AWS Integration API

Overview

The P0 AWS Integration API allows you to programmatically manage installable components for integrating Amazon Web Services (AWS) within P0. Each component follows a consistent lifecycle—staging, verification, and configuration—and is typically identified by its AWS account ID.

This API is especially useful for automating cloud access, enabling just-in-time (JIT) permissions, and managing integrations across multiple AWS accounts at scale.

Typical use cases include:

• Set up secure, multi-account AWS access for users via P0.

• Automatically provision roles and permissions in AWS environments.

• Integrate AWS accounts with P0's monitoring or access tools.

Key Concepts

• Integration Root Object: Represents the top-level configuration for an AWS integration within your organization.

• Components: Installable parts of the integration (e.g., IAM roles, logging, monitoring). Each component is scoped to an AWS account (via its 12-digit ID).

• States:

  • stage: Initial configuration before verification.

  • configure: Successfully verified and missing additional configuration options.

  • installed: Ready to be used.

• Base Component: Created automatically by P0. It includes the GCP service account used by P0 to interact with AWS. It will be automatically created by P0 as a side effect when the first component is created with the POST method. The base component contains the GCP service account assigned to the integration by P0.

Integration Lifecycle

1. Create the root integration

Before adding components, you must initialize the integration:

POST /o/{orgId}/integrations/aws/config

This sets up the foundation for all further AWS integrations within your organization.

2. Stage a component

Choose a component (e.g., access, logging, etc.) and stage it by specifying the AWS account ID:

PUT /o/{orgId}/integrations/aws/config/{component}/{id}

• {component}: Type of component to install.

• {id}: an AWS account ID (12 digits).

⚠️ The base component is automatically created when you stage the first component.

Installation Components

• Base: Core platform layer for authentication, tenant isolation, and routing.

• IAM Write: Handles just-in-time access provisioning when requests are approved.

• IAM Assessment: Continuously evaluates user permissions against least privilege principles.

• Function Caller: Executes user-defined functions or workflows during request processing.

• Audit Logging: Provides a tamper-evident trail for compliance and security investigations.

• Resource Inventory: Indexes all manageable resources across integrations in real time.

3. Retrieve setup instructions

To configure AWS correctly, retrieve the staged component metadata:

GET /o/{orgId}/integrations/aws/config/{component}/{id}

The response includes a metadata field with the exact parameters (e.g., IAM role ARN, trust policy) needed for setup in AWS.

4. Verify AWS configuration

Once the AWS setup is complete, verify it with:

POST /o/{orgId}/integrations/aws/config/{component}/{id}/verify

• P0 will validate the setup by reaching out to AWS.

• On success, the component enters the configure state.

5. Review configuration

You can confirm the integration status:

GET /o/{orgId}/integrations/aws/config/{component}/{id}

• The response item field shows the current state and configurable fields.

6. Finalize configuration

You may change the integration configuration by passing the desired item field:

POST /o/{orgId}/integrations/aws/config/{component}/{id}/configure

• The configure endpoint MUST be called after verify when a new AWS account is installed.

• The configure endpoint may also be called to change the configuration of an existing AWS account without reinstalling it. In this case, a successful response indicates that P0 has both configured and verified the new configuration.

Base Installation

Configures the foundational connection between P0 and Amazon Web Services. Each item in the configuration represents an AWS account, identified by a 12-digit numeric account ID. This component is automatically created when the first integration is added. It provisions the service account that P0 uses to securely interact with your AWS environment.

IAM Assessment Component

Enables P0 to evaluate IAM roles, policies, and permissions within your AWS accounts. Each item represents an AWS account, identified by the 12-digit account ID. This component supports governance, policy posture analysis, and inventory visibility features on the P0 platform.

IAM Management

Allows P0 to manage IAM permissions in your AWS environment. Each item corresponds to an AWS account (12-digit account ID). This component is used for features like Just-in-Time access, where P0 can programmatically assign or revoke IAM policies based on user activity or approval workflows.

Function Caller

Allows P0 to invoke AWS Lambda functions on your behalf. Unlike other components, each item in this configuration represents a specific Lambda ARN. This is useful for custom integrations such as automated notifications, policy enforcement, or triggering cloud-native workflows.

Access Logs

Connects P0 to your AWS CloudTrail logs for audit and monitoring purposes. Each configuration item corresponds to an AWS account and allows P0 to read access logs. This enables audit trails and visibility into user actions across your cloud environment.

Resource Inventory

Provides P0 with visibility into AWS resources (e.g., S3 buckets, EC2 instances) for access control and automation. Each item in the configuration is tied to an AWS account. This component enables resource-based access governance within the P0 platform.

Schemas