P0 App Documentation
Sign up for FreeSandbox
  • What Is P0?
    • πŸŽ›οΈIAM Dashboard
    • πŸ”ŽAccess Inventory
    • πŸͺ‘IAM Posture
    • ⏱️Just-In-Time Access
    • ♻️Service-Account Key Rotation
  • Getting Started
    • ⬇️Quick Start
    • 🎁Share P0 With Your Team
  • INVENTORY
    • πŸ—ΊοΈAccess Inventory
    • πŸ”¬Result Details
    • ❔Query Search
      • πŸ“–Search Reference
  • Posture
    • βš–οΈPosture Overview
  • Monitor Results
  • πŸ€”Finding Details
  • ORCHESTRATION
    • ⏰Just-in-time access
      • πŸ–οΈRequesting Access
        • πŸ‘‰For Another Party
      • 🏁Approving Access
        • Pre-approving Access
      • πŸ”€Request Routing
        • Google Cloud Filtering
        • AWS Filtering
  • Environments
    • ☁️Creating an Environment
    • πŸ““Environment Terminology
    • βš™οΈSettings
  • Integrations
    • πŸ“žNotifier integrations
      • πŸ’¬Slack
      • πŸ‘¬Microsoft Teams
      • πŸ“£Custom Notifier
    • πŸ”‘Resource integrations
      • ☁️Google Cloud
        • Requesting Access
        • Permissions Reference
          • Cloud Storage
          • Compute Engine
      • πŸ“¦AWS
        • Requesting Access
      • ☸️Kubernetes
        • Requesting Access
        • Advanced Requests
      • πŸ”‹PostgreSQL
        • Requesting Access
      • ❄️Snowflake
      • πŸ–₯️SSH
      • GitHub
        • Requesting Access
      • πŸ› οΈCustom Resource
    • πŸ‘₯Directory integrations
      • Microsoft Entra ID
        • Requesting Access
      • Google Workspace
      • Integrate P0 with Okta
    • βœ”οΈApproval integrations
      • πŸ””PagerDuty
    • πŸ”ŒSIEM Integrations
      • Splunk HEC Setup
  • P0 Management
    • 🎩Role-Based Access Control
Powered by GitBook
On this page
  • Before you begin
  • Setting up AWS IAM management
  • Configuring P0 with AWS
  • Setting up AWS resource inventory
  1. Integrations
  2. Resource integrations

AWS

Last updated 3 days ago

Installing P0 IAM management on AWS takes about 10 minutes.

Before you begin

  • Choose at least one account on which to install P0.

  • Make sure you have the ability to create roles, add trust relationships, and create and assign role polices. You can do this if you have the attached to your user.

Setting up AWS IAM management

For fine-grained Kubernetes access in EKS use the .

  1. Navigate to "Integrations" on , then select "AWS". Choose the "IAM management" component:

  1. Click the "Add account" button to begin the installation

  1. Enter an AWS numeric account ID, then click "Next".

  1. The next page will display commands you can run using the AWS CLI to provision P0. You can also run these commands using AWS Cloud Shell.

  1. Copy and run these commands or use the Terraform configuration to deploy the changes. Click "Next" to verify the installation. If verification is successful you will be taken to the integration configuration page.

Configuring P0 with AWS

On the configuration page, you define how users are provisioned in AWS:

If users are defined in the account's IAM service, choose "As AWS IAM users".

If the user's names equal their email addresses choose "User name is user email".

If users are defined in the account's IAM service, but their user names do not equal their email, you'll need to add a tag to each user you want to allow access via P0. For example, with a tag named "Email":

If users are provisioned via Identity Center (for example, if you provision via SSO), choose "Via AWS Identity Center".

A few requirements apply:

  • P0 must be installed on the account where the Identity Center instance resides

  • Users must be provisioned with user names equal to user email addresses

To finish the configuration select the "Parent AWS account" in which the Identity Center instance resides and click "Next".

If you use an IAM identity provider to sign in users to your AWS account choose "Via a federated identity provider". This is a legacy sign in method. AWS recommends using Identity Center.

Currently only Okta SAML federation is supported via an AWS Account Federation.

Saving the configuration by clicking "Next" automatically applies the following changes to your AWS Account Federation app:

  • Adds a custom attribute managedByP0 to your Okta app's user profile. This allows P0 to clean up dynamically assigned users from your AWS SSO Okta app.

Setting up AWS resource inventory

Installing P0 resource inventory on AWS takes about 10 minutes.

An installed AWS IAM management integration is required

  1. Click "Add account"

  1. Choose one of the AWS accounts already installed for IAM management:

  1. Run the AWS CLI commands to configure Resource Explorer

  1. Click "Next" to validate your setup. You will land on the resource inventory configuration page. Clicking "Next" again takes you back to the Resource inventory overview page.

And that's it. You're all set to start granting just-in-time, least-privileged access to AWS with P0.

An installed is required. Your AWS Account Federation Okta app must be in the same Okta organization as the one installed as the directory integration.

Enables the flag. This allows users to assume AWS roles assigned by P0 directly to their Okta user.

The resource inventory component extends the IAM management integration and allows requesting access in AWS.

Navigate to "Integrations" on , then select "AWS". Choose the "Resource inventory" component:

πŸ”‘
πŸ“¦
Okta directory integration
Join all roles
p0.app
IAMFullAccess managed policy
P0 Kubernetes integration
p0.app
fine-grained resource-level