
Create an assessment

Evaluate access usage across your cloud environments

Before you can begin identifying and remediating overprivileged access, you must first run an Access Discovery assessment.

An assessment scans your cloud environments and analyzes how principals use their permissions. This enables Apono to surface unused, excessive, or high-risk access across your infrastructure.


Prerequisites

CloudTrail trails

A record of AWS API activity, delivered to and stored in an Amazon S3 bucket. Apono reads these logs to work out which permissions each principal actually uses.

When enabling CloudTrail trails, the following are required:

  • Trails enabled for all regions and for every account you intend to scan

  • Full management events (read and write) and data events enabled

NOTE: If a CloudTrail delegated administrator account is configured in your organization, the connector must be installed in that delegated account.

Apono connector & cloud integration

A connector deployed in your environment that acts as the bridge between your cloud account and Apono, together with at least one cloud integration with Apono.

Minimum required connector version: 1.7.3
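A quick way to confirm the CloudTrail prerequisite before creating an assessment is to check each trail for the three conditions listed above (multi-region, logging, full management events plus data events). The script below is an added example written for this page, not Apono tooling. The sample responses are constructed to mirror the shapes returned by the boto3 CloudTrail calls `describe_trails`, `get_trail_status` and `get_event_selectors`; the `check_account` function is an assumption about how you would wire the same check to a live account and only runs if boto3 is installed.

```python
"""Check that an account's CloudTrail trails satisfy the Access Discovery
prerequisites: multi-region, currently logging, full management events
(read and write) and at least one data-event selector.
"""
from __future__ import annotations


def evaluate_trail(trail: dict, status: dict, selectors: dict) -> list[str]:
    """Return the prerequisite violations for one trail (empty list = OK).

    trail     : one entry of describe_trails()["trailList"]
    status    : get_trail_status() response
    selectors : get_event_selectors() response (basic or advanced selectors)
    """
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not status.get("IsLogging"):
        findings.append("trail is not currently logging")

    basic = selectors.get("EventSelectors") or []
    advanced = selectors.get("AdvancedEventSelectors") or []

    if basic:
        # Basic selectors: ReadWriteType must be "All" for full management events.
        mgmt_ok = any(
            s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
            for s in basic
        )
        data_ok = any(s.get("DataResources") for s in basic)
    else:
        # Advanced selectors: eventCategory says what a selector captures, and a
        # readOnly filter restricts it to either reads or writes (not full).
        mgmt_ok = data_ok = False
        for sel in advanced:
            fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
            category = fields.get("eventCategory", {}).get("Equals", [])
            restricted = "readOnly" in fields
            if "Management" in category and not restricted:
                mgmt_ok = True
            if "Data" in category:
                data_ok = True

    if not mgmt_ok:
        findings.append("management events are not fully enabled (need read and write)")
    if not data_ok:
        findings.append("no data events are enabled")
    return findings


# Constructed sample responses (not captured from a real account).
GOOD_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True,
              "S3BucketName": "example-cloudtrail-logs"}
GOOD_STATUS = {"IsLogging": True}
GOOD_SELECTORS = {
    "EventSelectors": [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        # "arn:aws:s3" selects all current and future buckets.
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
    }]
}

BAD_TRAIL = {"Name": "single-region-trail", "IsMultiRegionTrail": False,
             "S3BucketName": "example-cloudtrail-logs"}
BAD_STATUS = {"IsLogging": True}
BAD_SELECTORS = {
    "EventSelectors": [],
    "AdvancedEventSelectors": [{
        "Name": "Write-only management events",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Management"]},
            {"Field": "readOnly", "Equals": ["false"]},
        ],
    }],
}


def check_account(region_name: str = "us-east-1") -> dict[str, list[str]]:
    """Assumed live wiring: evaluate every trail visible to the signed-in account."""
    import boto3  # imported here so the offline sample run does not need it
    ct = boto3.client("cloudtrail", region_name=region_name)
    report = {}
    for trail in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        arn = trail["TrailARN"]
        report[trail["Name"]] = evaluate_trail(
            trail, ct.get_trail_status(Name=arn), ct.get_event_selectors(TrailName=arn)
        )
    return report


if __name__ == "__main__":
    for trail, status, selectors in [
        (GOOD_TRAIL, GOOD_STATUS, GOOD_SELECTORS),
        (BAD_TRAIL, BAD_STATUS, BAD_SELECTORS),
    ]:
        findings = evaluate_trail(trail, status, selectors)
        print(trail["Name"], "OK" if not findings else "; ".join(findings))
```

Run it in every account you intend to assess; in an organization with a delegated CloudTrail administrator, run it from that delegated account, which is also where the connector has to live. A non-empty findings list for a trail means the assessment will be missing usage data for that account or region.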

Set up the Apono connector and cloud organization integration

Follow these steps to set up the Apono connector and the AWS organization integration:

  1. On the Catalog tab, click AWS. The Connect Integrations Group page appears.

  2. Under Discovery, click Amazon Organization.

  3. Select the Permission Boundary resource to allow Apono to temporarily restrict overprivileged access.

  4. Click one or more additional resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

  5. Click Next. The Apono connector section expands.

  6. From the Select Connector dropdown menu, click + Add new connector. The Select connector installation strategy section appears.

  7. Select Cloud installation > CloudFormation (ECS).

  8. Under Follow these steps to install connector, click Open Cloud Formation. AWS CloudFormation opens on the Create stack page with one of Apono's AWS account stack templates preloaded.

If you are not already signed in, AWS prompts you to sign in. Sign in to the account that will host the connector with a principal that is allowed to create CloudFormation stacks and IAM resources; the AWS root user is not required for this, and AWS guidance is not to use it for routine operations.

  9. Define the following parameters:

    1. (Optional) Update the AponoConnectorId with a descriptive name.

    2. From the Permissions dropdown menu, select Full Access (Manage IAM). This grants the connector permission to manage IAM, so treat the connector's role as a privileged component of your environment.

    3. From the S3AWSLogsScanning dropdown menu, select Enabled to allow Apono to read the CloudTrail logs stored in S3.

    4. Select one or several SubnetIDs.

    5. Select a VpcId.

  10. Under Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources with custom names.

  11. Click Create stack.

  12. Complete steps 6-10 of the AWS organization integration.

You can now create your first assessment.


Create an assessment

Follow these steps to assess an integration:

  1. On the Access Discovery page, click New Assessment. The Create Access Discovery Assessment page appears.

  2. Under Select Cloud Provider, select an environment.

  3. Under Select Integration, select one integration from the list.

  4. Click Assess to evaluate permissions and usage.

Once configured, assessments will run nightly and present data from the last 7 days.

After the assessment is completed, click Explore to analyze the assessment and remediate overprivileged access.


Reassess an assessment

After an assessment has been created, you can run it again on demand at any time between the nightly runs.

Follow these steps to reassess an assessment:

  1. On the Access Discovery page, in the row of an assessment, click Explore. The View Assessment page opens.

  2. Click Reassess.

After the assessment is completed, click Explore to analyze the assessment and remediate overprivileged access.
