></tr><tr><td><strong>Region</strong></td><td>AWS Region in which the account's resources run</td></tr><tr><td><strong>AWS Profile Name</strong></td><td>(Optional) Name of the AWS profile<br><br>By default, Apono sets this value to <em>apono</em>.</td></tr></tbody></table>
8. Click **Next**. The **Get more with Apono** section expands.
9. Define the **Get more with Apono** settings.

   <table><thead><tr><th width="207">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Credential Rotation</strong></td><td>(Optional) Number of days after which the credentials Apono provisions must be rotated<br><br>Learn more about the <a href="/pages/UsMtClaCM1SlvPsARUsM">Credentials Rotation Policy</a>.</td></tr><tr><td><strong>User cleanup after access is revoked (in days)</strong></td><td><p>(Optional) Number of days after access has been revoked before the user is deleted</p><p><br>Learn more about <a href="/pages/zJwQEG15iEhbPYg9hpqp">Periodic User Cleanup &#x26; Deletion</a>.</p></td></tr><tr><td><strong>Custom Access Details</strong></td><td>(Optional) Instructions explaining how to access this integration's resources<br><br>Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to <strong>400 characters</strong>.<br><br>To view the message as it appears to end users, click <strong>Preview</strong>.</td></tr><tr><td><strong>Integration Owner</strong></td><td><p>(Optional) Fallback approver if no <a href="/pages/Ey4wuziyr2BzKYQnd5am">resource owner</a> is found<br><br>Follow these steps to define one or several integration owners:</p><ol><li>From the <strong>Attribute</strong> dropdown menu, select <strong>User</strong> or <strong>Group</strong> under the relevant identity provider (IdP) platform.</li><li>From the <strong>Value</strong> dropdown menu, select one or multiple users or groups.</li></ol><p><br><strong>NOTE</strong>: When <strong>Resource Owner</strong> is defined, an <strong>Integration Owner</strong> must be defined.</p></td></tr><tr><td><strong>Resource Owner</strong></td><td><p>(Optional) Group or role responsible for managing access approvals or rejections for the resource<br><br>Follow these steps to define one or several <a href="/pages/Ey4wuziyr2BzKYQnd5am">resource owners</a>:</p><ol><li>Enter a <strong>Key name</strong>. This value is the name of the tag created in your cloud environment.</li><li>From the <strong>Attribute</strong> dropdown menu, select an attribute under the IdP platform to which the key name is associated.<br><br>Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.</li></ol><p><br><strong>NOTE</strong>: When this setting is defined, an <strong>Integration Owner</strong> must also be defined.</p></td></tr></tbody></table>
10. Click **Confirm**.

<details>

<summary>💡Are you integrating with Apono using Terraform?</summary>

If you want to integrate with Apono using Terraform, follow these steps instead of clicking **Confirm**:

1. At the top of the screen, click **View as Code**. A modal appears with the completed Terraform configuration code.
2. Click to copy the code.
3. Make any additional edits.
4. Deploy the code in your Terraform.

Refer to [Integration Config Metadata](https://docs.apono.io/metadata-for-integration-config) for more details about the schema definition.

</details>

After connecting your AWS account to Apono, you will be redirected to the **Connected** tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked **Active**.

Now that you have completed this integration, you can [create access flows](/docs/access-flows/access-flows.md) that grant permission to AWS IAM resources, such as AWS Roles.

***

### Integrate an AWS Organization

You can integrate with Apono to manage resources across your Organization.

#### Prerequisite

<table><thead><tr><th width="199.9609375">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Connector</strong></td><td><p>On-prem connection serving as a bridge between AWS and Apono</p><p>Learn how to <a href="/pages/U4HFH35XWDo3jyqhJqgQ#aws-organization-connector-on-the-management-account">install a connector for your AWS Organization</a> or a <a href="/pages/U4HFH35XWDo3jyqhJqgQ#connector-with-delegated-permissions-to-the-aws-management-account">connector with delegate permissions</a>.<br><br><strong>Please note the following</strong>:</p><ul><li>To manage <strong>EKS Namespaces or Groups</strong>, you must have <strong>one or more</strong> <a href="https://docs.aws.amazon.com/eks/latest/userguide/creating-access-entries.html"><strong>access entries</strong></a> for the Apono connector to discover your clusters or namespaces. See the <a href="/pages/U4HFH35XWDo3jyqhJqgQ#prerequisites-1">connector’s prerequisites</a> for more information.</li><li>To manage access to <strong>EC2 servers</strong>, you must add the <code>AmazonSSMManagedInstanceCore</code> policy to the connector's IAM role.</li></ul></td></tr></tbody></table>

#### Integration

<figure><img src="/files/3Q8elmvosJCkk9xSwfIC" alt="" width="364"><figcaption><p><em>Integrating an AWS Organization</em></p></figcaption></figure>

{% hint style="success" %}
You can also use the steps below to integrate with Apono using Terraform.

In the final step, instead of clicking **Confirm**, follow the **Are you integrating with Apono using Terraform?** guidance.
{% endhint %}

Follow these steps to integrate Apono with your AWS Organization:

1. On the [**Catalog**](https://app.apono.io/catalog?search=aws) tab, click **AWS**. The **Connect Integrations Group** page appears.
2. Under **Discovery**, click **Amazon Organization**.
3. Click one or more resource types to sync with Apono.

{% hint style="info" %}
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
{% endhint %}

4. Select the **Permission Boundary** resource to allow Apono to temporarily restrict overprivileged access.

{% hint style="success" %}
To learn more about how to manage overprivileged access, read about [Access Discovery](/docs/getting-started/access-discovery.md).
{% endhint %}

5. Click **Next**. The **Apono connector** section expands.
6. From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

{% hint style="info" %}
If the desired connector is not listed, click **+ Add new connector** and follow the instructions for creating an [Apono connector](/docs/aws-environment/apono-connector-for-aws.md#aws-organization-connector-on-the-management-account).
{% endhint %}

7. Click **Next**. The **Integration Config** section expands.
8. Define the **Integration Config** settings.

   <table><thead><tr><th width="194">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Integration Name</strong></td><td>Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow</td></tr><tr><td><strong>Region</strong></td><td>Region in which the organization runs</td></tr><tr><td><strong>AWS SSO Region</strong></td><td>Region in which your single sign-on (IAM Identity Center) is configured</td></tr><tr><td><strong>SSO Portal</strong></td><td><a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/howtochangeURL.html">Single sign-on URL</a><br><br>This is required for Apono to generate a sign-in link for end users to use their granted access.</td></tr><tr><td><strong>Management Account Role ARN</strong></td><td>(Optional) <a href="/pages/U4HFH35XWDo3jyqhJqgQ#step-2-deploy-roles-in-the-management-account-assumable-by-the-connector">ARN</a> (step 5) of the role to assume in the management account</td></tr><tr><td><strong>Exclude Organization Unit IDs</strong></td><td>(Optional) Comma-separated list of organizational unit IDs to exclude<br><br><strong>Example</strong>: <em>ou-aaa1-1111,ou-bbb2-2222</em></td></tr><tr><td><strong>Exclude Account IDs</strong></td><td>(Optional) Comma-separated list of 12-digit account IDs to exclude<br><br><strong>Example</strong>: <em>766554433221,766554433222,766554433223</em></td></tr></tbody></table>
9. Click **Next**. The **Get more with Apono** section expands.
10. Define the **Get more with Apono** settings.

   <table><thead><tr><th width="195">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Custom Access Details</strong></td><td>(Optional) Instructions explaining how to access this integration's resources<br><br>Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to <strong>400 characters</strong>.<br><br>To view the message as it appears to end users, click <strong>Preview</strong>.</td></tr><tr><td><strong>Integration Owner</strong></td><td><p>(Optional) Fallback approver if no <a href="/pages/Ey4wuziyr2BzKYQnd5am">resource owner</a> is found<br><br>Follow these steps to define one or several integration owners:</p><ol><li>From the <strong>Attribute</strong> dropdown menu, select <strong>User</strong> or <strong>Group</strong> under the relevant identity provider (IdP) platform.</li><li>From the <strong>Value</strong> dropdown menu, select one or multiple users or groups.</li></ol><p><br><strong>NOTE</strong>: When <strong>Resource Owner</strong> is defined, an <strong>Integration Owner</strong> must be defined.</p></td></tr><tr><td><strong>Resource Owner</strong></td><td><p>(Optional) Group or role responsible for managing access approvals or rejections for the resource<br><br>Follow these steps to define one or several <a href="/pages/Ey4wuziyr2BzKYQnd5am">resource owners</a>:</p><ol><li>Enter a <strong>Key name</strong>. This value is the name of the tag created in your cloud environment.</li><li>From the <strong>Attribute</strong> dropdown menu, select an attribute under the IdP platform to which the key name is associated.<br><br>Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.</li></ol><p><br><strong>NOTE</strong>: When this setting is defined, an <strong>Integration Owner</strong> must also be defined.</p></td></tr></tbody></table>
11. Click **Confirm**.

<details>

<summary>💡Are you integrating with Apono using Terraform?</summary>

If you want to integrate with Apono using Terraform, follow these steps instead of clicking **Confirm**:

1. At the top of the screen, click **View as Code**. A modal appears with the completed Terraform configuration code.
2. Click to copy the code.
3. Make any additional edits.
4. Deploy the code in your Terraform.

Refer to [Integration Config Metadata](https://docs.apono.io/metadata-for-integration-config/integration-metadata/aws-organization) for more details about the schema definition.

</details>

After connecting your AWS Organization to Apono, you will be redirected to the **Connected** tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked **Active**.

### Enable multi-region resource discovery in Apono

Apono uses AWS Resource Explorer to discover resources across regions for an AWS Organization integration. With the organization-level configuration described here, Resource Explorer creates local indexes in each target account and region and aggregates them into a single searchable view.

This configuration provides:

* A centralized aggregator index for organization-wide search
* Automated creation and maintenance of local indexes
* Consistent visibility across teams, regions, and environments
* Less manual setup and fewer cross-account visibility gaps

**Prerequisites**

<table><thead><tr><th width="271.28125">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>AWS Organization</strong></td><td><p>An <a href="#integrate-an-aws-organization">AWS organization must be integrated</a> with Apono.</p><p>All organizational units (OUs) or accounts you plan to include as part of the target must be structured within the AWS organization.</p></td></tr><tr><td>IAM <strong>user or role in the management account</strong></td><td><p>A user or role used to run Quick Setup in the management account.</p><p>This user or role must be able to complete these tasks:</p><ul><li>Enable trusted access in AWS Organizations</li><li>Configure Resource Explorer</li><li>Use Systems Manager Quick Setup</li><li>Use AWS Resource Access Manager (RAM)</li><li>View CloudFormation, SSM, and Resource Explorer status</li></ul><p><strong>Option A</strong></p><p>Use a role or user with the AWS-managed <strong>AdministratorAccess</strong> policy in the Management account to prevent hidden blocking conditions.</p><p><strong>Option B</strong></p><p>Create a role in the Management account (such as <em>ResourceExplorerAdmin</em>) with a custom managed policy similar to the following example.</p><pre class="language-json" data-overflow="wrap"><code class="lang-json">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:*",
        "ssm:*",
        "cloudformation:*",
        "resource-explorer-2:*",
        "ram:*",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
</code></pre><p><strong>Caution</strong>: This example policy is deliberately broad (service-wide wildcards, and <code>iam:PassRole</code> on every role, which lets the holder hand any role in the account to these services). Grant it only to the role used for Quick Setup, and tighten or detach it once the deployment has completed.</p></td></tr><tr><td><strong>Service Control Policy (SCP)</strong></td><td><p>SCPs must not deny CloudFormation in any target account or region:</p><ul><li><p>SCPs must not explicitly deny:</p><ul><li><code>cloudformation:CreateStack</code></li><li><code>cloudformation:UpdateStack</code></li><li><code>cloudformation:*</code></li></ul></li><li><p>Region-restriction SCPs (<code>aws:RequestedRegion</code>) must adhere to one of the following:</p><ul><li>Include all required regions in the allowlist.</li><li>Explicitly exempt CloudFormation from the denial by adding <code>cloudformation:*</code> to <code>NotAction</code>.</li></ul></li></ul><p><em><strong>IMPORTANT</strong>: Failure to adhere to these SCP requirements will prevent Quick Setup from successfully deploying in regions where the SCP has denied CloudFormation.</em></p></td></tr></tbody></table>

**Enable trusted access for Resource Explorer**

Follow these steps to enable trusted access:

1. From your Management account, open **AWS Resource Explorer**.
2. From the navigation, click **Settings**. The **Settings** page appears.
3. In the multi-account/organization section, follow the prompt to **Enable trusted access**.

{% hint style="success" %}
You can also enable trusted access from AWS Organizations.

Follow these steps:

1. From your Management account, open **AWS Organizations**.
2. From the navigation, click **Services**. The **Services** page appears.
3. Click **AWS Resource Explorer**. The **AWS Resource Explorer** page opens.
4. If **Trusted access** is disabled, click **Enable trusted access**. The **Enable trusted access for AWS Resource Explorer** pop-up window appears.
5. Click **Show the option to enable trusted access for AWS Resource Explorer without performing additional setup tasks**.
6. Type *enable* in the text field.
7. Click **Enable trusted access**.
{% endhint %}

**Configure the organization deployment**

Follow these steps to configure the organization deployment:

1. Open Quick Setup from either Systems Manager or Resource Explorer.

<details>

<summary>Systems Manager</summary>

1. Open **AWS Systems Manager**.
2. From the navigation, click **Change Management Tools > Quick Setup.** The **AWS Quick Setup** page opens.
3. Click **Get started**. The **Library** tab opens.
4. On the **Resource Explorer** card, click **Create**. The **Configure Resource Explorer for your Organization** page opens.

</details>

<details>

<summary>Resource Explorer</summary>

1. Open **AWS Resource Explorer**.
2. From the navigation, click **Settings**. The **Settings** page opens.
3. Under **Multi-account search in Resource Explorer**, click **Create configuration on Quick Setup**. The **Configure Resource Explorer for your Organization** page opens.

</details>

2. Select the **Aggregator Index Region**. This region becomes the central location for organization-wide search.
3. Under **Targets**, select the accounts that include the resources you want discovered:
   * **Entire Organization**: (Recommended) Enables complete visibility
   * **Specific OUs**: Enables scoping deployment
4. From the regions selector, choose all regions where Resource Explorer should create indexes.

{% hint style="info" %}
If a regions selector is not present, all supported regions for the selected targets may be implicitly included.
{% endhint %}

5. Under **Summary**, review the aggregator region, targets, and regions.
6. Select **Create**. The Quick Setup will deploy the following:
   * Local indexes in each selected region or account
   * An aggregator index in the Aggregator Region
   * Default views for centralized search

**Verify the deployment**

After the deployment has completed, follow these steps to verify the deployment:

1. From the Management account, open **AWS Resource Explorer**.
2. From the navigation, click **Settings**. The **Settings** page opens.
3. Under **Indexes**, locate the region set as the aggregator index during the Quick Setup. The region should be denoted as **Aggregator**.
4. Spot check a member account:
   1. Log in as or assume the role of a sample member account.
   2. Open **AWS Resource Explorer** in one region that should have an index to ensure an index exists and is Active.
   3. Open AWS Resource Explorer in one region that should not have an index to confirm an index does not exist.

{% hint style="info" %}
If some regions or accounts are missing the index, read [The index is missing in some regions or accounts.](#the-index-is-missing-in-some-regions-or-accounts)
{% endhint %}

**Troubleshoot Quick Setup**

<details>

<summary>Quick Setup fails in some regions.</summary>

**Symptoms**

* Quick Setup shows **Failed** for some configs.
* Error text mentions `cloudformation:CreateStack` (or similar) and an explicit denial in a service control policy.

**Likely Cause**

A Service Control Policy denies CloudFormation in some regions, typically through an `aws:RequestedRegion` condition. Quick Setup succeeds in the regions the SCP allows and fails in every other region.

**Solution**

Follow these steps:

1. From the Management account, open **AWS Organizations**.
2. From the navigation, click **Policies**. The **Policies** page opens.
3. Under **Service control policies**, examine SCPs attached to the affected organizational unit or account for `"Effect": "Deny"` statements that mention `cloudformation:*` or specific CloudFormation actions.
4. Fix the issues through one of the following options:
   1. Add the required regions to the allowlist in `aws:RequestedRegion`.
   2. Exclude CloudFormation from the deny list. For example, add `cloudformation:*` to `NotAction`.
   3. Temporarily relax or detach the SCP, re-run Quick Setup, then restore the SCP.

</details>
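
The SCP prerequisite in the table above and the troubleshooting entry just closed describe the same review done by hand: read every `Deny` attached to the target OU, decide whether it covers the CloudFormation calls in each region Quick Setup will touch, and carve CloudFormation out with `NotAction`. The following Python script is added here as an example and is not part of Apono's or AWS's tooling; it performs that review offline against an SCP document exported from AWS Organizations. `SAMPLE_SCP` is a constructed region-restriction policy of the kind that causes this failure, `REQUIRED_ACTIONS` is taken from the page's list, and the evaluator deliberately models only `Deny` statements, `Action`/`NotAction` wildcards and `aws:RequestedRegion`; treat it as a pre-flight aid, not a substitute for the IAM policy simulator.

```python
"""Offline SCP check for the Quick Setup CloudFormation prerequisite.

Added example, not Apono's or AWS's code. Given an SCP document and the
regions Quick Setup must deploy to, report where an explicit Deny blocks
the CloudFormation calls it makes, and produce a corrected copy that
exempts cloudformation:* via NotAction (option 2 in the troubleshooting
steps above).

Scope is intentionally narrow: only Deny statements, Action/NotAction
wildcards and an aws:RequestedRegion condition are modelled. A Deny whose
condition uses keys this script does not understand is still reported, so
a hit means "review this statement", not "AWS will certainly deny".
"""
import fnmatch
import json
from typing import Dict, Iterable, List

# Calls the page says must not be denied (constructed list; Quick Setup may use more).
REQUIRED_ACTIONS = ("cloudformation:CreateStack", "cloudformation:UpdateStack")


def _as_list(value) -> List:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_matches(patterns: Iterable[str], action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _region_condition_applies(condition: Dict, region: str) -> bool:
    """True when the statement's aws:RequestedRegion condition (if any) is met."""
    r = region.lower()
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            if key.lower() != "aws:requestedregion":
                continue
            wanted = [w.lower() for w in _as_list(wanted)]
            if op == "StringEquals":
                return r in wanted
            if op == "StringNotEquals":
                return r not in wanted
            if op == "StringLike":
                return any(fnmatch.fnmatchcase(r, w) for w in wanted)
            if op == "StringNotLike":
                return not any(fnmatch.fnmatchcase(r, w) for w in wanted)
    return True  # no region condition, or an operator we do not model: assume it applies


def statement_denies(stmt: Dict, action: str, region: str) -> bool:
    """Does this single statement explicitly deny `action` in `region`?"""
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        hit = _action_matches(_as_list(stmt["Action"]), action)
    else:  # NotAction form: everything except the listed actions is denied
        hit = not _action_matches(_as_list(stmt.get("NotAction")), action)
    return hit and _region_condition_applies(stmt.get("Condition", {}), region)


def blocked_regions(scp: Dict, regions: Iterable[str]) -> Dict[str, List[str]]:
    """Map each region where Quick Setup would fail to the denied actions."""
    statements = _as_list(scp.get("Statement"))
    out: Dict[str, List[str]] = {}
    for region in regions:
        denied = [a for a in REQUIRED_ACTIONS
                  if any(statement_denies(s, a, region) for s in statements)]
        if denied:
            out[region] = denied
    return out


def exempt_cloudformation(scp: Dict) -> Dict:
    """Return a copy of the SCP with CloudFormation carved out of every Deny.

    NotAction statements gain 'cloudformation:*'; a blanket Deny on '*' is
    rewritten in NotAction form; explicit cloudformation:* entries are dropped.
    The input document is left untouched.
    """
    fixed = json.loads(json.dumps(scp))  # cheap deep copy of a JSON document
    kept = []
    for stmt in _as_list(fixed.get("Statement")):
        if stmt.get("Effect") == "Deny":
            if "NotAction" in stmt:
                nota = _as_list(stmt["NotAction"])
                if not _action_matches(nota, "cloudformation:CreateStack"):
                    nota.append("cloudformation:*")
                stmt["NotAction"] = nota
            else:
                actions = _as_list(stmt.get("Action"))
                if "*" in actions:
                    del stmt["Action"]
                    stmt["NotAction"] = ["cloudformation:*"]
                else:
                    stmt["Action"] = [a for a in actions
                                      if not a.lower().startswith("cloudformation:")]
                    if not stmt["Action"]:
                        continue  # nothing left to deny; drop the statement
        kept.append(stmt)
    fixed["Statement"] = kept
    return fixed


# Constructed sample: a common region-restriction SCP that forgot CloudFormation.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}},
    }],
}

if __name__ == "__main__":
    targets = ["us-east-1", "eu-west-1", "ap-southeast-2"]
    print("blocked before fix:", blocked_regions(SAMPLE_SCP, targets))
    print("blocked after fix: ", blocked_regions(exempt_cloudformation(SAMPLE_SCP), targets))
```

To run it against a real policy, take the `Content` field from `aws organizations describe-policy --policy-id <policy-id>` (it is a JSON string, so `json.loads` it first) and pass the result to `blocked_regions` together with the regions you selected in Quick Setup. Review the output of `exempt_cloudformation` before applying it: it only relaxes `Deny` statements, but an SCP that blocks CloudFormation is usually also expected to keep blocking it for other principals, so the scoped fix may be a separate statement rather than a blanket carve-out.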

<details>

<summary>The index is missing in some regions or accounts.</summary>

**Symptoms**

* Some accounts or regions have no index.
* Quick Setup shows partial success.

**Possible Causes**

* The region was not included in the Quick Setup region selection.
* The account or organizational unit was not part of the Quick Setup target scope.
* CloudFormation has been denied by SCP in that region.

**Solution**

Follow these steps:

1. Review the **Targets** and **Regions** (if applicable) selected when you [configured the organization deployment](#configure-the-organization-deployment).
2. [Check the SCP](#quick-setup-fails-in-some-regions) for the relevant accounts or regions.

{% hint style="success" %}
If CloudFormation must stay blocked, you can manually create indexes.
{% endhint %}

</details>

<details>

<summary>The aggregator index is missing from the Management account.</summary>

**Symptoms**

* In the Management account, in the chosen **Aggregator Region**:
  * The index exists but is not marked as **Aggregator**.
  * The index does not exist.
* The organization-wide view does not show everything.

**Possible Causes**

* The Management account is not in one of the Quick Setup targets, such as the selected organizational unit.
* AWS created aggregator indexes only in member accounts based on your config.
* The index was manually created as **Local**, not **Aggregator**.

**Solution**

Follow these steps:

1. In the Management account, in the **Aggregator Region**, ensure an index exists.
2. In the console, change the index to **Aggregator**.

{% hint style="success" %}
If the index cannot be changed to **Aggregator**, manually recreate the index as an **Aggregator**.
{% endhint %}

3. Create the organization-wide view in the specific account or region.

</details>

<details>

<summary>The view that was created in Resource Explorer is empty.</summary>

After enabling Resource Explorer, it can take up to 36 hours for all supported resources across all regions to be fully indexed. Read more [here](https://docs.aws.amazon.com/resource-explorer/latest/userguide/troubleshooting_search.html).

</details>

Now that you have completed this integration, you can [create access flows](/docs/access-flows/access-flows.md) that grant permission to AWS IAM resources, such as AWS Roles.

***

### Troubleshooting

Please refer to our [troubleshooting guide](https://docs.apono.io/docs/troubleshooting-errors) if you encounter errors while integrating.

