# AWS Filtering

We'll go through all the available access-types for AWS request filtering.

### Filtering on tags

Policies and permission sets can be filtered based on their tags in AWS. To do this, use the `tag` access-type. The key is the tag key, and the pattern matches on the tag value.

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep|remove|removeAll
      key: <tag key>
      pattern: <regex pattern>
```

#### Allow requesting only policies and permission sets with the tag "environment" set to "dev":

```
resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep
      key: environment
      pattern: ^dev$
```

### Filtering on IAM groups

To filter on IAM group requests, we can use the `group` access-type. There is a single available key, `name`, which refers to the name of the IAM group.

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    group:
      effect: keep|remove|removeAll
      key: name
      pattern: <regex pattern>
```

#### Allow requesting any IAM group except for "Admin":

```
resource:
  type: integration
  service: aws
  filters:
    group:
      effect: remove
      key: name
      pattern: ^Admin$
```

### Filtering on permission sets

To filter on Identity Center permission set requests, we can use the `permission-set` access-type. There are two available keys, `name` (the name of the permission set) and `arn` (the ARN of the permission set).

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep|remove|removeAll
      key: name | arn
      pattern: <regex pattern>
```

#### Allow requesting only permission sets with "project-1" in the name:

```
resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep
      key: name
      pattern: project-1
```

### Filtering on policies

To filter on IAM policy requests, we can use the `policy` access-type. There is a single available key, `arn`, which refers to the ARN of the IAM policy.

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep|remove|removeAll
      key: arn
      pattern: <regex pattern>
```

#### Allow requesting only AmazonS3 predefined policies

```
resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep
      key: arn
      pattern: ^arn:aws:iam::aws:policy/AmazonS3
```

### Filtering on resources

To filter on permission requests, we can use the `resource` access-type. There are 3 available keys:

* `name`: This is the name of the resource.
* `service`: This is the AWS service that the resource belongs to: for example, `s3` or `sagemaker`. It is the third colon-separated field of the resource ARN, directly after `arn:aws:`. For example, if the ARN is `arn:aws:iam::391052057035:role/AmazonEKSNodeRole`, the service is `iam`.
* `arn`: This is the ARN of the resource.

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|service|arn
      pattern: <regex pattern>
```

#### Allow requesting only S3 resources

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: service
      pattern: ^s3$
```

#### Allow requesting any resource except for IAM resources

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: service
      pattern: ^iam$
```

#### Allow requesting any resource containing "project-1" in the name

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: name
      pattern: project-1
```

#### Allow requesting only S3 buckets with names starting with "dev"

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: arn
      pattern: ^arn:aws:s3:::dev
```

#### Allow requesting any resource except for the S3 bucket named "top-secret-bucket"

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: arn
      pattern: ^arn:aws:s3:::top-secret-bucket$
```
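The rules above all share one shape (an access-type, an `effect`, a `key` and a regex `pattern`), so the evaluation logic is easy to reason about once it is written down. The following Python is an added illustration, not p0's own implementation. It assumes that patterns are applied with `re.search` (so an unanchored pattern such as `project-1` matches anywhere in the value, while `^dev$` must match the whole value), that `keep` retains only matching items and `remove` drops matching items, and that a resource's `name` is the last `/`- or `:`-separated segment of its ARN. `removeAll` is not defined on this page and is deliberately left unimplemented. The sample inventory and the `123456789012` account id are constructed for the example.

```python
"""Evaluate p0-style AWS filter rules against a sample resource inventory.

Added example, not p0's code. Assumptions are marked in comments.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Resource:
    arn: str
    tags: dict = field(default_factory=dict)

    @property
    def service(self) -> str:
        # Service is the third colon-separated ARN field: arn:aws:<service>:...
        return self.arn.split(":", 3)[2]

    @property
    def name(self) -> str:
        # Assumption: the resource name is the last '/' or ':' segment of the ARN,
        # e.g. "AmazonEKSNodeRole" for arn:aws:iam::123456789012:role/AmazonEKSNodeRole
        return re.split(r"[:/]", self.arn)[-1]


def apply_filter(items, access_type, effect, key, pattern):
    """Apply one filter (one access-type block) and return the surviving items.

    access_type: "tag" looks the key up in the item's tags; any other access-type
                 ("resource", "policy", ...) reads the attribute named by key.
    effect:      "keep" retains only matching items, "remove" drops matching items.
                 "removeAll" is not specified on the page and raises here.
    """
    if effect not in ("keep", "remove"):
        raise ValueError(f"unsupported effect {effect!r} (removeAll is not defined in this example)")
    regex = re.compile(pattern)
    survivors = []
    for item in items:
        value = item.tags.get(key) if access_type == "tag" else getattr(item, key)
        # Assumption: unanchored search semantics; a missing tag never matches.
        matched = value is not None and regex.search(value) is not None
        if (effect == "keep") == matched:
            survivors.append(item)
    return survivors


def apply_rule(rule, items):
    """Apply every access-type block under resource.filters in turn."""
    result = list(items)
    for access_type, spec in rule["resource"]["filters"].items():
        result = apply_filter(result, access_type, spec["effect"], spec["key"], spec["pattern"])
    return result


def names(items):
    return [item.name for item in items]


# Constructed inventory; the account id is a placeholder.
SAMPLE = [
    Resource("arn:aws:s3:::dev-data-lake", {"environment": "dev"}),
    Resource("arn:aws:s3:::top-secret-bucket", {"environment": "prod"}),
    Resource("arn:aws:iam::123456789012:role/AmazonEKSNodeRole", {"environment": "dev"}),
    Resource("arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/project-1-nb",
             {"environment": "development"}),
]

# The "Allow requesting only S3 resources" rule from the page, as a dict.
EXAMPLE_RULE = {
    "resource": {
        "type": "integration",
        "service": "aws",
        "filters": {"resource": {"effect": "keep", "key": "service", "pattern": "^s3$"}},
    }
}

if __name__ == "__main__":
    print("only S3:", names(apply_rule(EXAMPLE_RULE, SAMPLE)))
    print("all but IAM:", names(apply_filter(SAMPLE, "resource", "remove", "service", "^iam$")))
    print("tag environment=dev:", names(apply_filter(SAMPLE, "tag", "keep", "environment", "^dev$")))
```

Two behaviours worth noticing when running it: the anchored tag pattern `^dev$` excludes the `development` notebook, whereas an unanchored `dev` would admit it; and a stray character after the `$` anchor (as in `^dev$.`) makes the pattern match nothing at all, so a `keep` rule with that pattern silently filters out every resource.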
