1 of 10

AWS Integrations

If your organization uses Amazon Web Services (AWS) as a cloud platform, Apono's AWS integrations can help you securely manage access to your AWS cloud-based services and databases.

By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand access flows.

Through our AWS integrations, Apono enables you to perform the following access tasks:

Limit Access: Discover existing cloud privileges and convert them to just-in-time access flows.
Enable Self-Service Access: Allow developers to request access to AWS services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive AWS resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific S3 buckets, RDS, or EC2 instances with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across AWS.

Integrate an AWS account or organization

Learn how to complete an AWS integration in the Apono UI

Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various accounts and organizations.

Integrate an AWS account

Prerequisites

Apono connector installed in your AWS account
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS account:

On the Catalog tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Region
Region in which the organization runs
AWS Profile Name
(Optional) Name of the AWS profile By default, Apono sets this value to apono.
Enable Audit
(Optional) Feature that allows Apono to ingest and aggregate session audit logs
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting
Description
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.

Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.

Integrate an AWS organization

Prerequisites

Apono connector installed in your AWS management account OR a connector with delegate permissions
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role

Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to integrate Apono with your AWS organization:

On the Catalog tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Region
Region in which the organization runs
AWS SSO Region
Region for which your single sign-on is configured
SSO Portal
Management Account Role ARN
Exclude Organization Unit IDs
ID of organizational units to exclude Example: ou-aaa1-1111,ou-bbb2-2222
Enable Audit
(Optional) Feature that allows Apono to ingest and aggregate session audit logs
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting
Description
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.

Troubleshooting

Please refer to our troubleshooting guide if you encounter errors while integrating.

Auto Discover AWS RDS Instances

Automatically discover all AWS RDS instances in an Account or Organization for JIT access management

Discover RDS Instances in AWS

AWS RDS PostgreSQL and MySQL databases provide powerful and flexible relational database services in the cloud. This guide shows you how to enable Apono to discover and manage your AWS RDS databases, including MySQL and PostgreSQL instances.

Prerequisites

Before you start, ensure you have:

One or more Apono AWS connectors installed with network access to your AWS RDS databases.

Minimum required version: 1.5.3

Permissions to create and manage AWS Secrets Store secrets and tag RDS instances.

This capabiltiy requires network access to each discovered database. If you have databases in different networks, make sure to create an AWS connector for each one.

Steps to Enable SQL Database Discovery

To enable Deep Discovery for your AWS RDS databases, you will need to tag your database instances with specific key-value pairs. The tagging process varies based on your authentication method.

Create credentials to the RDS instances.

Read more on RDS MySQL here.
Read more on RDS PostgreSQL here.

Option 1: For Databases with IAM Authentication

Tag your RDS database instance with the following key-value pairs:
Key
Value
auth_type
iam-auth
apono-connector-id
The ID of the Apono connector in the same account as the database

Option 2: For Databases with Username and Password Authentication

Tag your RDS database instance with the following key-value pairs:
Key
Value
auth_type
user-password
apono-connector-id
The ID of the Apono connector in the same account as the database
apono-secret
The ARN of the secret containing the database credentials
region
The AWS region where the secret is stored

Set Up the Apono Integration

Go to the Integrations Catalog in the Apono web application.
Click "AWS" and select either "Account" or "Organization". Make sure to pick resources under Connect Sub Integrations:

Choose the Apono connector set up for your Account or Organization. Read more here.
Complete the integration by providing the required config.
Click Confirm.

After connecting your AWS Account or Organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration and sub-integrations for each RDS instance will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.

Now that you have completed this integration, you can create access flows that grant permission to RDS resources.

Troubleshooting

If RDS instances appear with errors in your Integrations page, follow these steps:

Check Tags: Verify all required tags are present and correctly formatted.
Connector Permissions: Ensure the Apono connector has necessary permissions to read tags and access secrets.
Network connectivity: Ensure each RDS instance has a connector with network access to the RDS.

AWS Best Practices

Scale AWS resource management in access flows

When granting AWS access permissions, listing individual ARNs in IAM policies can quickly cause you to exceed AWS's inline policy character limit. Apono solves this through access scopes and the Apono Query Language (AQL). These solutions use regex patterns to efficiently manage resource groups instead of listing individual ARNs.

For additional protection, Apono has implemented a 100-resource threshold as a guardrail when individual ARN specification is needed.

The following sections explain how Apono prevents you from exceeding AWS's inline policy limit:

Create strategic AWS resource groupings for access flows
Understand how Apono provides clear warnings when the AWS policy limit is exceeded
Learn how Apono maintains consistent behavior whether your team uses Portal, Teams, or Slack

For example, instead of individually specifying 200 S3 buckets in a policy (which would exceed AWS's limit), you can use resource tags to group them by environment or function.

Apono validates for the following types of AWS resources:

ASM Secret
DynamoDB table
EC2 Connect
EC2 Manage
S3 Bucket (by "any resource" and region tags)
SNS Topic
SQS queue

Prerequisite

Item

Description

Apono Connector

Minimum Required Version: 1.7.0

Admin Guidance

When defining access flows that include AWS resources, your resource definition strategy directly impacts policy management.

Questions

Before selecting AWS resources for an access flow, consider the following questions:

Can all resources of an integration be selected?
Have tags been applied to logically group resources by environment, function, or team?
Can an access scope be created to group resources across multiple AWS integrations?
Is individual resource selection truly necessary for security requirements?

Resource Definition Strategies

To effectively manage AWS permissions while avoiding policy character limits, you can use access scopes, integrations, or bundles. When possible, we strongly recommend using access scopes or AQL.

The following table explains the strategy for each approach.

Type

Strategy

Access Scopes

Access scopes and AQL let you create flexible filters that adapt to your changing infrastructure. This makes them ideal for scenarios like all production databases or EC2 instances in the eu-region.

Integrations

Integrations let you align permissions with your organization structure:

Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.

This strategy is ideal for scenarios like managing cross-account DevOps access or regional support team permissions.

Bundles

Bundles let you create logical groupings of permissions that serve specific functions.

Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.

This strategy is ideal for scenarios like complete development environment access or full analytics platform access.

Apono Safeguard

If you select too many AWS resources for an access flow, the Apono UI will display a warning message instructing you to reduce the number of selected resources.

Access Flow

Conditions

Automatic

You have selected more than 100 AWS resources by name (Select by name) from one integration or between multiple integrations.
You have selected more than 100 AWS resources by name (Select by name) within one bundle or between multiple bundles.

Self Serve

You have selected more than 100 AWS resources within one bundle or between multiple bundles.

Requestor Guidance

When requesting access to many AWS resources, Apono will warn you if you have selected too many AWS resources.

You will receive different notifications about AWS resource limits depending on which platform you use to submit your access request:

Portal & Teams: Apono displays a warning before submission when you click Request, preventing requests that exceed the limit.

In some cases, the request might pass initial validation but still trigger a post-submission notification to select fewer resources.

Slack: Apono processes your request first, then sends a message if you need to resubmit with fewer resources.

Known Limitations While Building Access Flows And Bundles

The following configurations within access flows or when bundling multiple resources will exceed AWS policy size constraints.

Specifying resources by name: Individually choosing resource names.
S3 buckets: as AWS does not support tagging buckets, it should be handled with region tags or through access scopes or AQL patterns where possible.
Excluding a list of resource names: choosing a list of resources to exclude can similarly inflate policy size and is best handled through access scopes or AQL patterns where possible.

Amazon Redshift

Integrate with Apono to view existing permissions and create Access Flows to Amazon Redshift clusters

Amazon Redshift is a fast, scalable, and secure fully managed data warehouse service in the cloud, serving as a primary data store for vast datasets and analytic workloads. Amazon Web Services (AWS) enables businesses to analyze their data using standard SQL and existing business intelligence tools, promoting insightful decision-making and integration with various AWS services.

Through this integration, Apono helps you securely manage access to your Amazon Redshift instance.

Prerequisites

Item

Description

Apono Connector

Secret

"username": "REDSHIFT_USERNAME", 
"password": "PASSWORD"

User

Redshift user for Apono with the CREATEUSER permission

CREATE USER apono_connector WITH PASSWORD 'password';
ALTER USER apono_connector WITH CREATEUSER;

Amazon Redshift Info

Information for the Amazon Redshift instance to be integrated:

Hostname
Port Number

Integrate Amazon Redshift

You can also use the steps below to integrate with Apono using Terraform.

In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Amazon Redshift. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname
Hostname of the Amazon Redshift instance to connect
Port
Port value for the instance By default, Apono sets this value to 5439.
Database Name
Name of the database
Click Next. The Secret Store section expands.
Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Setting
Description
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Amazon Redshift instance.

Troubleshooting

Refer to Troubleshooting Errors for information about errors that may occur.

RDS PostgreSQL

Integrate with AWS-managed PostgreSQL for JIT access management for RDS

PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. AWS enables developers to create cloud-hosted PostgreSQL databases.

Through this integration, Apono helps you securely manage access to your AWS RDS for PostgreSQL instances.

Prerequisites

Item

Description

Apono Connector

NOTE: When installing the Apono connector with CloudFormation, the AWS RDS database policy is automatically created.

If you do not use CloudFormation, you must create the following policy and assign it to the Apono connector role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:*:*:dbuser:*/apono_connector",
            "Effect": "Allow"
        }
    ]
}

PostgreSQL Info

Information for the database instance to be integrated:

Instance ID
Database Name

AWS Tag

Tag key: apono-secret

Create an AWS RDS PostgreSQL user

You must create a user in your AWS RDS PostgreSQL instance for the Apono connector and grant that user permissions to your databases.

Follow these steps to create a user and grant it database permissions:

Create a new user with either Built-in authentication or IAM authentication.

You can use only one authentication option on the RDS instance at a time.

Built-in authentication identifies a user through a username and password.

CREATE USER apono_connector WITH PASSWORD 'secret_passwd';

Be sure to select a strong password for the user.

After enabling IAM on your RDS instance, create an AWSAuthenticationPlugin user for the Apono connector. AWSAuthenticationPlugin is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.

To create the user, run the following commands from your Postgre client.

CREATE USER apono_connector;
GRANT rds_iam TO apono_connector;

From your preferred client tool, grant rds_superuser access to the user.

ALTER USER apono_connector WITH CREATEROLE;
GRANT rds_superuser TO apono_connector;

Permission

Description

ALTER USER apono_connector WITH CREATEROLE;

Allows Apono connector to create, alter, and drop user roles

GRANT rds_superuser TO apono_connector;

Assigns the RDS superuser role to the Apono connector, providing comprehensive permissions for database management

(IAM authentication only) Create and attach the following IAM policy to your identity center permissions set or role.

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": [
                 "rds-db:connect"
             ],
             "Resource": [
                 "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
             ]
         },
         {
             "Effect": "Allow",
             "Action": [
                 "rds:DescribeDBInstances"
             ],
             "Resource": [
                 "arn:aws:rds:*:*:db:*"
             ]
         }
     ]
 }

(Built-in authentication only) Create an AWS secret with the credentials from step 1.

When using IAM authentication, a secret does not need to be created.

The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the PostgreSQL instance instead of a secret.

Integrate Amazon RDS for PostgreSQL

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click AWS RDS PostgreSQL. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.\
Setting
Description
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Auth Type
Authorization type for the MySQL service account user:
IAM Auth: IAM authentication
User / Password: Built-in authentication
Region
Location where the PostgreSQL database is deployed
Instance ID
ID of the PostgreSQL instance
Database Name
Name of the PostgreSQL database
SSL Mode
(Optional) Mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server
require: An SSL-encrypted connection must be used.
allow: An SSL-encrypted or unencrypted connection is used. If an SSL encrypted connection is unavailable, the unencrypted connection is used.
disable: An unencrypted connection is used.
prefer: An SSL-encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
verify-full: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass. Additionally, the server hostname is checked against the certificate's names.
Enable Audit
(Optional) Feature that allows Apono to ingest and aggregate session audit logs
Click Next. The Secret Store section expands.
Associate the secret or credentials.

A secret is not needed for IAM authentication.

Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Setting
Description
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your RDS for PostgreSQL database.

AWS RDS MySQL

Prerequisites

If you already have AWS Apono connector:
- Make sure the connector's minimum version is 1.5.3.
If you still don't have AWS Apono connector:
AWS command-line
MySQL command-line

Create AWS RDS MySQL Integration

Generate Credentials

Create user and grant permissions:

You can use only one authentication option on the RDS instance at a time.

(MySQL 8.0+) Grant the service account the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.

Password Authentication

With password authentication, your database performs all administration of user accounts. You create users with SQL statements such as CREATE USER, with the appropriate clause required by the DB engine for specifying passwords.

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

SHOW DATABASES Allows the user to view all databases in the RDS instance. CREATE USER Grants the ability to create new users. UPDATE Permits updates in the MySQL system database, including user privileges. PROCESS Allows viewing the server's process list, including all executing queries.

IAM Authentication

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance \
    --db-instance-identifier DBInstanceIdentifier \
    --apply-immediately \
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

IAM Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance ^
    --db-instance-identifier DBInstanceIdentifier ^
    --apply-immediately ^
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Sign in to the AWS Management Console and open the Amazon RDS console Amazon RDS console , and choose your DB instance.
Copy the following details:
- Endpoint: The DNS name of the DB instance.
- Port: The port number on which the DB instance accepts connections.
Connect to the DB instance using your SQL client using the copied details.
Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

IAM Authentication

Enable IAM database authentication
1. Open the Amazon RDS console.
2. In the navigation pane, choose Databases.
3. Choose the DB instance that you want to modify.

    Make sure that the DB instance is compatible with IAM authentication. Check the compatibility requirements in Region and version availability.

4. Choose Modify.
5. In the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication. Choose Password authentication or Password and Kerberos authentication to disable IAM authentication.
6. Choose Continue.
7. To apply the changes immediately, choose Immediately in the Scheduling of modifications section.
8. Choose Modify DB instance.

2. Copy the following RDS SQL details: * Endpoint: The DNS name of the DB instance. * Port: The port number on which the DB instance accepts connections. 3. Connect to the DB instance using your SQL client using the copied details. 4. Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
        "Action": [
          "rds-db:connect"
        ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
      ]
    },
    {
      "Effect": "Allow",
        "Action": [
          "rds:DescribeDBInstances"
        ],
        "Resource": [
          "arn:aws:rds:*:*:db:*"
        ]
      }
  ]
}

Create Integration in Apono

In the Apono admin console, go to the Integrations page and click the Add Integration button in the top-left side, or press on the Catalog blade.
In the Catalog page search for and select AWS RDS MySQL.
In Discovery step, select one or multiple AWS RDS MySQL resource types for Apono to discover.
In Apono connector step, select the connector with the required permissions to be used with your AWS RDS MySQL.
In Integration config step, provide the following information about your AWS RDS MySQL:

Variable

Value

Required

Integration Name

The integration name.

Yes

Auth Type

The authentication method for connecting to an AWS RDS instance, with options for password (username and password) or iam (IAM-based authentication).

Yes

Region

AWS region where the RDS instance is located.

Yes

Instance ID

The unique identifier of the AWS RDS instance.

Yes

Credentials rotation period (in days)

i.e.: 90

User cleanup after access is revoked (in days)

i.e.: 90

In Secret Store step, provide the connector credentials using one of the following secret store options:

When using IAM authentication, **a secret does not need to be created**. The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the MySQL instance instead of a secret.

For the AWS RDS MySQL integration, use the following secret format: username:<The database username> password:<The user password>\

(Optional) In Get more with Apono step, you can set up the following:

Setting

Description

Credential Rotation

User cleanup after access is revoked (in days)

(Optional) Defines the number of days after access has been revoked that the user should be deleted

Custom Access Details

(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.

Integration Owner

From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.

NOTE: When Resource Owner is defined, an Integration Owner must be defined.

Resource Owner

Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.

NOTE: When this setting is defined, an Integration Owner must also be defined.

Next Steps

Integrate with EKS

Create an integration to manage access to a Kubernetes cluster on AWS

With Elastic Kubernetes Service (EKS) on AWS, EKS simplifies the management complexities of Kubernetes.

Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.

Prerequisites

Item

Description

Apono Connector

Apono Premium

Cluster Admin Access

EKS Cluster Name

AWS SSO | SAML Federation

Authentication for requester Security Assertion Markup Language (SAML) federation for authentication can be provided by providers such as Okta, Onelogin, Jumpcloud, and Ping Identity.

Configure user authentication

Authentication can be completed with an Identity and Access Management IAM user or an IAM role. To grant a user access to an EKS cluster, the IAM user or IAM role must be mapped with a specific user identifier, such as an email address.Apono supports this mapping with an IAM role through AWS SSO or SAML federation from any identity provider (IdP).

Create a new policy

Follow these steps to create a new policy:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.

Replace the default policy with the following policy. Be sure to replace the placeholder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.

Create the IAM role

Follow these steps to create the IAM role:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.
Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

<SAML_PROVIDER>

Identity provider name

Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.

If an Overly permission trust policy popup window appears, click Continue.

Authenticate the EKS cluster

Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or EKS API.

Read Apply the aws-auth ConfigMap to your cluster to learn more about editing the aws-auth ConfigMap.

Follow these steps to authenticate the cluster:

Log into the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder.
```
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"
```
Placeholder
Description
<AWS_ACCOUNT_ID>
AWS account ID where the EKS is hosted

Follow these steps to authenticate the cluster:

Change the authentication mode to EKS API.
Create the access entry:
- For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
- For the Username use apono:{{SessionName}}.
- Choose Cluster as the access scope.

Now, you can integrate with EKS.

Integrate with Elastic Kubernetes Service (EKS)

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.

Click Next. The Integration Config section expands.
Define the Integration Config settings.

When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.

Setting

Description

Integration Name

Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow

Server URL

(Optional) URL of the Kubernetes API server used to interact with the Kubernetes cluster

Certification Authority

(Optional) Certificate that ensures that the Kubernetes API server is trusted and authentic Leave this field empty if you want to connect the cluster where the connector is deployed.

EKS Cluster Name

Unique name of the cluster to integrate

AWS Role Name

(Optional) Role defined for the connector

Region

(Optional) Location where the AWS Elastic Kubernetes cluster is deployed

Click Next. The Secret Store section expands.

When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.

(Optional) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Setting
Description
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.

Log in to EKS with Apono access details

After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access role.

The following table shows two approaches to assume this role.

Approach

Details

AWS CLI

In the AWS CLI, run the aws sts assume-role command. Be sure to replace the placeholders.

aws sts assume-role \
  --role-arn arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access \
  --role-session-name <EMAIL> \
  --duration-seconds 3600

Config File

Edit ~/.aws/config to contain the following profile. Be sure to replace the placeholders.

[profile apono-k8s-access]
role_arn = arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access
role_session_name = <EMAIL>
source_profile = default

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

<EMAIL>

User email listed in the IdP

AWS Lambda Custom Integration

Learn how to integrate an AWS Lambda Custom Integration with Apono

AWS Lambda enables you to build and connect cloud services and internal web apps by writing single-purpose functions that are attached to events emitted from your cloud infrastructure and services.

Its serverless architecture frees you to write, test, and deploy functions quickly without having to manage infrastructure setup.

With this integration, you can connect your internal applications to AWS Lambda functions and manage access to those applications with Apono.

Prerequisites

Before starting this integration, create the items listed in the following table.

Item

Description

Apono Connector

Lambda Function

Sample Function

function listResources(params) {
  return {
    resources: [
      {
        'id': 'resource1',
        'name': 'Resource 1',
        'type': params.resource_type,
        'metadata': {
          'key1': 'value1'
        }
      },
      {
        'id': 'resource2',
        'name': 'Resource 2',
        'type': params.resource_type,
        'metadata': {
          'key2': 'value2'
        }
      },
      {
        'id': 'resource3',
        'name': 'Resource 3',
        'type': params.resource_type,
        'metadata': {
          'key3': 'value3'
        }
      },
    ],
    permissions: [
      {
        'id': 'admin',
        'name': 'Admin'
      },
      {
        'id': 'reader',
        'name': 'Reader'
      }
    ]
  };
}
function grantAccess(params) {
const username = params.username;
const grantId = params.grant_id;
const resources = params.resources;
const permission = params.permission;
const param1 = params.custom_parameters.param1
const param2 = params.custom_parameters.param2
console.log(param1)
console.log(param2)
return {
status: 'ok'
};
}
function revokeAccess(params) {
const username = params.username;
const grantId = params.grant_id;
const resources = params.resources;
const permission = params.permission;
const param1 = params.custom_parameters.param1
const param2 = params.custom_parameters.param2
return {
status: 'ok'
};
}
function createCredentials(params) {
const username = params.username;
const grantId = params.grant_id;
const resources = params.resources;
const param1 = params.custom_parameters.param1
const param2 = params.custom_parameters.param2
return {
status: 'ok'
};
}
export const handler = async (event) => {
const params = event.params;
switch (event.event_type) {
case 'create-credentials':
return createCredentials(params);
case 'list-resources':
return listResources(params);
case 'grant-access':
return grantAccess(params);
case 'revoke-access':
return revokeAccess(params);
case 'create-credentials':
return {
status: 'ok',
secret: 'created-credentials-secret'
}
case 'reset-credentials':
return {
status: 'ok',
secret: 'reset-credentials-secret'
}
default:
return {
status: 'active'
};
}
};

Integrate an AWS Lambda Custom Integration

You can also use the steps below to integrate with Apono using Terraform.

In step 8, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click AWS Lambda Custom Integration. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.

Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Custom Parameters
Key-value pairs to send to the lambda function For example, you can provide a lambda function with a redirect URL that is used for internal provisioning access and passed as part of the action requests.
Region
Region of the AWS Lambda instance
Function Name
Named of the AWS Lambda function
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Setting
Description
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your AWS Lambda function.

EC2 via Systems Manager Agent (SSM)

Apono AWS EC2 Integration utilizes SSM (System Manager) Agent to for JIT access management for AWS VMs

EC2 via Systems Manager Agent (SSM)

Have you connected an AWS account?

Make sure you integrated your AWS account to Apono. Follow this AWS Integration step-by-step guide.

Intro

This integration provides the ability to grant users permissions to connect to the EC2 with a secure connection - SSM.

Prerequisites

An integration between Apono and the AWS Organization or Account where the EC2 is.
EC2 machine with SSM agent installed. Installed by default in most EC2s docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent
End users will need to install the session manager plugin for AWS CLI on the local user's computer. docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin

Step-by-step guide

The EC2 instance role

Follow the steps below to create an EC2 instance role with the AmazonSSMManagedInstanceCore managed policy. Read more here.

In the AWS IAM, Click Create new IAM Role
1. Click Create Role
2. Choose the AWS Service option
3. From the dropdown list, choose EC2
4. Choose EC2 Role for AWS System Manager. Click Next.
5. Verify that the AmazonSSMManagerInstanceCore policy is added. Click Next
6. Fill the Role name box (for example, ec2-ssm)
7. Click Create role
Go back to the Modify IAM Role page
1. From the dropdown list, choose the new IAM role we created (ec2-ssm)
2. Click Update IAM role
3. Pleas note: it takes about 30 minutes for the AWS sync to finish.

Integrating Apono with the EC2 instances

In the Apono UI, edit an existing AWS Org or AWS Account integration or create a new one.
Add the EC2 Connect resource type.
Complete the integration and click Integrate.

Results

Apono should now discover EC2 machines! You can now create access flows to EC2 instances.

AWS RDS MySQL

Prerequisites

If you already have AWS Apono connector:
- Make sure the connector's minimum version is 1.5.3.
If you still don't have AWS Apono connector:
AWS command-line
MySQL command-line

Create AWS RDS MySQL Integration

Generate Credentials

Create user and grant permissions:

You can use only one authentication option on the RDS instance at a time.

Password Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

IAM Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance \
    --db-instance-identifier DBInstanceIdentifier \
    --apply-immediately \
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[Endpoint.Address,Endpoint.Port]"

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

IAM Authentication

Get your AWS RDS DB details.

aws rds describe-db-instances ^
  --filters "Name=engine,Values=mysql" ^
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"

Enable IAM database authentication.

aws rds modify-db-instance ^
    --db-instance-identifier DBInstanceIdentifier ^
    --apply-immediately ^
    --enable-iam-database-authentication

Connect RDS MySQL.

mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p

Create a user for the Apono connector. Replace USER_NAME with your desired credentials.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*"
            ]
        }
    ]
}'

Password Authentication

Sign in to the AWS Management Console and open the Amazon RDS console Amazon RDS console , and choose your DB instance.
Copy the following details:
- Endpoint: The DNS name of the DB instance.
- Port: The port number on which the DB instance accepts connections.
Connect to the DB instance using your SQL client using the copied details.
Create a user for the Apono connector. Replace USER_NAME and PASSWORD with your desired credentials.

CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

IAM Authentication

Enable IAM database authentication
1. Open the Amazon RDS console.
2. In the navigation pane, choose Databases.
3. Choose the DB instance that you want to modify.

    Make sure that the DB instance is compatible with IAM authentication. Check the compatibility requirements in Region and version availability.

4. Choose Modify.
5. In the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication. Choose Password authentication or Password and Kerberos authentication to disable IAM authentication.
6. Choose Continue.
7. To apply the changes immediately, choose Immediately in the Scheduling of modifications section.
8. Choose Modify DB instance.

CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Grant the necessary permissions to the user.

GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';  
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';

To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permissions set or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
        "Action": [
          "rds-db:connect"
        ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
      ]
    },
    {
      "Effect": "Allow",
        "Action": [
          "rds:DescribeDBInstances"
        ],
        "Resource": [
          "arn:aws:rds:*:*:db:*"
        ]
      }
  ]
}

Create Integration in Apono

In the Apono admin console, go to the Integrations page and click the Add Integration button in the top-left side, or press on the Catalog blade.
In the Catalog page search for and select AWS RDS MySQL.
In Discovery step, select one or multiple AWS RDS MySQL resource types for Apono to discover.
In Apono connector step, select the connector with the required permissions to be used with your AWS RDS MySQL.
In Integration config step, provide the following information about your AWS RDS MySQL:

Variable

Value

Required

Integration Name

The integration name.

Yes

Auth Type

The authentication method for connecting to an AWS RDS instance, with options for password (username and password) or iam (IAM-based authentication).

Yes

Region

AWS region where the RDS instance is located.

Yes

Instance ID

The unique identifier of the AWS RDS instance.

Yes

Credentials rotation period (in days)

i.e.: 90

User cleanup after access is revoked (in days)

i.e.: 90

In Secret Store step, provide the connector credentials using one of the following secret store options:

For the AWS RDS MySQL integration, use the following secret format: username:<The database username> password:<The user password>\

(Optional) In Get more with Apono step, you can set up the following:

Setting

Description

Credential Rotation

(Optional) Number of days after which the database credentials must be rotated Learn more about the .

User cleanup after access is revoked (in days)

(Optional) Defines the number of days after access has been revoked that the user should be deleted

Learn more about .

Custom Access Details

Integration Owner

(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:

From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.

NOTE: When Resource Owner is defined, an Integration Owner must be defined.

Resource Owner

(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :

Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.

NOTE: When this setting is defined, an Integration Owner must also be defined.

Next Steps

Integrate with EKS

Create an integration to manage access to a Kubernetes cluster on AWS

With Elastic Kubernetes Service (EKS) on AWS, EKS simplifies the management complexities of Kubernetes.

Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.

Prerequisites

Item

Description

Apono Connector

installed on the EKS cluster that serves as a bridge between the cluster and Apono

Apono Premium

providing all available features and dedicated account support

Cluster Admin Access

Admin access to the cluster to integrate The cluster admin access can be the built-in role or equivalent permission level. Apono does not require admin permissions to the Kubernetes environment.

EKS Cluster Name

Unique to integrate

AWS SSO | SAML Federation

Authentication for requester Security Assertion Markup Language (SAML) federation for authentication can be provided by providers such as Okta, Onelogin, Jumpcloud, and Ping Identity.

Configure user authentication

Create a new policy

Follow these steps to create a new policy:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.

Replace the default policy with the following policy. Be sure to replace the placeholder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.

Create the IAM role

Follow these steps to create the IAM role:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.
Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

<SAML_PROVIDER>

Identity provider name

Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.

If an Overly permission trust policy popup window appears, click Continue.

Authenticate the EKS cluster

Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or EKS API.

Read Apply the aws-auth ConfigMap to your cluster to learn more about editing the aws-auth ConfigMap.

Follow these steps to authenticate the cluster:

Log into the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder.
```
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"
```
Placeholder
Description
<AWS_ACCOUNT_ID>
AWS account ID where the EKS is hosted

Follow these steps to authenticate the cluster:

Change the authentication mode to EKS API.
Create the access entry:
- For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
- For the Username use apono:{{SessionName}}.
- Choose Cluster as the access scope.

Now, you can integrate with EKS.

Integrate with Elastic Kubernetes Service (EKS)

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.

Click Next. The Integration Config section expands.
Define the Integration Config settings.

When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.

Setting

Description

Integration Name

Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow

Server URL

(Optional) URL of the Kubernetes API server used to interact with the Kubernetes cluster

Certification Authority

(Optional) Certificate that ensures that the Kubernetes API server is trusted and authentic Leave this field empty if you want to connect the cluster where the connector is deployed.

EKS Cluster Name

Unique name of the cluster to integrate

AWS Role Name

(Optional) Role defined for the connector

Region

(Optional) Location where the AWS Elastic Kubernetes cluster is deployed

Click Next. The Secret Store section expands.

When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.

(Optional) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Setting
Description
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated Learn more about the .
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about .
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.

Log in to EKS with Apono access details

After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access role.

The following table shows two approaches to assume this role.

Approach

Details

AWS CLI

In the AWS CLI, run the aws sts assume-role command. Be sure to replace the placeholders.

aws sts assume-role \
  --role-arn arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access \
  --role-session-name <EMAIL> \
  --duration-seconds 3600

Config File

Edit ~/.aws/config to contain the following profile. Be sure to replace the placeholders.

[profile apono-k8s-access]
role_arn = arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access
role_session_name = <EMAIL>
source_profile = default

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

<EMAIL>

User email listed in the IdP

AWS Integrations

Integrate an AWS account or organization

Integrate an AWS account

Prerequisites

Integration

Integrate an AWS organization

Prerequisites

Integration

Troubleshooting

Auto Discover AWS RDS Instances

Discover RDS Instances in AWS

Prerequisites

Steps to Enable SQL Database Discovery

Create credentials to the RDS instances.

Option 1: For Databases with IAM Authentication

Option 2: For Databases with Username and Password Authentication

Set Up the Apono Integration

Troubleshooting

AWS Best Practices

Prerequisite

Admin Guidance

Questions

Resource Definition Strategies

Apono Safeguard

Requestor Guidance

Known Limitations While Building Access Flows And Bundles

Amazon Redshift

Prerequisites

Integrate Amazon Redshift

Troubleshooting

RDS PostgreSQL

Prerequisites

Create an AWS RDS PostgreSQL user

Integrate Amazon RDS for PostgreSQL

AWS RDS MySQL

In this article

Prerequisites

Create AWS RDS MySQL Integration

Generate Credentials

Create Integration in Apono

Next Steps

Integrate with EKS

Prerequisites

Configure user authentication

Create a new policy

Create the IAM role

Authenticate the EKS cluster

Integrate with Elastic Kubernetes Service (EKS)

Log in to EKS with Apono access details

AWS Lambda Custom Integration

Prerequisites

Integrate an AWS Lambda Custom Integration

EC2 via Systems Manager Agent (SSM)

EC2 via Systems Manager Agent (SSM)

Intro

Prerequisites

Step-by-step guide

The EC2 instance role

Integrating Apono with the EC2 instances

Results

EC2 via Systems Manager Agent (SSM)

EC2 via Systems Manager Agent (SSM)

Intro

Prerequisites

Step-by-step guide

The EC2 instance role

Integrating Apono with the EC2 instances

Results

Auto Discover AWS RDS Instances

Discover RDS Instances in AWS

Prerequisites

Steps to Enable SQL Database Discovery

Create credentials to the RDS instances.

Option 1: For Databases with IAM Authentication

Option 2: For Databases with Username and Password Authentication

Set Up the Apono Integration

Troubleshooting

AWS Best Practices

Prerequisite

Admin Guidance