1 of 10

AWS Integrations

If your organization uses Amazon Web Services (AWS) as a cloud platform, Apono's AWS integrations can help you securely manage access to your AWS cloud-based services and databases.

By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand access flows.

Through our AWS integrations, Apono enables you to perform the following access tasks:

Limit Access: Discover existing cloud privileges and convert them to just-in-time access flows.
Enable Self-Service Access: Allow developers to request access to AWS services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive AWS resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific S3 buckets, RDS, or EC2 instances with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across AWS.

Integrate an AWS Account or Organization

Learn how to complete an AWS integration in the Apono UI

Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various Accounts and Organizations.

Integrate an AWS Account

Prerequisites

installed in your AWS Account
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS Account:

On the tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an .

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.

Now that you have completed this integration, you can that grant permission to AWS IAM resources, such as AWS Roles.

Integrate an AWS Organization

You can integrate with Apono to manage resources across your Organization.

Prerequisite

Item

Description

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS Organization:

On the tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Select the Permission Boundary resource to allow Apono to temporarily restrict overprivileged access.

To learn more about how to manage overprivileged access, read about .

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an .

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

Enable multi-region resource discovery in Apono

Apono leverages AWS Resource Explorer for multi-region scans for your AWS Organization integration. Apono uses this organization-level configuration to automatically deploy local indexes and aggregate them into a single searchable view.

This configuration provides:

A centralized aggregator index for organization-wide search
Automated creation and maintenance of local indexes
Consistent visibility across teams, regions, and environments

Prerequisites

Item

Description

Enable trusted access for Resource Explorer

Follow these steps to enable trusted access:

From theyour Management account, open AWS Resource Explorer.
From the navigation, click Settings. The Settings page appears.
In the multi-account/organization section, follow the prompt to Enable trusted access.

You can also enable trusted access from AWS Organizations.

Follow these steps:

From your Management account, open AWS Organizations.

Configure the organization deployment

Follow these steps to configure the organization deployment:

Open the Quick Setup from the Systems manager or Resource Explorer.

Systems Manager

Open AWS Systems Manager.
From the navigation, click Change Management Tools > Quick Setup. The AWS Quick Setup page opens.

Resource Explorer

Open AWS Resource Explorer.
From the navigation, click Settings. The Settings page opens.

Select the Aggregator Index Region. This region becomes the central location for organization-wide search.
Under Targets, select the accounts that include the resources you want discovered:
- Entire Organization: (Recommended) Enables complete visibility

If a regions selector is not present, all supported regions for the selected targets may be implicitly included.

Under Summary, review the aggregator region, targets, and regions.
Select Create. The Quick Setup will deploy the following:
- Local indexes in each selected region or account

Verify the deployment

After the deployment has completed, follow these steps to verify the deployment:

From the Management account, open AWS Resource Explorer.
From the navigation, click Settings. The Settings page opens.
Under Indexes, locate the region set as the aggregator index during the Quick Setup. The region should be denoted as Aggregator.

If some regions or accounts are missing the index, read

Troubleshoot Quick Setup

Quick Setup fails in some regions.

Symptoms

Quick Setup shows Failed for some configs.
Error text mentions cloudformation:CreateStack

The index is missing in some regions or accounts.

Symptoms

Some accounts or regions have no index.
Quick Setup shows partial success.

The aggregator index is missing from the Management account.

Symptoms

In the Management account, in the chosen Aggregator Region:

The view that was created in Resource Explorer is empty.

After enabling Resource Explorer, it can take up to 36 hours for all supported resources across all regions to be fully indexed. Read more .

Now that you have completed this integration, you can that grant permission to AWS IAM resources, such as AWS Roles.

Troubleshooting

Please refer to our if you encounter errors while integrating.

Auto Discover AWS RDS Instances

Automatically identify AWS RDS instances in an Account or Organization for JIT access management

Apono’s Auto Discovery feature identifies tagged AWS RDS instances, including MySQL and PostgreSQL. Rather than integrating each instance individually, you can integrate selected databases and their resources at once during your AWS Account or Organization setup.

This capability requires network access to each discoverable database. If your databases are in different AWS networks, make sure to create an AWS connector for each network.

Prerequisites

Item

Description

Enable Auto Discovery

Follow these steps to enable Auto Discovery:

In your AWS RDS database instance, create a user for the Apono connector. As part of this step, you will also create a secret.

IAM Authentication

Tag Key

Value or Description

Password Authentication

Tag Key

Value or Description

In the Apono UI, on the tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account or Amazon Organization.
Under Connect Sub Integration, select Database, Table, and Role to control the granularity of discovery in each discovered instance.

After connecting your AWS Account or AWS Organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration, along with sub-integrations for each RDS instance, initialize during the first data fetch. The integration becomes Active once the process completes.

Now that you have completed this integration, you can that grant permission to your AWS RDS resources.

Troubleshooting

If RDS instances appear with errors on your Integrations page, follow these steps:

Check Tags: Verify all required tags are present and correctly formatted.
Connector Permissions: Ensure the Apono connector has necessary permissions to read tags and access secrets.
Network connectivity: Ensure each RDS instance is accessible by an Apono connector within the same network.

For any questions about the discovery process, please contact Apono Support.

AWS Best Practices

Scale AWS resource management in access flows

When granting AWS access permissions, listing individual ARNs in IAM policies can quickly cause you to exceed . Apono solves this through and the . These solutions use regex patterns to efficiently manage resource groups instead of listing individual ARNs.

For additional protection, Apono has implemented a 100-resource threshold as a guardrail when individual ARN specification is needed.

The following sections explain how Apono prevents you from exceeding AWS's inline policy limit:

Create strategic AWS resource groupings for access flows

S3 Storage

Amazon S3 (Simple Storage Service) object storage integration with Apono, enables Apono granular permission provisioning

This guide has been moved. Please visit instead

KMS-encrypted buckets

If your organization encrypts S3 Buckets with Customer Managed Keys (or KMS kets), users need access to the key to be able to decrypt the data when they gain JIT access to a bucket.

Apono supports this use case by granting access to both the bucket and the key when users request access. If S3 Buckets have KMS keys in their metadata, when users request access to S3 Buckets, they also gain access to the KMS key without having to create an extra request.

Amazon Redshift

Integrate with Apono to view existing permissions and create Access Flows to Amazon Redshift clusters

Amazon Redshift is a fast, scalable, and secure fully managed data warehouse service in the cloud, serving as a primary data store for vast datasets and analytic workloads. Amazon Web Services (AWS) enables businesses to analyze their data using standard SQL and existing business intelligence tools, promoting insightful decision-making and integration with various AWS services.

Through this integration, Apono helps you securely manage access to your Amazon Redshift instance.

Prerequisites

Item

Description

Integrate Amazon Redshift

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the tab, click Amazon Redshift. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an .

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

Now that you have completed this integration, you can that grant permission to your Amazon Redshift instance.

Troubleshooting

Refer to for information about errors that may occur.

RDS PostgreSQL

Integrate with AWS-managed PostgreSQL for JIT access management for RDS

PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. AWS enables developers to create cloud-hosted PostgreSQL databases.

Through this integration, Apono helps you securely manage access to your AWS RDS for PostgreSQL instances.

Prerequisites

Item

Description

Create an AWS RDS PostgreSQL user

You must create a user in your AWS RDS PostgreSQL instance for the Apono connector and grant that user permissions to your databases.

Follow these steps to create a user and grant it database permissions:

Create a new user with either Built-in authentication or IAM authentication.

You can use only one authentication option on the RDS instance at a time.

Built-in authentication identifies a user through a username and password.

Be sure to select a strong password for the user.

After on your RDS instance, create an AWSAuthenticationPlugin user for the Apono connector. AWSAuthenticationPlugin is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.

To create the user, run the following commands from your Postgre client.

From your preferred client tool, grant rds_superuser access to the user.

Permission

Description

(IAM authentication only) Create and attach the following IAM policy to your identity center permissions set or role.

(Built-in authentication only) with the credentials from step 1.

When using IAM authentication, a secret does not need to be created.

The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the PostgreSQL instance instead of a secret.

Integrate Amazon RDS for PostgreSQL

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the tab, click AWS RDS PostgreSQL. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an .

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description

A secret is not needed for IAM authentication.

Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting
Description

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

Now that you have completed this integration, you can that grant permission to your RDS for PostgreSQL database.

EC2 via Systems Manager Agent (SSM)

Apono AWS EC2 Integration utilizes SSM (System Manager) Agent to for JIT access management for AWS VMs

EC2 via Systems Manager Agent (SSM)

Have you connected an AWS account?

Integrate an AWS Account or Organization

Learn how to complete an AWS integration in the Apono UI

Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various Accounts and Organizations.

Integrate an AWS Account

Prerequisites

installed in your AWS Account
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS Account:

On the tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an .

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

Now that you have completed this integration, you can that grant permission to AWS IAM resources, such as AWS Roles.

Integrate an AWS Organization

You can integrate with Apono to manage resources across your Organization.

Prerequisite

Item

Description

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS Organization:

On the tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Select the Permission Boundary resource to allow Apono to temporarily restrict overprivileged access.

To learn more about how to manage overprivileged access, read about .

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an .

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

Enable multi-region resource discovery in Apono

This configuration provides:

A centralized aggregator index for organization-wide search
Automated creation and maintenance of local indexes
Consistent visibility across teams, regions, and environments

Prerequisites

Item

Description

Enable trusted access for Resource Explorer

Follow these steps to enable trusted access:

From theyour Management account, open AWS Resource Explorer.
From the navigation, click Settings. The Settings page appears.
In the multi-account/organization section, follow the prompt to Enable trusted access.

You can also enable trusted access from AWS Organizations.

Follow these steps:

From your Management account, open AWS Organizations.

Configure the organization deployment

Follow these steps to configure the organization deployment:

Open the Quick Setup from the Systems manager or Resource Explorer.

Systems Manager

Open AWS Systems Manager.
From the navigation, click Change Management Tools > Quick Setup. The AWS Quick Setup page opens.

Resource Explorer

Open AWS Resource Explorer.
From the navigation, click Settings. The Settings page opens.

Select the Aggregator Index Region. This region becomes the central location for organization-wide search.
Under Targets, select the accounts that include the resources you want discovered:
- Entire Organization: (Recommended) Enables complete visibility

If a regions selector is not present, all supported regions for the selected targets may be implicitly included.

Under Summary, review the aggregator region, targets, and regions.
Select Create. The Quick Setup will deploy the following:
- Local indexes in each selected region or account

Verify the deployment

After the deployment has completed, follow these steps to verify the deployment:

From the Management account, open AWS Resource Explorer.
From the navigation, click Settings. The Settings page opens.
Under Indexes, locate the region set as the aggregator index during the Quick Setup. The region should be denoted as Aggregator.

If some regions or accounts are missing the index, read

Troubleshoot Quick Setup

Quick Setup fails in some regions.

Symptoms

Quick Setup shows Failed for some configs.
Error text mentions cloudformation:CreateStack

The index is missing in some regions or accounts.

Symptoms

Some accounts or regions have no index.
Quick Setup shows partial success.

The aggregator index is missing from the Management account.

Symptoms

In the Management account, in the chosen Aggregator Region:

The view that was created in Resource Explorer is empty.

After enabling Resource Explorer, it can take up to 36 hours for all supported resources across all regions to be fully indexed. Read more .

Now that you have completed this integration, you can that grant permission to AWS IAM resources, such as AWS Roles.

Troubleshooting

Please refer to our if you encounter errors while integrating.

AWS Integrations

Integrate an AWS Account or Organization

hashtagIntegrate an AWS Account

hashtagPrerequisites

hashtagIntegration

hashtagIntegrate an AWS Organization

hashtagPrerequisite

hashtagIntegration

hashtagEnable multi-region resource discovery in Apono

hashtagTroubleshooting

Auto Discover AWS RDS Instances

hashtagPrerequisites

hashtagEnable Auto Discovery

hashtagTroubleshooting

AWS Best Practices

S3 Storage

hashtagKMS-encrypted buckets

Amazon Redshift

hashtagPrerequisites

hashtagIntegrate Amazon Redshift

hashtagTroubleshooting

RDS PostgreSQL

hashtagPrerequisites

hashtagCreate an AWS RDS PostgreSQL user

hashtagIntegrate Amazon RDS for PostgreSQL

EC2 via Systems Manager Agent (SSM)

hashtagEC2 via Systems Manager Agent (SSM)

Auto Discover AWS RDS Instances

hashtagPrerequisites

hashtagEnable Auto Discovery

hashtagTroubleshooting

S3 Storage

hashtagKMS-encrypted buckets

AWS Integrations

EC2 via Systems Manager Agent (SSM)

hashtagEC2 via Systems Manager Agent (SSM)

hashtagIntro

hashtagPrerequisites

hashtagStep-by-step guide

hashtagThe EC2 instance role

hashtagIntegrating Apono with the EC2 instances

hashtagResults

AWS Best Practices

hashtagPrerequisite

hashtagAdmin Guidance

hashtagQuestions

hashtagResource Definition Strategies

hashtagApono Safeguard

hashtagRequestor Guidance

hashtagKnown Limitations While Building Access Flows, Bundles, and Access Scopes

Integrate an AWS Account or Organization

hashtagIntegrate an AWS Account

hashtagPrerequisites

hashtagIntegration

hashtagIntegrate an AWS Organization

hashtagPrerequisite

hashtagIntegration

hashtagEnable multi-region resource discovery in Apono

hashtagTroubleshooting

Amazon Redshift

hashtagPrerequisites

hashtagIntegrate Amazon Redshift

hashtagTroubleshooting

RDS PostgreSQL

hashtagPrerequisites

hashtagCreate an AWS RDS PostgreSQL user

hashtagIntegrate Amazon RDS for PostgreSQL

AWS Lambda Custom Integration

hashtagPrerequisites

hashtagIntegrate an AWS Lambda Custom Integration

AWS RDS MySQL

hashtagIn this article

hashtagPrerequisites

hashtagCreate AWS RDS MySQL Integration

hashtagGenerate Credentials

hashtagCreate Integration in Apono

hashtagNext Steps

Integrate an AWS Account

Prerequisites

Integration

Integrate an AWS Organization

Prerequisite

Integration

Enable multi-region resource discovery in Apono

Troubleshooting

Prerequisites

Enable Auto Discovery

Troubleshooting

KMS-encrypted buckets

Prerequisites

Integrate Amazon Redshift

Troubleshooting

Prerequisites

Create an AWS RDS PostgreSQL user

Integrate Amazon RDS for PostgreSQL

EC2 via Systems Manager Agent (SSM)

Prerequisites

Enable Auto Discovery

Troubleshooting

KMS-encrypted buckets

EC2 via Systems Manager Agent (SSM)

Intro

Prerequisites

Step-by-step guide

The EC2 instance role

Integrating Apono with the EC2 instances

Results

Prerequisite

Admin Guidance

Questions

Resource Definition Strategies

Apono Safeguard

Requestor Guidance

Known Limitations While Building Access Flows, Bundles, and Access Scopes

Integrate an AWS Account

Prerequisites

Integration

Integrate an AWS Organization

Prerequisite

Integration

Enable multi-region resource discovery in Apono

Troubleshooting

Prerequisites

Integrate Amazon Redshift

Troubleshooting

Prerequisites

Create an AWS RDS PostgreSQL user

Integrate Amazon RDS for PostgreSQL

Prerequisites

Integrate an AWS Lambda Custom Integration

In this article

Prerequisites

Create AWS RDS MySQL Integration

Generate Credentials

Create Integration in Apono

Next Steps