Simplifying AWS Access: Auto creation of Border0 services based on EC2 tags

If you recently created a new AWS environment, you likely made yourself the following promise: I'm going to automate the creation and management of all resources in this account, using my favorite Infrastructure as Code (IaC) tool, such as Terraform, Pulumi, or AWS CloudFormation.

Talking to cloud practitioners worldwide, this is certainly the trend and, wherever possible, the preferred way. If you're using Terraform to manage your infrastructure, then you're already able to use the Border0 Terraform provider to make sure new resources are automatically added to Border0.

But what if you're not using Terraform? Perhaps you're all in on CloudFormation, or you're only halfway through your automation journey and still have some manually created resources. Or perhaps you have Auto Scaling groups that create new EC2 instances on demand and remove them again.

Ideally, those resources are also automatically added to your access management solution, like Border0. Today we're announcing a solution for exactly this use case! Check out the demo below to see it in action.

Introducing a Streamlined Discovery to Creation Process

It all starts with the Border0 connector's existing capability to auto-discover resources across AWS services, including EC2, ECS, EKS, and RDS clusters, Docker containers, and Kubernetes services. This discovery feature enables administrators to find resources quickly and integrate them into Border0 with minimal effort, making them readily available to their teams.

Supported Auto Discovery plugins

The discovery plugins allow you to quickly and easily discover what resources your connector has access to. Once a resource is discovered, administrators can add it to their Border0 account with just two clicks and make it available to their team. Super easy!

List of discovered EC2 instances

Automating the Socket Creation

So the logical next question we received from our users was, “instead of manually creating these services (we call them Sockets), can Border0 create the service for me automatically, based on a set of predefined rules?”

We’re pleased to share that this functionality is now a reality!

Creating Border0 services based on EC2 tags

Using the auto creation feature, you can now define rules that control Socket creation based entirely on EC2 instance tags.

To use this feature, all you need is an auto creation rule, which lets you define your intended outcome. By leveraging EC2 instance tags, users can define auto creation rules that specify the conditions under which Border0 Sockets (services) are created. Each rule specifies the resource type (EC2, ECS, RDS), the access method (such as SSM or EC2 Instance Connect), and which Border0 access policies to attach to the Socket. Whether a rule applies is determined by matching tags on the EC2 instances.

Creating an auto creation rule

In the example screenshot above, we've created an auto creation rule that applies to all EC2 instances the connectors discover that carry the tag border0_enabled = true. When we discover an EC2 instance that matches these criteria, we automatically create an SSH Socket, attach the defined policies and, in this case, instruct the connector to use SSM to connect to the EC2 server.

As an administrator you can create many of these rules, allowing you to configure your setup for your specific needs and environment.

The last step is to attach your rules to your connectors, and that's it: your EC2 instances will now automatically be discovered and added to your Border0 environment, all without human intervention.

Attaching the auto create rules to your Connector
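To make the rule semantics above concrete, here is a small dry-run evaluator, added as an example for this post. It is not Border0's implementation or API: the rule and instance structures, the "first matching rule wins" ordering, and the instance data are all constructed assumptions. It models what the post describes (a rule carries a resource type, a set of tags that must all match, an access method and the policies to attach) and reports which discovered instances would get a Socket and which would not, so an administrator can check a rule set before attaching it to a connector.

```python
"""Dry-run evaluator for tag-based auto creation rules (hypothetical model).

Assumptions (not Border0's implementation):
- a rule matches when the resource type is equal and every tag in
  match_tags is present on the instance with exactly that value (AND);
- rules are evaluated in order and the first match wins;
- AWS tag keys and values are case-sensitive, so "True" != "true".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AutoCreateRule:
    name: str
    resource_type: str      # "ec2", "ecs", "rds"
    match_tags: dict        # every key/value pair must match on the instance
    socket_type: str        # e.g. "ssh"
    access_method: str      # e.g. "ssm" or "ec2_instance_connect"
    policies: tuple         # Border0 policy names to attach to the Socket


@dataclass(frozen=True)
class DiscoveredInstance:
    instance_id: str
    resource_type: str
    tags: dict


def rule_matches(rule: AutoCreateRule, inst: DiscoveredInstance) -> bool:
    """True when the rule's resource type and all of its tags match."""
    if rule.resource_type != inst.resource_type:
        return False
    # dict.get returns None for a missing key, so a missing tag never matches.
    return all(inst.tags.get(k) == v for k, v in rule.match_tags.items())


def plan_sockets(rules, instances):
    """Return the Sockets that would be created, one per matched instance."""
    plan = []
    for inst in instances:
        for rule in rules:                  # first matching rule wins
            if rule_matches(rule, inst):
                plan.append({
                    "instance_id": inst.instance_id,
                    "rule": rule.name,
                    "socket_type": rule.socket_type,
                    "access_method": rule.access_method,
                    "policies": rule.policies,
                })
                break
    return plan


def unmatched(rules, instances):
    """Instances no rule applies to; useful to spot tag typos or case mismatches."""
    return [i for i in instances if not any(rule_matches(r, i) for r in rules)]


# Constructed rule set: the more specific rule is listed first on purpose.
RULES = (
    AutoCreateRule("prod-ssh-ssm", "ec2", {"border0_enabled": "true", "env": "prod"},
                   "ssh", "ssm", ("prod-admins",)),
    AutoCreateRule("ssh-via-ssm", "ec2", {"border0_enabled": "true"},
                   "ssh", "ssm", ("engineering",)),
)

# Constructed sample of what a connector's discovery might return.
INSTANCES = (
    DiscoveredInstance("i-0000000000000001", "ec2",
                       {"Name": "web-1", "border0_enabled": "true", "env": "prod"}),
    DiscoveredInstance("i-0000000000000002", "ec2",
                       {"Name": "batch-1", "border0_enabled": "true"}),
    DiscoveredInstance("i-0000000000000003", "ec2",
                       {"Name": "legacy-1", "border0_enabled": "True"}),   # wrong case
    DiscoveredInstance("i-0000000000000004", "rds",
                       {"border0_enabled": "true"}),                      # no rds rule
)


if __name__ == "__main__":
    for entry in plan_sockets(RULES, INSTANCES):
        print("CREATE", entry)
    for inst in unmatched(RULES, INSTANCES):
        print("SKIP  ", inst.instance_id, inst.tags)
```

Running it shows two Sockets planned (the prod instance picks up the stricter rule and its `prod-admins` policy, the batch instance falls through to the generic rule) and two instances skipped: the one tagged `True` instead of `true`, and the RDS instance, for which no rule exists. Checking the skipped list is the quick way to catch a tag that was meant to match but does not.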

Wrap up

In this blog we saw how the integration of discovery and auto-creation functionalities within Border0 significantly simplifies access management in AWS environments. This is especially powerful in environments where resources such as EC2 instances are ephemeral.

With auto creation rules, Border0 administrators can now easily define rules that automate the creation of Border0 Sockets based on AWS resource tags, and use those same tags and rules to attach access policies. The seamless integration with AWS access methods such as EC2 Instance Connect and AWS SSM ensures that access management is now effortless and streamlined, even for your dynamic infrastructure environments.

But don't just take my word for it: we invite you to give it a try using our free community edition and see for yourself how easy it is to get going with Border0. Discover your resources and access your infrastructure using a modern privileged access management tool, built for today's cloud-native environments.

Also, check out the demo video below, showcasing the auto-create feature.
