If your organization uses Amazon Web Services (AWS) as a cloud platform, Apono's AWS integrations can help you securely manage access to your AWS cloud-based services and databases.
By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand access flows.
Through our AWS integrations, Apono enables you to perform the following access tasks:
Limit Access: Discover existing cloud privileges and convert them to just-in-time access flows.
Enable Self-Service Access: Allow developers to request access to AWS services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive AWS resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific S3 buckets, RDS, or EC2 instances with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across AWS.

Learn how to integrate an AWS Lambda Custom Integration with Apono
AWS Lambda enables you to build and connect cloud services and internal web apps by writing single-purpose functions that are attached to events emitted from your cloud infrastructure and services.
Its serverless architecture frees you to write, test, and deploy functions quickly without having to manage infrastructure setup.
With this integration, you can connect your internal applications to AWS Lambda functions and manage access to those applications with Apono.
Before starting this integration, create the items listed in the following table.
You can also use the steps below to integrate with Apono using Terraform.
In step 8, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the tab, click AWS Lambda Custom Integration. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your AWS Lambda function.
Apono's AWS EC2 integration uses the AWS Systems Manager (SSM) Agent for JIT access management to AWS VMs.
This integration lets you grant users permission to connect to EC2 instances over a secure SSM session, without opening inbound SSH ports or distributing SSH keys.
Prerequisites:
An integration between Apono and the AWS Organization or Account that contains the EC2 instance.
An EC2 instance with the SSM Agent installed (installed by default on most Amazon-provided AMIs).
End users must install the Session Manager plugin for the AWS CLI on their local computer.
Follow these steps to create an EC2 instance role with the AmazonSSMManagedInstanceCore managed policy:
In AWS IAM, click Create new IAM Role.
Click Create Role.
Choose the AWS Service option.
From the dropdown list, choose EC2.
Choose EC2 Role for AWS Systems Manager. Click Next.
Verify that the AmazonSSMManagedInstanceCore policy is added. Click Next.
Fill in the Role name box (for example, ec2-ssm).
Click Create role.
Go back to the Modify IAM Role page of the EC2 instance.
From the dropdown list, choose the new IAM role you created (ec2-ssm).
Click Update IAM role.
Then enable EC2 discovery in Apono:
In the Apono UI, edit an existing AWS Org or AWS Account integration or create a new one.
Add the EC2 Connect resource type.
Complete the integration and click Integrate.
Apono should now discover EC2 machines, and you can create access flows to EC2 instances.
Please note: it takes about 30 minutes for the AWS sync to finish.
Region
Region of the AWS Lambda function
Function Name
Name of the AWS Lambda function
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the credentials must be rotated
User cleanup after access is revoked (in days)
(Optional) Number of days after access has been revoked after which the user is deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no Resource Owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between your AWS Lambda functions and Apono
Minimum Required Version: 1.4.1
If your connector is older, follow the steps to update an existing connector.
Lambda Function
Named function set up within AWS Lambda
When creating the Lambda function, apply the tag
apono-connector-access: "true".
See: Sample Lambda Function.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Custom Parameters
Key-value pairs to send to the Lambda function. For example, you can provide the Lambda function with a redirect URL that is used for internal provisioning access and passed as part of the action requests.
Sample Lambda Function
Apono invokes the function with an event carrying event_type and params; the handler dispatches on event_type and returns a JSON result. Custom parameters arrive under params.custom_parameters. The sample below handles every event type once (the original sample listed create-credentials twice, so the second branch was unreachable).

  // Sample Lambda function for the Apono custom integration (Node.js ES module).
  function listResources(params) {
    // Inventory of resources of the requested type, plus the permissions Apono can grant on them.
    return {
      resources: [
        { id: 'resource1', name: 'Resource 1', type: params.resource_type, metadata: { key1: 'value1' } },
        { id: 'resource2', name: 'Resource 2', type: params.resource_type, metadata: { key2: 'value2' } },
        { id: 'resource3', name: 'Resource 3', type: params.resource_type, metadata: { key3: 'value3' } },
      ],
      permissions: [
        { id: 'admin', name: 'Admin' },
        { id: 'reader', name: 'Reader' },
      ],
    };
  }

  function grantAccess(params) {
    // Apono sends the requesting user, a unique grant ID, the target resources, the permission,
    // and the custom parameters configured for the integration (param1/param2 here).
    const { username, grant_id: grantId, resources, permission } = params;
    const { param1, param2 } = params.custom_parameters;
    console.log(`grant ${grantId}: ${username} -> ${permission} on ${resources.length} resource(s)`, param1, param2);
    // Provision the access in the internal application here.
    return { status: 'ok' };
  }

  function revokeAccess(params) {
    const { username, grant_id: grantId, resources, permission } = params;
    const { param1, param2 } = params.custom_parameters;
    console.log(`revoke ${grantId}: ${username} -> ${permission} on ${resources.length} resource(s)`, param1, param2);
    // Remove the access that was granted under grantId here.
    return { status: 'ok' };
  }

  function createCredentials(params) {
    const { username, grant_id: grantId, resources } = params;
    const { param1, param2 } = params.custom_parameters;
    console.log(`create credentials for ${username} (grant ${grantId}, ${resources.length} resource(s))`, param1, param2);
    // Return the newly created secret to Apono; never log it.
    return { status: 'ok', secret: 'created-credentials-secret' };
  }

  function resetCredentials(params) {
    console.log(`reset credentials for ${params.username}`);
    return { status: 'ok', secret: 'reset-credentials-secret' };
  }

  export const handler = async (event) => {
    const params = event.params;
    switch (event.event_type) {
      case 'list-resources':
        return listResources(params);
      case 'grant-access':
        return grantAccess(params);
      case 'revoke-access':
        return revokeAccess(params);
      case 'create-credentials':
        return createCredentials(params);
      case 'reset-credentials':
        return resetCredentials(params);
      default:
        // Any other event type is answered with a liveness status.
        return { status: 'active' };
    }
  };
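The same event contract implemented for the Python Lambda runtime, as an added example that is not Apono's code or the page's own sample. It adds what the Node sample leaves out: per-event parameter validation, rejection of permissions the function never advertised, idempotent grant and revoke keyed on grant_id, and a randomly generated secret. The GRANTS dictionary stands in for the internal application's provisioning API, and the {"status": "error"} response for rejected events is an assumption; the page only shows 'ok' and 'active'.

```python
"""Python-runtime Lambda handler for the Apono custom-integration event contract."""
import logging
import secrets

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Parameters Apono sends for each event type, taken from the Node sample above.
REQUIRED_PARAMS = {
    "list-resources": ("resource_type",),
    "grant-access": ("username", "grant_id", "resources", "permission"),
    "revoke-access": ("username", "grant_id", "resources", "permission"),
    "create-credentials": ("username", "grant_id", "resources"),
    "reset-credentials": ("username",),
}

PERMISSIONS = [{"id": "admin", "name": "Admin"}, {"id": "reader", "name": "Reader"}]

# Hypothetical in-memory grant store. In a real function this would be a call into
# the internal application's own provisioning API (assumption, not from the page).
GRANTS = {}


def _validate(event_type, params):
    """Reject events whose params do not carry the fields the contract requires."""
    missing = [key for key in REQUIRED_PARAMS[event_type] if key not in params]
    if missing:
        raise ValueError(f"{event_type}: missing params {missing}")
    if event_type in ("grant-access", "revoke-access"):
        if params["permission"] not in {p["id"] for p in PERMISSIONS}:
            raise ValueError(f"{event_type}: unknown permission {params['permission']!r}")
        if not isinstance(params["resources"], list) or not params["resources"]:
            raise ValueError(f"{event_type}: resources must be a non-empty list")


def list_resources(params):
    # Constructed sample inventory; a real function would query the application.
    resource_type = params["resource_type"]
    return {
        "resources": [
            {"id": f"resource{i}", "name": f"Resource {i}", "type": resource_type,
             "metadata": {"owner": "platform-team"}}
            for i in (1, 2, 3)
        ],
        "permissions": PERMISSIONS,
    }


def grant_access(params):
    # Keyed by grant_id so a retried delivery of the same grant is a no-op.
    GRANTS[params["grant_id"]] = {
        "username": params["username"],
        "resources": list(params["resources"]),
        "permission": params["permission"],
        "custom_parameters": dict(params.get("custom_parameters") or {}),
    }
    return {"status": "ok"}


def revoke_access(params):
    # Revoking a grant that is already gone is not an error: Apono may retry.
    if GRANTS.pop(params["grant_id"], None) is None:
        logger.info("revoke for unknown grant %s ignored", params["grant_id"])
    return {"status": "ok"}


def _new_secret():
    # 24 random bytes -> 32 URL-safe characters; the value is returned, never logged.
    return secrets.token_urlsafe(24)


def create_credentials(params):
    return {"status": "ok", "secret": _new_secret()}


def reset_credentials(params):
    return {"status": "ok", "secret": _new_secret()}


HANDLERS = {
    "list-resources": list_resources,
    "grant-access": grant_access,
    "revoke-access": revoke_access,
    "create-credentials": create_credentials,
    "reset-credentials": reset_credentials,
}


def lambda_handler(event, context=None):
    event_type = event.get("event_type")
    params = event.get("params") or {}
    if event_type not in HANDLERS:
        # Mirrors the Node sample: any other event answers with a liveness status.
        return {"status": "active"}
    try:
        _validate(event_type, params)
    except ValueError as exc:
        # Error shape is an assumption; the page only shows 'ok' and 'active'.
        logger.warning("rejected %s event: %s", event_type, exc)
        return {"status": "error", "message": str(exc)}
    return HANDLERS[event_type](params)
```

Because the function only hands out permissions it advertised in list-resources and treats repeated grant or revoke deliveries as idempotent, a retried or replayed event cannot widen access.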
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Learn how to complete an AWS integration in the Apono UI
Apono offers AWS users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple AWS services across various accounts and organizations.
An Apono connector installed in your AWS account
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to integrate Apono with your AWS account:
On the tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account.
Click one or more resource types to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
After connecting your AWS account to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.
An Apono connector installed in your AWS management account OR a
To sync and manage access to EC2 servers, make sure you add the AmazonSSMManagedInstanceCore policy to the connector's IAM role
Follow these steps to integrate Apono with your AWS organization:
On the tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Organization.
Click one or more resource types to sync with Apono.
Select the Permission Boundary resource type to allow Apono to temporarily restrict overprivileged access.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
After connecting your AWS organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration initializes once it completes its first data fetch. Upon completion, the integration is marked Active.
Apono leverages AWS Resource Explorer for multi-region scans for your AWS Organization integration. Apono uses this organization-level configuration to automatically deploy local indexes and aggregate them into a single searchable view.
This configuration provides:
A centralized aggregator index for organization-wide search
Automated creation and maintenance of local indexes
Consistent visibility across teams, regions, and environments
Less manual setup and fewer cross-account visibility gaps
Prerequisites
Enable trusted access for Resource Explorer
Follow these steps to enable trusted access:
From your Management account, open AWS Resource Explorer.
From the navigation, click Settings. The Settings page appears.
In the multi-account/organization section, follow the prompt to Enable trusted access.
You can also enable trusted access from AWS Organizations.
Follow these steps:
From your Management account, open AWS Organizations.
Configure the organization deployment
Follow these steps to configure the organization deployment:
Open Quick Setup from Systems Manager or Resource Explorer.
Select the Aggregator Index Region. This region becomes the central location for organization-wide search.
Under Targets, select the accounts that include the resources you want discovered:
Entire Organization: (Recommended) Enables complete visibility
Under Summary, review the aggregator region, targets, and regions.
Select Create. The Quick Setup will deploy the following:
Local indexes in each selected region or account
An aggregator index in the Aggregator Region
Verify the deployment
After the deployment has completed, follow these steps to verify the deployment:
From the Management account, open AWS Resource Explorer.
From the navigation, click Settings. The Settings page opens.
Under Indexes, locate the region set as the aggregator index during the Quick Setup. The region should be denoted as Aggregator.
Spot check a member account:
Troubleshoot Quick Setup
Now that you have completed this integration, you can create access flows that grant permission to AWS IAM resources, such as AWS Roles.
If you encounter errors while integrating, refer to the troubleshooting guidance.
AWS Profile Name
(Optional) Name of the AWS profile By default, Apono sets this value to apono.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the credentials must be rotated
User cleanup after access is revoked (in days)
(Optional) Number of days after access has been revoked after which the user is deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no Resource Owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
AWS SSO Region
Region for which your single sign-on is configured
SSO Portal
This is required for Apono to generate a sign-in link for end users to use their granted access.
Management Account Role ARN
(Optional) ARN (see step 5) of the role to assume in the management account
Exclude Organization Unit IDs
(Optional) Comma-separated list of organizational unit IDs to exclude Example: ou-aaa1-1111,ou-bbb2-2222
Exclude Account IDs
(Optional) Comma-separated list of 12-digit AWS account IDs to exclude Example: 766554433221,766554433222,766554433333
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no Resource Owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Click AWS Resource Explorer. The AWS Resource Explorer page opens.
If Trusted access is disabled, click Enable trusted access. The Enable trusted access for AWS Resource Explorer pop-up window appears.
Click Show the option to enable trusted access for AWS Resource Explorer without performing additional setup tasks.
Type enable in the text field.
Click Enable trusted access.
On the Resource Explorer card, click Create. The Configure Resource Explorer for your Organization page opens.
From the regions selector, choose all regions where Resource Explorer should create indexes.
Default views for centralized search
Log in as or assume the role of a sample member account.
Open AWS Resource Explorer in one region that should have an index to ensure an index exists and is Active.
Open AWS Resource Explorer in one region that should not have an index to confirm an index does not exist.
A Service Control Policy (SCP) denies CloudFormation in some regions, typically through an aws:RequestedRegion condition. Quick Setup then succeeds only in the regions the SCP allows and fails in every other region.
Solution
Follow these steps:
From the Management account, open AWS Organizations.
From the navigation, click Policies. The Policies page opens.
Under Service control policies, examine SCPs attached to the affected organizational unit or account for "Effect": "Deny" statements that mention cloudformation:* or specific Cloudformation actions.
Fix the issues through one of the following options:
Add the required regions to the allowlist in aws:RequestedRegion.
Exclude CloudFormation from the deny list. For example, add cloudformation:* to NotAction.
Temporarily relax or detach the SCP, re-run Quick Setup, then restore the SCP.
The region was not included in the Quick Setup region selection.
The account or organizational unit was not part of the Quick Setup target scope.
CloudFormation has been denied by SCP in that region.
Solution
Follow these steps:
Review the Targets and Regions (if applicable) selected when you configured the organization deployment.
Check the SCP for the relevant accounts or regions.
If CloudFormation must stay blocked, you can manually create indexes.
The index does not exist.
The organization-wide view does not show everything.
Possible Causes
The Management account is not in one of the Quick Setup targets, such as the selected organizational unit.
AWS created aggregator indexes only in member accounts based on your config.
The index was manually created as Local, not Aggregator.
Solution
Follow these steps:
In the Management account, in the Aggregator Region, ensure an index exists.
In the console, change the index to Aggregator.
If the index cannot be changed to Aggregator, manually recreate the index as an Aggregator.
Create the organization-wide view in the specific account or region.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Region
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Region
AWS Organization
An AWS organization must be integrated with Apono.
All organizational units (OUs) or accounts you plan to include as part of the target must be structured within the AWS organization.
IAM user or role in the management account
A user or role used to run Quick Setup in the management account.
This user or role must be able to complete these tasks:
Enable trusted access in AWS Organizations
Configure Resource Explorer
Use Systems Manager Quick Setup
Use AWS Resource Access Manager (RAM)
View CloudFormation, SSM, and Resource Explorer status
Option A
Use a role or user with the AWS-managed AdministratorAccess policy in the Management account to prevent hidden blocking conditions.
Option B
Create a role in the Management account (such as ResourceExplorerAdmin) with a custom managed policy similar to the following example.
Service Control Policy (SCP)
SCPs must not deny CloudFormation in any target account or region:
SCPs must not explicitly deny:
cloudformation:CreateStack
cloudformation:UpdateStack
cloudformation:*
Region-restriction SCPs (aws:RequestedRegion) must adhere to one of the following:
Include all required regions in the allowlist.
Explicitly exempt CloudFormation from an explicit denial by adding cloudformation:* to NotAction.
IMPORTANT: Failure to adhere to these SCP requirements will prevent Quick Setup from successfully deploying in regions where the SCP has denied CloudFormation.
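The SCP requirements above and the Quick Setup troubleshooting section describe the same failure: a region-restriction SCP whose Deny statement catches cloudformation:CreateStack. The following added example (not Apono's or AWS's code) models only what that check needs, Deny statements with Action or NotAction and StringEquals/StringNotEquals on aws:RequestedRegion, and runs two constructed SCPs through it: the common pattern that exempts only global services, and the same SCP with cloudformation:* added to NotAction as the page advises. It ignores Allow statements, other condition operators, and the inheritance chain of SCPs from root to account, so treat a "not denied" result as necessary rather than sufficient and confirm with the IAM policy simulator before deploying.

```python
"""Check which regions an SCP blocks for CloudFormation (Quick Setup) before deploying."""
import fnmatch

# Constructed SCPs. BLOCKING_SCP is the usual region-restriction pattern that exempts only
# global services; FIXED_SCP adds cloudformation:* to NotAction so Quick Setup can run.
ALLOWED_REGIONS = ["us-east-1", "eu-central-1"]

BLOCKING_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}

FIXED_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "cloudformation:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action patterns use * and ? wildcards and are matched case-insensitively.
    return any(fnmatch.fnmatch(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the string operators region-restriction SCPs use; anything else is rejected."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            present = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def scp_denies(scp, action, region):
    """True when a Deny statement in the SCP matches the action in that region."""
    context = {"aws:RequestedRegion": region}
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            hit = _action_matches(stmt["Action"], action)
        else:
            # NotAction: the statement applies to every action except the listed ones.
            hit = not _action_matches(stmt["NotAction"], action)
        if hit and _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def quick_setup_blocked_regions(scp, target_regions):
    """Regions where Quick Setup's CloudFormation stack creation would be denied."""
    return [r for r in target_regions if scp_denies(scp, "cloudformation:CreateStack", r)]
```

Run quick_setup_blocked_regions against the regions you intend to select in Quick Setup; any region it returns will fail during deployment. Note that exempting cloudformation:* from the region deny lets stacks be created in any region, so the exemption should be reviewed like any other widening of an SCP.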


Region in which the organization runs
Region in which the organization runs
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:*",
"ssm:*",
"cloudformation:*",
"resource-explorer-2:*",
"ram:*",
"iam:PassRole"
],
"Resource": "*"
}
]
}
This example policy grants wildcard rights over Organizations, Systems Manager, CloudFormation, Resource Explorer and RAM. It is intended for the one-time Quick Setup run by an administrator; scope it down or remove the role once the deployment has been verified.
Automatically identify AWS RDS instances in an Account or Organization for JIT access management
Apono’s Auto Discovery feature identifies tagged AWS RDS instances, including MySQL and PostgreSQL. Rather than integrating each instance individually, you can integrate selected databases and their resources at once during your AWS Account or Organization setup.
This capability requires network access to each discoverable database. If your databases are in different AWS networks, make sure to create an AWS connector for each network.
Follow these steps to enable Auto Discovery:
In your AWS RDS database instance, create a user for the Apono connector. As part of this step, you will also create a secret.
Tag the RDS instance based on the authentication method you selected in the previous step. In the tables below, the values shown are the exact text you should enter when adding these tags.
In the Apono UI, on the tab, click AWS. The Connect Integrations Group page appears.
Under Discovery, click Amazon Account or Amazon Organization.
Under Connect Sub Integration, select Database, Table, and Role to control the granularity of discovery in each discovered instance.
After connecting your AWS Account or AWS Organization to Apono, you will be redirected to the Connected tab to view your integrations. The new AWS integration, along with sub-integrations for each RDS instance, initialize during the first data fetch. The integration becomes Active once the process completes.
Now that you have completed this integration, you can create access flows that grant permission to your AWS RDS resources.
If RDS instances appear with errors on your Integrations page, follow these steps:
Check Tags: Verify all required tags are present and correctly formatted.
Connector Permissions: Ensure the Apono connector has necessary permissions to read tags and access secrets.
Network connectivity: Ensure each RDS instance is accessible by an Apono connector within the same network.
For any questions about the discovery process, please contact Apono Support.
Integrate with Apono to view existing permissions and create Access Flows to Amazon Redshift clusters
Amazon Redshift is a fast, scalable, and secure fully managed data warehouse service in the cloud, serving as a primary data store for vast datasets and analytic workloads. Amazon Web Services (AWS) enables businesses to analyze their data using standard SQL and existing business intelligence tools, promoting insightful decision-making and integration with various AWS services.
Through this integration, Apono helps you securely manage access to your Amazon Redshift instance.
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the tab, click Amazon Redshift. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your Amazon Redshift instance.
Refer to the troubleshooting guidance for information about errors that may occur.
Complete the Amazon Account or Amazon Organization integration (steps 3-10).
Apono Connector
One or more Apono connectors for AWS with network access to your AWS RDS databases
Minimum Required Version: 1.5.3
Follow these steps to update an existing connector.
AWS Permissions
Permissions to complete the following tasks in your AWS account:
Create and manage AWS Secrets Manager secrets
Tag RDS instances
Tags for IAM authentication (auth_type = iam-auth):
auth_type
iam-auth
apono-connector-id
ID of the Apono connector in the same AWS Account or AWS Organization as the database
Tags for username/password authentication (auth_type = user-password):
auth_type
user-password
apono-connector-id
ID of the Apono connector in the same AWS Account or AWS Organization as the database
apono-secret
ARN of the secret containing the database credentials
region
AWS region where the secret is stored
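The tag tables above and the "Check Tags" troubleshooting step are easy to get wrong by hand (a capitalised auth_type, a secret name instead of its ARN, a region tag that disagrees with the ARN). The following added example, not Apono's code, validates a set of RDS tags against those tables and runs over a constructed inventory. It compares keys and values case-sensitively because the page says to use the exact text, treats region as optional and checks it against the region embedded in the secret ARN when both are present; which tags a given Apono connector version actually reads is for the tables above to define, not this script.

```python
"""Validate the tags Apono auto-discovery expects on an RDS instance."""
import re

# Exact tag keys and values from the tables above.
AUTH_TYPES = {"iam-auth", "user-password"}
SECRET_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:secretsmanager:([a-z0-9-]+):\d{12}:secret:[A-Za-z0-9/_+=.@-]+$"
)
REGION = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")

# Constructed inventory: {db_identifier: tags}. legacy-mysql carries two common mistakes.
SAMPLE_INSTANCES = {
    "orders-pg": {"auth_type": "iam-auth", "apono-connector-id": "conn-1a2b3c"},
    "billing-mysql": {
        "auth_type": "user-password",
        "apono-connector-id": "conn-1a2b3c",
        "apono-secret": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:apono/billing-AbCdEf",
        "region": "eu-central-1",
    },
    "legacy-mysql": {
        "auth_type": "User-Password",          # wrong case
        "apono-connector-id": "conn-1a2b3c",
        "apono-secret": "apono/legacy",         # secret name, not its ARN
    },
}


def validate_rds_tags(tags):
    """Return a list of problems; an empty list means the instance is discoverable."""
    problems = []
    auth_type = tags.get("auth_type")
    if auth_type is None:
        problems.append("missing tag auth_type")
    elif auth_type not in AUTH_TYPES:
        problems.append(f"auth_type must be one of {sorted(AUTH_TYPES)}, got {auth_type!r}")
    if not tags.get("apono-connector-id"):
        problems.append("missing tag apono-connector-id")
    if auth_type == "user-password":
        secret = tags.get("apono-secret")
        if secret is None:
            problems.append("missing tag apono-secret (required for user-password)")
        else:
            match = SECRET_ARN.match(secret)
            if not match:
                problems.append("apono-secret is not a Secrets Manager secret ARN")
            elif "region" in tags and tags["region"] != match.group(1):
                problems.append(
                    f"region tag {tags['region']!r} does not match secret ARN region {match.group(1)!r}"
                )
    if "region" in tags and not REGION.match(tags["region"]):
        problems.append(f"region tag {tags['region']!r} is not an AWS region name")
    return problems


def discoverable_instances(instances):
    """Split {db_identifier: tags} into (discoverable ids, {id: problems}) for the rest."""
    ok, broken = [], {}
    for db_id, tags in instances.items():
        issues = validate_rds_tags(tags)
        if issues:
            broken[db_id] = issues
        else:
            ok.append(db_id)
    return ok, broken
```

Feed it the output of `aws rds list-tags-for-resource` for each instance before enabling discovery; instances listed under broken are the ones that will show errors on the Integrations page.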
Port
Port value for the instance By default, Apono sets this value to 5439.
Database Name
Name of the database
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated
User cleanup after access is revoked (in days)
(Optional) Number of days after access has been revoked after which the user is deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no Resource Owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between an Amazon Redshift instance and Apono
Minimum Required Version: 1.3.2
If your connector is older, follow the steps to update an existing connector.
Secret
Value generated through AWS or Kubernetes
Apono does not store credentials. The Apono Connector uses the secret to communicate with services in your environment and separate the Apono web app from the environment for maximal security.
User
Redshift user for Apono with the CREATEUSER permission
Amazon Redshift Info
Information for the Amazon Redshift instance to be integrated:
Hostname
Port Number
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Hostname
Hostname of the Amazon Redshift instance to connect
The secret must hold the credentials of the Redshift user created for Apono, in the following JSON format:
{
  "username": "REDSHIFT_USERNAME",
  "password": "PASSWORD"
}
Create the Apono user in Redshift and give it the CREATEUSER privilege:
CREATE USER apono_connector WITH PASSWORD 'password';
ALTER USER apono_connector WITH CREATEUSER;
Replace 'password' with a strong password that meets Redshift's requirements (8 to 64 characters with at least one uppercase letter, one lowercase letter and one digit), and store it only in the secret.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Scale AWS resource management in access flows
When granting AWS access permissions, listing individual ARNs in IAM policies can quickly cause you to exceed AWS's inline policy character limit. Apono solves this through access scopes and the Apono Query Language (AQL). These solutions use regex patterns to efficiently manage resource groups instead of listing individual ARNs.
For additional protection, Apono has implemented a 100-resource threshold as a guardrail when individual ARN specification is needed.
The following sections explain how Apono prevents you from exceeding AWS's inline policy limit:
Create strategic AWS resource groupings for access flows
Understand how Apono provides clear warnings when the AWS policy limit is exceeded
Learn how Apono maintains consistent behavior whether your team uses Portal, Teams, or Slack
For example, instead of individually specifying 200 S3 buckets in a policy (which would exceed AWS's limit), you can use resource tags to group them by environment or function.
When defining access flows that include AWS resources, your resource definition strategy directly impacts policy management.
Before selecting AWS resources for an access flow, consider the following questions:
Can all resources of an integration be selected?
Have tags been applied to logically group resources by environment, function, or team?
Can an access scope be created to group resources across multiple AWS integrations?
Is individual resource selection truly necessary for security requirements?
To effectively manage AWS permissions while avoiding policy character limits, you can use access scopes, integrations, or bundles. When possible, we strongly recommend using access scopes or AQL.
The following table explains the strategy for each approach.
If you select too many AWS resources for an access flow, the Apono UI will display a warning message instructing you to reduce the number of selected resources.
When requesting access to many AWS resources, Apono will warn you if you have selected too many AWS resources.
You will receive different notifications about AWS resource limits depending on which platform you use to submit your access request:
Portal & Teams: Apono displays a warning before submission when you click Request, preventing requests that exceed the limit.
Slack: Apono processes your request first, then sends a message if you need to resubmit with fewer resources.
The following configurations within access flows or when bundling multiple resources will exceed AWS policy size constraints.
Specifying resources by name or ID: Selecting specific resource names or IDs one by one.
S3 buckets: because IAM policies cannot select S3 buckets by resource tag the way they can for services that support tag-based authorization, bucket access should be handled with region tags or through access scopes or AQL patterns where possible.
Excluding a list of resource names or ID: choosing a list of resources to exclude can similarly inflate policy size and is best handled through access scopes or AQL patterns where possible.
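To see why selecting resources by name hits the IAM limit while a tag-based selection does not, the following added example (not Apono's code) builds both kinds of inline policy for a constructed fleet of EC2 instances and measures them the way IAM does, without whitespace, against the per-principal inline policy quotas (2,048 characters for a user, 5,120 for a group, 10,240 for a role). It also applies the 100-resource guardrail described above. EC2 is used rather than S3 because EC2 supports the aws:ResourceTag condition; the instance ARNs, account ID and the env=production tag are constructed for the example.

```python
"""Compare an ARN-listing inline policy with a tag-scoped one against IAM size limits."""
import json

# IAM inline policy quotas per principal type (characters; IAM does not count whitespace).
INLINE_POLICY_LIMITS = {"user": 2048, "group": 5120, "role": 10240}
# Apono's guardrail for resources selected by name (see the text above).
NAMED_RESOURCE_THRESHOLD = 100

EC2_ACTIONS = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]


def sample_instance_arns(count, region="eu-central-1", account="123456789012"):
    # Constructed instance ARNs standing in for a real inventory.
    return [f"arn:aws:ec2:{region}:{account}:instance/i-{i:016x}" for i in range(count)]


def policy_chars(policy):
    # Serialise without whitespace so the count matches how IAM measures the quota.
    return len(json.dumps(policy, separators=(",", ":")))


def build_arn_policy(actions, arns):
    """One statement that names every instance individually."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": arns}]}


def build_tag_policy(actions, tag_key, tag_value):
    """One statement whose size is independent of how many instances carry the tag."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*",
                           "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}}}]}


def exceeds_inline_limit(policy, principal_type):
    return policy_chars(policy) > INLINE_POLICY_LIMITS[principal_type]


def exceeds_named_resource_threshold(arns):
    return len(arns) > NAMED_RESOURCE_THRESHOLD


def compare(count):
    """Sizes of both approaches for `count` instances, for a quick before/after."""
    arns = sample_instance_arns(count)
    by_arn = build_arn_policy(EC2_ACTIONS, arns)
    by_tag = build_tag_policy(EC2_ACTIONS, "env", "production")
    return {
        "instances": count,
        "arn_policy_chars": policy_chars(by_arn),
        "tag_policy_chars": policy_chars(by_tag),
        "arn_fits_role": not exceeds_inline_limit(by_arn, "role"),
        "over_apono_threshold": exceeds_named_resource_threshold(arns),
    }
```

The trade-off is worth stating: a tag condition keeps the policy small and follows the fleet as instances come and go, but it also means anyone who can set the env tag can pull a new instance into scope, so tag-writing permissions (ec2:CreateTags) need the same scrutiny as the access flow itself.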
Resource types:
EC2 Manage
S3 Bucket (by "any resource" and region tags)
SNS Topic
SQS queue

Apono Connector: On-prem connection serving as a bridge between an AWS instance and Apono. Minimum Required Version: 1.7.0. Use the following steps to update an existing connector.
Access Scopes (Strongly Recommended, All Access Flows): Use when you need dynamic, rule-based resource grouping.
Access scopes and AQL let you create flexible filters that adapt to your changing infrastructure. This makes them ideal for scenarios like all production databases or EC2 instances in the eu-region.

Integrations (Automatic Access Flow): Use when providing access to an entire AWS account or organization, or to resources that share specific tags.
Integrations let you align permissions with your organization structure:
Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.
This strategy is ideal for scenarios like managing cross-account DevOps access or regional support team permissions.

Bundles (Automatic Access Flow, Self Serve Access Flow): Use when packaging related resources as a cohesive unit for user requests.
Bundles let you create logical groupings of permissions that serve specific functions.
When creating a bundle, explore one of the following options:
Use tags in your cloud environment to group resources, such as production, eu-region, customer-support.
Apply Any resources when all resources of the integration can be included.
This strategy is ideal for scenarios like complete development environment access or full analytics platform access.
Apono shows the resource-limit warning in the following cases:
Automatic access flow: you have selected more than 100 AWS resources by name (Select by name) from one integration or across multiple integrations, or more than 100 AWS resources by name within one bundle or across multiple bundles.
Self Serve access flow: you have selected more than 100 AWS resources within one bundle or across multiple bundles.

Integrate with AWS-managed PostgreSQL for JIT access management for RDS
PostgreSQL is an open-source relational database management system emphasizing extensibility and SQL compliance. AWS enables developers to create cloud-hosted PostgreSQL databases.
Through this integration, Apono helps you securely manage access to your AWS RDS for PostgreSQL instances.
You must create a user in your AWS RDS PostgreSQL instance for the Apono connector and grant that user permissions to your databases.
Follow these steps to create a user and grant it database permissions:
1. Create a new user with either Built-in authentication or IAM authentication. You can use only one authentication option on the RDS instance at a time.
Built-in authentication identifies a user through a username and password. Be sure to select a strong password for the user.
IAM authentication: after enabling IAM authentication on your RDS instance, create an AWSAuthenticationPlugin user for the Apono connector. AWSAuthenticationPlugin is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.
To create the user, run the following commands from your PostgreSQL client.
2. From your preferred client tool, grant rds_superuser access to the user.
3. (IAM authentication only) Create and attach the following IAM policy to your identity center permission set or role.
4. (Built-in authentication only) Keep the credentials from step 1; you provide them in the Secret Store step of the integration.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
1. On the Catalog tab, click AWS RDS PostgreSQL. The Connect Integration page appears.
2. Under Discovery, click one or more resource types to sync with Apono.
3. Click Next. The Apono connector section expands.
4. From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
5. Click Next. The Integration Config section expands.
6. Define the Integration Config settings.
7. Click Next. The Secret Store section expands.
8. (Optional) Define the Secret Store settings.
9. Click Next. The Get more with Apono section expands.
10. Define the Get more with Apono settings.
11. Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your RDS for PostgreSQL database.
Integration Config settings:
Region: Location where the PostgreSQL database is deployed.
Instance ID: ID of the PostgreSQL instance.
Database Name: Name of the PostgreSQL database.
SSL Mode: (Optional) Mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server. Values:
require: An SSL-encrypted connection must be used.
allow: An SSL-encrypted or unencrypted connection is used. If an SSL-encrypted connection is unavailable, the unencrypted connection is used.
disable: An unencrypted connection is used.
Enable Audit: (Optional) Feature that allows Apono to ingest and aggregate session audit logs.
Click Next. The Secret Store section expands.
Get more with Apono settings:
Custom Access Details: (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner: (Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
1. From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
2. From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner: (Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
1. Enter a Key name. This value is the name of the tag created in your cloud environment.
2. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector: On-prem connection with network access to your AWS RDS for PostgreSQL instances. Minimum Required Version: 1.5.3. Use the following steps to update an existing connector.
NOTE: When installing the Apono connector with CloudFormation, the AWS RDS database policy is automatically created.
If you do not use CloudFormation, you must create the following policy and assign it to the Apono connector role.
PostgreSQL Info: Information for the database instance to be integrated: Instance ID and Database Name.
AWS Tag: (Optional) Metadata label assigned to AWS resources. Adding an AWS tag enables Apono to discover and add resources on your behalf. When adding an AWS tag, use the following information:
Tag key: apono-secret
Value: (AWS Secret)
Create the user (Built-in authentication):
```sql
CREATE USER apono_connector WITH PASSWORD 'secret_passwd';
```
Create the user (IAM authentication):
```sql
CREATE USER apono_connector;
GRANT rds_iam TO apono_connector;
```
Grant rds_superuser access:
```sql
-- Allows the Apono connector to create, alter, and drop user roles
ALTER USER apono_connector WITH CREATEROLE;
-- Assigns the RDS superuser role to the Apono connector, providing comprehensive permissions for database management
GRANT rds_superuser TO apono_connector;
```
Integration Config fields:
Integration Name: Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow.
Auth Type: Authorization type for the service account user:
IAM Auth: IAM authentication
User / Password: Built-in authentication
Credential Rotation: (Optional) Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days): (Optional) Defines the number of days after access has been revoked that the user should be deleted. Learn more about Periodic User Cleanup & Deletion.
IAM policy for the Apono connector role (created automatically when the connector is installed with CloudFormation; otherwise create it and attach it to the connector role):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:*:*:dbuser:*/apono_connector",
      "Effect": "Allow"
    }
  ]
}
```
IAM policy for the identity center permission set or role (IAM authentication only):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": [
        "arn:aws:rds:*:*:db:*"
      ]
    }
  ]
}
```
Additional SSL Mode values:
prefer: An SSL-encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
verify-full: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass. Additionally, the server hostname is checked against the certificate's names.
Amazon RDS for MySQL is a managed, open-source relational database service in the cloud. Through the AWS RDS MySQL integration, Apono can manage access to the following resource types:
Database
Table
Role
If you already have an AWS Apono connector:
Make sure the connector's minimum version is 1.5.3.
If you still don't have an AWS Apono connector, install one before continuing.
Create a user and grant permissions:
You can use only one authentication option on the RDS instance at a time.
Follow these steps to complete the integration:
1. Go to the Integrations page and click the Add Integration button at the top left, or open the Catalog blade.
2. In the Catalog page, search for and select AWS RDS MySQL.
3. In the Discovery step, select one or multiple AWS RDS MySQL resource types for Apono to discover.
4. In the Secret Store step, provide the connector credentials using one of the following secret store options:
5. (Optional) In the Get more with Apono step, you can set up the following:
Create a user and grant permissions (Built-in authentication):
1. Create a username for the Apono connector. The username is arbitrary and can be set according to your preference. Replace USER_NAME and PASSWORD with your desired credentials.
2. Grant the necessary permissions to the user:
SHOW DATABASES: Allows the user to view all databases in the RDS instance.
CREATE USER: Grants the ability to create new users.
UPDATE: Permits updates in the MySQL system database, including user privileges.
PROCESS: Allows viewing the server's process list, including all executing queries.
3. (MySQL 8.0 and above) Grant the user the authority to manage roles by giving them the ROLE_ADMIN privilege. Starting with MySQL 8.0, the ROLE_ADMIN privilege is required to create roles, assign permissions to roles, and grant or revoke roles to or from users. This privilege does not inherently grant any specific database access permissions.
In the Integration config step, provide the following information about your AWS RDS MySQL instance:
Integration Name (required): The integration name.
Auth Type (required): The authentication method for connecting to an AWS RDS instance, with options for password (username and password) or iam (IAM-based authentication).
Region (required): AWS region where the RDS instance is located.
Instance ID (required): The unique identifier of the AWS RDS instance.
Credentials rotation period (in days) (optional, e.g. 90): Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days) (optional, e.g. 90): Defines the number of days after access has been revoked that the user should be deleted. Learn more about Periodic User Cleanup & Deletion.
Custom Access Details: (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner: (Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
1. From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
2. From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner: (Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
1. Enter a Key name. This value is the name of the tag created in your cloud environment.
2. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Find the MySQL instance, its endpoint and port:
```shell
aws rds describe-db-instances \
  --filters "Name=engine,Values=mysql" \
  --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]"
```
Enable IAM database authentication on the instance (IAM authentication only):
```shell
aws rds modify-db-instance \
  --db-instance-identifier DBInstanceIdentifier \
  --apply-immediately \
  --enable-iam-database-authentication
```
Connect with your MySQL client, replacing the bracketed values with the endpoint and port returned above:
```shell
mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p
```
Create the user (Built-in authentication):
```sql
CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';
```
Grant the permissions:
```sql
GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';
GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'USER_NAME'@'%';
GRANT GRANT OPTION ON *.* TO 'USER_NAME'@'%';
```
(MySQL 8.0 and above) Grant the ROLE_ADMIN privilege:
```sql
GRANT ROLE_ADMIN ON *.* TO USER_NAME;
```
Connect RDS MySQL
Create a user and grant permissions (IAM authentication):
1. Create a username for the Apono connector. The username is arbitrary and can be set according to your preference. Replace USER_NAME with your desired username.
2. Grant the necessary permissions to the user:
SHOW DATABASES: Allows the user to view all databases in the RDS instance.
CREATE USER: Grants the ability to create new users.
UPDATE: Permits updates in the MySQL system database, including user privileges.
PROCESS: Allows viewing the server's process list, including all executing queries.
3. Add the following policy to the connector role.
4. To allow a user or role to connect to your DB instance, create the following IAM policy and attach it to your identity center permission set or role.
Enable IAM database authentication on the DB instance from the AWS Console:
1. In the navigation pane, choose Databases.
2. Choose the DB instance that you want to modify.
3. Make sure that the DB instance is compatible with IAM authentication. Check the compatibility requirements in Region and version availability.
4. Choose Modify.
5. In the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication. (Choose Password authentication or Password and Kerberos authentication to disable IAM authentication.)
6. Choose Continue.
7. To apply the changes immediately, choose Immediately in the Scheduling of modifications section.
8. Choose Modify DB instance.
Copy the following RDS SQL details:
Endpoint: The DNS name of the DB instance.
Port: The port number on which the DB instance accepts connections.
Connect to the DB instance with your SQL client using the copied details.
Connect with your MySQL client:
```shell
mysql -h [Endpoint.Address] -P [Endpoint.Port] -u USER_NAME -p
```
Create the user (IAM authentication):
```sql
CREATE USER USER_NAME IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
```
Grant the permissions:
```sql
GRANT SHOW DATABASES ON *.* TO 'USER_NAME'@'%';
GRANT CREATE USER ON *.* TO 'USER_NAME'@'%';
GRANT UPDATE ON mysql.* TO 'USER_NAME'@'%';
GRANT PROCESS ON *.* TO 'USER_NAME'@'%';
GRANT SELECT ON *.* TO 'USER_NAME'@'%';
GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'USER_NAME'@'%';
GRANT GRANT OPTION ON *.* TO 'USER_NAME'@'%';
```
Policy for the connector role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:::dbuser:*/USER_NAME",
      "Effect": "Allow"
    }
  ]
}
```
Policy for the identity center permission set or role, created with the AWS CLI:
```shell
aws iam create-policy --policy-name RDSConnectPolicy --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": [
        "arn:aws:rds:*:*:db:*"
      ]
    }
  ]
}'
```
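Both the PostgreSQL connector policy earlier on this page and the MySQL policies above pin rds-db:connect to a single database user; a wildcard in that position would let the caller connect as any IAM-enabled user on the instance. The following added example (not Apono's or AWS's code) lints policy documents for that property. The CONNECTOR_POLICY and IDENTITY_CENTER_POLICY constants reproduce the page's documents; OVERBROAD_POLICY is a constructed counter-example.

```python
"""Lint IAM policies that grant rds-db:connect for IAM database authentication.

Added example, not Apono's or AWS's code. It parses the policy documents this
page asks you to attach (the connector-role policy pinned to the apono_connector
user, and the Identity Center policy keyed on ${SAML:sub}) and flags grants
whose rds-db dbuser ARN leaves the database user as a wildcard.
OVERBROAD_POLICY is a constructed counter-example.
"""

RDS_CONNECT = "rds-db:connect"

# Policy from this page for the Apono connector role (PostgreSQL section).
CONNECTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:*:*:dbuser:*/apono_connector",
            "Effect": "Allow",
        }
    ],
}

# Policy from this page for the identity center permission set or role.
IDENTITY_CENTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["rds-db:connect"],
            "Resource": ["arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"],
        },
        {
            "Effect": "Allow",
            "Action": ["rds:DescribeDBInstances"],
            "Resource": ["arn:aws:rds:*:*:db:*"],
        },
    ],
}

# Constructed counter-example: the database user field is a wildcard.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds-db:connect", "Resource": "arn:aws:rds-db:*:*:dbuser:*/*"}
    ],
}


def parse_rds_db_arn(arn: str):
    """Split arn:aws:rds-db:REGION:ACCOUNT:dbuser:RESOURCE_ID/DB_USER into fields.

    Returns None when the string is not an rds-db dbuser ARN.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "rds-db":
        return None
    resource = parts[5]
    if not resource.startswith("dbuser:") or "/" not in resource:
        return None
    resource_id, db_user = resource[len("dbuser:"):].split("/", 1)
    return {"region": parts[3], "account": parts[4], "resource_id": resource_id, "db_user": db_user}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def connect_grants(policy: dict):
    """Yield (statement_index, resource) for each Allow that covers rds-db:connect."""
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in (RDS_CONNECT, "rds-db:*", "*") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            yield index, resource


def allowed_db_users(policy: dict) -> set:
    """Database user names (or policy variables such as ${SAML:sub}) the policy permits."""
    users = set()
    for _, resource in connect_grants(policy):
        if resource == "*":
            users.add("*")
            continue
        fields = parse_rds_db_arn(resource)
        if fields is not None:
            users.add(fields["db_user"])
    return users


def lint_rds_connect_policy(policy: dict) -> list:
    """Human-readable findings; an empty list means every grant is pinned to a db user."""
    findings = []
    for index, resource in connect_grants(policy):
        if resource == "*":
            findings.append(f"statement {index}: rds-db:connect on '*' allows any database user on any instance")
            continue
        fields = parse_rds_db_arn(resource)
        if fields is None:
            findings.append(f"statement {index}: {resource!r} is not an rds-db dbuser ARN")
        elif fields["db_user"] in ("", "*"):
            findings.append(f"statement {index}: database user is a wildcard in {resource!r}; pin it to the connector's user")
    return findings
```

Run lint_rds_connect_policy over each policy before attaching it: the page's two documents produce no findings, while the constructed wildcard policy produces one. The region and account fields are left as wildcards on the page, so the check deliberately looks only at the user field; narrowing the ARN to the instance's DbiResourceId and account is a further tightening you can apply per environment.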
Create an integration to manage access to a Kubernetes cluster on AWS
Elastic Kubernetes Service (EKS) on AWS simplifies the management complexities of running Kubernetes.
Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.
Authentication can be completed with an Identity and Access Management (IAM) user or an IAM role. To grant a user access to an EKS cluster, the IAM user or IAM role must be mapped to a specific user identifier, such as an email address. Apono supports this mapping with an IAM role through AWS SSO or SAML federation from any identity provider (IdP).
Follow these steps to create a new policy:
1. Under Access management on the IAM page in AWS, click Policies > Create policy. The Specify permission page appears.
2. Click JSON.
3. Replace the default policy with the following policy. Be sure to replace the placeholder.
Follow these steps to create the IAM role:
1. Under Access management on the IAM page in AWS, click Roles > Create role. The Select trusted entity page appears.
2. Under Trusted entity type, select Custom trust policy.
3. Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.
4. Click Next. The Add permissions page appears.
5. Under Permissions policies, select the newly created policy.
6. Click Next. The Name, review, and create page appears.
7. For the Role name, enter
Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or the EKS API.
Learn more about editing the aws-auth ConfigMap.
Follow these steps to authenticate the cluster with the ConfigMap:
1. Log into the EKS cluster with a user account that has the cluster admin permission.
Now you can complete the integration.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
1. On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
2. Under Discovery, click one or more resource types to sync with Apono.
3. Click Next. The Apono connector section appears.
4. From the dropdown menu, select a connector.
5. Click Next. The Integration Config section expands.
6. Define the Integration Config settings.
7. Click Next. The Secret Store section expands.
8. (Optional) Define the Secret Store settings.
9. Click Next. The Get more with Apono section expands.
10. Define the Get more with Apono settings.
11. Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.
After a user gains access to an EKS resource, the user must authenticate with the cluster. To do so, the user must assume the IAM role created above.
The following table shows two approaches to assume this role.
<AWS_ACCOUNT_ID>: AWS account ID where the EKS is hosted
To finish creating the policy, click Next (the Review and create page appears), enter a Policy name, which is used to identify this policy, and click Create policy.
To finish creating the role, enter required for k8s access managed by Apono as the Description, then click Create role.
To authenticate the cluster with the ConfigMap, edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder.
<AWS_ACCOUNT_ID>: AWS account ID where the EKS is hosted
Follow these steps to authenticate the cluster with the EKS API:
1. Change the authentication mode to EKS API.
2. For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
3. For the Username, use apono:{{SessionName}}.
4. Choose Cluster as the access scope.
Credential Rotation: (Optional) Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days): (Optional) Defines the number of days after access has been revoked that the user should be deleted. Learn more about Periodic User Cleanup & Deletion.
Custom Access Details: (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 charac­ters. To view the message as it appears to end users, click Preview.
Integration Owner: (Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
1. From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
2. From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner: (Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
1. Enter a Key name. This value is the name of the tag created in your cloud environment.
2. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Prerequisites:
Apono Connector: Connection installed on the EKS cluster that serves as a bridge between the cluster and Apono.
Apono Premium: Apono plan providing all available features and dedicated account support.
Cluster Admin Access: Admin access to the cluster to integrate. The cluster admin access can be the built-in cluster-admin role or an equivalent permission level. Apono does not require admin permissions to the Kubernetes environment.
EKS Cluster Name: Unique name of the cluster to integrate.
AWS SSO | SAML Federation: Authentication for the requester. Security Assertion Markup Language (SAML) federation for authentication can be provided by providers such as Okta, OneLogin, JumpCloud, and Ping Identity.
Placeholders for the trust policies:
<AWS_ACCOUNT_ID>: AWS account ID where the EKS is hosted
<SAML_PROVIDER>: Identity provider name
Integration Config settings:
Integration Name: Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow.
Server URL: (Optional) URL of the Kubernetes API server used to interact with the Kubernetes cluster.
Certification Authority: (Optional) Certificate that ensures that the Kubernetes API server is trusted and authentic. Leave this field empty if you want to connect the cluster where the connector is deployed.
EKS Cluster Name: Unique name of the cluster to integrate.
AWS Role Name: (Optional) Role defined for the connector.
Region: (Optional) Location where the AWS Elastic Kubernetes cluster is deployed.
Assuming the role after access is granted:
AWS CLI: In the AWS CLI, run the aws sts assume-role command. Be sure to replace the placeholders.
Config File: Edit ~/.aws/config to contain the following profile. Be sure to replace the placeholders.
Placeholders:
<AWS_ACCOUNT_ID>: AWS account ID where the EKS is hosted
<EMAIL>: User email listed in the IdP

IAM policy (replace <AWS_ACCOUNT_ID>):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
    }
  ]
}
```
Trust policy for AWS SSO (replace <AWS_ACCOUNT_ID>):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "sts:RoleSessionName": "${SAML:sub}"
        },
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
            "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
          ]
        }
      }
    }
  ]
}
```
Trust policy for SAML federation (replace <AWS_ACCOUNT_ID> and <SAML_PROVIDER>):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```
AWS CLI:
```shell
aws sts assume-role \
  --role-arn arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access \
  --role-session-name <EMAIL> \
  --duration-seconds 3600
```
Config File (~/.aws/config):
```ini
[profile apono-k8s-access]
role_arn = arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access
role_session_name = <EMAIL>
source_profile = default
```
aws-auth ConfigMap mapRoles entry (replace <AWS_ACCOUNT_ID>):
```yaml
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"
```
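The AWS SSO trust policy above only admits an AssumeRole call whose session name equals the caller's federated subject and whose principal is an Identity Center reserved role, which is what lets the cluster map the session name back to a person. The following added example (not Apono's or AWS's code) models those two conditions for a single request and the username template substitution. It simplifies IAM evaluation to one Allow statement with single-valued context keys and no Deny; the policy variable is substituted from a request context supplied by the caller. The transliteration of "@" to "-" for {{SessionName}} follows aws-iam-authenticator's documented template behaviour, while {{SessionNameRaw}} is left untouched. Account ID, ARNs and e-mail addresses are constructed sample values.

```python
"""Model the EKS access role's trust-policy checks and the username mapping.

Added example, not Apono's or AWS's code. Reimplements, for one sts:AssumeRole
request, the two conditions in the AWS SSO trust policy on this page (ArnLike on
aws:PrincipalArn, StringEqualsIgnoreCase on sts:RoleSessionName with the
${SAML:sub} variable substituted from the request context), then applies the
{{SessionName}} / {{SessionNameRaw}} username templates. Simplifications: one
Allow statement, single-valued context keys, no Deny. All identifiers below
are constructed sample values.
"""
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"  # constructed sample account id

# The page's AWS SSO trust policy with the <AWS_ACCOUNT_ID> placeholder filled in.
TRUST_POLICY_SSO = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {"sts:RoleSessionName": "${SAML:sub}"},
                "ArnLike": {
                    "aws:PrincipalArn": [
                        f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*",
                    ]
                },
            },
        }
    ],
}

# Constructed request context: an Identity Center permission-set role session
# assuming apono-k8s-access with the user's e-mail as the session name.
SAMPLE_REQUEST = {
    "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DevOps_0123456789abcdef",
    "sts:RoleSessionName": "Alice@Example.com",
    "SAML:sub": "alice@example.com",
}


def substitute(value: str, context: dict) -> str:
    """Replace IAM policy variables such as ${SAML:sub} with request-context values."""
    for key, val in context.items():
        value = value.replace("${" + key + "}", val)
    return value


def condition_holds(operator: str, expected, actual: str, context: dict) -> bool:
    """Evaluate one condition operator for a single-valued context key."""
    patterns = expected if isinstance(expected, list) else [expected]
    patterns = [substitute(p, context) for p in patterns]
    if operator == "ArnLike":
        # ArnLike is a case-sensitive glob over the whole ARN; '*' and '?' are wildcards.
        return any(fnmatchcase(actual, p) for p in patterns)
    if operator == "StringEqualsIgnoreCase":
        return any(actual.lower() == p.lower() for p in patterns)
    raise ValueError(f"operator not modelled: {operator}")


def assume_role_allowed(policy: dict, context: dict) -> bool:
    """True if an Allow statement for sts:AssumeRole has every condition satisfied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                # A condition key missing from the request context never matches.
                if key not in context or not condition_holds(operator, expected, context[key], context):
                    satisfied = False
        if satisfied:
            return True
    return False


def k8s_username(template: str, session_name: str) -> str:
    """Apply the aws-auth / access-entry username template to a role session name."""
    transliterated = session_name.replace("@", "-")  # aws-iam-authenticator behaviour for {{SessionName}}
    return template.replace("{{SessionNameRaw}}", session_name).replace("{{SessionName}}", transliterated)


if __name__ == "__main__":
    print("allowed:", assume_role_allowed(TRUST_POLICY_SSO, SAMPLE_REQUEST))
    print("EKS API username:", k8s_username("apono:{{SessionName}}", SAMPLE_REQUEST["sts:RoleSessionName"]))
    print("ConfigMap username:", k8s_username("{{SessionNameRaw}}", SAMPLE_REQUEST["sts:RoleSessionName"]))
```

Try it with a mismatched session name or a non-SSO principal ARN: both are refused, which is the property the audit trail relies on, since the Kubernetes username is derived from the session name rather than from anything the requester could choose freely.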

Amazon S3 (Simple Storage Service) object storage integration with Apono enables granular permission provisioning
This guide has been moved. Please visit the new guide instead.
If your organization encrypts S3 buckets with Customer Managed Keys (KMS keys), users need access to the key to decrypt the data when they gain JIT access to a bucket.
Apono supports this use case by granting access to both the bucket and the key when users request access. If S3 buckets have KMS keys in their metadata, users who request access to those buckets also gain access to the KMS key without having to create an extra request.