# AWS Best Practices When granting AWS access permissions, listing individual ARNs in IAM policies can quickly cause you to exceed [AWS's inline policy character limit](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length). Apono solves this through [access scopes](https://docs.apono.io/docs/inventory/access-scopes) and the [Apono Query Language (AQL)](https://docs.apono.io/docs/inventory/apono-query-language). These solutions use regex patterns to efficiently manage resource groups instead of listing individual ARNs. For additional protection, Apono has implemented a **100-resource threshold** as a guardrail when individual ARN specification is needed. The following sections explain how Apono prevents you from exceeding AWS's inline policy limit: * Create strategic AWS resource groupings for access flows * Understand how Apono provides clear warnings when the AWS policy limit is exceeded * Learn how Apono maintains consistent behavior whether your team uses Portal, Teams, or Slack For example, instead of individually specifying 200 S3 buckets in a policy (which would exceed AWS's limit), you can use resource tags to group them by environment or function. {% hint style="info" %} Apono validates for the following types of AWS resources: * ASM Secret * DynamoDB table * EC2 Connect * EC2 Manage * S3 Bucket (by "any resource" and region tags) * SNS Topic * SQS queue {% endhint %} *** ### Prerequisite
ItemDescription
Apono Connector

On-prem connection serving as a bridge between an AWS instance and Apono

Minimum Required Version: 1.7.0

Use the following steps to update an existing connector.

*** ### Admin Guidance When defining access flows that include AWS resources, your resource definition strategy directly impacts policy management. #### Questions Before selecting AWS resources for an access flow, consider the following questions: * Can all resources of an integration be selected? * Have tags been applied to logically group resources by environment, function, or team? * Can an [access scope](https://docs.apono.io/docs/inventory/access-scopes) be created to group resources across multiple AWS integrations? * Is individual resource selection truly necessary for security requirements? #### Resource Definition Strategies To effectively manage AWS permissions while avoiding policy character limits, you can use access scopes, integrations, or bundles. **When possible, we strongly recommend using access scopes or AQL.** The following table explains the strategy for each approach.
TypeStrategy
Access Scopes

(Strongly Recommended, All Access Flows) Use when you need dynamic, rule-based resource grouping


Access scopes and AQL let you create flexible filters that adapt to your changing infrastructure. This makes them ideal for scenarios like all production databases or EC2 instances in the eu-region.

Integrations

(Automatic Access Flow) Use when providing access to an entire AWS account or organization, or to resources that share specific tags

Integrations let you align permissions with your organization structure:

  • Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
  • Apply Any resources when all resources of the integration can be included.

This strategy is ideal for scenarios like managing cross-account DevOps access or regional support team permissions.

Bundles

(Automatic Access Flow, Self Serve Access Flow) Use when packaging related resources as a cohesive unit for user requests

Bundles let you create logical groupings of permissions that serve specific functions.

When creating a bundle explore one of the following options:

  • Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
  • Apply Any resources when all resources of the integration can be included.

This strategy is ideal for scenarios like complete development environment access or full analytics platform access.

#### Apono Safeguard If you select too many AWS resources for an access flow, the Apono UI will display a warning message instructing you to reduce the number of selected resources.

Warning message

Access FlowConditions
Automatic
  • You have selected more than 100 AWS resources by name (Select by name) from one integration or between multiple integrations.
  • You have selected more than 100 AWS resources by name (Select by name) within one bundle or between multiple bundles.
Self Serve
  • You have selected more than 100 AWS resources within one bundle or between multiple bundles.
*** ### Requestor Guidance When requesting access to many AWS resources, Apono will warn you if you have selected too many AWS resources.

Warning message

You will receive different notifications about AWS resource limits depending on which platform you use to submit your access request: * **Portal & Teams**: Apono displays a warning before submission when you click Request, preventing requests that exceed the limit. {% hint style="info" %} In some cases, the request might pass initial validation but still trigger a post-submission notification to select fewer resources. {% endhint %} * **Slack**: Apono processes your request first, then sends a message if you need to resubmit with fewer resources. #### Known Limitations While Building Access Flows, Bundles, and Access Scopes The following configurations within access flows or when bundling multiple resources will exceed AWS policy size constraints. * **Specifying resources by name or ID:** Selecting specific resource names or IDs one by one. * **S3 buckets**: as AWS does not support tagging buckets, it should be handled with region tags or through access scopes or AQL patterns where possible. * **Excluding a list of resource names or ID**: choosing a list of resources to exclude can similarly inflate policy size and is best handled through access scopes or AQL patterns where possible.