Apono is the best solution for just-in-time, temporary access to sensitive cloud resources
Apono lets you automate static access policies by turning them into declarative, dynamic Access Flows. Integrate your cloud environment, CI/CD stack, cloud infrastructure and databases with Apono. Create Access Flows with our declarative UI or in Terraform, and your developers can use Slack, Teams or CLI to request and approve access.
Protect what matters without breaking a sweat.
Do developers have admin/write access or read-only access to production?
Can you answer that, or must you sort through your cloud resources to find out? Of course, by the time you get to the last one, you'll have to recheck the first because so much time has elapsed, and access changes constantly. While discussing it, how long would it take to revoke access to a production cloud resource in an emergency?
With Apono, you have a single point of control for managing access without creating a single point of failure.
Use Apono for on-demand access to critical resources. Grant an engineer permission to fix a production issue in an emergency. Grant a data scientist access to a data lake when needed. Just as important is to revoke access once it's no longer needed.
Apono's permissions are just-in-time and also ephemeral. Access is automatically revoked when no longer needed. No more forgotten privileges or group memberships left open. Access begins and ends according to Access Flow definition.
No need to manually change permissions for each resource on your cloud platform every time someone needs access to one of its resources. While access can be granted at a granular level, large-scale environments can be managed efficiently by creating Access Flows, for individuals and groups, to all cloud resources and assets.
Your environment is always evolving, and so does Apono. Use hierarchies, tags and exclusions for dynamic access management.
Are you using Terraform to manage your cloud platforms?
That's great, because Apono is a Terraform provider and can be provisioned to work alongside your resources by adding code blocks that integrate them into Apono. When you bring up a resource, it immediately benefits from Apono access management.
Apono lets you turn static access policies into dynamic Access Flows directly from Terraform. Reuse a simple build file to build the perfect workflows for your organization without ever leaving Terraform.
With Apono, you will work smarter with less effort to manage and gain access to your cloud resources. You will take control of your cloud resource inventory from one central location.
Apono's Access Flows prepare for contingencies, emergency access and regular maintenance. Onboarding becomes quick and easy, with our dynamic Access Flows and access bundles. There's no need for writing and maintaining home-grown scripts and complex workflows.
Your developers can request access bundles and get just the access they need exactly when they need it, no hassle.
Developers and engineers love ChatOps and CLI, so why should they have to use another interface?
Apono integrates with Slack, Teams and CLI, so your R&D can use the tools they know to request & approve access, connect to the resources, and, after the access is automatically revoked, request the access again when they need it.
Apono has developed a declarative, natural language format for defining access permissions. No need to edit config files. We call it Access Flow, and it looks like this:
Select a resource and then specify (a) who is allowed to gain access, (b) what kind of access (roles or permissions) to grant, (c) which specific resources in the integration to allow access to, (d) how long the access should last, and (e) whether access should be approved automatically or by someone in the organization.
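To make the five elements of an Access Flow concrete (requester, permission, resources, duration, approval), here is a small working model of a just-in-time, ephemeral access broker. It is an added illustration, not Apono's code or API: every class, function and sample value (AccessFlow, JitAccessBroker, the "prod-db" flows, the users and groups) is constructed for this example. It shows the behaviour the text describes: a request is matched against a declarative flow, approved automatically or by a named approver, granted with an expiry that acts as the revocation, and every decision (including denials) lands in an audit trail.

```python
"""Model of just-in-time, ephemeral access driven by declarative Access Flows.
Added illustration, not Apono's code: all names and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessFlow:
    """One declarative rule: who may request which permission on which resources,
    for how long, and whether a human approver is required."""
    name: str
    requesters: FrozenSet[str]               # user ids and/or group names
    resources: FrozenSet[str]                # resource identifiers covered
    permission: str                          # e.g. "read" or "write"
    duration: timedelta                      # grant lifetime before automatic revocation
    approvers: FrozenSet[str] = frozenset()  # empty = approved automatically


@dataclass
class AccessRequest:
    request_id: int
    user: str
    resource: str
    permission: str
    flow: AccessFlow
    status: str = "pending"                  # pending | approved
    expires_at: Optional[datetime] = None


class JitAccessBroker:
    """Matches requests against Access Flows, grants time-boxed access, keeps an audit trail."""

    def __init__(self, flows: List[AccessFlow]):
        self.flows = flows
        self.requests: Dict[int, AccessRequest] = {}
        self.audit: List[str] = []
        self._next_id = 1

    def _log(self, now: datetime, line: str) -> None:
        self.audit.append(f"{now.isoformat()} {line}")

    def _match_flow(self, user, groups, resource, permission) -> Optional[AccessFlow]:
        principals = {user, *groups}         # a flow may name the user or one of their groups
        for flow in self.flows:
            if (principals & flow.requesters and resource in flow.resources
                    and permission == flow.permission):
                return flow
        return None

    def request(self, user, groups, resource, permission, now) -> AccessRequest:
        flow = self._match_flow(user, groups, resource, permission)
        if flow is None:
            # Denied attempts are logged as well: they are the useful signal for detection.
            self._log(now, f"DENIED {user} {permission} {resource}: no matching Access Flow")
            raise PermissionError(f"no Access Flow lets {user} request {permission} on {resource}")
        req = AccessRequest(self._next_id, user, resource, permission, flow)
        self._next_id += 1
        self.requests[req.request_id] = req
        self._log(now, f"REQUEST #{req.request_id} {user} {permission} {resource} via {flow.name}")
        if not flow.approvers:               # no approver listed: automatic approval
            self._grant(req, now)
        return req

    def approve(self, request_id, approver, now) -> None:
        req = self.requests[request_id]
        if approver not in req.flow.approvers:
            self._log(now, f"REJECTED approval of #{request_id} by {approver}: not an approver")
            raise PermissionError(f"{approver} is not an approver on {req.flow.name}")
        if req.status != "pending":
            raise ValueError(f"request #{request_id} is already {req.status}")
        self._log(now, f"APPROVED #{request_id} by {approver}")
        self._grant(req, now)

    def _grant(self, req, now) -> None:
        req.status = "approved"
        req.expires_at = now + req.flow.duration   # the grant carries its own revocation time
        self._log(now, f"GRANT #{req.request_id} until {req.expires_at.isoformat()}")

    def has_access(self, user, resource, permission, now) -> bool:
        """True only while an approved, unexpired grant exists: expiry is the revocation,
        so nothing has to remember to clean up a lingering permission."""
        return any(
            r.user == user and r.resource == resource and r.permission == permission
            and r.status == "approved" and r.expires_at is not None and now < r.expires_at
            for r in self.requests.values())


# Constructed sample flows: auto-approved read access for a data-science group, and
# write access to the same database only for on-call engineers, approved by "alice".
FLOWS = [
    AccessFlow("prod-db-read", frozenset({"data-science"}), frozenset({"prod-db"}),
               "read", timedelta(hours=2)),
    AccessFlow("prod-db-write", frozenset({"oncall"}), frozenset({"prod-db"}),
               "write", timedelta(hours=1), approvers=frozenset({"alice"})),
]


def run_scenario() -> dict:
    """Walks one request through each flow and returns what the broker decided at each point."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker, out = JitAccessBroker(FLOWS), {}
    broker.request("bob", {"data-science"}, "prod-db", "read", t0)            # auto-approved
    out["bob_read_immediately"] = broker.has_access("bob", "prod-db", "read", t0)
    out["bob_read_after_expiry"] = broker.has_access("bob", "prod-db", "read", t0 + timedelta(hours=2))
    carol = broker.request("carol", {"oncall"}, "prod-db", "write", t0)       # waits for alice
    out["carol_write_before_approval"] = broker.has_access("carol", "prod-db", "write", t0)
    try:
        broker.approve(carol.request_id, "dave", t0 + timedelta(minutes=5))  # not an approver
        out["dave_could_approve"] = True
    except PermissionError:
        out["dave_could_approve"] = False
    broker.approve(carol.request_id, "alice", t0 + timedelta(minutes=10))
    out["carol_write_after_approval"] = broker.has_access("carol", "prod-db", "write", t0 + timedelta(minutes=30))
    out["carol_write_after_expiry"] = broker.has_access("carol", "prod-db", "write", t0 + timedelta(minutes=71))
    try:
        broker.request("bob", {"data-science"}, "prod-db", "write", t0)       # no flow allows this
        out["bob_write_allowed"] = True
    except PermissionError:
        out["bob_write_allowed"] = False
    out["audit"] = broker.audit
    return out


if __name__ == "__main__":
    for line in run_scenario()["audit"]:
        print(line)
```

Two design points worth noting: access is never "revoked" by a separate cleanup step, because `has_access` simply stops returning true once `expires_at` passes, and the audit trail records denied requests and rejected approvals alongside grants, which is what an auditor or a SIEM rule would actually want to see.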
In fact, integrating with Apono and creating Access Flows has proven so intuitive that most Apono customers set up and deploy access control for their entire organizations within two weeks.
Apono doesn't have access to any of your data. Ever.
How does it work? Install our connector in your environment, direct it to your secret store and you're done! The connector manages the data syncs to our app and handles access provisioning and de-provisioning to your services, without storing or caching secrets.
We call it SaaS with an on-premise level of security. And you can tell your customers that they can be confident that access to their data is protected.
Apono's comprehensive access management covers your entire cloud, with Access Flows defined for every cloud service and resource type. Need to maintain least-privileges to production environments, financial data, PII, and other critical assets? Check!
Access requests and granted access are all logged, so you have a reliable audit of the access to your data. As part of your IT compliance reporting to SOX, HIPAA, GDPR, PCI DSS, SOC 2 and others, use Apono's audit logs and reports. Send them to external auditors, internal GRC and security teams, and export logs directly to ITSM, SIEM and compliance tools.
Apono helps you manage just-in-time access in a secure, least privilege way
Apono was built and designed with security in mind so that any company is able to use it in their environment.
We applied the same least privilege principles to our product that Apono unlocks for its users:
Ensure users receive just the right amount of permissions they need
Ensure users receive access only for the limited time they need them
The Apono platform is built by two separate components:
The Web App
The Connector
The web app continuously receives basic data about users, resources and permissions from the connector.
The connector is deployed entirely within the organization's environment and exposes a limited set of template functions that can be invoked and are fully under the organization's control.
This architecture ensures high reliability as well as segregation of environments, keeping any access to the environment within the environment.
Our web app is a portal for admins to create and manage integrations and Access Flows.
The portal:
Can only be accessed by admins of the system who've authenticated using the organizational identity provider.
Doesn't require access to the organization's environment resources. No roles, permissions, privileges, or actions are granted to the app.
Integrates with the organizational identity provider as the source of truth for the organizational identities.
Doesn't access your data or environment, and only communicates with the Apono connector.
Our connector is a component you install in your cloud environment (AWS, GCP, Azure, Kubernetes). It communicates with your cloud services and cloud apps using, but not caching or storing, your secrets.
The connector:
Is completely within the organization's control, as it is installed in your cloud provider.
Can be uninstalled or disconnected at any time without support from Apono.
Uses fully visible template functions, mutable by the organization’s environment owner. These functions limit the ability of the connector to only invoke specific actions that are predefined.
Has no permissions to access the data itself.
Does not store any secrets.
👍 The Apono Connector is High Availability
No downtime, no outages, no problem!
Our Round Robin method helps ensure uptime for your Apono integrations as users request access. Several connector instances will continue provisioning and deprovisioning access as needed.
When you integrate your cloud applications and IdP with Apono, Apono syncs metadata and configuration information continuously. We only sync basic information needed for access management: users, groups, resources and permissions.
Apono:
Does not read your data, like datasets, files, documents, code, etc.
Does not collect any personal data about your employees: Apono needs a user's email, and that's it.
Does not store or cache secrets or credentials
Apono does not store or cache any of your secrets.
When a data sync is required, the connector gets the secret from your cloud's Secret Store to access the data it needs. After authenticating, the secret is not saved anywhere.
👍 Credentials rotation as often as you need
When granting access to users, Apono enforces password reset and credentials rotation out of the box to meet the strictest compliance and security standards. Read more here.
Commonly used Apono terms
Access Flow
A to manage and control access. The Access Flow, set by the admin, determines the:
- Requester (the user or group of users)
- Resource or bundle of resources
- Permission or permissions
- Approval flow (automatic or by approver)
- Access duration
Visit the page to see how easily an Access Flow definition is created with step by step instructions.
Access Request
Users to resources controlled by Apono's Access Flows using Slack, Teams or CLI. This Access Request is either automatically approved or sent to the flow's approver who must then either .
Every access request is .
Admin role
Admins are users in Apono who integrate Apono with their environment and create and manage Access Flows.
Approver
A user, group of users, manager or shift member who have been listed on a specific Access Flow as those who must an access request.
Bundle
A bundle is a combination of resources and permissions, grouped together so that they can be easily requested and granted together.
Bundles are great for:
- - Admins can create a bundle once and use it in different Access Flows with different requesters, approval flows, and access duration.
- Ease of use - Requesters can request a bundle of access for the task or incident they are currently handling.
Connector
Connectors are very small apps added to a cloud service that allow secure data sync and access management functions to be run by Apono.
End-user/Grantee
The person who has been granted access to a resource or resources according to an Access Flow and will actually be using it.
Identities
Users in the organization, synced from your identity provider.
IdP
Identity Provider: a service that stores and manages digital identities. Companies use these services to allow their employees or users to connect with the resources they need. They provide a way to manage access, adding or removing privileges, while security remains tight. Read more .
Integration
Your cloud integrations must be connected with Apono to sync data on identities, resources and permissions and to manage access just-in-time. See the for a complete list of supported integrations.
Just In Time (JIT)
Just In Time refers to the part of the Access Flow that makes a resource available to a user only when they need it and only for as long as it is needed. Access is granted just in time, and it is also revoked once the work is done rather than left open and forgotten past the time it is used.
You might also have heard the terms short-lived access, ephemeral access or temporary access.
Permission
The type of action users can perform on a resource. Actions are usually grouped into roles; for example an Admin role usually contains all the possible actions, like read, write, delete, etc.
Some permissions are more powerful than others. For example, a write permission (which allows you to edit a resource) is more powerful than a read permission (which only allows you to view it).
Permissions are at the heart of the least-privilege principle: permissions (especially powerful ones, or those that apply to sensitive or critical resources) should be kept to a minimum and granted only when needed (just-in-time).
RBAC
Role-based access control (RBAC) systems assign access and actions according to a person's role within the system. Everyone who holds that role has the same set of rights. Those who hold different roles have different rights. Read more .
Resource
A resource is a cloud service or other instance that a user can gain access to. For example, repositories, servers, machines, buckets and databases, but also accounts, projects, folders, clusters, etc. Every cloud application artifact can be a resource, and once it is integrated with Apono, users can request and be granted access to it.
The permission determines which actions the user can perform on the resources.
Resource Type
The resource type is the family the resource belongs to. For example, every S3 bucket instance has a name and path, but all S3 Buckets belong to the S3 Bucket family.