AWS Best Practices
Scale AWS resource management in access flows
When granting AWS access permissions, listing individual ARNs in IAM policies can quickly cause you to exceed AWS's inline policy character limit. Apono solves this through access scopes and the Apono Query Language (AQL). These solutions use regex patterns to efficiently manage resource groups instead of listing individual ARNs.
For additional protection, Apono has implemented a 100-resource threshold as a guardrail when individual ARN specification is needed.
The following sections explain how Apono prevents you from exceeding AWS's inline policy limit:
Create strategic AWS resource groupings for access flows
Understand how Apono provides clear warnings when the AWS policy limit is exceeded
Learn how Apono maintains consistent behavior whether your team uses Portal, Teams, or Slack
For example, instead of individually specifying 200 S3 buckets in a policy (which would exceed AWS's limit), you can use resource tags to group them by environment or function.
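To make the size problem concrete, here is an added example (not Apono's code) that renders the same selection two ways, "select by name" with one ARN per resource versus a single tag-scoped statement, and applies a guardrail like the 100-resource threshold described on this page. It uses EC2 instances rather than the S3 buckets in the sentence above, because EC2 supports the ec2:ResourceTag condition key; the region, account ID and instance IDs are constructed placeholders, and the 10,240-character figure is AWS's documented inline-policy limit for a role, not a value from this page.

```python
import json

# Documented AWS limit (not from the page): the inline policies attached to
# one IAM role may total at most 10,240 characters, counted without whitespace.
ROLE_INLINE_POLICY_CHARS = 10240
# The 100-resource guardrail described on this page.
APONO_NAMED_RESOURCE_THRESHOLD = 100
# Constructed placeholders for the example; not real accounts or instances.
REGION, ACCOUNT = "eu-west-1", "123456789012"
ACTIONS = ["ec2:StartInstances", "ec2:StopInstances"]


def policy_size(policy: dict) -> int:
    """Count characters the way IAM does: whitespace is not counted."""
    return len(json.dumps(policy, separators=(",", ":")))


def policy_by_name(instance_ids):
    """'Select by name' style: one ARN per selected instance."""
    arns = [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{i}" for i in instance_ids]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ACTIONS, "Resource": arns}]}


def policy_by_tag(tag_key, tag_value):
    """Tag-scoped style: constant size no matter how many instances carry the tag."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {f"ec2:ResourceTag/{tag_key}": tag_value}}}]}


def check_selection(instance_ids, limit=ROLE_INLINE_POLICY_CHARS):
    """Guardrail: report selections that trip the 100-resource threshold or
    would render to a policy larger than the IAM inline limit."""
    problems = []
    if len(instance_ids) > APONO_NAMED_RESOURCE_THRESHOLD:
        problems.append(f"{len(instance_ids)} resources selected by name; "
                        f"threshold is {APONO_NAMED_RESOURCE_THRESHOLD}")
    size = policy_size(policy_by_name(instance_ids))
    if size > limit:
        problems.append(f"policy would be {size} chars; IAM limit is {limit}")
    return problems


if __name__ == "__main__":
    ids = [f"i-{n:017x}" for n in range(200)]      # constructed instance IDs
    print(check_selection(ids))
    print("by name:", policy_size(policy_by_name(ids)),
          "by tag:", policy_size(policy_by_tag("Environment", "production")))
```

With 200 instances the by-name policy is over 13,000 characters and fails both checks, while the tag-scoped policy stays under 200 characters regardless of fleet size.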
Apono validates for the following types of AWS resources:
ASM Secret
DynamoDB table
EC2 Connect
EC2 Manage
S3 Bucket (by "any resource" and region tags)
SNS Topic
SQS queue
Prerequisite
Apono Connector
Minimum Required Version: 1.7.0
Admin Guidance
When defining access flows that include AWS resources, your resource definition strategy directly impacts policy management.
Questions
Before selecting AWS resources for an access flow, consider the following questions:
Can all resources of an integration be selected?
Have tags been applied to logically group resources by environment, function, or team?
Can an access scope be created to group resources across multiple AWS integrations?
Is individual resource selection truly necessary for security requirements?
Resource Definition Strategies
To effectively manage AWS permissions while avoiding policy character limits, you can use access scopes, integrations, or bundles. When possible, we strongly recommend using access scopes or AQL.
The following sections explain the strategy for each approach.
Access Scopes
Access scopes and AQL let you create flexible filters that adapt to your changing infrastructure. This makes them ideal for scenarios like all production databases or EC2 instances in the eu-region.
Integrations
Integrations let you align permissions with your organization structure:
Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.
This strategy is ideal for scenarios like managing cross-account DevOps access or regional support team permissions.
Bundles
Bundles let you create logical groupings of permissions that serve specific functions.
Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.
This strategy is ideal for scenarios like complete development environment access or full analytics platform access.
Apono Safeguard
If you select too many AWS resources for an access flow, the Apono UI will display a warning message instructing you to reduce the number of selected resources.
Automatic
You have selected more than 100 AWS resources by name (Select by name) from one integration or between multiple integrations.
You have selected more than 100 AWS resources by name (Select by name) within one bundle or between multiple bundles.
Self Serve
You have selected more than 100 AWS resources within one bundle or between multiple bundles.
Requestor Guidance
When requesting access to many AWS resources, Apono will warn you if you have selected too many AWS resources.
You will receive different notifications about AWS resource limits depending on which platform you use to submit your access request:
Portal & Teams: Apono displays a warning before submission when you click Request, preventing requests that exceed the limit.
In some cases, the request might pass initial validation but still trigger a post-submission notification to select fewer resources.
Slack: Apono processes your request first, then sends a message if you need to resubmit with fewer resources.
Known Limitations While Building Access Flows And Bundles
The following configurations within access flows or when bundling multiple resources will exceed AWS policy size constraints.
Specifying resources by name: Individually choosing resource names.
S3 buckets: as AWS does not support tagging buckets, they should be handled with region tags or through access scopes or AQL patterns where possible.
Excluding a list of resource names: choosing a list of resources to exclude can similarly inflate policy size and is best handled through access scopes or AQL patterns where possible.