reference deployment

Okta Advanced Server Access on AWS

Streamlines your management of Amazon EC2 access with Okta software

View deployment guide

This Partner Solution deploys Okta Advanced Server Access (Okta ASA) to the Amazon Web Services (AWS) Cloud. It's for systems administrators who deploy and manage Amazon Elastic Compute Cloud (Amazon EC2) instances. It helps secure remote access and control local accounts and permissions using Okta software.

After you deploy this Partner Solution, access to Amazon EC2 instances is authenticated and authorized through an Okta single-sign-on workflow. This workflow, which can provide contextual multifactor authentication, mitigates the risk of credential theft and misuse. It also reduces the need to wrap additional controls and management layers around secrets.

Specifically, this Partner Solution provides a mechanism for managing the lifecycle of local EC2-instance user and group accounts and their machine-level permissions. These things are sourced directly from the Okta Identity Cloud. When you use Okta ASA as your authentication mechanism to EC2 instances, you don’t rely on static credentials to log in. Instead, Okta uses a dynamic, ephemeral, one-time access token that ties directly to the user’s least-privileged access profile in the central Okta identity database.

You can access Linux EC2 instances using Secure Shell (SSH) or Windows EC2 instances using Remote Desktop Protocol (RDP). By default, this Partner Solution sets up SSH access to Linux EC2 instances.

This Partner Solution was developed by Okta in collaboration with AWS. Okta is an AWS Partner.

  •  What you'll build

  • This Partner Solution sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual public cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • A Linux bastion host in an Auto Scaling group. This host has the Okta server agent installed. It shares a configuration to act as the bastion for SSH access to EC2 instances in the private subnets.
    • In the private subnets, a Linux EC2 instance (target host) in an Auto Scaling group. This target host has the Okta server agent installed and is configured to be accessible only through the Linux bastion host in the public subnet.*

    * The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

    Quick Start architecture for Okta ASA on AWS
  •  How to deploy

  • To deploy this Partner Solution, follow the instructions in the deployment guide, which includes these steps.

    1. Create an Okta ASA project, and configure instance enrollment.
    2. If you don't already have an AWS account, sign up at https://aws.amazon.com, and sign in to your account.
    3. Launch the Partner Solution. The stack takes about 30 minutes to deploy. Before you create the stack, choose the AWS Region from the top toolbar. Choose one of the following options:
    4. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

    View deployment guide for details
  •  Costs and licenses

  • This Partner Solution requires a license for Okta Advanced Server Access. This product is backed by the Okta Identity Cloud for user and group management, account-lifecycle management, single sign-on, and multifactor authentication.

    To use the Partner Solution in your production environment, sign up for Okta ASA. Follow the instructions to create an Okta ASA tenant backed by a new or existing Okta tenant. You don’t need a license file to deploy the software to the AWS Cloud.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?