Connector Management

This guide is intended for admins who manage a Connector in their environment.

What is a Connector

The Apono Connector is an on-prem connection used to connect resources to Apono and to separate the Apono web app from the environment for security purposes.

  • You can view the recommended AWS Installation Architecture or the GCP Installation Architecture.

  • Once you integrate with your cloud account, an Apono Connector is deployed in the environment.

Automatic Installation

Using AWS CloudFormation or GCP Deployment Manager, the Connector is seamlessly installed in the environment.

Advanced Installation

  • You can also choose to install the Connector on an EKS or a Kubernetes cluster yourself.

Required Permissions

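These are the permissions the Connector requires to function in AWS. The policy documents are grouped under the headings below; the same IAM and tag:GetResources policies appear under each heading.

The IAM policy allows creating and deleting roles and attaching or rewriting their policies (iam:CreateRole, iam:DeleteRole, iam:AttachRolePolicy, iam:PutRolePolicy, iam:UpdateAssumeRolePolicy) on any role name (arn:aws:iam::*:role/*). A principal holding these permissions can grant itself or others further access, so treat the Connector's role as highly privileged: limit who can assume it, review its IAM activity in CloudTrail, and, if your deployment allows it, narrow the Resource to a role-name prefix or apply a permissions boundary.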

S3

{
    "Statement": [
        {
            "Action": [
                "s3:GetBucketTagging",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        }
    ],
    "Version": "2012-10-17"
}

{
    "Statement": [
        {
            "Action": [
                "iam:ListPolicies",
                "iam:CreateInstanceProfile"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:UpdateAssumeRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}

SSM

{
    "Statement": [
        {
            "Action": [
                "ssm:GetParameters*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ssm:*:*:parameter/*"
        },
        {
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

{
    "Statement": [
        {
            "Action": [
                "iam:ListPolicies",
                "iam:CreateInstanceProfile"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:UpdateAssumeRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}

IAM Policy

{
    "Statement": [
        {
            "Action": [
                "iam:ListPolicies",
                "iam:CreateInstanceProfile"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:UpdateAssumeRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}