Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Apono AWS EC2 Integration utilizes SSM (System Manager) Agent to for JIT access management for AWS VMs
Have you connected an AWS account?
Make sure you integrated your AWS account to Apono. Follow this AWS Integration step-by-step guide.
This integration provides the ability to grant users permissions to connect to the EC2 with a secure connection - SSM.
An integration between Apono and the AWS Organization or Account where the EC2 is.
EC2 machine with SSM agent installed. Installed by default in most EC2s docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent
End users will need to install the session manager plugin for AWS CLI on the local user's computer. docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin
Follow the steps below to create an EC2 instance role with the AmazonSSMManagedInstanceCore
managed policy. Read more here.
In the AWS IAM, Click Create new IAM Role
Click Create Role
Choose the AWS Service option
From the dropdown list, choose EC2
Choose EC2 Role for AWS System Manager. Click Next.
Verify that the AmazonSSMManagerInstanceCore
policy is added. Click Next
Fill the Role name box (for example, ec2-ssm)
Click Create role
Go back to the Modify IAM Role page
From the dropdown list, choose the new IAM role we created (ec2-ssm)
Click Update IAM role
Pleas note: it takes about 30 minutes for the AWS sync to finish.
In the Apono UI, edit an existing AWS Org or AWS Account integration or create a new one.
Add the EC2 Connect resource type.
Complete the integration and click Integrate.
Apono should now discover EC2 machines! You can now create access flows to EC2 instances.
Automatically discover all AWS RDS instances in an Account or Organization for JIT access management
AWS RDS PostgreSQL and MySQL databases provide powerful and flexible relational database services in the cloud. This guide shows you how to enable Apono to discover and manage your AWS RDS databases, including MySQL and PostgreSQL instances.
Before you start, ensure you have:
One or more Apono AWS connectors installed with network access to your AWS RDS databases.
Minimum required version: 1.5.3
Permissions to create and manage AWS Secrets Store secrets and tag RDS instances.
This capabiltiy requires network access to each discovered database. If you have databases in different networks, make sure to create an AWS connector for each one.
To enable Deep Discovery for your AWS RDS databases, you will need to tag your database instances with specific key-value pairs. The tagging process varies based on your authentication method.
Tag your RDS database instance with the following key-value pairs:
auth_type
iam-auth
apono-connector-id
The ID of the Apono connector in the same account as the database
Tag your RDS database instance with the following key-value pairs:
auth_type
user-password
apono-connector-id
The ID of the Apono connector in the same account as the database
apono-secret
The ARN of the secret containing the database credentials
region
The AWS region where the secret is stored
Go to the Integrations Catalog in the Apono web application.
Click "AWS" and select either "Account" or "Organization". Make sure to pick resources under Connect Sub Integrations:
Choose the Apono connector set up for your Account or Organization. Read more here.
Complete the integration by providing the required config.
Click Confirm.
After connecting your AWS Account or Organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration and sub-integrations for each RDS instance will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to RDS resources.
If RDS instances appear with errors in your Integrations page, follow these steps:
Check Tags: Verify all required tags are present and correctly formatted.
Connector Permissions: Ensure the Apono connector has necessary permissions to read tags and access secrets.
Network connectivity: Ensure each RDS instance has a connector with network access to the RDS.
Scale AWS resource management in access flows
When granting AWS access permissions, listing individual ARNs in IAM policies can quickly cause you to exceed AWS's inline policy character limit. Apono solves this through access scopes and the Apono Query Language (AQL). These solutions use regex patterns to efficiently manage resource groups instead of listing individual ARNs.
For additional protection, Apono has implemented a 100-resource threshold as a guardrail when individual ARN specification is needed.
The following sections explain how Apono prevents you from exceeding AWS's inline policy limit:
Create strategic AWS resource groupings for access flows
Understand how Apono provides clear warnings when the AWS policy limit is exceeded
Learn how Apono maintains consistent behavior whether your team uses Portal, Teams, or Slack
For example, instead of individually specifying 200 S3 buckets in a policy (which would exceed AWS's limit), you can use resource tags to group them by environment or function.
Apono validates for the following types of AWS resources:
ASM Secret
DynamoDB table
EC2 Connect
EC2 Manage
S3 Bucket (by "any resource" and region tags)
SNS Topic
SQS queue
Apono Connector
Minimum Required Version: 1.7.0
When defining access flows that include AWS resources, your resource definition strategy directly impacts policy management.
Before selecting AWS resources for an access flow, consider the following questions:
Can all resources of an integration be selected?
Have tags been applied to logically group resources by environment, function, or team?
Can an access scope be created to group resources across multiple AWS integrations?
Is individual resource selection truly necessary for security requirements?
To effectively manage AWS permissions while avoiding policy character limits, you can use access scopes, integrations, or bundles. When possible, we strongly recommend using access scopes or AQL.
The following table explains the strategy for each approach.
Access Scopes
Access scopes and AQL let you create flexible filters that adapt to your changing infrastructure. This makes them ideal for scenarios like all production databases or EC2 instances in the eu-region.
Integrations
Integrations let you align permissions with your organization structure:
Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.
This strategy is ideal for scenarios like managing cross-account DevOps access or regional support team permissions.
Bundles
Bundles let you create logical groupings of permissions that serve specific functions.
Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.
This strategy is ideal for scenarios like complete development environment access or full analytics platform access.
If you select too many AWS resources for an access flow, the Apono UI will display a warning message instructing you to reduce the number of selected resources.
Automatic
You have selected more than 100 AWS resources by name (Select by name) from one integration or between multiple integrations.
You have selected more than 100 AWS resources by name (Select by name) within one bundle or between multiple bundles.
Self Serve
You have selected more than 100 AWS resources within one bundle or between multiple bundles.
When requesting access to many AWS resources, Apono will warn you if you have selected too many AWS resources.
You will receive different notifications about AWS resource limits depending on which platform you use to submit your access request:
Portal & Teams: Apono displays a warning before submission when you click Request, preventing requests that exceed the limit.
In some cases, the request might pass initial validation but still trigger a post-submission notification to select fewer resources.
Slack: Apono processes your request first, then sends a message if you need to resubmit with fewer resources.
The following configurations within access flows or when bundling multiple resources will exceed AWS policy size constraints.
Specifying resources by name: Individually choosing resource names.
S3 buckets: as AWS does not support tagging buckets, it should be handled with region tags or through access scopes or AQL patterns where possible.
Excluding a list of resource names: choosing a list of resources to exclude can similarly inflate policy size and is best handled through access scopes or AQL patterns where possible.
Learn how to complete an AWS integration in the Apono UI
Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various accounts and organizations.
Apono connector installed in your AWS account
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore
policy to the connector's IAM role
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to integrate Apono with your AWS account:
On the Catalog tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Region
Region in which the organization runs
AWS Profile Name
(Optional) Name of the AWS profile By default, Apono sets this value to apono.
Enable Audit
(Optional) Feature that allows Apono to ingest and aggregate session audit logs
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.
Apono connector installed in your AWS management account OR a connector with delegate permissions
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore
policy to the connector's IAM role
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to integrate Apono with your AWS organization:
On the Catalog tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Region
Region in which the organization runs
AWS SSO Region
Region for which your single sign-on is configured
SSO Portal
Management Account Role ARN
Exclude Organization Unit IDs
ID of organizational units to exclude Example: ou-aaa1-1111,ou-bbb2-2222
Enable Audit
(Optional) Feature that allows Apono to ingest and aggregate session audit logs
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.
Please refer to our troubleshooting guide if you encounter errors while integrating.
Integrate with Apono to view existing permissions and create Access Flows to Amazon Redshift clusters
Amazon Redshift is a fast, scalable, and secure fully managed data warehouse service in the cloud, serving as a primary data store for vast datasets and analytic workloads. Amazon Web Services (AWS) enables businesses to analyze their data using standard SQL and existing business intelligence tools, promoting insightful decision-making and integration with various AWS services.
Through this integration, Apono helps you securely manage access to your Amazon Redshift instance.
Apono Connector
Secret
User
Redshift user for Apono with the CREATEUSER
permission
Amazon Redshift Info
Information for the Amazon Redshift instance to be integrated:
Hostname
Port Number
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Amazon Redshift. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname
Hostname of the Amazon Redshift instance to connect
Port
Port value for the instance By default, Apono sets this value to 5439.
Database Name
Name of the database
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your Amazon Redshift instance.
Refer to Troubleshooting Errors for information about errors that may occur.
Learn how to integrate an AWS Lambda Custom Integration with Apono
AWS Lambda enables you to build and connect cloud services and internal web apps by writing single-purpose functions that are attached to events emitted from your cloud infrastructure and services.
Its serverless architecture frees you to write, test, and deploy functions quickly without having to manage infrastructure setup.
With this integration, you can connect your internal applications to AWS Lambda functions and manage access to those applications with Apono.
Before starting this integration, create the items listed in the following table.
Apono Connector
Lambda Function
You can also use the steps below to integrate with Apono using Terraform.
In step 8, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click AWS Lambda Custom Integration. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Custom Parameters
Key-value pairs to send to the lambda function For example, you can provide a lambda function with a redirect URL that is used for internal provisioning access and passed as part of the action requests.
Region
Region of the AWS Lambda instance
Function Name
Named of the AWS Lambda function
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your AWS Lambda function.
If your organization uses Amazon Web Services (AWS) as a cloud platform, Apono's AWS integrations can help you securely manage access to your AWS cloud-based services and databases.
By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand access flows.
Through our AWS integrations, Apono enables you to perform the following access tasks:
Limit Access: Discover existing cloud privileges and convert them to just-in-time access flows.
Enable Self-Service Access: Allow developers to request access to AWS services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive AWS resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific S3 buckets, RDS, or EC2 instances with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across AWS.
On-prem serving as a bridge between an AWS instance and Apono
Use the following steps to .
(Strongly Recommended, ) Use when you need dynamic, rule-based resource grouping
() Use when providing access to an entire AWS account or organization, or to resources that share specific tags
(, ) Use when packaging related resources as a cohesive unit for user requests
When explore one of the following options:
(Optional) Number of days after which the database credentials must be rotated Learn more about the .
Learn more about .
(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :
This is required for Apono to generate a sign-in link for end users to use their granted access.
(step 5) of the role to assume in the management account
(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :
On-prem serving as a bridge between an Amazon Redshift instance and Apono Minimum Required Version: 1.3.2 Use the following steps to .
Value generated through or
Apono does not store credentials. The Apono Connector uses the secret to communicate with services in your environment and separate the Apono web app from the environment for maximal .
(Optional) Number of days after which the database credentials must be rotated Learn more about the .
Learn more about .
(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :
On-prem serving as a bridge between your AWS Lambda functions and Apono Minimum Required Version: 1.4.1 Use the following steps to .
Named function set up within
💡 When creating the Lambda function, apply the
apono-connector-access: "true"
.
(Optional) Number of days after which the database credentials must be rotated Learn more about the .
Learn more about .
(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :
Amazon RDS for MySQL is an open-source relational database management service in the cloud. Through AWS RDS MySQL integration, you will be able to integrate with AWS RDS MySQL:
Database
Table
Role
If you already have AWS Apono connector:
Make sure the connector's minimum version is 1.5.3.
If you still don't have AWS Apono connector:
Create user and grant permissions:
You can use only one authentication option on the RDS instance at a time.
(MySQL 8.0+) Grant the service account the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.
In the Apono admin console, go to the Integrations page and click the Add Integration button in the top-left side, or press on the Catalog blade.
In the Catalog page search for and select AWS RDS MySQL.
In Discovery step, select one or multiple AWS RDS MySQL resource types for Apono to discover.
In Apono connector step, select the connector with the required permissions to be used with your AWS RDS MySQL.
In Integration config step, provide the following information about your AWS RDS MySQL:
Integration Name
The integration name.
Yes
Auth Type
The authentication method for connecting to an AWS RDS instance, with options for password (username and password) or iam (IAM-based authentication).
Yes
Region
AWS region where the RDS instance is located.
Yes
Instance ID
The unique identifier of the AWS RDS instance.
Yes
Credentials rotation period (in days)
i.e.: 90
No
User cleanup after access is revoked (in days)
i.e.: 90
No
In Secret Store step, provide the connector credentials using one of the following secret store options:
When using IAM authentication, **a secret does not need to be created**. The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the MySQL instance instead of a secret.
For the AWS RDS MySQL integration, use the following secret format:
username:<The database username>
password:<The user password>
\
(Optional) In Get more with Apono step, you can set up the following:
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Integrate with AWS-managed PostgreSQL for JIT access management for RDS
PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. AWS enables developers to create cloud-hosted PostgreSQL databases.
Through this integration, Apono helps you securely manage access to your AWS RDS for PostgreSQL instances.
Apono Connector
NOTE: When installing the Apono connector with CloudFormation, the AWS RDS database policy is automatically created.
If you do not use CloudFormation, you must create the following policy and assign it to the Apono connector role.
PostgreSQL Info
Information for the database instance to be integrated:
Instance ID
Database Name
AWS Tag
Tag key: apono-secret
You must create a user in your AWS RDS PostgreSQL instance for the Apono connector and grant that user permissions to your databases.
Follow these steps to create a user and grant it database permissions:
Create a new user with either Built-in authentication or IAM authentication.
You can use only one authentication option on the RDS instance at a time.
Built-in authentication identifies a user through a username and password.
Be sure to select a strong password for the user.
After enabling IAM on your RDS instance, create an AWSAuthenticationPlugin
user for the Apono connector. AWSAuthenticationPlugin
is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.
To create the user, run the following commands from your Postgre client.
From your preferred client tool, grant rds_superuser
access to the user.
ALTER USER apono_connector WITH CREATEROLE;
Allows Apono connector to create, alter, and drop user roles
GRANT rds_superuser TO apono_connector;
Assigns the RDS superuser role to the Apono connector, providing comprehensive permissions for database management
(IAM authentication only) Create and attach the following IAM policy to your identity center permissions set or role.
(Built-in authentication only) Create an AWS secret with the credentials from step 1.
When using IAM authentication, a secret does not need to be created.
The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the PostgreSQL instance instead of a secret.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click AWS RDS PostgreSQL. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.\
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Auth Type
Authorization type for the MySQL service account user:
IAM Auth: IAM authentication
User / Password: Built-in authentication
Region
Location where the PostgreSQL database is deployed
Instance ID
ID of the PostgreSQL instance
Database Name
Name of the PostgreSQL database
SSL Mode
(Optional) Mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server
require: An SSL-encrypted connection must be used.
allow: An SSL-encrypted or unencrypted connection is used. If an SSL encrypted connection is unavailable, the unencrypted connection is used.
disable: An unencrypted connection is used.
prefer: An SSL-encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
verify-full: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass. Additionally, the server hostname is checked against the certificate's names.
Enable Audit
(Optional) Feature that allows Apono to ingest and aggregate session audit logs
Click Next. The Secret Store section expands.
A secret is not needed for IAM authentication.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your RDS for PostgreSQL database.
Create an integration to manage access to a Kubernetes cluster on AWS
With Elastic Kubernetes Service (EKS) on AWS, EKS simplifies the management complexities of Kubernetes.
Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.
Item
Description
Apono Connector
Apono Premium
Cluster Admin Access
EKS Cluster Name
AWS SSO | SAML Federation
Authentication for requester Security Assertion Markup Language (SAML) federation for authentication can be provided by providers such as Okta, Onelogin, Jumpcloud, and Ping Identity.
Authentication can be completed with an Identity and Access Management IAM user or an IAM role. To grant a user access to an EKS cluster, the IAM user or IAM role must be mapped with a specific user identifier, such as an email address.Apono supports this mapping with an IAM role through AWS SSO or SAML federation from any identity provider (IdP).
Follow these steps to create a new policy:
Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.
Replace the default policy with the following policy. Be sure to replace the placeholder.
<AWS_ACCOUNT_ID>
AWS account ID where the EKS is hosted
Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.
Follow these steps to create the IAM role:
Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.
Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.
<AWS_ACCOUNT_ID>
AWS account ID where the EKS is hosted
<SAML_PROVIDER>
Identity provider name
Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.
If an Overly permission trust policy popup window appears, click Continue.
Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or EKS API.
Read Apply the aws-auth ConfigMap
to your cluster to learn more about editing the aws-auth ConfigMap
.
Follow these steps to authenticate the cluster:
Log into the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap
to include the following mapRoles
entry. Be sure to replace the placeholder.
<AWS_ACCOUNT_ID>
AWS account ID where the EKS is hosted
Follow these steps to authenticate the cluster:
Change the authentication mode to EKS API.
For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
For the Username use apono:{{SessionName}}
.
Choose Cluster as the access scope.
Now, you can integrate with EKS.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Server URL
(Optional) URL of the Kubernetes API server used to interact with the Kubernetes cluster
Certification Authority
(Optional) Certificate that ensures that the Kubernetes API server is trusted and authentic Leave this field empty if you want to connect the cluster where the connector is deployed.
EKS Cluster Name
Unique name of the cluster to integrate
AWS Role Name
(Optional) Role defined for the connector
Region
(Optional) Location where the AWS Elastic Kubernetes cluster is deployed
Click Next. The Secret Store section expands.
When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.
(Optional) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.
After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access
role.
The following table shows two approaches to assume this role.
AWS CLI
In the AWS CLI, run the aws sts assume-role
command. Be sure to replace the placeholders.
Config File
Edit ~/.aws/config to contain the following profile. Be sure to replace the placeholders.
<AWS_ACCOUNT_ID>
AWS account ID where the EKS is hosted
<EMAIL>
User email listed in the IdP
(Optional) Number of days after which the database credentials must be rotated Learn more about the .
Learn more about .
(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :
On-prem with network access to your AWS RDS for PostgreSQL instances Minimum Required Version: 1.5.3 Use the following steps to .
(Optional) Metadata label assigned to AWS resources Adding an AWS tag, enables Apono to discover and add resources on your behalf. When , use the following information:
Value: ()
(Optional) Number of days after which the database credentials must be rotated Learn more about the .
Learn more about .
(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :
installed on the EKS cluster that serves as a bridge between the cluster and Apono
providing all available features and dedicated account support
Admin access to the cluster to integrate The cluster admin access can be the built-in role or equivalent permission level. Apono does not require admin permissions to the Kubernetes environment.
Unique to integrate
(Optional) Number of days after which the database credentials must be rotated Learn more about the .
Learn more about .
(Optional) Fallback approver if no is found Follow these steps to define one or several integration owners:
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several :