AWS Server Discovery

This is an Early Access feature. To enable it, contact Okta Support.

AWS Server Discovery automates the process of discovering, managing, and removing Amazon Web Services (AWS) cloud servers from an Advanced Server Access project. This functionality provides the following benefits:

  • Helps you identify newly provisioned AWS servers that aren’t yet protected by Advanced Server Access
  • Syncs your AWS inventory in near real-time so you can always locate available servers

Server Discovery

AWS Server Discovery requires a team to connect one or more AWS accounts to an Advanced Server Access project. A daily server discovery job then runs for each cloud account and synchronizes the list of servers with AWS. Each job runs at the time of day its cloud account was originally connected. For example, if a cloud account was connected at 12:30, the job runs every day at 12:30. If multiple cloud accounts are connected, a separate job runs for each account at that account's connection time.

If an unknown EC2 instance is found, a new server is added to the connected Advanced Server Access project. After the server is discovered, admins must still install the Advanced Server Access server agent. During this installation, admins can use an enrollment token to add the server to a different project.

While a team can add multiple AWS accounts to a single project, a single AWS account can't be shared between multiple projects. After being connected to a project, the AWS account can't be associated with any other Advanced Server Access teams or projects.

Servers can’t belong to multiple projects; if a server is already enrolled in a project, the server discovery job skips adding the server to the current project. Additionally, if Advanced Server Access can’t locate a previously discovered server, it’s removed from the available project inventory.

An Amazon Resource Name (ARN) is required for Server Discovery and Cloud Auto-enrollment to work correctly.

To get started, see Connect an AWS account.

Real-time sync

Real-time sync allows Advanced Server Access to subscribe to compute instance events generated by AWS. These events commonly occur when a compute instance is launched or terminated. Normally, server discovery happens daily, but real-time sync can add or remove servers as soon as Advanced Server Access receives a notification.

It may take up to ten minutes before server changes are synchronized with Advanced Server Access.

IMDSv1 support

The Advanced Server Access server agent gathers information from the IMDSv1 endpoint when installed on an AWS EC2 instance. This information is used to facilitate user connections through the Advanced Server Access client and allows Advanced Server Access to map servers discovered with the AWS Server Discovery feature to servers enrolled with the server agent.

Some teams may prefer to not use the IMDSv1 endpoint. These teams can instead manually define the same information by deploying server agent configuration files to each EC2 instance. For details, see Configure and use the Advanced Server Access server agent. Within the configuration file, modify the following options:

  • AccessAddress: Set to the external IP address for the EC2 instance.
  • CanonicalName: Set to the internal hostname for the EC2 instance.

This change allows teams to work around the IMDSv1 requirement, while still protecting their AWS EC2 instances with Advanced Server Access. IMDSv2 support will be added at a future date.
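As an added example (not Okta's code and not part of this documentation), the following script gathers the two values the agent would otherwise read from IMDSv1 by calling the token-based IMDSv2 endpoint instead, and writes them into the agent configuration file. The config path /etc/sft/sftd.yaml, the metadata paths used, and the helper names are assumptions; the agent's own IMDSv1 lookup is simply never involved.

```shell
#!/bin/sh
# Added example: populate AccessAddress and CanonicalName from IMDSv2 so the
# Advanced Server Access agent does not need to query IMDSv1 itself.
# Assumptions: the agent reads YAML from /etc/sft/sftd.yaml (assumed path) and
# curl is installed on the EC2 instance.

IMDS="http://169.254.169.254"
SFTD_CONFIG="${SFTD_CONFIG:-/etc/sft/sftd.yaml}"   # assumed agent config path

# Fetch one metadata path using IMDSv2: request a short-lived session token,
# then present it on the metadata request. No IMDSv1 (token-less) call is made.
imds_get() {
    token=$(curl -sS -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -sS -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/$1"
}

# Render the two keys the documentation lists. Pure function: values arrive as
# arguments so it can be exercised without network access.
render_sftd_config() {
    access_address="$1"
    canonical_name="$2"
    # Refuse empty values: a blank AccessAddress would enroll a server that
    # clients cannot reach, and a blank CanonicalName breaks discovery mapping.
    [ -n "$access_address" ] && [ -n "$canonical_name" ] || return 1
    printf 'AccessAddress: "%s"\nCanonicalName: "%s"\n' \
        "$access_address" "$canonical_name"
}

# Gather the external IP and internal hostname from IMDSv2 and write the file.
# Run on the instance (as root) before starting the server agent.
write_sftd_config() {
    addr=$(imds_get public-ipv4) || return 1
    name=$(imds_get local-hostname) || return 1
    render_sftd_config "$addr" "$name" > "$SFTD_CONFIG"
}
```

Because this populates the same fields the agent would read from IMDSv1, the page's note about duplicate servers still applies: don't combine it with AWS Server Discovery.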

To avoid the creation of duplicate servers, Okta recommends not using the AWS Server Discovery feature if also using this workaround.