Auto Discover AWS RDS Instances

Automatically identify AWS RDS instances in an Account or Organization for JIT access management

Apono’s Auto Discovery feature identifies tagged AWS RDS instances, including MySQL and PostgreSQL. Rather than integrating each instance individually, you can integrate selected databases and their resources at once during your AWS Account or Organization setup.

This capability requires network access to each discoverable database. If your databases are in different AWS networks, make sure to create an AWS connector for each network.

Prerequisites

Item
Description

Apono Connector

One or more Apono connectors for AWS with network access to your AWS RDS databases

Minimum Required Version: 1.5.3

Follow these steps to update an existing connector.

AWS Permissions

Permissions to complete the following tasks in your AWS instance:

  • Create and manage AWS Secrets Store secrets

  • Tag RDS instances

Enable Auto Discovery

Follow these steps to enable Auto Discovery:

  1. In your AWS RDS database instance, create a user for the Apono connector. As part of this step, you will also create a secret.

  2. Tag your database instance based on the authentication method you selected in the previous step. In the tables below, the values shown in italics are the exact text you should enter when adding these tags.

IAM Authentication
Tag Key
Value or Description

auth_type

iam-auth

apono-connector-id

ID of the Apono connector in the same AWS Account or AWS Organization as the database

Password Authentication
Tag Key
Value or Description

auth_type

user-password

apono-connector-id

ID of the Apono connector in the same AWS Account or AWS Organization as the database

apono-secret

ARN of the secret containing the database credentials

region

AWS region where the secret is stored

  1. In the Apono UI, on the Catalog tab, click AWS. The Connect Integrations Group page appears.

  2. Under Discovery, click Amazon Account or Amazon Organization.

  3. Under Connect Sub Integration, select Database, Table, and Role to control the granularity of discovery in each discovered instance. \

    AWS RDS MySQL under Connect Sub Integration

  4. Complete the Amazon Account or Amazon Organization integration (steps 3-10).

After connecting your AWS Account or AWS Organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration, along with sub-integrations for each RDS instance, initialize during the first data fetch. The integration becomes Active once the process completes.

Now that you have completed this integration, you can create access flows that grant permission to your AWS RDS resources.

Troubleshooting

If RDS instances appear with errors on your Integrations page, follow these steps:

  1. Check Tags: Verify all required tags are present and correctly formatted.

  2. Connector Permissions: Ensure the Apono connector has necessary permissions to read tags and access secrets.

  3. Network connectivity: Ensure each RDS instance is accessible by an Apono connector within the same network.

For any questions about the discovery process, please contact Apono Support.

PreviousIntegrate an AWS account or organizationNextAWS Best Practices

Last updated

Was this helpful?