Integrate an AWS account or organization

Learn how to complete an AWS integration in the Apono UI

Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various accounts and organizations.


Integrate an AWS account

Prerequisites

  • Apono connector installed in your AWS account

  • To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration


Follow these steps to integrate Apono with your AWS account:

  1. On the Catalog tab, click AWS. The Connect Integrations Group page appears.

  2. Under Discovery, click Amazon Account.

  3. Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

  4. Click Next. The Apono connector section expands.

  5. From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

  6. Click Next. The Integration Config section expands.

  7. Define the Integration Config settings.

    Setting
    Description

    Integration Name

    Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow

    Region

    Region in which the account runs

    AWS Profile Name

    (Optional) Name of the AWS profile. By default, Apono sets this value to apono.

  8. Click Next. The Get more with Apono section expands.

  9. Define the Get more with Apono settings.

    Setting
    Description

    Credential Rotation

    (Optional) Number of days after which credentials must be rotated. Learn more about the Credentials Rotation Policy.

    User cleanup after access is revoked (in days)

    (Optional) Defines the number of days after access has been revoked that the user should be deleted

    Learn more about Periodic User Cleanup & Deletion.

    Custom Access Details

    (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.

    Integration Owner

    (Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:

    1. From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.

    2. From the Value dropdown menu, select one or multiple users or groups.

    NOTE: When Resource Owner is defined, an Integration Owner must be defined.

    Resource Owner

    (Optional) Group or role responsible for approving or rejecting access requests for the resource. Follow these steps to define one or several resource owners:

    1. Enter a Key name. This value is the name of the tag created in your cloud environment.

    2. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.

    NOTE: When this setting is defined, an Integration Owner must also be defined.

  10. Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

  1. At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

  2. Click to copy the code.

  3. Make any additional edits.

  4. Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.

Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.


Integrate an AWS organization

Prerequisites

Integration


You can also use the steps below to integrate with Apono using Terraform.

In the final step, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS organization:

  1. On the Catalog tab, click AWS. The Connect Integrations Group page appears.

  2. Under Discovery, click Amazon Organization.

  3. Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

  4. Select the Permission Boundary resource to allow Apono to temporarily restrict overprivileged access.

  5. Click Next. The Apono connector section expands.

  6. From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

  7. Click Next. The Integration Config section expands.

  8. Define the Integration Config settings.

    Setting
    Description

    Integration Name

    Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow

    Region

    Region in which the organization runs

    AWS SSO Region

    Region in which your single sign-on (IAM Identity Center) is configured

    SSO Portal

    Single sign-on URL. Apono requires this to generate the sign-in link that end users follow to use their granted access.

    Management Account Role ARN

    (Optional) ARN (step 5) of the role to assume in the management account

    Exclude Organization Unit IDs

    (Optional) Comma-separated list of organizational unit IDs to exclude. Example: ou-aaa1-11111111,ou-bbb2-22222222

    Exclude Account IDs

    (Optional) Comma-separated list of 12-digit AWS account IDs to exclude. Example: 766554433221,766554433222,766554433333

  9. Click Next. The Get more with Apono section expands.

  10. Define the Get more with Apono settings.

    Setting
    Description

    Custom Access Details

    (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.

    Integration Owner

    (Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:

    1. From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.

    2. From the Value dropdown menu, select one or multiple users or groups.

    NOTE: When Resource Owner is defined, an Integration Owner must be defined.

    Resource Owner

    (Optional) Group or role responsible for approving or rejecting access requests for the resource. Follow these steps to define one or several resource owners:

    1. Enter a Key name. This value is the name of the tag created in your cloud environment.

    2. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.

    NOTE: When this setting is defined, an Integration Owner must also be defined.

  11. Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

  1. At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

  2. Click to copy the code.

  3. Make any additional edits.

  4. Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

After connecting your AWS organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.

Enable multi-region resource discovery in Apono

Apono uses AWS Resource Explorer for multi-region scans in the AWS Organization integration. The organization-level Quick Setup configuration described below automatically deploys local indexes in each selected region and aggregates them into a single searchable view that Apono can query.

This configuration provides:

  • A centralized aggregator index for organization-wide search

  • Automated creation and maintenance of local indexes

  • Consistent visibility across teams, regions, and environments

  • Less manual setup and fewer cross-account visibility gaps

Prerequisites

Item
Description

AWS Organization

An AWS organization must be integrated with Apono.

All organizational units (OUs) or accounts you plan to include as part of the target must be structured within the AWS organization.

Admin account user or role

A user or role used to run Quick Setup in the management (Admin) account.

This user or role must be able to complete these tasks:

  • Enable trusted access in AWS Organizations

  • Configure Resource Explorer

  • Use Systems Manager Quick Setup

  • Use AWS Resource Access Manager (RAM)

  • View CloudFormation, SSM, and Resource Explorer status

Option A

Use a role or user with the AWS managed AdministratorAccess policy in the Admin account. This rules out hidden permission gaps, but it is a highly privileged identity; restrict it to the setup window rather than leaving it in everyday use.

Option B

Create a role in the Admin account (such as ResourceExplorerAdmin) with a custom managed policy that grants only the tasks listed above. This is the least-privilege option.

Service Control Policy (SCP)

SCPs must not deny CloudFormation in any target account or region:

  • SCPs must not explicitly deny:

    • cloudformation:CreateStack

    • cloudformation:UpdateStack

    • cloudformation:*

  • Region-restriction SCPs (those that condition on aws:RequestedRegion) must do one of the following:

    • Include every region in which Quick Setup will deploy in the allowlist.

    • Exempt CloudFormation from the deny statement by listing cloudformation:* in its NotAction element.

IMPORTANT: If these SCP requirements are not met, Quick Setup fails in every region where the SCP denies CloudFormation.

Enable trusted access for Resource Explorer

Follow these steps to enable trusted access:

  1. From your Admin account, open AWS Resource Explorer.

  2. From the navigation, click Settings. The Settings page appears.

  3. In the multi-account/organization section, follow the prompt to Enable trusted access.

Configure the organization deployment

Follow these steps to configure the organization deployment:

  1. Open Quick Setup from either Systems Manager or Resource Explorer:

    Systems Manager

    1. Open AWS Systems Manager.

    2. From the navigation, click Change Management Tools > Quick Setup. The AWS Quick Setup page opens.

    3. Click Get started. The Library tab opens.

    4. On the Resource Explorer card, click Create. The Configure Resource Explorer for your Organization page opens.

    Resource Explorer

    1. Open AWS Resource Explorer.

    2. From the navigation, click Settings. The Settings page opens.

    3. Under Multi-account search in Resource Explorer, click Create configuration on Quick Setup. The Configure Resource Explorer for your Organization page opens.

  2. Select the Aggregator Index Region. This region becomes the central location for organization-wide search.

  3. Under Targets, select the accounts that include the resources you want discovered:

    • Entire Organization: (Recommended) Enables complete visibility

    • Specific OUs: Enables scoping deployment

  4. From the regions selector, choose all regions where Resource Explorer should create indexes.

If a regions selector is not present, all supported regions for the selected targets may be implicitly included.

  5. Under Summary, review the aggregator region, targets, and regions.

  6. Click Create. Quick Setup deploys the following:

    • Local indexes in each selected region or account

    • An aggregator index in the Aggregator Region

    • Default views for centralized search

Verify the deployment

After the deployment has completed, follow these steps to verify the deployment:

  1. From the Admin account, open AWS Resource Explorer.

  2. From the navigation, click Settings. The Settings page opens.

  3. Under Indexes, locate the region set as the aggregator index during the Quick Setup. The region should be denoted as Aggregator.

  4. Spot check a member account:

    1. Sign in to a sample member account, or assume a role in it.

    2. Open AWS Resource Explorer in one region that should have an index to ensure an index exists and is Active.

    3. Open AWS Resource Explorer in one region that should not have an index to confirm an index does not exist.

If some regions or accounts are missing the index, read The index is missing in some regions or accounts.

Troubleshoot Quick Setup

Quick Setup fails in some regions.

Symptoms

  • Quick Setup shows Failed for some configs.

  • Error text mentions cloudformation:CreateStack (or similar) and an explicit denial in a service control policy.

Likely Cause

A service control policy denies CloudFormation in some regions, typically through an aws:RequestedRegion condition. Regions the SCP allows deploy successfully; all other regions fail.

Solution

Follow these steps:

  1. From the Admin account, open AWS Organizations.

  2. From the navigation, click Policies. The Policies page opens.

  3. Under Service control policies, examine the SCPs attached to the affected organizational unit or account for "Effect": "Deny" statements that cover cloudformation:* or specific CloudFormation actions.

  4. Fix the issues through one of the following options:

    1. Add the required regions to the allowlist in aws:RequestedRegion.

    2. Exclude CloudFormation from the deny list. For example, add cloudformation:* to NotAction.

    3. Temporarily relax or detach the SCP, re-run Quick Setup, then restore the SCP. While the SCP is detached, its guardrails are lifted for every account it covers, so keep the window short and re-attach it as soon as the Quick Setup run completes.
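The following Python script is an added example, not part of the Apono documentation or of any AWS tooling. It encodes the SCP requirements from the Prerequisites and the Likely Cause above as code: given an SCP document, it reports the regions in which a Deny statement would block the cloudformation:CreateStack and cloudformation:UpdateStack calls that Quick Setup makes. The two policies it checks are constructed samples, a region-restriction SCP that blocks CloudFormation outside its allowlist and the same SCP with cloudformation:* added to NotAction. It only models the Action/NotAction and aws:RequestedRegion pattern discussed on this page, not full IAM policy evaluation.

```python
"""Find the regions in which an SCP would block Quick Setup's CloudFormation calls.

Added example (not Apono or AWS code). It covers only the SCP pattern discussed
on this page: Deny statements with Action/NotAction and an aws:RequestedRegion
condition. It is not a complete IAM policy evaluator.
"""
import copy
import fnmatch

# Constructed sample: a region-restriction SCP that denies everything outside the
# allowlist. CloudFormation is NOT exempted, so Quick Setup fails in eu-west-1.
SCP_BLOCKING = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}
            },
        }
    ],
}

# Corrected version (second option from the page): cloudformation:* is listed in
# NotAction, so the Deny no longer applies to CloudFormation in any region.
# Adding eu-west-1 to the allowlist would be the first option.
SCP_FIXED = copy.deepcopy(SCP_BLOCKING)
SCP_FIXED["Statement"][0]["NotAction"].append("cloudformation:*")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _region_condition_applies(condition, region):
    """True if the statement's aws:RequestedRegion condition (if any) is met for region."""
    if not condition:
        return True  # unconditional statement
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key.lower() != "aws:requestedregion":
                continue
            values = [v.lower() for v in _as_list(values)]
            op = operator.lower()
            if op == "stringequals":
                return region.lower() in values
            if op == "stringnotequals":
                return region.lower() not in values
            if op == "stringlike":
                return any(fnmatch.fnmatchcase(region.lower(), v) for v in values)
            if op == "stringnotlike":
                return not any(fnmatch.fnmatchcase(region.lower(), v) for v in values)
    # Conditions on other keys are not modelled; treat the Deny as applicable so
    # the check errs on the side of reporting a possible block.
    return True


def denying_statements(scp, action, region):
    """Sids (or positions) of Deny statements that explicitly deny `action` in `region`."""
    hits = []
    for i, stmt in enumerate(scp.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        elif "NotAction" in stmt:
            applies = not _action_matches(stmt["NotAction"], action)
        else:
            applies = False
        if applies and _region_condition_applies(stmt.get("Condition"), region):
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def cloudformation_blocked_regions(scp, regions):
    """Regions (from `regions`) in which Quick Setup's CloudFormation calls are denied."""
    needed = ("cloudformation:CreateStack", "cloudformation:UpdateStack")
    return sorted(r for r in regions if any(denying_statements(scp, a, r) for a in needed))


if __name__ == "__main__":
    target_regions = ["us-east-1", "us-west-2", "eu-west-1"]
    print("blocking SCP:", cloudformation_blocked_regions(SCP_BLOCKING, target_regions))
    print("fixed SCP:   ", cloudformation_blocked_regions(SCP_FIXED, target_regions))
```

To check a real policy, load the JSON returned by `aws organizations describe-policy` into `denying_statements` or `cloudformation_blocked_regions` with the regions you selected in Quick Setup; any region reported for the SCP is one where the Likely Cause above applies.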

The index is missing in some regions or accounts.

Symptoms

  • Some accounts or regions have no index.

  • Quick Setup shows partial success.

Possible Causes

  • The region was not included in the Quick Setup region selection.

  • The account or organizational unit was not part of the Quick Setup target scope.

  • CloudFormation has been denied by SCP in that region.

Solution

Follow these steps:

  1. Review the Targets and Regions (if applicable) selected when you configured the organization deployment.

  2. Check the SCP for the relevant accounts or regions.

The aggregator index is missing from the Admin account.

Symptoms

  • In the Admin account, in the chosen Aggregator Region:

    • The index exists but is not marked as Aggregator.

    • The index does not exist.

  • The organization-wide view does not show everything.

Possible Causes

  • The Admin account is not in one of the Quick Setup targets, such as the selected organizational unit.

  • AWS created aggregator indexes only in member accounts based on your config.

  • The index was manually created as Local, not Aggregator.

Solution

Follow these steps:

  1. In the Admin account, in the Aggregator Region, ensure an index exists.

  2. In the console, change the index type to Aggregator.

  3. Create the organization-wide view in that account and region.
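The following Python script is an added example, not part of the Apono documentation or of any AWS tooling. It turns the Verify the deployment spot check and the two index-related troubleshooting cases above into a repeatable check: given the response of `aws resource-explorer-2 list-indexes` (or boto3 `client("resource-explorer-2").list_indexes()`), which lists the calling account's Resource Explorer indexes in every region, it reports regions that are missing an index, regions that have one outside the Quick Setup scope, and whether the Admin account's aggregator index is present and of the right type. The two responses embedded below are constructed samples, as are the account IDs and ARNs in them; in practice you run it against live output for the Admin account and for each member account you spot check.

```python
"""Verify a Resource Explorer Quick Setup deployment from ListIndexes output.

Added example (not Apono or AWS code). Input is the response shape of
`aws resource-explorer-2 list-indexes`: {"Indexes": [{"Arn", "Region", "Type"}]},
where Type is LOCAL or AGGREGATOR. The samples below are constructed.
"""

# Constructed sample: the management (Admin) account after a Quick Setup that chose
# us-east-1 as the aggregator and us-east-1, us-west-2, eu-west-1 as index regions.
ADMIN_OK = {
    "Indexes": [
        {"Arn": "arn:aws:resource-explorer-2:us-east-1:111111111111:index/example-1",
         "Region": "us-east-1", "Type": "AGGREGATOR"},
        {"Arn": "arn:aws:resource-explorer-2:us-west-2:111111111111:index/example-2",
         "Region": "us-west-2", "Type": "LOCAL"},
        {"Arn": "arn:aws:resource-explorer-2:eu-west-1:111111111111:index/example-3",
         "Region": "eu-west-1", "Type": "LOCAL"},
    ]
}

# Constructed sample: a member account where Quick Setup partially failed (no index
# in eu-west-1, e.g. CloudFormation denied there by an SCP) and a stray manually
# created index exists in ap-southeast-1.
MEMBER_PARTIAL = {
    "Indexes": [
        {"Arn": "arn:aws:resource-explorer-2:us-east-1:222222222222:index/example-4",
         "Region": "us-east-1", "Type": "LOCAL"},
        {"Arn": "arn:aws:resource-explorer-2:us-west-2:222222222222:index/example-5",
         "Region": "us-west-2", "Type": "LOCAL"},
        {"Arn": "arn:aws:resource-explorer-2:ap-southeast-1:222222222222:index/example-6",
         "Region": "ap-southeast-1", "Type": "LOCAL"},
    ]
}


def check_indexes(list_indexes_response, expected_regions, aggregator_region=None):
    """Compare one account's indexes with what Quick Setup should have deployed.

    expected_regions: the regions selected in Quick Setup (each needs an index).
    aggregator_region: pass it only when checking the Admin account; that region
    must hold the single AGGREGATOR index. Member accounts hold LOCAL indexes only.
    Returns a report dict; an empty 'problems' list means the account passes.
    """
    by_region = {ix["Region"]: ix["Type"] for ix in list_indexes_response.get("Indexes", [])}
    expected = set(expected_regions)
    problems = []

    # Troubleshooting case "The index is missing in some regions or accounts".
    missing = sorted(expected - by_region.keys())
    if missing:
        problems.append(f"no index in expected regions: {', '.join(missing)}")

    # Verify step: a region outside the scope must not have an index.
    unexpected = sorted(by_region.keys() - expected)
    if unexpected:
        problems.append(f"index present outside the Quick Setup scope: {', '.join(unexpected)}")

    # Troubleshooting case "The aggregator index is missing from the Admin account".
    aggregators = sorted(r for r, t in by_region.items() if t == "AGGREGATOR")
    if aggregator_region is not None:
        if aggregator_region not in by_region:
            problems.append(f"aggregator region {aggregator_region} has no index at all")
        elif by_region[aggregator_region] != "AGGREGATOR":
            problems.append(f"index in {aggregator_region} exists but is LOCAL, not AGGREGATOR")
    elif aggregators:
        problems.append(f"member account unexpectedly holds an aggregator in: {', '.join(aggregators)}")

    return {
        "indexes": by_region,
        "missing_regions": missing,
        "unexpected_regions": unexpected,
        "aggregator_regions": aggregators,
        "problems": problems,
    }


if __name__ == "__main__":
    regions = ["us-east-1", "us-west-2", "eu-west-1"]
    for label, resp, agg in (("admin", ADMIN_OK, "us-east-1"), ("member", MEMBER_PARTIAL, None)):
        report = check_indexes(resp, regions, agg)
        print(label, "OK" if not report["problems"] else report["problems"])
```

Because ListIndexes only covers the calling account, run the check once per account: from the Admin account with `aggregator_region` set, then from each spot-checked member account (via an assumed role) without it. A region listed under `missing_regions` points back to the SCP and target-scope checks in the troubleshooting steps above.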

Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.


Troubleshooting

Please refer to our troubleshooting guide if you encounter errors while integrating.
