Learn how to complete an AWS integration in the Apono UI
Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various accounts and organizations.
Apono connector installed in your AWS account
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role.
You can also use the steps below to integrate with Apono using Terraform. In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to integrate Apono with your AWS account:
On the Catalog tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Region
Region in which the organization runs
AWS Profile Name
(Optional) Name of the AWS profile. By default, Apono sets this value to apono.
Enable Audit
(Optional) Feature that allows Apono to ingest and aggregate session audit logs
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.
Apono connector installed in your AWS management account OR a connector with delegate permissions
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role.
You can also use the steps below to integrate with Apono using Terraform. In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to integrate Apono with your AWS organization:
On the Catalog tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Region
Region in which the organization runs
AWS SSO Region
Region for which your single sign-on is configured
SSO Portal
Management Account Role ARN
Exclude Organization Unit IDs
IDs of the organizational units to exclude, as a comma-separated list. Example: ou-aaa1-1111,ou-bbb2-2222
Enable Audit
(Optional) Feature that allows Apono to ingest and aggregate session audit logs
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.
Please refer to our troubleshooting guide if you encounter errors while integrating.
Credential Rotation: (Optional) Number of days after which the database credentials must be rotated.
Integration Owner: (Optional) Fallback approver if no resource owner is found. Define one or several integration owners with the steps listed under Integration Owner above.
Resource Owner: (Optional) Group or role responsible for managing access approvals or rejections for the resource. Define one or several resource owners with the steps listed under Resource Owner above.
SSO Portal: Required for Apono to generate a sign-in link for end users to use their granted access.
Management Account Role ARN: ARN (step 5) of the role to assume in the management account.
Automatically discover all AWS RDS instances in an Account or Organization for JIT access management
AWS RDS PostgreSQL and MySQL databases provide powerful and flexible relational database services in the cloud. This guide shows you how to enable Apono to discover and manage your AWS RDS databases, including MySQL and PostgreSQL instances.
Before you start, ensure you have:
One or more Apono AWS connectors installed with network access to your AWS RDS databases (minimum required version: 1.5.3).
Permissions to create and manage AWS Secrets Store secrets and tag RDS instances.
This capability requires network access to each discovered database. If you have databases in different networks, create an AWS connector for each network.
To enable Deep Discovery for your AWS RDS databases, you will need to tag your database instances with specific key-value pairs. The tagging process varies based on your authentication method.
For IAM authentication, tag your RDS database instance with the following key-value pairs:
auth_type: iam-auth
apono-connector-id: The ID of the Apono connector in the same account as the database
For username and password authentication, tag your RDS database instance with the following key-value pairs:
auth_type: user-password
apono-connector-id: The ID of the Apono connector in the same account as the database
apono-secret: The ARN of the secret containing the database credentials
region: The AWS region where the secret is stored
Go to the Integrations Catalog in the Apono web application.
Click "AWS" and select either "Account" or "Organization". Make sure to pick the RDS resources under Connect Sub Integrations.
Choose the Apono connector set up for your Account or Organization. Read more here.
Complete the integration by providing the required config.
Click Confirm.
After connecting your AWS Account or Organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration and the sub-integrations for each RDS instance will initialize once they complete their first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to RDS resources.
If RDS instances appear with errors in your Integrations page, follow these steps:
Check Tags: Verify all required tags are present and correctly formatted.
Connector Permissions: Ensure the Apono connector has necessary permissions to read tags and access secrets.
Network connectivity: Ensure each RDS instance has a connector with network access to the RDS.
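An offline check for the Deep Discovery tags described above, covering the "Check Tags" troubleshooting step. This is example code added here, not Apono's own tooling; it takes the tag list shape the AWS API returns for an RDS instance and reports missing or malformed tags for the chosen auth_type. The ARN and region formats it enforces are assumptions, not rules from the page, and the sample tag sets are constructed.

```python
import re

# Required tag keys per authentication method, as documented for Deep Discovery.
REQUIRED_TAGS = {
    "iam-auth": ("auth_type", "apono-connector-id"),
    "user-password": ("auth_type", "apono-connector-id", "apono-secret", "region"),
}
# Assumed formats (not from the page): a Secrets Manager ARN and an AWS region name.
SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def check_rds_tags(tag_list):
    """Return a list of problems; an empty list means the instance is tagged correctly."""
    tags = {t["Key"]: t["Value"] for t in tag_list}
    problems = []
    auth_type = tags.get("auth_type")
    if auth_type not in REQUIRED_TAGS:
        problems.append(f"auth_type must be one of {sorted(REQUIRED_TAGS)}, got {auth_type!r}")
        return problems
    for key in REQUIRED_TAGS[auth_type]:
        if not tags.get(key):  # missing key or empty value
            problems.append(f"missing required tag {key!r} for auth_type={auth_type}")
    if auth_type == "user-password":
        secret, region = tags.get("apono-secret", ""), tags.get("region", "")
        if secret and not SECRET_ARN_RE.match(secret):
            problems.append("apono-secret is not a Secrets Manager ARN")
        if region and not REGION_RE.match(region):
            problems.append("region is not a valid AWS region name")
        # The region tag must name the region where the secret lives.
        if secret and region and f":{region}:" not in secret:
            problems.append("region tag does not match the region in the apono-secret ARN")
    return problems


# Constructed samples: a correct IAM-auth instance and a user-password instance
# whose region tag disagrees with the secret's ARN. Ids and account are placeholders.
IAM_OK = [{"Key": "auth_type", "Value": "iam-auth"},
          {"Key": "apono-connector-id", "Value": "connector-id-placeholder"}]
PASSWORD_BROKEN = [{"Key": "auth_type", "Value": "user-password"},
                   {"Key": "apono-connector-id", "Value": "connector-id-placeholder"},
                   {"Key": "apono-secret",
                    "Value": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-creds"},
                   {"Key": "region", "Value": "eu-west-1"}]

if __name__ == "__main__":
    for name, tags in (("iam_ok", IAM_OK), ("password_broken", PASSWORD_BROKEN)):
        print(name, check_rds_tags(tags) or "OK")
```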
Scale AWS resource management in access flows
When granting AWS access permissions, listing individual ARNs in IAM policies can quickly cause you to exceed AWS's inline policy size limit. Apono solves this through access scopes and AQL. These use pattern-based selection to manage resource groups efficiently instead of listing individual ARNs.
For additional protection, Apono has implemented a 100-resource threshold as a guardrail when individual ARN specification is needed.
The following sections explain how Apono prevents you from exceeding AWS's inline policy limit:
Create strategic AWS resource groupings for access flows
Understand how Apono provides clear warnings when the AWS policy limit is exceeded
Learn how Apono maintains consistent behavior whether your team uses Portal, Teams, or Slack
For example, instead of individually specifying 200 S3 buckets in a policy (which would exceed AWS's limit), you can use resource tags to group them by environment or function.
Apono validates for the following types of AWS resources:
ASM Secret
DynamoDB table
EC2 Connect
EC2 Manage
S3 Bucket (by "any resource" and region tags)
SNS Topic
SQS queue
When defining access flows that include AWS resources, your resource definition strategy directly impacts policy management.
Before selecting AWS resources for an access flow, consider the following questions:
Can all resources of an integration be selected?
Have tags been applied to logically group resources by environment, function, or team?
Is individual resource selection truly necessary for security requirements?
To effectively manage AWS permissions while avoiding policy character limits, you can use access scopes, integrations, or bundles. When possible, we strongly recommend using access scopes or AQL.
The following table explains the strategy for each approach.
If you select too many AWS resources for an access flow, the Apono UI will display a warning message instructing you to reduce the number of selected resources.
When requesting access to many AWS resources, Apono will warn you if you have selected too many AWS resources.
You will receive different notifications about AWS resource limits depending on which platform you use to submit your access request:
Portal & Teams: Apono displays a warning before submission when you click Request, preventing requests that exceed the limit.
In some cases, the request might pass initial validation but still trigger a post-submission notification to select fewer resources.
Slack: Apono processes your request first, then sends a message if you need to resubmit with fewer resources.
The following configurations within access flows or when bundling multiple resources will exceed AWS policy size constraints.
Specifying resources by name: Individually choosing resource names.
S3 buckets: since AWS does not support tagging buckets, handle them with region tags or through access scopes or AQL patterns where possible.
Excluding a list of resource names: choosing a list of resources to exclude can similarly inflate policy size and is best handled through access scopes or AQL patterns where possible.
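A worked illustration of why per-ARN selection hits the policy size limit while tag-based selection does not, and of the 100-resource guardrail described above. This is example code added here, not Apono's implementation. It uses EC2 instances rather than the page's 200 S3 buckets so the tag-condition policy is a like-for-like comparison (the page notes buckets cannot be selected by tag). The 10,240-character limit is the documented AWS quota for a role's inline policies, counted without whitespace; both figures are stated here as assumptions, and the instance ids and account number are constructed.

```python
import json

ROLE_INLINE_POLICY_MAX_CHARS = 10240  # AWS quota for role inline policies (assumed, not from the page)
APONO_RESOURCE_THRESHOLD = 100        # guardrail described on the page


def policy_size(policy):
    """Characters in the policy document with whitespace removed (how IAM counts quota usage; assumed)."""
    return len(json.dumps(policy, separators=(",", ":")))


def per_arn_policy(instance_ids, account="123456789012", region="eu-west-1"):
    """Policy naming every EC2 instance ARN explicitly: its size grows linearly with the selection."""
    arns = [f"arn:aws:ec2:{region}:{account}:instance/{i}" for i in instance_ids]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": arns}]}


def tag_scoped_policy(tag_key, tag_value):
    """The same grant expressed as a tag condition: constant size however many instances match."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}}}]}


def check_selection(instance_ids):
    """Apply the 100-resource guardrail, then the size limit; return (ok, reason)."""
    if len(instance_ids) > APONO_RESOURCE_THRESHOLD:
        return False, (f"{len(instance_ids)} resources selected by name exceeds the "
                       f"{APONO_RESOURCE_THRESHOLD} threshold; group them by tag or access scope")
    size = policy_size(per_arn_policy(instance_ids))
    if size > ROLE_INLINE_POLICY_MAX_CHARS:
        return False, f"policy would be {size} characters, over the {ROLE_INLINE_POLICY_MAX_CHARS} limit"
    return True, f"policy is {size} characters"


# Constructed sample: 200 synthetic instance ids, all assumed to carry the tag env=production.
INSTANCES = [f"i-{n:017x}" for n in range(200)]

if __name__ == "__main__":
    print("per-ARN, 200 instances:", policy_size(per_arn_policy(INSTANCES)), "chars")
    print("tag-scoped:", policy_size(tag_scoped_policy("env", "production")), "chars")
    print(check_selection(INSTANCES))
```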
Can an access scope be created to group resources across multiple AWS integrations?
Warnings by access flow type:
Automatic:
You have selected more than 100 AWS resources by name (Select by name) from one integration or between multiple integrations.
You have selected more than 100 AWS resources by name (Select by name) within one bundle or between multiple bundles.
Self Serve:
You have selected more than 100 AWS resources within one bundle or between multiple bundles.
Apono Connector, Minimum Required Version: 1.7.0
On-prem serving as a bridge between an AWS instance and Apono
Access Scopes (Strongly Recommended): Use when you need dynamic, rule-based resource grouping. Access scopes and AQL let you create flexible filters that adapt to your changing infrastructure. This makes them ideal for scenarios like all production databases or EC2 instances in the eu-region.
Integrations: Use when providing access to an entire AWS account or organization, or to resources that share specific tags. Integrations let you align permissions with your organization structure:
Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.
This strategy is ideal for scenarios like managing cross-account DevOps access or regional support team permissions.
Bundles: Use when packaging related resources as a cohesive unit for user requests. Bundles let you create logical groupings of permissions that serve specific functions.
Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.
This strategy is ideal for scenarios like complete development environment access or full analytics platform access.