AWS Integration API
Manage installable components of the P0 Amazon Web Services integration.
This API may change in a non-backward-compatible way. Please inform P0 Security support if you are planning to use it in production in order to receive notifications about changes.
Overview
The P0 AWS Integration API allows you to programmatically manage installable components for integrating Amazon Web Services (AWS) within P0. Each component follows a consistent lifecycle (staging, verification, and configuration) and is typically identified by its AWS account ID.
This API is especially useful for automating cloud access, enabling just-in-time (JIT) permissions, and managing integrations across multiple AWS accounts at scale.
Typical use cases include:
Set up secure, multi-account AWS access for users via P0.
Automatically provision roles and permissions in AWS environments.
Integrate AWS accounts with P0's monitoring or access tools.
Key Concepts
Integration Root Object: Represents the top-level configuration for an AWS integration within your organization.
Components: Installable parts of the integration (e.g., IAM roles, logging, monitoring). Each component is scoped to an AWS account (via its 12-digit ID).
States:
stage: Initial configuration before verification.
configure: Successfully verified, but additional configuration options are still missing.
installed: Ready to be used.
Base Component: Created automatically by P0 as a side effect of creating the first component with the POST method. It contains the GCP service account that P0 assigns to the integration and uses to interact with AWS.
Integration Lifecycle
1. Create the root integration
Before adding components, you must initialize the integration:
POST /o/{orgId}/integrations/aws/config
This sets up the foundation for all further AWS integrations within your organization.
2. Stage a component
Choose a component (e.g., iam-write, access-logs) and stage it by specifying the AWS account ID:
PUT /o/{orgId}/integrations/aws/config/{component}/{id}
{component}: Type of component to install.
{id}: an AWS account ID (12 digits).
Note: The base component is automatically created when you stage the first component.
Installation Components
Base: Core platform layer for authentication, tenant isolation, and routing.
IAM Write: Handles just-in-time access provisioning when requests are approved.
IAM Assessment: Continuously evaluates user permissions against least privilege principles.
Function Caller: Executes user-defined functions or workflows during request processing.
Audit Logging: Provides a tamper-evident trail for compliance and security investigations.
Resource Inventory: Indexes all manageable resources across integrations in real time.
3. Retrieve setup instructions
To configure AWS correctly, retrieve the staged component metadata:
GET /o/{orgId}/integrations/aws/config/{component}/{id}
The response includes a metadata field with the exact parameters (e.g., IAM role ARN, trust policy) needed for setup in AWS.
4. Verify AWS configuration
Once the AWS setup is complete, verify it with:
POST /o/{orgId}/integrations/aws/config/{component}/{id}/verify
P0 will validate the setup by reaching out to AWS.
On success, the component enters the configure state.
5. Review configuration
You can confirm the integration status:
GET /o/{orgId}/integrations/aws/config/{component}/{id}
The item field of the response shows the current state and the configurable fields.
6. Finalize configuration
You may change the integration configuration by passing the desired item field:
POST /o/{orgId}/integrations/aws/config/{component}/{id}/configure
The configure endpoint MUST be called after verify when a new AWS account is installed. The configure endpoint may also be called to change the configuration of an existing AWS account without reinstalling it. In this case, a successful response indicates that P0 has both configured and verified the new configuration.
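The six steps above, driven end to end for one component, as an added example (this is not P0's own client or SDK). It assumes a transport callable send(method, path, body) that returns (status, json_dict); FakeP0 is a constructed in-memory stand-in that applies only the state rules stated in this document, so the example runs offline. A real transport would send the request over HTTPS with the Authorization: Bearer header shown in the endpoint listings below. The apply_in_aws hook is a hypothetical name for whatever the operator runs to create the role and policies from the returned metadata.

```python
"""Stage -> verify -> configure one P0 AWS integration component (added example, not P0 code)."""
import re
from typing import Callable, Optional, Tuple

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Components whose {id} is a 12-digit AWS account ID; function-caller items are Lambda ARNs instead.
ACCOUNT_SCOPED = {"base", "iam-assessment", "iam-write", "access-logs", "inventory"}
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


class P0Error(RuntimeError):
    """Raised when P0 rejects a call (non-2xx status or "ok": false)."""


def component_path(org_id: str, component: str, item_id: str) -> str:
    return f"/o/{org_id}/integrations/aws/config/{component}/{item_id}"


def _call(send: Transport, method: str, path: str, body: Optional[dict] = None) -> dict:
    status, payload = send(method, path, body)
    if status >= 400 or not payload.get("ok", status == 204):  # 204 (DELETE) carries no body
        raise P0Error(f"{method} {path} -> {status}: {payload}")
    return payload


def _expect_state(send: Transport, path: str, *states: str) -> dict:
    """GET the item and fail fast if it is not in one of the expected states."""
    current = _call(send, "GET", path)
    if current["item"]["state"] not in states:
        raise P0Error(f"{path}: state {current['item']['state']!r}, expected one of {states}")
    return current


def install_component(send, org_id, component, item_id, config, apply_in_aws=None):
    """Install a new item; returns the final item dict (state "installed")."""
    if component in ACCOUNT_SCOPED and not ACCOUNT_ID_RE.match(item_id):
        raise ValueError(f"{item_id!r} is not a 12-digit AWS account ID")
    path = component_path(org_id, component, item_id)
    _call(send, "PUT", path)                                    # step 2: stage the item
    staged = _expect_state(send, path, "stage")                 # step 3: read generated metadata
    if apply_in_aws is not None:                                # hypothetical operator hook
        apply_in_aws(staged["metadata"])
    _call(send, "POST", path + "/verify", {"state": "stage"})   # step 4: P0 reads AWS and checks
    _expect_state(send, path, "configure")                      # step 5: review state
    # step 6: configure MUST follow verify for a newly installed account
    _call(send, "POST", path + "/configure", {"state": "configure", **config})
    return _expect_state(send, path, "installed")["item"]


def reconfigure_component(send, org_id, component, item_id, config):
    """Change the config of an installed item; P0 both configures and re-verifies it."""
    path = component_path(org_id, component, item_id)
    _expect_state(send, path, "installed")
    _call(send, "POST", path + "/configure", {"state": "configure", **config})
    return _expect_state(send, path, "installed")["item"]


class FakeP0:
    """Constructed offline stand-in for the P0 API. It enforces only the documented rules:
    verify requires "stage", configure requires "configure" or "installed"."""

    def __init__(self):
        self.items, self.metadata = {}, {}

    def __call__(self, method, path, body=None):
        if method == "POST" and (path.endswith("/verify") or path.endswith("/configure")):
            item_path, action = path.rsplit("/", 1)
            item = self.items.get(item_path)
            if item is None:
                return 404, {"ok": False, "error": "no such item"}
            if action == "verify":
                if item["state"] != "stage" or (body or {}).get("state") != "stage":
                    return 400, {"ok": False, "error": 'state must be "stage"'}
                item["state"] = "configure"
                return 200, {"ok": True}
            if item["state"] not in ("configure", "installed") or (body or {}).get("state") != "configure":
                return 400, {"ok": False, "error": 'state must be "configure"'}
            item.update({k: v for k, v in body.items() if k != "state"})
            item["state"] = "installed"
            return 200, {"ok": True}
        if method == "PUT":
            component, item_id = path.rsplit("/", 2)[-2:]
            self.items[path] = {"label": item_id, "state": "stage"}
            self.metadata[path] = {"roleName": f"P0-{component}", "serviceAccountId": "constructed-sa-id"}
            return 200, {"ok": True}
        if method == "GET" and path in self.items:
            return 200, {"ok": True, "item": dict(self.items[path]), "metadata": dict(self.metadata[path])}
        if method == "DELETE":
            self.items.pop(path, None)
            self.metadata.pop(path, None)
            return 204, {}
        return 404, {"ok": False, "error": "not found"}
```

The state checks after each call matter more than the calls themselves: verify is only accepted while the item is in stage, so an automation that retries blindly will get a 400 once the item has moved on, and the explicit GET between verify and configure is what tells you whether P0 actually reached AWS.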
Base Installation
Configures the foundational connection between P0 and Amazon Web Services. Each item in the configuration represents an AWS account, identified by a 12-digit numeric account ID. This component is automatically created when the first integration is added. It provisions the service account that P0 uses to securely interact with your AWS environment.
Current configuration values for every available Amazon Web Services component.
orgId (path): P0 organization ID
GET /o/{orgId}/integrations/aws/config HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
Successful response
{
"base": {
"ANY_ADDITIONAL_PROPERTY": {
"label": "text",
"state": "configure",
"serviceAccountEmail": "text",
"serviceAccountId": "text"
}
},
"iam-assessment": {
"ANY_ADDITIONAL_PROPERTY": {
"label": "text",
"state": "configure",
"accessAnalyzerArn": "text"
}
},
"iam-write": {
"ANY_ADDITIONAL_PROPERTY": {
"label": "text",
"state": "configure",
"login": {
"type": "iam",
"identity": {
"type": "email"
}
}
}
},
"function-caller": {
"ANY_ADDITIONAL_PROPERTY": {
"label": "text",
"state": "configure"
}
},
"access-logs": {
"ANY_ADDITIONAL_PROPERTY": {
"label": "text",
"state": "configure",
"cloudLakeArn": "text"
}
},
"inventory": {
"ANY_ADDITIONAL_PROPERTY": {
"label": "text",
"state": "configure"
}
}
}
Initialize installation of an AWS account in P0. Creates placeholders for every available Amazon Web Services component. Start with this method when installing an Amazon Web Services account integration for the first time.
orgId (path): P0 organization ID
POST /o/{orgId}/integrations/aws/config HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
{
"ok": true
}
Removes all items in all components of the Amazon Web Services integration from P0. Any configuration present in Amazon Web Services that grants access to P0 has to be removed separately.
orgId (path): P0 organization ID
DELETE /o/{orgId}/integrations/aws/config HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
Removed all items in all components.
No content
Current configuration values for base component.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Base installation
GET /o/{orgId}/integrations/aws/config/base/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
base component
{
"ok": true,
"item": {
"label": "text",
"state": "configure",
"serviceAccountEmail": "text",
"serviceAccountId": "text"
},
"metadata": {}
}
IAM Assessment Component
Enables P0 to evaluate IAM roles, policies, and permissions within your AWS accounts. Each item represents an AWS account, identified by the 12-digit account ID. This component supports governance, policy posture analysis, and inventory visibility features on the P0 platform.
Current configuration values for iam-assessment component.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM assessment
GET /o/{orgId}/integrations/aws/config/iam-assessment/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
iam-assessment component
{
"ok": true,
"item": {
"label": "text",
"state": "configure",
"accessAnalyzerArn": "text"
},
"metadata": {
"roleName": "text",
"inlinePolicy": "text",
"inlinePolicyName": "text",
"trustPolicy": "text",
"serviceAccountId": "text"
}
}
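The metadata returned by GET for a staged item is what an operator turns into an IAM role in AWS. Before doing so it is worth checking that the trust policy only lets the service account named in serviceAccountId assume the role. The following review function is an added example, not P0 code; it assumes trustPolicy and inlinePolicy are IAM policy JSON documents as strings and that the trust policy's Condition must reference serviceAccountId. The sample metadata, including the Google federated-principal shape, is constructed for the example and is not a value documented on this page.

```python
"""Review the trust policy and inline policy from a staged item's metadata (added example, not P0 code)."""
import json
from typing import Dict, List

# Constructed sample in the shape of the GET response's "metadata" field; values are placeholders.
SAMPLE_METADATA: Dict[str, str] = {
    "roleName": "P0IamAssessment",
    "inlinePolicyName": "P0IamAssessmentPolicy",
    "inlinePolicy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["access-analyzer:ListAnalyzers", "access-analyzer:ListFindings"],
                       "Resource": "*"}],
    }),
    "trustPolicy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "accounts.google.com"},   # assumed federation shape
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {"accounts.google.com:aud": "111122223333444455556"}},
        }],
    }),
    "serviceAccountId": "111122223333444455556",
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())


def review_trust_policy(metadata: Dict[str, str]) -> List[str]:
    """Return findings for the trust policy; an empty list means it is scoped as expected."""
    findings: List[str] = []
    sa_id = metadata["serviceAccountId"]
    doc = json.loads(metadata["trustPolicy"])
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if _principal_is_wildcard(st.get("Principal")):
            findings.append(f"statement {i}: wildcard Principal")
        if any(not a.startswith("sts:AssumeRole") for a in _as_list(st.get("Action", []))):
            findings.append(f"statement {i}: non-AssumeRole action in a trust policy")
        # The condition block is where the role is pinned to P0's service account.
        if sa_id not in json.dumps(st.get("Condition", {})):
            findings.append(f"statement {i}: Condition does not pin serviceAccountId {sa_id}")
    return findings


def review_inline_policy(metadata: Dict[str, str]) -> List[str]:
    """Flag Allow statements in the inline policy that grant every action."""
    findings: List[str] = []
    doc = json.loads(metadata["inlinePolicy"])
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", [])):
            findings.append(f"statement {i}: Action * in inline policy {metadata.get('inlinePolicyName')}")
    return findings
```

Run both reviews on the metadata from GET before creating the role; a non-empty result is a reason to stop and raise the question with P0 support rather than proceed to verify.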
Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM assessment
PUT /o/{orgId}/integrations/aws/config/iam-assessment/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
{
"ok": true
}
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM assessment
DELETE /o/{orgId}/integrations/aws/config/iam-assessment/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
Item successfully removed
No content
Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM assessment
state (body): must be "configure"
accessAnalyzerArn (body): ARN of this account's IAM Access Analyzer
POST /o/{orgId}/integrations/aws/config/iam-assessment/{id}/configure HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 48
{
"state": "configure",
"accessAnalyzerArn": "text"
}
{
"ok": true
}
Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM assessment
state (body): must be "stage"
POST /o/{orgId}/integrations/aws/config/iam-assessment/{id}/verify HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"state": "stage"
}
{
"ok": true
}
IAM Management
Allows P0 to manage IAM permissions in your AWS environment. Each item corresponds to an AWS account (12-digit account ID). This component is used for features like Just-in-Time access, where P0 can programmatically assign or revoke IAM policies based on user activity or approval workflows.
Current configuration values for iam-write component.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM management
GET /o/{orgId}/integrations/aws/config/iam-write/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
iam-write component
{
"ok": true,
"item": {
"label": "text",
"state": "configure",
"login": {
"type": "iam",
"identity": {
"type": "email"
}
}
},
"metadata": {
"roleName": "text",
"inlinePolicy": "text",
"inlinePolicyName": "text",
"trustPolicy": "text",
"serviceAccountId": "text"
}
}
Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM management
PUT /o/{orgId}/integrations/aws/config/iam-write/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
{
"ok": true
}
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM management
DELETE /o/{orgId}/integrations/aws/config/iam-write/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
Item successfully removed
No content
Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM management
state (body): must be "configure"
POST /o/{orgId}/integrations/aws/config/iam-write/{id}/configure HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 72
{
"state": "configure",
"login": {
"type": "iam",
"identity": {
"type": "email"
}
}
}
{
"ok": true
}
Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for IAM management
state (body): must be "stage"
POST /o/{orgId}/integrations/aws/config/iam-write/{id}/verify HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"state": "stage"
}
{
"ok": true
}
Function Caller
Allows P0 to invoke AWS Lambda functions on your behalf. Unlike other components, each item in this configuration represents a specific Lambda ARN. This is useful for custom integrations such as automated notifications, policy enforcement, or triggering cloud-native workflows.
Current configuration values for function-caller component.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Function caller
GET /o/{orgId}/integrations/aws/config/function-caller/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
function-caller component
{
"ok": true,
"item": {
"label": "text",
"state": "configure"
},
"metadata": {
"roleName": "text",
"inlinePolicy": "text",
"inlinePolicyName": "text",
"trustPolicy": "text",
"serviceAccountId": "text"
}
}
Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Function caller
PUT /o/{orgId}/integrations/aws/config/function-caller/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
{
"ok": true
}
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Function caller
DELETE /o/{orgId}/integrations/aws/config/function-caller/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
Item successfully removed
No content
Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Function caller
state (body): must be "configure"
POST /o/{orgId}/integrations/aws/config/function-caller/{id}/configure HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"state": "configure"
}
{
"ok": true
}
Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Function caller
state (body): must be "stage"
POST /o/{orgId}/integrations/aws/config/function-caller/{id}/verify HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"state": "stage"
}
{
"ok": true
}
Access Logs
Connects P0 to your AWS CloudTrail logs for audit and monitoring purposes. Each configuration item corresponds to an AWS account and allows P0 to read access logs. This enables audit trails and visibility into user actions across your cloud environment.
Current configuration values for access-logs component.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Access Logging
GET /o/{orgId}/integrations/aws/config/access-logs/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
access-logs component
{
"ok": true,
"item": {
"label": "text",
"state": "configure",
"cloudLakeArn": "text"
},
"metadata": {}
}
Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Access Logging
PUT /o/{orgId}/integrations/aws/config/access-logs/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
{
"ok": true
}
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Access Logging
DELETE /o/{orgId}/integrations/aws/config/access-logs/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
Item successfully removed
No content
Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Access Logging
state (body): must be "configure"
cloudLakeArn (body): ARN of your CloudLake Data Store
POST /o/{orgId}/integrations/aws/config/access-logs/{id}/configure HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 43
{
"state": "configure",
"cloudLakeArn": "text"
}
{
"ok": true
}
Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Access Logging
state (body): must be "stage"
POST /o/{orgId}/integrations/aws/config/access-logs/{id}/verify HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"state": "stage"
}
{
"ok": true
}
Resource Inventory
Provides P0 with visibility into AWS resources (e.g., S3 buckets, EC2 instances) for access control and automation. Each item in the configuration is tied to an AWS account. This component enables resource-based access governance within the P0 platform.
Current configuration values for inventory component.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Resource inventory
GET /o/{orgId}/integrations/aws/config/inventory/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
inventory component
{
"ok": true,
"item": {
"label": "text",
"state": "configure"
},
"metadata": {}
}
Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Resource inventory
PUT /o/{orgId}/integrations/aws/config/inventory/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
{
"ok": true
}
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Resource inventory
DELETE /o/{orgId}/integrations/aws/config/inventory/{id} HTTP/1.1
Host:
Authorization: Bearer APIKey
Accept: */*
Item successfully removed
No content
Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Resource inventory
state (body): must be "configure"
POST /o/{orgId}/integrations/aws/config/inventory/{id}/configure HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"state": "configure"
}
{
"ok": true
}
Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.
orgId (path): P0 organization ID
id (path): The ID of an item that is configured in the Amazon Web Services resource for Resource inventory
state (body): must be "stage"
POST /o/{orgId}/integrations/aws/config/inventory/{id}/verify HTTP/1.1
Host:
Authorization: Bearer APIKey
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"state": "stage"
}
{
"ok": true
}