# AWS Integration API

{% hint style="warning" %}
This API may change in a non-backward-compatible way. If you plan to use it in production, inform P0 Security support so that you receive notifications about changes.
{% endhint %}

## Overview

The **P0 AWS Integration API** allows you to programmatically manage installable components for integrating Amazon Web Services (AWS) within P0. Each component follows a consistent lifecycle—staging, verification, and configuration—and is typically identified by its AWS account ID.

This API is especially useful for automating cloud access, enabling just-in-time (JIT) permissions, and managing integrations across multiple AWS accounts at scale.

#### **Typical use cases include:**

* Set up secure, multi-account AWS access for users via P0.
* Automatically provision roles and permissions in AWS environments.
* Integrate AWS accounts with P0's monitoring or access tools.

{% hint style="info" %}
The P0 Terraform provider is recommended for configuring integrations programmatically.

[Check the provider documentation here](https://registry.terraform.io/providers/p0-security/p0/latest/docs)!
{% endhint %}

## Key Concepts

* **Integration Root Object**: Represents the top-level configuration for an AWS integration within your organization.
* **Components**: Installable parts of the integration (e.g., IAM roles, logging, monitoring). Each component is scoped to an AWS account (via its 12-digit ID).
* **States**:
  * `stage`: Initial configuration before verification.
  * `configure`: Verified successfully; additional configuration options are still missing.
  * `installed`: Ready to be used.
* **Base Component**: Created automatically by P0 as a side effect when the first component is created with the POST method. It contains the GCP service account that P0 assigns to the integration and uses to interact with AWS.

## Integration Lifecycle

### 1. Create the root integration

Before adding components, you must initialize the integration:

```http
POST /o/{orgId}/integrations/aws/config
```

This sets up the foundation for all further AWS integrations within your organization.

### 2. Stage a component

Choose a component (e.g., `access`, `logging`) and stage it by specifying the AWS account ID:

```http
PUT /o/{orgId}/integrations/aws/config/{component}/{id}
```

* `{component}`: Type of component to install.
* `{id}`: An AWS account ID (12 digits).

⚠️ The `base` component is **automatically created** when you stage the first component.

#### Installation Components

* **Base:** Core platform layer for authentication, tenant isolation, and routing.
* **IAM Write:** Handles just-in-time access provisioning when requests are approved.
* **IAM assessment:** Continuously evaluates user permissions against least privilege principles.
* **Function Caller:** Executes user-defined functions or workflows during request processing.
* **Audit Logging:** Provides a tamper-evident trail for compliance and security investigations.
* **Resource Inventory:** Indexes all manageable resources across integrations in real time.

### 3. Retrieve setup instructions

To configure AWS correctly, retrieve the staged component metadata:

```http
GET /o/{orgId}/integrations/aws/config/{component}/{id}
```

The response includes a `metadata` field with the exact parameters (e.g., IAM role ARN, trust policy) needed for setup in AWS.

### 4. Verify AWS configuration

Once the AWS setup is complete, verify it with:

```http
POST /o/{orgId}/integrations/aws/config/{component}/{id}/verify
```

* P0 will validate the setup by reaching out to AWS.
* On success, the component enters the `configure` state.

### 5. Review configuration

You can confirm the integration status:

```http
GET /o/{orgId}/integrations/aws/config/{component}/{id}
```

* The response `item` field shows the current state and configurable fields.

### 6. Finalize configuration

You may change the integration configuration by passing the desired `item` field:

```http
POST /o/{orgId}/integrations/aws/config/{component}/{id}/configure
```

* The `configure` endpoint MUST be called after `verify` when a new AWS account is installed.
* The `configure` endpoint may also be called to change the configuration of an existing AWS account without reinstalling it. In this case, a successful response indicates that P0 has both configured and verified the new configuration.
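The six steps above as one client-side routine, as an added example (not P0's own code or SDK); before anything is applied in AWS it checks that the returned trust policy is tied to the P0 service account. It assumes a component whose `metadata` carries `trustPolicy` and `serviceAccountId` (per the schemas on this page, `iam-assessment` and `iam-write`). The base URL, org ID, API key, the `send` transport hook, the `apply_in_aws` callback and the sample trust policy are all constructed placeholders.

```python
import json
import re

ACCOUNT_ID_RE = re.compile(r"\d{12}")
SAMPLE_SA_ID = "100000000000000000001"  # constructed service account ID
SAMPLE_METADATA = {  # constructed stand-in for the GET response's `metadata` field
    "roleName": "ExampleP0Role",
    "serviceAccountId": SAMPLE_SA_ID,
    "trustPolicy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": SAMPLE_SA_ID}},
    }]}),
}


def make_client(base_url, org_id, api_key, send):
    """Return call(method, path, body); `send` is a hypothetical transport hook."""
    root = f"{base_url}/o/{org_id}/integrations/aws/config"
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}

    def call(method, path="", body=None):
        url = f"{root}/{path}" if path else root
        status, payload = send(method, url, headers, body)
        if status >= 400 or payload.get("ok") is False:
            raise RuntimeError(f"{method} {url} failed (HTTP {status})")
        return payload
    return call


def check_trust_policy(metadata):
    """Reject a trust policy that is not pinned to the P0 service account."""
    sa_id = metadata["serviceAccountId"]
    statements = json.loads(metadata["trustPolicy"])["Statement"]
    for stmt in statements if isinstance(statements, list) else [statements]:
        if stmt.get("Effect") != "Allow":
            continue
        if '"*"' in json.dumps(stmt.get("Principal")):
            raise ValueError("trust policy allows a wildcard principal")
        if sa_id not in json.dumps(stmt.get("Condition", {})):
            raise ValueError("Allow statement is not tied to the service account ID")


def install_component(call, component, account_id, apply_in_aws, settings):
    """Lifecycle steps 2-6 for one component of one AWS account."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    path = f"{component}/{account_id}"
    call("PUT", path)                                   # 2. stage
    staged = call("GET", path)                          # 3. setup instructions
    if staged["item"]["state"] != "stage":
        raise RuntimeError("component did not enter the stage state")
    check_trust_policy(staged["metadata"])              # inspect before applying
    apply_in_aws(staged["metadata"])                    # caller creates the IAM role
    call("POST", f"{path}/verify", {"state": "stage"})  # 4. verify
    state = call("GET", path)["item"]["state"]          # 5. review
    if state != "configure":
        raise RuntimeError(f"verification left the component in state {state!r}")
    call("POST", f"{path}/configure", {"state": "configure", **settings})  # 6. finalize
    return call("GET", path)["item"]["state"]


class FakeP0:
    """Constructed in-memory stand-in for the P0 API so the example runs offline."""
    def __init__(self, metadata):
        self.items, self.metadata = {}, metadata

    def send(self, method, url, headers, body):
        body = body or {}
        parts = [p for p in url.split("/aws/config", 1)[1].split("/") if p]
        if not parts:  # 1. root POST: create initial configuration
            return 200, {"ok": True}
        key, action = tuple(parts[:2]), parts[-1]
        item = self.items.get(key)
        if method == "PUT":
            self.items[key] = {"state": "stage"}
        elif item is None:
            return 400, {"ok": False}
        elif method == "GET":
            return 200, {"ok": True, "item": dict(item), "metadata": self.metadata}
        elif action == "verify" and item["state"] == "stage" == body.get("state"):
            item["state"] = "configure"
        elif action == "configure" and item["state"] != "stage" and body.get("state") == "configure":
            item.update(body, state="installed")
        else:
            return 400, {"ok": False}
        return 200, {"ok": True}


def demo(metadata=SAMPLE_METADATA):
    fake, applied = FakeP0(metadata), []
    # Placeholder base URL, org ID and API key; none of them come from the page.
    call = make_client("https://p0.example.invalid", "example-org", "EXAMPLE_KEY", fake.send)
    call("POST")  # 1. create the root integration
    settings = {"accessAnalyzerArn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/example"}
    state = install_component(call, "iam-assessment", "123456789012", applied.append, settings)
    return state, applied
```

For real use, replace `FakeP0.send` with a function that performs the HTTPS request, and have `apply_in_aws` create the role from the `roleName`, `trustPolicy` and `inlinePolicy` metadata fields.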

***

## Base Installation

Configures the foundational connection between P0 and Amazon Web Services. Each item in the configuration represents an AWS account, identified by a 12-digit numeric account ID. This component is automatically created when the first integration is added. It provisions the service account that P0 uses to securely interact with your AWS environment.

## Read configuration for all components

> Current configuration values for every available Amazon Web Services component.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Global (no component)","description":"Manage global configuration parameters of the P0 Amazon Web Services integration."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"schemas":{"aws":{"type":"object","description":"Amazon Web Services integration configuration","properties":{"base":{"$ref":"#/components/schemas/base"},"iam-assessment":{"$ref":"#/components/schemas/iam-assessment"},"iam-write":{"$ref":"#/components/schemas/iam-write"},"function-caller":{"$ref":"#/components/schemas/function-caller"},"access-logs":{"$ref":"#/components/schemas/access-logs"},"inventory":{"$ref":"#/components/schemas/inventory"}}},"base":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/base-item"}},"base-item":{"type":"object","description":"Component configuration of a specific Base installation item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"serviceAccountEmail":{"$ref":"#/components/schemas/serviceAccountEmail"},"serviceAccountId":{"$ref":"#/components/schemas/serviceAccountId"}}},"serviceAccountEmail":{"type":"string","description":"P0 service account human-readable identifier"},"serviceAccountId":{"type":"string","description":"P0 service account machine identifier"},"iam-assessment":{"type":"object","description":"All items of this component. 
Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/iam-assessment-item"}},"iam-assessment-item":{"type":"object","description":"Component configuration of a specific IAM assessment item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"accessAnalyzerArn":{"$ref":"#/components/schemas/accessAnalyzerArn"}}},"accessAnalyzerArn":{"type":"string","description":"ARN of this account's IAM Access Analyzer"},"iam-write":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/iam-write-item"}},"iam-write-item":{"type":"object","description":"Component configuration of a specific IAM management item.","properties":{"label":{"type":"string","description":"Friendly name of the item. 
(Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"login":{"$ref":"#/components/schemas/login"}}},"login":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"As AWS IAM users","enum":["iam"]},"identity":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"User name is user email","enum":["email"]}}},{"type":"object","properties":{"type":{"type":"string","description":"User email in a tag","enum":["tag"]},"tagName":{"type":"string","description":"Tag name"}}}]}}},{"type":"object","properties":{"type":{"type":"string","description":"P0 must be installed in the account that contains the Identity Center instance.","enum":["idc"]},"parent":{"type":"string","description":"Account with Identity Center instance"}}},{"type":"object","properties":{"type":{"type":"string","description":"Via a federated identity provider","enum":["federated"]},"provider":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Okta","enum":["okta"]},"appId":{"type":"string","description":"Application ID of your AWS federation application, in Okta."},"identityProvider":{"type":"string","description":"Identity of your identity provider integration, in AWS."},"method":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"SAML","enum":["saml"]},"accountCount":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Single account","enum":["single"]}}},{"type":"object","properties":{"type":{"type":"string","description":"Choose if you have multiple \"Connected Accounts IDs\" on the Provisioning / Integration tab in your Federation app","enum":["multi"]},"parent":{"type":"string","description":"Parent AWS Account"}}}]}}}]}}}]}}}]},"function-caller":{"type":"object","description":"All items of this component. 
Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/function-caller-item"}},"function-caller-item":{"type":"object","description":"Component configuration of a specific Function caller item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}},"access-logs":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/access-logs-item"}},"access-logs-item":{"type":"object","description":"Component configuration of a specific Access Logging item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"cloudLakeArn":{"$ref":"#/components/schemas/cloudLakeArn"}}},"cloudLakeArn":{"type":"string","description":"What is the ARN of your CloudLake Data Store?"},"inventory":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/inventory-item"}},"inventory-item":{"type":"object","description":"Component configuration of a specific Resource inventory item.","properties":{"label":{"type":"string","description":"Friendly name of the item. 
(Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}},"paths":{"/o/{orgId}/integrations/aws/config":{"get":{"tags":["Global (no component)"],"summary":"Read configuration for all components","description":"Current configuration values for every available Amazon Web Services component.","parameters":[],"responses":{"200":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/aws"}}}}}}}}}
```

## Create initial configuration

> Initialize installation of an AWS account in P0. Creates placeholders for every available Amazon Web Services component. Start with this method when installing an Amazon Web Services account integration for the first time.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Global (no component)","description":"Manage global configuration parameters of the P0 Amazon Web Services integration."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config":{"post":{"tags":["Global (no component)"],"summary":"Create initial configuration","description":"Initialize installation of an AWS account in P0. Creates placeholders for every available Amazon Web Services component. Start with this method when installing an Amazon Web Services account integration for the first time.","parameters":[],"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## Remove all items in all components

> Removes all items in all components of the Amazon Web Services integration from P0. Any configuration present in Amazon Web Services that grants access to P0 has to be removed separately.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Global (no component)","description":"Manage global configuration parameters of the P0 Amazon Web Services integration."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}}},"paths":{"/o/{orgId}/integrations/aws/config":{"delete":{"tags":["Global (no component)"],"summary":"Remove all items in all components","description":"Removes all items in all components of the Amazon Web Services integration from P0. Any configuration present in Amazon Web Services that grants access to P0 has to be removed separately.","responses":{"204":{"description":"Removed all items in all components."}}}}}}
```

## Read install configuration of an Amazon Web Services account

> Current configuration values for base component.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Base installation component","description":"Configures P0 integration with Amazon Web Services for Base installation component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"base":{"description":"base component","content":{"application/json":{"schema":{"$ref":"#/components/schemas/base-item-with-metadata"}}}}},"schemas":{"base-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/base-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked."}}},"base-item":{"type":"object","description":"Component configuration of a specific Base installation item.","properties":{"label":{"type":"string","description":"Friendly name of the item. 
(Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"serviceAccountEmail":{"$ref":"#/components/schemas/serviceAccountEmail"},"serviceAccountId":{"$ref":"#/components/schemas/serviceAccountId"}}},"serviceAccountEmail":{"type":"string","description":"P0 service account human-readable identifier"},"serviceAccountId":{"type":"string","description":"P0 service account machine identifier"}}},"paths":{"/o/{orgId}/integrations/aws/config/base/{id}":{"get":{"tags":["Base installation component"],"summary":"Read install configuration of an Amazon Web Services account","description":"Current configuration values for base component.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Base installation","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/base"}}}}}}
```

***

## IAM assessment Component

Enables P0 to evaluate IAM roles, policies, and permissions within your AWS accounts. Each item represents an AWS account, identified by the 12-digit account ID. This component supports governance, policy posture analysis, and inventory visibility features on the P0 platform.

## Read install configuration of an IAM assessment component

> Current configuration values for iam-assessment component.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM assessment component","description":"Configures P0 integration with Amazon Web Services for IAM assessment component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"iam-assessment":{"description":"iam-assessment component","content":{"application/json":{"schema":{"$ref":"#/components/schemas/iam-assessment-item-with-metadata"}}}}},"schemas":{"iam-assessment-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/iam-assessment-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked.","properties":{"roleName":{"type":"string","description":"The name of the AWS IAM role to create for the P0 Amazon Web Services integration"},"inlinePolicy":{"type":"string","description":"The inline IAM policy to attach to the IAM role"},"inlinePolicyName":{"type":"string","description":"The name of the inline IAM policy"},"trustPolicy":{"type":"string","description":"The trust policy to attach to the IAM role for the P0 Amazon Web Services integration"},"serviceAccountId":{"type":"string","description":"The ID of the GCP service account that P0 uses to access your AWS account. 
This ID is already part of the trust policy."}}}}},"iam-assessment-item":{"type":"object","description":"Component configuration of a specific IAM assessment item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"accessAnalyzerArn":{"$ref":"#/components/schemas/accessAnalyzerArn"}}},"accessAnalyzerArn":{"type":"string","description":"ARN of this account's IAM Access Analyzer"}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-assessment/{id}":{"get":{"tags":["IAM assessment component"],"summary":"Read install configuration of an IAM assessment component","description":"Current configuration values for iam-assessment component.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM assessment","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/iam-assessment"}}}}}}
```

## Initialize installation of an IAM assessment component

> Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM assessment component","description":"Configures P0 integration with Amazon Web Services for IAM assessment component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-assessment/{id}":{"put":{"tags":["IAM assessment component"],"summary":"Initialize installation of an IAM assessment component","description":"Execute this first to start the install of an account. Assembles an initial item in \"stage\" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM assessment","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## DELETE /o/{orgId}/integrations/aws/config/iam-assessment/{id}

> Remove installation of an IAM assessment component

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM assessment component","description":"Configures P0 integration with Amazon Web Services for IAM assessment component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-assessment/{id}":{"delete":{"tags":["IAM assessment component"],"summary":"Remove installation of an IAM assessment component","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM assessment","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"204":{"description":"Item successfully removed"}}}}}}
```

## Configure an IAM assessment component

> Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM assessment component","description":"Configures P0 integration with Amazon Web Services for IAM assessment component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"schemas":{"accessAnalyzerArn":{"type":"string","description":"ARN of this account's IAM Access Analyzer"},"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-assessment/{id}/configure":{"post":{"tags":["IAM assessment component"],"summary":"Configure an IAM assessment component","description":"Transitions from \"configure\" to \"installed\" state, or reconfigures an item already in \"installed\" state. 
Verifies that Amazon Web Services is configured correctly.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM assessment","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state","login"],"properties":{"state":{"description":"The state must be \"configure\"","type":"string","enum":["configure"]},"accessAnalyzerArn":{"$ref":"#/components/schemas/accessAnalyzerArn"}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## Verify the configuration of an IAM assessment component

> Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM assessment component","description":"Configures P0 integration with Amazon Web Services for IAM assessment component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-assessment/{id}/verify":{"post":{"tags":["IAM assessment component"],"summary":"Verify the configuration of an IAM assessment component","description":"Transitions the item from \"stage\" to \"configure\" state. Verification reads the target system and checks that the configuration is correctly applied.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM assessment","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state"],"properties":{"state":{"description":"The state must be \"stage\"","type":"string","enum":["stage"]}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

***

## IAM Management

Allows P0 to manage IAM permissions in your AWS environment. Each item corresponds to an AWS account (12-digit account ID). This component is used for features like Just-in-Time access, where P0 can programmatically assign or revoke IAM policies based on user activity or approval workflows.

## Read install configuration of an IAM management component

> Current configuration values for iam-write component.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM management component","description":"Configures P0 integration with Amazon Web Services for IAM management component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"iam-write":{"description":"iam-write component","content":{"application/json":{"schema":{"$ref":"#/components/schemas/iam-write-item-with-metadata"}}}}},"schemas":{"iam-write-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/iam-write-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked.","properties":{"roleName":{"type":"string","description":"The name of the AWS IAM role to create for the P0 Amazon Web Services integration"},"inlinePolicy":{"type":"string","description":"The inline IAM policy to attach to the IAM role"},"inlinePolicyName":{"type":"string","description":"The name of the inline IAM policy"},"trustPolicy":{"type":"string","description":"The trust policy to attach to the IAM role for the P0 Amazon Web Services integration"},"serviceAccountId":{"type":"string","description":"The ID of the GCP service account that P0 uses to access your AWS account. This ID is already part of the trust policy."}}}}},"iam-write-item":{"type":"object","description":"Component configuration of a specific IAM management item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"login":{"$ref":"#/components/schemas/login"}}},"login":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"As AWS IAM users","enum":["iam"]},"identity":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"User name is user email","enum":["email"]}}},{"type":"object","properties":{"type":{"type":"string","description":"User email in a tag","enum":["tag"]},"tagName":{"type":"string","description":"Tag name"}}}]}}},{"type":"object","properties":{"type":{"type":"string","description":"P0 must be installed in the account that contains the Identity Center instance.","enum":["idc"]},"parent":{"type":"string","description":"Account with Identity Center instance"}}},{"type":"object","properties":{"type":{"type":"string","description":"Via a federated identity provider","enum":["federated"]},"provider":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Okta","enum":["okta"]},"appId":{"type":"string","description":"Application ID of your AWS federation application, in Okta."},"identityProvider":{"type":"string","description":"Identity of your identity provider integration, in AWS."},"method":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"SAML","enum":["saml"]},"accountCount":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Single account","enum":["single"]}}},{"type":"object","properties":{"type":{"type":"string","description":"Choose if you have multiple \"Connected Accounts IDs\" on the Provisioning / Integration tab in your Federation app","enum":["multi"]},"parent":{"type":"string","description":"Parent AWS Account"}}}]}}}]}}}]}}}]}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-write/{id}":{"get":{"tags":["IAM management component"],"summary":"Read install configuration of an IAM management component","description":"Current configuration values for iam-write component.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM management","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/iam-write"}}}}}}
```

## Initialize installation of an IAM management component

> Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM management component","description":"Configures P0 integration with Amazon Web Services for IAM management component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-write/{id}":{"put":{"tags":["IAM management component"],"summary":"Initialize installation of an IAM management component","description":"Execute this first to start the install of an account. Assembles an initial item in \"stage\" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM management","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## DELETE /o/{orgId}/integrations/aws/config/iam-write/{id}

> Remove installation of an IAM management component

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM management component","description":"Configures P0 integration with Amazon Web Services for IAM management component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-write/{id}":{"delete":{"tags":["IAM management component"],"summary":"Remove installation of an IAM management component","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM management","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"204":{"description":"Item successfully removed"}}}}}}
```

## Configure an IAM management component

> Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM management component","description":"Configures P0 integration with Amazon Web Services for IAM management component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"schemas":{"login":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"As AWS IAM users","enum":["iam"]},"identity":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"User name is user email","enum":["email"]}}},{"type":"object","properties":{"type":{"type":"string","description":"User email in a tag","enum":["tag"]},"tagName":{"type":"string","description":"Tag name"}}}]}}},{"type":"object","properties":{"type":{"type":"string","description":"P0 must be installed in the account that contains the Identity Center instance.","enum":["idc"]},"parent":{"type":"string","description":"Account with Identity Center instance"}}},{"type":"object","properties":{"type":{"type":"string","description":"Via a federated identity provider","enum":["federated"]},"provider":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Okta","enum":["okta"]},"appId":{"type":"string","description":"Application ID of your AWS federation application, in Okta."},"identityProvider":{"type":"string","description":"Identity of your identity provider integration, in AWS."},"method":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"SAML","enum":["saml"]},"accountCount":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Single account","enum":["single"]}}},{"type":"object","properties":{"type":{"type":"string","description":"Choose if you have multiple \"Connected Accounts IDs\" on the Provisioning / Integration tab in your Federation app","enum":["multi"]},"parent":{"type":"string","description":"Parent AWS Account"}}}]}}}]}}}]}}}]},"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-write/{id}/configure":{"post":{"tags":["IAM management component"],"summary":"Configure an IAM management component","description":"Transitions from \"configure\" to \"installed\" state, or reconfigures an item already in \"installed\" state. Verifies that Amazon Web Services is configured correctly.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM management","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state","login"],"properties":{"state":{"description":"The state must be \"configure\"","type":"string","enum":["configure"]},"login":{"$ref":"#/components/schemas/login"}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## Verify the configuration of an IAM management component

> Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"IAM management component","description":"Configures P0 integration with Amazon Web Services for IAM management component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/iam-write/{id}/verify":{"post":{"tags":["IAM management component"],"summary":"Verify the configuration of an IAM management component","description":"Transitions the item from \"stage\" to \"configure\" state. Verification reads the target system and checks that the configuration is correctly applied.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for IAM management","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state"],"properties":{"state":{"description":"The state must be \"stage\"","type":"string","enum":["stage"]}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```
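The IAM management calls documented above, sequenced as an added example (not P0's own code): given the `state` read from the GET response, it returns the next request to send and checks the `login` body against the schema's branches before the configure call. `next_request`, `validate_login` and the sample organization and account values are hypothetical, and the validator treats every property listed in the schema as required, which the schema itself does not state.

```python
import re
from urllib.parse import quote


def validate_login(login):
    """Return the problems found in a `login` object; an empty list means it fits one branch."""
    problems = []

    def need(obj, key, where):
        # Assumption of this example: listed string properties must be present and non-empty.
        if not isinstance(obj.get(key), str) or not obj[key]:
            problems.append(f"{where}.{key} must be a non-empty string")

    if not isinstance(login, dict):
        return ["login must be an object"]
    kind = login.get("type")
    if kind == "iam":
        identity = login.get("identity")
        if not isinstance(identity, dict):
            problems.append("login.identity must be an object")
        elif identity.get("type") == "tag":
            need(identity, "tagName", "login.identity")
        elif identity.get("type") != "email":
            problems.append("login.identity.type must be 'email' or 'tag'")
    elif kind == "idc":
        need(login, "parent", "login")
    elif kind == "federated":
        provider = login.get("provider")
        if not isinstance(provider, dict) or provider.get("type") != "okta":
            problems.append("login.provider.type must be 'okta'")
            return problems
        need(provider, "appId", "login.provider")
        need(provider, "identityProvider", "login.provider")
        method = provider.get("method")
        if not isinstance(method, dict) or method.get("type") != "saml":
            problems.append("login.provider.method.type must be 'saml'")
            return problems
        count = method.get("accountCount")
        if not isinstance(count, dict):
            problems.append("login.provider.method.accountCount must be an object")
        elif count.get("type") == "multi":
            need(count, "parent", "login.provider.method.accountCount")
        elif count.get("type") != "single":
            problems.append("login.provider.method.accountCount.type must be 'single' or 'multi'")
    else:
        problems.append("login.type must be 'iam', 'idc' or 'federated'")
    return problems


def next_request(org_id, account_id, state, login=None):
    """Return (method, path, body) for the next lifecycle call, or None once installed.

    `state` is item.state from the GET response, or None when no item exists yet.
    """
    # The {id} path parameter is the 12-digit AWS account ID; reject anything else
    # before it is placed in a URL path.
    if not isinstance(account_id, str) or not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError("account ID must be a string of exactly 12 digits")
    path = f"/o/{quote(org_id, safe='')}/integrations/aws/config/iam-write/{account_id}"
    if state is None:
        # PUT assembles the item in "stage" state and generates the metadata.
        return ("PUT", path, None)
    if state == "stage":
        # Send this only after the role and policies from the GET metadata
        # (roleName, inlinePolicy, trustPolicy) exist in the AWS account.
        return ("POST", path + "/verify", {"state": "stage"})
    if state == "configure":
        problems = validate_login(login)
        if problems:
            raise ValueError("; ".join(problems))
        return ("POST", path + "/configure", {"state": "configure", "login": login})
    if state == "installed":
        return None
    raise ValueError(f"state {state!r} is not handled by this example")


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    sample_login = {"type": "iam", "identity": {"type": "tag", "tagName": "email"}}
    for current in (None, "stage", "configure", "installed"):
        print(current, "->", next_request("example-org", "123456789012", current, sample_login))
```

Each request still needs the API key in the `Authorization` header as a bearer token, as the security scheme above describes.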

***

## Function Caller

Allows P0 to invoke AWS Lambda functions on your behalf. Unlike other components, each item in this configuration represents a specific Lambda ARN. This is useful for custom integrations such as automated notifications, policy enforcement, or triggering cloud-native workflows.

## Read install configuration of a function caller component

> Current configuration values for function-caller component.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Function caller component","description":"Configures P0 integration with Amazon Web Services for Function caller component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"function-caller":{"description":"function-caller component","content":{"application/json":{"schema":{"$ref":"#/components/schemas/function-caller-item-with-metadata"}}}}},"schemas":{"function-caller-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/function-caller-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked.","properties":{"roleName":{"type":"string","description":"The name of the AWS IAM role to create for the P0 Amazon Web Services integration"},"inlinePolicy":{"type":"string","description":"The inline IAM policy to attach to the IAM role"},"inlinePolicyName":{"type":"string","description":"The name of the inline IAM policy"},"trustPolicy":{"type":"string","description":"The trust policy to attach to the IAM role for the P0 Amazon Web Services integration"},"serviceAccountId":{"type":"string","description":"The ID of the GCP service account that P0 uses to access your AWS account. This ID is already part of the trust policy."}}}}},"function-caller-item":{"type":"object","description":"Component configuration of a specific Function caller item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/function-caller/{id}":{"get":{"tags":["Function caller component"],"summary":"Read install configuration a function caller component","description":"Current configuration values for function-caller component.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Function caller","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/function-caller"}}}}}}
```

## Initialize installation of a function caller component

> Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Function caller component","description":"Configures P0 integration with Amazon Web Services for Function caller component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/function-caller/{id}":{"put":{"tags":["Function caller component"],"summary":"Initialize installation of a function caller component","description":"Execute this first to start the install of an account. Assembles an initial item in \"stage\" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Function caller","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## DELETE /o/{orgId}/integrations/aws/config/function-caller/{id}

> Remove installation of a function caller component

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Function caller component","description":"Configures P0 integration with Amazon Web Services for Function caller component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}}},"paths":{"/o/{orgId}/integrations/aws/config/function-caller/{id}":{"delete":{"tags":["Function caller component"],"summary":"Remove installation of a function caller component","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Function caller","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"204":{"description":"Item successfully removed"}}}}}}
```

## Configure a function caller component

> Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Function caller component","description":"Configures P0 integration with Amazon Web Services for Function caller component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/function-caller/{id}/configure":{"post":{"tags":["Function caller component"],"summary":"Configure a function caller component","description":"Transitions from \"configure\" to \"installed\" state, or reconfigures an item already in \"installed\" state. Verifies that Amazon Web Services is configured correctly.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Function caller","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state","login"],"properties":{"state":{"description":"The state must be \"configure\"","type":"string","enum":["configure"]}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## Verify the configuration of a function caller component

> Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Function caller component","description":"Configures P0 integration with Amazon Web Services for Function caller component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/function-caller/{id}/verify":{"post":{"tags":["Function caller component"],"summary":"Verify the configuration of a function caller component","description":"Transitions the item from \"stage\" to \"configure\" state. Verification reads the target system and checks that the configuration is correctly applied.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Function caller","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state"],"properties":{"state":{"description":"The state must be \"stage\"","type":"string","enum":["stage"]}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

***

## Access Logs

Connects P0 to your AWS CloudTrail logs for audit and monitoring purposes. Each configuration item corresponds to an AWS account and allows P0 to read access logs. This enables audit trails and visibility into user actions across your cloud environment.

## Read install configuration of an access logging component

> Current configuration values for access-logs component.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Access Logging component","description":"Configures P0 integration with Amazon Web Services for Access Logging component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"access-logs":{"description":"access-logs component","content":{"application/json":{"schema":{"$ref":"#/components/schemas/access-logs-item-with-metadata"}}}}},"schemas":{"access-logs-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/access-logs-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked."}}},"access-logs-item":{"type":"object","description":"Component configuration of a specific Access Logging item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"cloudLakeArn":{"$ref":"#/components/schemas/cloudLakeArn"}}},"cloudLakeArn":{"type":"string","description":"What is the ARN of your CloudLake Data Store?"}}},"paths":{"/o/{orgId}/integrations/aws/config/access-logs/{id}":{"get":{"tags":["Access Logging component"],"summary":"Read install configuration of an access logging component","description":"Current configuration values for access-logs component.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Access Logging","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/access-logs"}}}}}}
```

## Initialize installation of an access logging component

> Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Access Logging component","description":"Configures P0 integration with Amazon Web Services for Access Logging component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/access-logs/{id}":{"put":{"tags":["Access Logging component"],"summary":"Initialize installation of an access logging component","description":"Execute this first to start the install of an account. Assembles an initial item in \"stage\" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Access Logging","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## DELETE /o/{orgId}/integrations/aws/config/access-logs/{id}

> Remove installation of an access logging component

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Access Logging component","description":"Configures P0 integration with Amazon Web Services for Access Logging component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}}},"paths":{"/o/{orgId}/integrations/aws/config/access-logs/{id}":{"delete":{"tags":["Access Logging component"],"summary":"Remove installation of an access logging component","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Access Logging","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"204":{"description":"Item successfully removed"}}}}}}
```

## Configure an access logging component

> Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Access Logging component","description":"Configures P0 integration with Amazon Web Services for Access Logging component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"schemas":{"cloudLakeArn":{"type":"string","description":"What is the ARN of your CloudLake Data Store?"},"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/o/{orgId}/integrations/aws/config/access-logs/{id}/configure":{"post":{"tags":["Access Logging component"],"summary":"Configure an access logging component","description":"Transitions from \"configure\" to \"installed\" state, or reconfigures an item already in \"installed\" state. Verifies that Amazon Web Services is configured correctly.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Access Logging","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state","login"],"properties":{"state":{"description":"The state must be \"configure\"","type":"string","enum":["configure"]},"cloudLakeArn":{"$ref":"#/components/schemas/cloudLakeArn"}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## Verify the configuration of an access logging component

> Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Access Logging component","description":"Configures P0 integration with Amazon Web Services for Access Logging component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/access-logs/{id}/verify":{"post":{"tags":["Access Logging component"],"summary":"Verify the configuration of an access logging component","description":"Transitions the item from \"stage\" to \"configure\" state. Verification reads the target system and checks that the configuration is correctly applied.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Access Logging","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state"],"properties":{"state":{"description":"The state must be \"stage\"","type":"string","enum":["stage"]}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

***

## Resource Inventory

Provides P0 with visibility into AWS resources (e.g., S3 buckets, EC2 instances) for access control and automation. Each item in the configuration is tied to an AWS account. This component enables resource-based access governance within the P0 platform.

## Read install configuration of a resource inventory component

> Current configuration values for inventory component.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Resource inventory component","description":"Configures P0 integration with Amazon Web Services for Resource inventory component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"inventory":{"description":"inventory component","content":{"application/json":{"schema":{"$ref":"#/components/schemas/inventory-item-with-metadata"}}}}},"schemas":{"inventory-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/inventory-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked."}}},"inventory-item":{"type":"object","description":"Component configuration of a specific Resource inventory item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/inventory/{id}":{"get":{"tags":["Resource inventory component"],"summary":"Read install configuration of a resource inventory component","description":"Current configuration values for inventory component.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Resource inventory","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/inventory"}}}}}}
```

## Initialize installation of a resource inventory component

> Execute this first to start the install of an account. Assembles an initial item in "stage" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Resource inventory component","description":"Configures P0 integration with Amazon Web Services for Resource inventory component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/inventory/{id}":{"put":{"tags":["Resource inventory component"],"summary":"Initialize installation of a resource inventory component","description":"Execute this first to start the install of an account. Assembles an initial item in \"stage\" state including generated metadata that is input for configuring the integration in Amazon Web Services. To inspect the contents of the assembled item, including metadata, use the GET method.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Resource inventory","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## DELETE /o/{orgId}/integrations/aws/config/inventory/{id}

> Remove installation of a resource inventory component

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Resource inventory component","description":"Configures P0 integration with Amazon Web Services for Resource inventory component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}}},"paths":{"/o/{orgId}/integrations/aws/config/inventory/{id}":{"delete":{"tags":["Resource inventory component"],"summary":"Remove installation of a resource inventory component","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Resource inventory","required":true,"schema":{"type":"string"},"in":"path"}],"responses":{"204":{"description":"Item successfully removed"}}}}}}
```

## Configure a resource inventory component

> Transitions from "configure" to "installed" state, or reconfigures an item already in "installed" state. Verifies that Amazon Web Services is configured correctly.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Resource inventory component","description":"Configures P0 integration with Amazon Web Services for Resource inventory component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/inventory/{id}/configure":{"post":{"tags":["Resource inventory component"],"summary":"Configure a resource inventory component","description":"Transitions from \"configure\" to \"installed\" state, or reconfigures an item already in \"installed\" state. Verifies that Amazon Web Services is configured correctly.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Resource inventory","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state","login"],"properties":{"state":{"description":"The state must be \"configure\"","type":"string","enum":["configure"]}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```

## Verify the configuration of a resource inventory component

> Transitions the item from "stage" to "configure" state. Verification reads the target system and checks that the configuration is correctly applied.

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"tags":[{"name":"Resource inventory component","description":"Configures P0 integration with Amazon Web Services for Resource inventory component.\nEach item in the configuration is an account within Amazon Web Services.\nThe {id} in the path refers to the ID of the item, the 12-digit numeric account ID."}],"security":[{"bearer":[]}],"components":{"securitySchemes":{"bearer":{"type":"http","scheme":"bearer","bearerFormat":"APIKey","description":"Pass your API key in the Authorization header. Only owners can create API keys and configure integrations in P0."}},"responses":{"SuccessResponse":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Success"}}}},"ErrorResponse":{"description":"Error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}},"Error":{"type":"object","properties":{"ok":{"type":"boolean","enum":[false]}}}}},"paths":{"/o/{orgId}/integrations/aws/config/inventory/{id}/verify":{"post":{"tags":["Resource inventory component"],"summary":"Verify the configuration of a resource inventory component","description":"Transitions the item from \"stage\" to \"configure\" state. Verification reads the target system and checks that the configuration is correctly applied.","parameters":[{"name":"id","description":"The ID of an item that is configured in the Amazon Web Services resource for Resource inventory","required":true,"schema":{"type":"string"},"in":"path"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["state"],"properties":{"state":{"description":"The state must be \"stage\"","type":"string","enum":["stage"]}}}}}},"responses":{"200":{"$ref":"#/components/responses/SuccessResponse"},"400":{"$ref":"#/components/responses/ErrorResponse"}}}}}}
```
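The resource inventory endpoints above, chained into one install run for a single account (PUT, GET, POST /verify, POST /configure) with the item state checked after every transition. This is an added example, not P0's own client code: the injected `send` transport, the `prepare_aws` hook and the in-memory `FakeP0` server are assumptions made so it runs offline. The configure request schema lists `login` under `required` but defines only `state` for this component, so the example sends `state` alone.

```python
import re
from urllib.parse import quote

ACCOUNT_ID = re.compile(r"[0-9]{12}")


class LifecycleError(RuntimeError):
    """A call failed, or the item is not in the state the lifecycle expects."""


def item_path(org_id, account_id, action=None):
    """Build the component path; reject IDs that are not 12-digit account numbers."""
    if not ACCOUNT_ID.fullmatch(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    path = f"/o/{quote(org_id, safe='')}/integrations/aws/config/inventory/{account_id}"
    return f"{path}/{action}" if action else path


def auth_headers(api_key):
    """HTTP bearer scheme from the spec: the API key goes in the Authorization header."""
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def install_inventory(send, org_id, account_id, api_key, prepare_aws):
    """Run the install lifecycle and return the states observed along the way.

    send(method, path, headers, body) -> (status, payload) is the injected transport.
    prepare_aws(metadata) is the caller's hook that applies the metadata in AWS.
    """
    headers = auth_headers(api_key)
    seen = []

    def call(method, action=None, body=None):
        status, payload = send(method, item_path(org_id, account_id, action), headers, body)
        if status != 200 or payload.get("ok") is not True:
            raise LifecycleError(f"{method} {action or 'item'} failed with HTTP {status}")
        return payload

    def expect(state):
        payload = call("GET")
        actual = payload.get("item", {}).get("state")
        seen.append(actual)
        if actual != state:
            raise LifecycleError(f"expected state {state!r}, item is in {actual!r}")
        return payload

    call("PUT")                                        # assembles the item in "stage"
    staged = expect("stage")
    prepare_aws(staged.get("metadata", {}))            # configure AWS before verifying
    call("POST", "verify", {"state": "stage"})         # stage -> configure
    expect("configure")
    call("POST", "configure", {"state": "configure"})  # configure -> installed
    expect("installed")
    return seen


class FakeP0:
    """Constructed in-memory stand-in for the API, used only to run the example offline.

    It models the forward transitions only, not reconfiguring an installed item.
    """

    def __init__(self, api_key, aws_ready=True):
        self.api_key, self.aws_ready, self.items = api_key, aws_ready, {}

    def send(self, method, path, headers, body):
        if headers.get("Authorization") != f"Bearer {self.api_key}":
            return 401, {"ok": False}
        # ['', 'o', org, 'integrations', 'aws', 'config', 'inventory', id, action?]
        parts = path.split("/")
        account, action = parts[7], (parts[8] if len(parts) > 8 else None)
        item = self.items.get(account)
        if method == "PUT" and action is None:
            self.items[account] = {"state": "stage"}
            return 200, {"ok": True}
        if method == "GET" and item:
            return 200, {"ok": True, "item": dict(item), "metadata": {"constructed": True}}
        if method == "POST" and item and body == {"state": item["state"]}:
            if action == "verify" and item["state"] == "stage" and self.aws_ready:
                item["state"] = "configure"
                return 200, {"ok": True}
            if action == "configure" and item["state"] == "configure":
                item["state"] = "installed"
                return 200, {"ok": True}
        return 400, {"ok": False}
```

When AWS has not been prepared, the run stops at the verify step and the item stays in `stage`, so it can be retried once the account is configured.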

## Schemas

## The Success object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"Success":{"type":"object","properties":{"ok":{"type":"boolean","enum":[true]}}}}}}
```

## The base-item-with-metadata object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"base-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/base-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked."}}},"base-item":{"type":"object","description":"Component configuration of a specific Base installation item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"serviceAccountEmail":{"$ref":"#/components/schemas/serviceAccountEmail"},"serviceAccountId":{"$ref":"#/components/schemas/serviceAccountId"}}},"serviceAccountEmail":{"type":"string","description":"P0 service account human-readable identifier"},"serviceAccountId":{"type":"string","description":"P0 service account machine identifier"}}}}
```

## The iam-write-item-with-metadata object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"iam-write-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/iam-write-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked.","properties":{"roleName":{"type":"string","description":"The name of the AWS IAM role to create for the P0 Amazon Web Services integration"},"inlinePolicy":{"type":"string","description":"The inline IAM policy to attach to the IAM role"},"inlinePolicyName":{"type":"string","description":"The name of the inline IAM policy"},"trustPolicy":{"type":"string","description":"The trust policy to attach to the IAM role for the P0 Amazon Web Services integration"},"serviceAccountId":{"type":"string","description":"The ID of the GCP service account that P0 uses to access your AWS account. This ID is already part of the trust policy."}}}}},"iam-write-item":{"type":"object","description":"Component configuration of a specific IAM management item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"login":{"$ref":"#/components/schemas/login"}}},"login":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"As AWS IAM users","enum":["iam"]},"identity":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"User name is user email","enum":["email"]}}},{"type":"object","properties":{"type":{"type":"string","description":"User email in a tag","enum":["tag"]},"tagName":{"type":"string","description":"Tag name"}}}]}}},{"type":"object","properties":{"type":{"type":"string","description":"P0 must be installed in the account that contains the Identity Center instance.","enum":["idc"]},"parent":{"type":"string","description":"Account with Identity Center instance"}}},{"type":"object","properties":{"type":{"type":"string","description":"Via a federated identity provider","enum":["federated"]},"provider":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Okta","enum":["okta"]},"appId":{"type":"string","description":"Application ID of your AWS federation application, in Okta."},"identityProvider":{"type":"string","description":"Identity of your identity provider integration, in AWS."},"method":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"SAML","enum":["saml"]},"accountCount":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Single account","enum":["single"]}}},{"type":"object","properties":{"type":{"type":"string","description":"Choose if you have multiple \"Connected Accounts IDs\" on the Provisioning / Integration tab in your Federation app","enum":["multi"]},"parent":{"type":"string","description":"Parent AWS Account"}}}]}}}]}}}]}}}]}}}}
```

## The iam-assessment-item-with-metadata object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"iam-assessment-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/iam-assessment-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked.","properties":{"roleName":{"type":"string","description":"The name of the AWS IAM role to create for the P0 Amazon Web Services integration"},"inlinePolicy":{"type":"string","description":"The inline IAM policy to attach to the IAM role"},"inlinePolicyName":{"type":"string","description":"The name of the inline IAM policy"},"trustPolicy":{"type":"string","description":"The trust policy to attach to the IAM role for the P0 Amazon Web Services integration"},"serviceAccountId":{"type":"string","description":"The ID of the GCP service account that P0 uses to access your AWS account. This ID is already part of the trust policy."}}}}},"iam-assessment-item":{"type":"object","description":"Component configuration of a specific IAM assessment item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"accessAnalyzerArn":{"$ref":"#/components/schemas/accessAnalyzerArn"}}},"accessAnalyzerArn":{"type":"string","description":"ARN of this account's IAM Access Analyzer"}}}}
```

## The function-caller-item-with-metadata object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"function-caller-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/function-caller-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked.","properties":{"roleName":{"type":"string","description":"The name of the AWS IAM role to create for the P0 Amazon Web Services integration"},"inlinePolicy":{"type":"string","description":"The inline IAM policy to attach to the IAM role"},"inlinePolicyName":{"type":"string","description":"The name of the inline IAM policy"},"trustPolicy":{"type":"string","description":"The trust policy to attach to the IAM role for the P0 Amazon Web Services integration"},"serviceAccountId":{"type":"string","description":"The ID of the GCP service account that P0 uses to access your AWS account. This ID is already part of the trust policy."}}}}},"function-caller-item":{"type":"object","description":"Component configuration of a specific Function caller item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}}}
```
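The `iam-write`, `iam-assessment` and `function-caller` metadata objects above all return a `trustPolicy` string together with the `serviceAccountId` that is stated to be part of it. The following is an added example (not P0's code) of a pre-flight check to run on that metadata before creating the IAM role: it confirms every Allow statement is conditioned on the returned `serviceAccountId` and that no statement trusts a wildcard principal. It assumes `trustPolicy` is standard AWS IAM policy JSON; the sample metadata, including the condition key and the ID value, is constructed for illustration.

```python
import json


def as_list(value):
    """IAM JSON lets most elements be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_values(principal):
    """Flatten a Principal element ("*" or {"AWS": ..., "Federated": ...}) to a list."""
    if isinstance(principal, dict):
        return [v for values in principal.values() for v in as_list(values)]
    return as_list(principal)


def condition_values(condition):
    """Flatten {operator: {key: value-or-list}} to the list of compared values."""
    if not isinstance(condition, dict):
        return []
    return [str(v) for keys in condition.values() if isinstance(keys, dict)
            for values in keys.values() for v in as_list(values)]


def review_trust_policy(metadata):
    """Return a list of findings; an empty list means the policy passed these checks."""
    try:
        policy = json.loads(metadata["trustPolicy"])
    except (KeyError, TypeError, ValueError):
        return ["trustPolicy is missing or is not valid JSON"]
    if not isinstance(policy, dict):
        return ["trustPolicy is not a JSON object"]

    findings = []
    service_account_id = metadata.get("serviceAccountId")
    if not service_account_id:
        findings.append("metadata has no serviceAccountId to compare against")

    allows = [s for s in as_list(policy.get("Statement", []))
              if isinstance(s, dict) and s.get("Effect") == "Allow"]
    if not allows:
        findings.append("trust policy has no Allow statement")

    for index, statement in enumerate(allows):
        if "*" in principal_values(statement.get("Principal", {})):
            findings.append(f"statement {index}: wildcard principal")
        if service_account_id not in condition_values(statement.get("Condition")):
            findings.append(f"statement {index}: not conditioned on serviceAccountId")
    return findings


# Constructed sample of GET metadata; real values come from the API response.
SAMPLE_METADATA = {
    "roleName": "ExampleP0Role",
    "serviceAccountId": "100000000000000000001",
    "trustPolicy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "accounts.google.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {"accounts.google.com:aud": "100000000000000000001"}},
        }],
    }),
}
```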

## The inventory-item-with-metadata object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"inventory-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/inventory-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked."}}},"inventory-item":{"type":"object","description":"Component configuration of a specific Resource inventory item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}}}
```

## The access-logs-item-with-metadata object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"access-logs-item-with-metadata":{"type":"object","description":"Component configuration of a specific Amazon Web Services account.","properties":{"ok":{"type":"boolean","enum":[true]},"item":{"$ref":"#/components/schemas/access-logs-item"},"metadata":{"type":"object","description":"Metadata of the item. Use contents to prepare Amazon Web Services before invoking the POST /verify method. This field is only populated after the PUT method was invoked."}}},"access-logs-item":{"type":"object","description":"Component configuration of a specific Access Logging item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"cloudLakeArn":{"$ref":"#/components/schemas/cloudLakeArn"}}},"cloudLakeArn":{"type":"string","description":"What is the ARN of your CloudLake Data Store?"}}}}
```

## The serviceAccountEmail object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"serviceAccountEmail":{"type":"string","description":"P0 service account human-readable identifier"}}}}
```

## The serviceAccountId object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"serviceAccountId":{"type":"string","description":"P0 service account machine identifier"}}}}
```

## The base-item object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"base-item":{"type":"object","description":"Component configuration of a specific Base installation item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"serviceAccountEmail":{"$ref":"#/components/schemas/serviceAccountEmail"},"serviceAccountId":{"$ref":"#/components/schemas/serviceAccountId"}}},"serviceAccountEmail":{"type":"string","description":"P0 service account human-readable identifier"},"serviceAccountId":{"type":"string","description":"P0 service account machine identifier"}}}}
```

## The base object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"base":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/base-item"}},"base-item":{"type":"object","description":"Component configuration of a specific Base installation item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"serviceAccountEmail":{"$ref":"#/components/schemas/serviceAccountEmail"},"serviceAccountId":{"$ref":"#/components/schemas/serviceAccountId"}}},"serviceAccountEmail":{"type":"string","description":"P0 service account human-readable identifier"},"serviceAccountId":{"type":"string","description":"P0 service account machine identifier"}}}}
```

## The accessAnalyzerArn object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"accessAnalyzerArn":{"type":"string","description":"ARN of this account's IAM Access Analyzer"}}}}
```

## The iam-assessment object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"iam-assessment":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/iam-assessment-item"}},"iam-assessment-item":{"type":"object","description":"Component configuration of a specific IAM assessment item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"accessAnalyzerArn":{"$ref":"#/components/schemas/accessAnalyzerArn"}}},"accessAnalyzerArn":{"type":"string","description":"ARN of this account's IAM Access Analyzer"}}}}
```

## The iam-assessment-item object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"iam-assessment-item":{"type":"object","description":"Component configuration of a specific IAM assessment item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"accessAnalyzerArn":{"$ref":"#/components/schemas/accessAnalyzerArn"}}},"accessAnalyzerArn":{"type":"string","description":"ARN of this account's IAM Access Analyzer"}}}}
```

## The login object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"login":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"As AWS IAM users","enum":["iam"]},"identity":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"User name is user email","enum":["email"]}}},{"type":"object","properties":{"type":{"type":"string","description":"User email in a tag","enum":["tag"]},"tagName":{"type":"string","description":"Tag name"}}}]}}},{"type":"object","properties":{"type":{"type":"string","description":"P0 must be installed in the account that contains the Identity Center instance.","enum":["idc"]},"parent":{"type":"string","description":"Account with Identity Center instance"}}},{"type":"object","properties":{"type":{"type":"string","description":"Via a federated identity provider","enum":["federated"]},"provider":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Okta","enum":["okta"]},"appId":{"type":"string","description":"Application ID of your AWS federation application, in Okta."},"identityProvider":{"type":"string","description":"Identity of your identity provider integration, in AWS."},"method":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"SAML","enum":["saml"]},"accountCount":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Single account","enum":["single"]}}},{"type":"object","properties":{"type":{"type":"string","description":"Choose if you have multiple \"Connected Accounts IDs\" on the Provisioning / Integration tab in your Federation app","enum":["multi"]},"parent":{"type":"string","description":"Parent AWS Account"}}}]}}}]}}}]}}}]}}}}
```

## The iam-write object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"iam-write":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/iam-write-item"}},"iam-write-item":{"type":"object","description":"Component configuration of a specific IAM management item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"login":{"$ref":"#/components/schemas/login"}}},"login":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"As AWS IAM users","enum":["iam"]},"identity":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"User name is user email","enum":["email"]}}},{"type":"object","properties":{"type":{"type":"string","description":"User email in a tag","enum":["tag"]},"tagName":{"type":"string","description":"Tag name"}}}]}}},{"type":"object","properties":{"type":{"type":"string","description":"P0 must be installed in the account that contains the Identity Center instance.","enum":["idc"]},"parent":{"type":"string","description":"Account with Identity Center instance"}}},{"type":"object","properties":{"type":{"type":"string","description":"Via a federated identity provider","enum":["federated"]},"provider":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Okta","enum":["okta"]},"appId":{"type":"string","description":"Application ID of your AWS federation application, in Okta."},"identityProvider":{"type":"string","description":"Identity of your identity provider integration, in AWS."},"method":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"SAML","enum":["saml"]},"accountCount":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Single account","enum":["single"]}}},{"type":"object","properties":{"type":{"type":"string","description":"Choose if you have multiple \"Connected Accounts IDs\" on the Provisioning / Integration tab in your Federation app","enum":["multi"]},"parent":{"type":"string","description":"Parent AWS Account"}}}]}}}]}}}]}}}]}}}}
```

## The iam-write-item object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"iam-write-item":{"type":"object","description":"Component configuration of a specific IAM management item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"login":{"$ref":"#/components/schemas/login"}}},"login":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"As AWS IAM users","enum":["iam"]},"identity":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"User name is user email","enum":["email"]}}},{"type":"object","properties":{"type":{"type":"string","description":"User email in a tag","enum":["tag"]},"tagName":{"type":"string","description":"Tag name"}}}]}}},{"type":"object","properties":{"type":{"type":"string","description":"P0 must be installed in the account that contains the Identity Center instance.","enum":["idc"]},"parent":{"type":"string","description":"Account with Identity Center instance"}}},{"type":"object","properties":{"type":{"type":"string","description":"Via a federated identity provider","enum":["federated"]},"provider":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Okta","enum":["okta"]},"appId":{"type":"string","description":"Application ID of your AWS federation application, in Okta."},"identityProvider":{"type":"string","description":"Identity of your identity provider integration, in AWS."},"method":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"SAML","enum":["saml"]},"accountCount":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Single account","enum":["single"]}}},{"type":"object","properties":{"type":{"type":"string","description":"Choose if you have multiple \"Connected Accounts IDs\" on the Provisioning / Integration tab in your Federation app","enum":["multi"]},"parent":{"type":"string","description":"Parent AWS Account"}}}]}}}]}}}]}}}]}}}}
```

## The function-caller object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"function-caller":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/function-caller-item"}},"function-caller-item":{"type":"object","description":"Component configuration of a specific Function caller item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}}}
```

## The function-caller-item object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"function-caller-item":{"type":"object","description":"Component configuration of a specific Function caller item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}}}
```

## The cloudLakeArn object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"cloudLakeArn":{"type":"string","description":"What is the ARN of your CloudLake Data Store?"}}}}
```

## The access-logs object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"access-logs":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/access-logs-item"}},"access-logs-item":{"type":"object","description":"Component configuration of a specific Access Logging item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"cloudLakeArn":{"$ref":"#/components/schemas/cloudLakeArn"}}},"cloudLakeArn":{"type":"string","description":"What is the ARN of your CloudLake Data Store?"}}}}
```

## The access-logs-item object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"access-logs-item":{"type":"object","description":"Component configuration of a specific Access Logging item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"cloudLakeArn":{"$ref":"#/components/schemas/cloudLakeArn"}}},"cloudLakeArn":{"type":"string","description":"What is the ARN of your CloudLake Data Store?"}}}}
```

## The inventory object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"inventory":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/inventory-item"}},"inventory-item":{"type":"object","description":"Component configuration of a specific Resource inventory item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}}}
```

## The inventory-item object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"inventory-item":{"type":"object","description":"Component configuration of a specific Resource inventory item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}}}
```

## The aws object

```json
{"openapi":"3.0.4","info":{"title":"Amazon Web Services Integration API","version":"3.0.4"},"components":{"schemas":{"aws":{"type":"object","description":"Amazon Web Services integration configuration","properties":{"base":{"$ref":"#/components/schemas/base"},"iam-assessment":{"$ref":"#/components/schemas/iam-assessment"},"iam-write":{"$ref":"#/components/schemas/iam-write"},"function-caller":{"$ref":"#/components/schemas/function-caller"},"access-logs":{"$ref":"#/components/schemas/access-logs"},"inventory":{"$ref":"#/components/schemas/inventory"}}},"base":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/base-item"}},"base-item":{"type":"object","description":"Component configuration of a specific Base installation item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"serviceAccountEmail":{"$ref":"#/components/schemas/serviceAccountEmail"},"serviceAccountId":{"$ref":"#/components/schemas/serviceAccountId"}}},"serviceAccountEmail":{"type":"string","description":"P0 service account human-readable identifier"},"serviceAccountId":{"type":"string","description":"P0 service account machine identifier"},"iam-assessment":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/iam-assessment-item"}},"iam-assessment-item":{"type":"object","description":"Component configuration of a specific IAM assessment item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"accessAnalyzerArn":{"$ref":"#/components/schemas/accessAnalyzerArn"}}},"accessAnalyzerArn":{"type":"string","description":"ARN of this account's IAM Access Analyzer"},"iam-write":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/iam-write-item"}},"iam-write-item":{"type":"object","description":"Component configuration of a specific IAM management item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"login":{"$ref":"#/components/schemas/login"}}},"login":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"As AWS IAM users","enum":["iam"]},"identity":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"User name is user email","enum":["email"]}}},{"type":"object","properties":{"type":{"type":"string","description":"User email in a tag","enum":["tag"]},"tagName":{"type":"string","description":"Tag name"}}}]}}},{"type":"object","properties":{"type":{"type":"string","description":"P0 must be installed in the account that contains the Identity Center instance.","enum":["idc"]},"parent":{"type":"string","description":"Account with Identity Center instance"}}},{"type":"object","properties":{"type":{"type":"string","description":"Via a federated identity provider","enum":["federated"]},"provider":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Okta","enum":["okta"]},"appId":{"type":"string","description":"Application ID of your AWS federation application, in Okta."},"identityProvider":{"type":"string","description":"Identity of your identity provider integration, in AWS."},"method":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"SAML","enum":["saml"]},"accountCount":{"oneOf":[{"type":"object","properties":{"type":{"type":"string","description":"Single account","enum":["single"]}}},{"type":"object","properties":{"type":{"type":"string","description":"Choose if you have multiple \"Connected Accounts IDs\" on the Provisioning / Integration tab in your Federation app","enum":["multi"]},"parent":{"type":"string","description":"Parent AWS Account"}}}]}}}]}}}]}}}]},"function-caller":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/function-caller-item"}},"function-caller-item":{"type":"object","description":"Component configuration of a specific Function caller item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}},"access-logs":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/access-logs-item"}},"access-logs-item":{"type":"object","description":"Component configuration of a specific Access Logging item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]},"cloudLakeArn":{"$ref":"#/components/schemas/cloudLakeArn"}}},"cloudLakeArn":{"type":"string","description":"What is the ARN of your CloudLake Data Store?"},"inventory":{"type":"object","description":"All items of this component. Map of item identifier to the item configuration.","additionalProperties":{"$ref":"#/components/schemas/inventory-item"}},"inventory-item":{"type":"object","description":"Component configuration of a specific Resource inventory item.","properties":{"label":{"type":"string","description":"Friendly name of the item. (Optional)"},"state":{"type":"string","description":"The state of the item.","enum":["configure","error","installed","stage"]}}}}}}
```
