Ctrlk
Sign up for FreeKnowledge Base
For the complete documentation index, see llms.txt. This page is also available as Markdown.

AWS Integration API

Manage installable components of the P0 Amazon Web Services integration.

This API may change in a non-backward-compatible way. Please inform P0 Security support if you are planning to use it in production in order to receive notifications about changes.

Overview

The P0 AWS Integration API allows you to programmatically manage installable components for integrating Amazon Web Services (AWS) within P0. Each component follows a consistent lifecycle—staging, verification, and configuration—and is typically identified by its AWS account ID.

This API is especially useful for automating cloud access, enabling just-in-time (JIT) permissions, and managing integrations across multiple AWS accounts at scale.

Typical use cases include:

  • Set up secure, multi-account AWS access for users via P0.

  • Automatically provision roles and permissions in AWS environments.

  • Integrate AWS accounts with P0's monitoring or access tools.

The P0 Terraform provider is recommended for configuring integrations programatically.

Check the provider documentation here!

Key Concepts

  • Integration Root Object: Represents the top-level configuration for an AWS integration within your organization.

  • Components: Installable parts of the integration (e.g., IAM roles, logging, monitoring). Each component is scoped to an AWS account (via its 12-digit ID).

  • States:

    • stage: Initial configuration before verification.

    • configure: Successfully verified and missing additional configuration options.

    • installed: Ready to be used.

  • Base Component: Created automatically by P0. It includes the GCP service account used by P0 to interact with AWS. It will be automatically created by P0 as a side effect when the first component is created with the POST method. The base component contains the GCP service account assigned to the integration by P0.

Integration Lifecycle

1. Create the root integration

Before adding components, you must initialize the integration:

This sets up the foundation for all further AWS integrations within your organization.

2. Stage a component

Choose a component (e.g., access, logging, etc.) and stage it by specifying the AWS account ID:

  • {component}: Type of component to install.

  • {id}: an AWS account ID (12 digits).

⚠️ The base component is automatically created when you stage the first component.

Installation Components

  • Base: Core platform layer for authentication, tenant isolation, and routing.

  • IAM Write: Handles just-in-time access provisioning when requests are approved.

  • IAM assessment: Continuously evaluates user permissions against least privilege principles.

  • Function Caller: Executes user-defined functions or workflows during request processing.

  • Audit Logging: Provides a tamper-evident trail for compliance and security investigations.

  • Resource Inventory: Indexes all manageable resources across integrations in real time.

3. Retrieve setup instructions

To configure AWS correctly, retrieve the staged component metadata:

The response includes a metadata field with the exact parameters (e.g., IAM role ARN, trust policy) needed for setup in AWS.

4. Verify AWS configuration

Once the AWS setup is complete, verify it with:

  • P0 will validate the setup by reaching out to AWS.

  • On success, the component enters the configure state.

5. Review configuration

You can confirm the integration status:

  • The response item field shows the current state and configurable fields.

6. Finalize configuration

You may change the integration configuration by passing the desired item field:

  • The configure endpoint MUST be called after verify when a new AWS account is installed.

  • The configure endpoint may also be called to change the configuration of an existing AWS account without reinstalling it. In this case, a successful response indicates that P0 has both configured and verified the new configuration.

Base Installation

Configures the foundational connection between P0 and Amazon Web Services. Each item in the configuration represents an AWS account, identified by a 12-digit numeric account ID. This component is automatically created when the first integration is added. It provisions the service account that P0 uses to securely interact with your AWS environment.

Read configuration for all components

get

Current configuration values for every available Amazon Web Services component.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

Responses
get
/o/{orgId}/integrations/aws/config
200

Successful response

Create initial configuration

post

Initialize installation of an AWS account in P0. Creates placeholders for every available Amazon Web Services component. Start with this method when installing an Amazon Web Services account integration for the first time.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

Responses
post
/o/{orgId}/integrations/aws/config

Remove all items in all components

delete

Removes all items in all components of the Amazon Web Services integration from P0. Any configuration present in Amazon Web Services that grants access to P0 has to be removed separately.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

Responses
204

Removed all items in all components.

No content
delete
/o/{orgId}/integrations/aws/config
204

Removed all items in all components.

No content

Read install configuration of an Amazon Web Services account

get

Current configuration values for base component.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Base installation

Responses
get
/o/{orgId}/integrations/aws/config/base/{id}
200

base component

IAM assessment Component

Enables P0 to evaluate IAM roles, policies, and permissions within your AWS accounts. Each item represents an AWS account, identified by the 12-digit account ID. This component supports governance, policy posture analysis, and inventory visibility features on the P0 platform.

Read install configuration of an IAM assessment component

get

Current configuration values for iam-assessment component.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM assessment

Responses
get
/o/{orgId}/integrations/aws/config/iam-assessment/{id}
200

iam-assessment component

Initialize installation of an IAM assessment component

put

Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM assessment

Responses
put
/o/{orgId}/integrations/aws/config/iam-assessment/{id}

Remove installation of an IAM assessment component

delete
Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM assessment

Responses
204

Item successfully removed

No content
delete
/o/{orgId}/integrations/aws/config/iam-assessment/{id}
204

Item successfully removed

No content

Configure an IAM assessment component

post

Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM assessment

Body
statestring · enumRequired

The state must be "configure"

Possible values:
accessAnalyzerArnstringOptional

ARN of this account's IAM Access Analyzer

Responses
post
/o/{orgId}/integrations/aws/config/iam-assessment/{id}/configure

Verify the configuration of an IAM assessment component

post

Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM assessment

Body
statestring · enumRequired

The state must be "stage"

Possible values:
Responses
post
/o/{orgId}/integrations/aws/config/iam-assessment/{id}/verify

IAM Management

Allows P0 to manage IAM permissions in your AWS environment. Each item corresponds to an AWS account (12-digit account ID). This component is used for features like Just-in-Time access, where P0 can programmatically assign or revoke IAM policies based on user activity or approval workflows.

Read install configuration of an IAM management component

get

Current configuration values for iam-write component.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM management

Responses
get
/o/{orgId}/integrations/aws/config/iam-write/{id}
200

iam-write component

Initialize installation of an IAM management component

put

Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM management

Responses
put
/o/{orgId}/integrations/aws/config/iam-write/{id}

Remove installation of an IAM management component

delete
Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM management

Responses
204

Item successfully removed

No content
delete
/o/{orgId}/integrations/aws/config/iam-write/{id}
204

Item successfully removed

No content

Configure an IAM management component

post

Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM management

Body
statestring · enumRequired

The state must be "configure"

Possible values:
loginone ofRequired
or
or
Responses
post
/o/{orgId}/integrations/aws/config/iam-write/{id}/configure

Verify the configuration of an IAM management component

post

Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for IAM management

Body
statestring · enumRequired

The state must be "stage"

Possible values:
Responses
post
/o/{orgId}/integrations/aws/config/iam-write/{id}/verify

Function Caller

Allows P0 to invoke AWS Lambda functions on your behalf. Unlike other components, each item in this configuration represents a specific Lambda ARN. This is useful for custom integrations such as automated notifications, policy enforcement, or triggering cloud-native workflows.

Read install configuration a function caller component

get

Current configuration values for function-caller component.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Function caller

Responses
get
/o/{orgId}/integrations/aws/config/function-caller/{id}
200

function-caller component

Initialize installation of a function caller component

put

Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Function caller

Responses
put
/o/{orgId}/integrations/aws/config/function-caller/{id}

Remove installation of a function caller component

delete
Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Function caller

Responses
204

Item successfully removed

No content
delete
/o/{orgId}/integrations/aws/config/function-caller/{id}
204

Item successfully removed

No content

Configure a function caller component

post

Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Function caller

Body
statestring · enumRequired

The state must be "configure"

Possible values:
Responses
post
/o/{orgId}/integrations/aws/config/function-caller/{id}/configure

Verify the configuration of a function caller component

post

Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Function caller

Body
statestring · enumRequired

The state must be "stage"

Possible values:
Responses
post
/o/{orgId}/integrations/aws/config/function-caller/{id}/verify

Access Logs

Connects P0 to your AWS CloudTrail logs for audit and monitoring purposes. Each configuration item corresponds to an AWS account and allows P0 to read access logs. This enables audit trails and visibility into user actions across your cloud environment.

Read install configuration of an access logging component

get

Current configuration values for access-logs component.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Access Logging

Responses
get
/o/{orgId}/integrations/aws/config/access-logs/{id}
200

access-logs component

Initialize installation of an access logging component

put

Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Access Logging

Responses
put
/o/{orgId}/integrations/aws/config/access-logs/{id}

Remove installation of an access logging component

delete
Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Access Logging

Responses
204

Item successfully removed

No content
delete
/o/{orgId}/integrations/aws/config/access-logs/{id}
204

Item successfully removed

No content

Configure an access logging component

post

Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Access Logging

Body
statestring · enumRequired

The state must be "configure"

Possible values:
cloudLakeArnstringOptional

What is the ARN of your CloudLake Data Store?

Responses
post
/o/{orgId}/integrations/aws/config/access-logs/{id}/configure

Verify the configuration of an access logging component

post

Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Access Logging

Body
statestring · enumRequired

The state must be "stage"

Possible values:
Responses
post
/o/{orgId}/integrations/aws/config/access-logs/{id}/verify

Resource Inventory

Provides P0 with visibility into AWS resources (e.g., S3 buckets, EC2 instances) for access control and automation. Each item in the configuration is tied to an AWS account. This component enables resource-based access governance within the P0 platform.

Read install configuration of a resource inventory component

get

Current configuration values for inventory component.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Resource inventory

Responses
get
/o/{orgId}/integrations/aws/config/inventory/{id}
200

inventory component

Initialize installation of a resource inventory component

put

Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Resource inventory

Responses
put
/o/{orgId}/integrations/aws/config/inventory/{id}

Remove installation of a resource inventory component

delete
Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Resource inventory

Responses
204

Item successfully removed

No content
delete
/o/{orgId}/integrations/aws/config/inventory/{id}
204

Item successfully removed

No content

Configure a resource inventory component

post

Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Resource inventory

Body
statestring · enumRequired

The state must be "configure"

Possible values:
Responses
post
/o/{orgId}/integrations/aws/config/inventory/{id}/configure

Verify the configuration of a resource inventory component

post

Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

Authorizations
AuthorizationstringRequired

Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0.

Path parameters
orgIdstringRequired

P0 organization ID

idstringRequired

The ID of an item that is configured in the Amazon Web Services resource for Resource inventory

Body
statestring · enumRequired

The state must be "stage"

Possible values:
Responses
post
/o/{orgId}/integrations/aws/config/inventory/{id}/verify

Schemas

PreviousPermission levelsNextFunction invocation

Last updated