1 of 8

AWS Integrations

If your organization uses Amazon Web Services (AWS) as a cloud platform, Apono's AWS integrations can help you securely manage access to your AWS cloud-based services and databases.

By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand access flows.

Through our AWS integrations, Apono enables you to perform the following access tasks:

Limit Access: Discover existing cloud privileges and convert them to just-in-time access flows.
Enable Self-Service Access: Allow developers to request access to AWS services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive AWS resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific S3 buckets, RDS, or EC2 instances with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across AWS.

Integrate an AWS account or organization

Learn how to complete an AWS integration in the Apono UI

Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various accounts and organizations.

Integrate an AWS account

Prerequisites

Apono connector installed in your AWS account
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS account:

On the Catalog tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.

Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.

Integrate an AWS organization

Prerequisites

Apono connector installed in your AWS management account OR a connector with delegate permissions
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS organization:

On the Catalog tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.

Troubleshooting

Please refer to our troubleshooting guide if you encounter errors while integrating.

Amazon Redshift

Integrate with Apono to view existing permissions and create Access Flows to Amazon Redshift clusters

Amazon Redshift is a fast, scalable, and secure fully managed data warehouse service in the cloud, serving as a primary data store for vast datasets and analytic workloads. Amazon Web Services (AWS) enables businesses to analyze their data using standard SQL and existing business intelligence tools, promoting insightful decision-making and integration with various AWS services.

Through this integration, Apono helps you securely manage access to your Amazon Redshift instance.

Prerequisites

Item

Description

Integrate Amazon Redshift

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Amazon Redshift. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Secret Store section expands.
Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Amazon Redshift instance.

Troubleshooting

Refer to Troubleshooting Errors for information about errors that may occur.

RDS PostgreSQL

Integrate with AWS-managed PostgreSQL for JIT access management for RDS

PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. AWS enables developers to create cloud-hosted PostgreSQL databases.

Through this integration, Apono helps you securely manage access to your AWS RDS for PostgreSQL instances.

Prerequisites

Item

Description

Create an AWS RDS PostgreSQL user

You must create a user in your AWS RDS PostgreSQL instance for the Apono connector and grant that user permissions to your databases.

Follow these steps to create a user and grant it database permissions:

Create a new user with either Built-in authentication or IAM authentication.

You can use only one authentication option on the RDS instance at a time.

Built-in authentication identifies a user through a username and password.

CREATE USER apono_connector WITH PASSWORD 'secret_passwd';

Be sure to select a strong password for the user.

After enabling IAM on your RDS instance, create an AWSAuthenticationPlugin user for the Apono connector. AWSAuthenticationPlugin is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.

To create the user, run the following commands from your Postgre client.

CREATE USER apono_connector;
GRANT rds_iam TO apono_connector;

From your preferred client tool, grant rds_superuser access to the user.

ALTER USER apono_connector WITH CREATEROLE;
GRANT rds_superuser TO apono_connector;

(IAM authentication only) Create and attach the following IAM policy to your identity center permissions set or role.

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": [
                 "rds-db:connect"
             ],
             "Resource": [
                 "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
             ]
         },
         {
             "Effect": "Allow",
             "Action": [
                 "rds:DescribeDBInstances"
             ],
             "Resource": [
                 "arn:aws:rds:*:*:db:*"
             ]
         }
     ]
 }

(Built-in authentication only) Create an AWS secret with the credentials from step 1.

When using IAM authentication, a secret does not need to be created.

The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the PostgreSQL instance instead of a secret.

Integrate Amazon RDS for PostgreSQL

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click AWS RDS PostgreSQL. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Secret Store section expands.
Associate the secret or credentials.

A secret is not needed for IAM authentication.

Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your RDS for PostgreSQL database.

AWS RDS MySQL

Prerequisites

If you already have AWS Apono connector:
- Make sure the connector's minimum version is 1.5.3.
If you still don't have AWS Apono connector:
AWS command-line
MySQL command-line

Create AWS RDS MySQL Integration

Generate Credentials

Create user and grant permissions:

You can use only one authentication option on the RDS instance at a time.

(MySQL 8.0+) Grant the service account the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.

Password Authentication

With password authentication, your database performs all administration of user accounts. You create users with SQL statements such as CREATE USER, with the appropriate clause required by the DB engine for specifying passwords.

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

SHOW DATABASES Allows the user to view all databases in the RDS instance. CREATE USER Grants the ability to create new users. UPDATE Permits updates in the MySQL system database, including user privileges. PROCESS Allows viewing the server's process list, including all executing queries.

IAM Authentication

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance \
    --db-instance-identifier DBInstanceIdentifier \
    --apply-immediately \
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

IAM Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance ^
    --db-instance-identifier DBInstanceIdentifier ^
    --apply-immediately ^
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Sign in to the AWS Management Console and open the Amazon RDS console Amazon RDS console , and choose your DB instance.
Copy the following details:
- Endpoint: The DNS name of the DB instance.
- Port: The port number on which the DB instance accepts connections.
Connect to the DB instance using your SQL client using the copied details.
Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

IAM Authentication

Enable IAM database authentication
1. Open the Amazon RDS console.
2. In the navigation pane, choose Databases.
3. Choose the DB instance that you want to modify.

    Make sure that the DB instance is compatible with IAM authentication. Check the compatibility requirements in Region and version availability.

4. Choose Modify.
5. In the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication. Choose Password authentication or Password and Kerberos authentication to disable IAM authentication.
6. Choose Continue.
7. To apply the changes immediately, choose Immediately in the Scheduling of modifications section.
8. Choose Modify DB instance.

2. Copy the following RDS SQL details: * Endpoint: The DNS name of the DB instance. * Port: The port number on which the DB instance accepts connections. 3. Connect to the DB instance using your SQL client using the copied details. 4. Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
        "Action": [
          "rds-db:connect"
        ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
      ]
    },
    {
      "Effect": "Allow",
        "Action": [
          "rds:DescribeDBInstances"
        ],
        "Resource": [
          "arn:aws:rds:*:*:db:*"
        ]
      }
  ]
}

Create Integration in Apono

In the Apono admin console, go to the Integrations page and click the Add Integration button in the top-left side, or press on the Catalog blade.
In the Catalog page search for and select AWS RDS MySQL.
In Discovery step, select one or multiple AWS RDS MySQL resource types for Apono to discover.
In Apono connector step, select the connector with the required permissions to be used with your AWS RDS MySQL.
In Integration config step, provide the following information about your AWS RDS MySQL:

In Secret Store step, provide the connector credentials using one of the following secret store options:

When using IAM authentication, **a secret does not need to be created**. The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the MySQL instance instead of a secret.

For the AWS RDS MySQL integration, use the following secret format: username:<The database username> password:<The user password>\

(Optional) In Get more with Apono step, you can set up the following:

Next Steps

Integrate with EKS

Create an integration to manage access to a Kubernetes cluster on AWS

With Elastic Kubernetes Service (EKS) on AWS, EKS simplifies the management complexities of Kubernetes.

Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.

Prerequisites

Configure user authentication

Authentication can be completed with an Identity and Access Management IAM user or an IAM role. To grant a user access to an EKS cluster, the IAM user or IAM role must be mapped with a specific user identifier, such as an email address.Apono supports this mapping with an IAM role through AWS SSO or SAML federation from any identity provider (IdP).

Create a new policy

Follow these steps to create a new policy:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.

Replace the default policy with the following policy. Be sure to replace the placeholder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}

Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.

Create the IAM role

Follow these steps to create the IAM role:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.
Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.

If an Overly permission trust policy popup window appears, click Continue.

Authenticate the EKS cluster

Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or EKS API.

Read Apply the aws-auth ConfigMap to your cluster to learn more about editing the aws-auth ConfigMap.

Follow these steps to authenticate the cluster:

Log into the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder.
```
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"
```

Follow these steps to authenticate the cluster:

Change the authentication mode to EKS API.
Create the access entry:
- For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
- For the Username use apono:{{SessionName}}.
- Choose Cluster as the access scope.

Now, you can integrate with EKS.

Integrate with Elastic Kubernetes Service (EKS)

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.

Click Next. The Integration Config section expands.
Define the Integration Config settings.

When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.

Click Next. The Secret Store section expands.

When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.

(Optional) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.

Log in to EKS with Apono access details

After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access role.

The following table shows two approaches to assume this role.

AWS Lambda Custom Integration

Learn how to integrate an AWS Lambda Custom Integration with Apono

AWS Lambda enables you to build and connect cloud services and internal web apps by writing single-purpose functions that are attached to events emitted from your cloud infrastructure and services.

Its serverless architecture frees you to write, test, and deploy functions quickly without having to manage infrastructure setup.

With this integration, you can connect your internal applications to AWS Lambda functions and manage access to those applications with Apono.

Prerequisites

Before starting this integration, create the items listed in the following table.

Item

Description

Integrate an AWS Lambda Custom Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 8, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

EC2 via Systems Manager Agent (SSM)

Apono AWS EC2 Integration utilizes SSM (System Manager) Agent to for JIT access management for AWS VMs

EC2 via Systems Manager Agent (SSM)

Have you connected an AWS account?

Make sure you integrated your AWS account to Apono. Follow this AWS Integration step-by-step guide.

Intro

This integration provides the ability to grant users permissions to connect to the EC2 with a secure connection - SSM.

Prerequisites

An integration between Apono and the AWS Organization or Account where the EC2 is.
EC2 machine with SSM agent installed. Installed by default in most EC2s docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent
End users will need to install the session manager plugin for AWS CLI on the local user's computer. docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin

Step-by-step guide

The EC2 instance role

Follow the steps below to create an EC2 instance role with the AmazonSSMManagedInstanceCore managed policy. Read more here.

In the AWS IAM, Click Create new IAM Role
1. Click Create Role
2. Choose the AWS Service option
3. From the dropdown list, choose EC2
4. Choose EC2 Role for AWS System Manager. Click Next.
5. Verify that the AmazonSSMManagerInstanceCore policy is added. Click Next
6. Fill the Role name box (for example, ec2-ssm)
7. Click Create role
Go back to the Modify IAM Role page
1. From the dropdown list, choose the new IAM role we created (ec2-ssm)
2. Click Update IAM role
3. Pleas note: it takes about 30 minutes for the AWS sync to finish.

Integrating Apono with the EC2 instances

In the Apono UI, edit an existing AWS Org or AWS Account integration or create a new one.
Add the EC2 Connect resource type.
Complete the integration and click Integrate.

Results

Apono should now discover EC2 machines! You can now create access flows to EC2 instances.

AWS RDS MySQL

Prerequisites

If you already have AWS Apono connector:
- Make sure the connector's minimum version is 1.5.3.
If you still don't have AWS Apono connector:
AWS command-line
MySQL command-line

Create AWS RDS MySQL Integration

Generate Credentials

Create user and grant permissions:

You can use only one authentication option on the RDS instance at a time.

Password Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

IAM Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance \
    --db-instance-identifier DBInstanceIdentifier \
    --apply-immediately \
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

IAM Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance ^
    --db-instance-identifier DBInstanceIdentifier ^
    --apply-immediately ^
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Sign in to the AWS Management Console and open the Amazon RDS console Amazon RDS console , and choose your DB instance.
Copy the following details:
- Endpoint: The DNS name of the DB instance.
- Port: The port number on which the DB instance accepts connections.
Connect to the DB instance using your SQL client using the copied details.
Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

IAM Authentication

Enable IAM database authentication
1. Open the Amazon RDS console.
2. In the navigation pane, choose Databases.
3. Choose the DB instance that you want to modify.

    Make sure that the DB instance is compatible with IAM authentication. Check the compatibility requirements in Region and version availability.

4. Choose Modify.
5. In the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication. Choose Password authentication or Password and Kerberos authentication to disable IAM authentication.
6. Choose Continue.
7. To apply the changes immediately, choose Immediately in the Scheduling of modifications section.
8. Choose Modify DB instance.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON mysql.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
        "Action": [
          "rds-db:connect"
        ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
      ]
    },
    {
      "Effect": "Allow",
        "Action": [
          "rds:DescribeDBInstances"
        ],
        "Resource": [
          "arn:aws:rds:*:*:db:*"
        ]
      }
  ]
}

Create Integration in Apono

In the Apono admin console, go to the Integrations page and click the Add Integration button in the top-left side, or press on the Catalog blade.
In the Catalog page search for and select AWS RDS MySQL.
In Discovery step, select one or multiple AWS RDS MySQL resource types for Apono to discover.
In Apono connector step, select the connector with the required permissions to be used with your AWS RDS MySQL.
In Integration config step, provide the following information about your AWS RDS MySQL:

Variable

Value

Required

In Secret Store step, provide the connector credentials using one of the following secret store options:

For the AWS RDS MySQL integration, use the following secret format: username:<The database username> password:<The user password>\

(Optional) In Get more with Apono step, you can set up the following:

Setting

Description

Next Steps

Integrate with EKS

Create an integration to manage access to a Kubernetes cluster on AWS

With Elastic Kubernetes Service (EKS) on AWS, EKS simplifies the management complexities of Kubernetes.

Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.

Prerequisites

Configure user authentication

Create a new policy

Follow these steps to create a new policy:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.

Replace the default policy with the following policy. Be sure to replace the placeholder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}

Placeholder

Description

Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.

Create the IAM role

Follow these steps to create the IAM role:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.
Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Placeholder

Description

Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.

If an Overly permission trust policy popup window appears, click Continue.

Authenticate the EKS cluster

Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or EKS API.

Read Apply the aws-auth ConfigMap to your cluster to learn more about editing the aws-auth ConfigMap.

Follow these steps to authenticate the cluster:

Log into the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder.
```
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"
```
Placeholder Description

Follow these steps to authenticate the cluster:

Change the authentication mode to EKS API.
Create the access entry:
- For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
- For the Username use apono:{{SessionName}}.
- Choose Cluster as the access scope.

Now, you can integrate with EKS.

Integrate with Elastic Kubernetes Service (EKS)

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.

Click Next. The Integration Config section expands.
Define the Integration Config settings.

When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.

Setting

Description

Click Next. The Secret Store section expands.

When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.

(Optional) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting Description
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.

Log in to EKS with Apono access details

After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access role.

The following table shows two approaches to assume this role.

Approach

Details

Placeholder

Description

AWS Integrations

Integrate an AWS account or organization

Integrate an AWS account

Prerequisites

Integration

Integrate an AWS organization

Prerequisites

Integration

Troubleshooting

Amazon Redshift

Prerequisites

Integrate Amazon Redshift

Troubleshooting

RDS PostgreSQL

Prerequisites

Create an AWS RDS PostgreSQL user

Integrate Amazon RDS for PostgreSQL

AWS RDS MySQL

In this article

Prerequisites

Create AWS RDS MySQL Integration

Generate Credentials

Create Integration in Apono

Next Steps

Integrate with EKS

Prerequisites

Configure user authentication

Create a new policy

Create the IAM role

Authenticate the EKS cluster

Integrate with Elastic Kubernetes Service (EKS)

Log in to EKS with Apono access details

AWS Lambda Custom Integration

Prerequisites

Integrate an AWS Lambda Custom Integration

EC2 via Systems Manager Agent (SSM)

EC2 via Systems Manager Agent (SSM)

Intro

Prerequisites

Step-by-step guide

The EC2 instance role

Integrating Apono with the EC2 instances

Results

EC2 via Systems Manager Agent (SSM)

EC2 via Systems Manager Agent (SSM)

Intro

Prerequisites

Step-by-step guide

The EC2 instance role

Integrating Apono with the EC2 instances

Results

AWS RDS MySQL

In this article

Prerequisites

Create AWS RDS MySQL Integration

Generate Credentials

Create Integration in Apono

Next Steps

AWS Integrations

Amazon Redshift

Prerequisites

Integrate Amazon Redshift

Troubleshooting

Integrate with EKS

Prerequisites

Configure user authentication

Create a new policy

Create the IAM role

Authenticate the EKS cluster

Integrate with Elastic Kubernetes Service (EKS)

Log in to EKS with Apono access details

Integrate an AWS account or organization

Integrate an AWS account

Prerequisites

Integration

Integrate an AWS organization

Prerequisites

Integration

Troubleshooting

RDS PostgreSQL