AWS Integration API
Manage installable components of the P0 Amazon Web Services integration.
This API may change in a non-backward-compatible way. Please inform P0 Security support if you are planning to use it in production in order to receive notifications about changes.
Overview
The P0 AWS Integration API lets you programmatically manage the installable components that integrate Amazon Web Services (AWS) with P0. Each component follows the same lifecycle (staging, verification, and configuration) and is typically identified by its AWS account ID.
This API is especially useful for automating cloud access, enabling just-in-time (JIT) permissions, and managing integrations across multiple AWS accounts at scale.
Typical use cases include:
Set up secure, multi-account AWS access for users via P0.
Automatically provision roles and permissions in AWS environments.
Integrate AWS accounts with P0's monitoring or access tools.
Key Concepts
Integration Root Object: Represents the top-level configuration for an AWS integration within your organization.
Components: Installable parts of the integration (e.g., IAM roles, logging, monitoring). Each component is scoped to an AWS account (via its 12-digit ID).
States:
stage: Initial configuration before verification.
configure: Successfully verified, but still missing additional configuration options.
installed: Ready to be used.
Base Component: Created automatically by P0 as a side effect when the first component is created with the POST method. It contains the GCP service account that P0 assigns to the integration and uses to interact with AWS.
Integration Lifecycle
1. Create the root integration
Before adding components, you must initialize the integration:
POST /o/{orgId}/integrations/aws/config
This sets up the foundation for all further AWS integrations within your organization.
2. Stage a component
Choose a component (e.g., access, logging, etc.) and stage it by specifying the AWS account ID:
PUT /o/{orgId}/integrations/aws/config/{component}/{id}
{component}: Type of component to install.
{id}: An AWS account ID (12 digits).
Note: The base component is automatically created when you stage the first component.
Installation Components
Base: Core platform layer for authentication, tenant isolation, and routing.
IAM Write: Handles just-in-time access provisioning when requests are approved.
IAM Assessment: Continuously evaluates user permissions against least privilege principles.
Function Caller: Executes user-defined functions or workflows during request processing.
Audit Logging: Provides a tamper-evident trail for compliance and security investigations.
Resource Inventory: Indexes all manageable resources across integrations in real time.
3. Retrieve setup instructions
To configure AWS correctly, retrieve the staged component metadata:
GET /o/{orgId}/integrations/aws/config/{component}/{id}
The response includes a metadata field with the exact parameters (e.g., IAM role ARN, trust policy) needed for setup in AWS.
4. Verify AWS configuration
Once the AWS setup is complete, verify it with:
POST /o/{orgId}/integrations/aws/config/{component}/{id}/verify
P0 will validate the setup by reaching out to AWS.
On success, the component enters the configure state.
5. Review configuration
You can confirm the integration status:
GET /o/{orgId}/integrations/aws/config/{component}/{id}
The response's item field shows the current state and configurable fields.
6. Finalize configuration
You may change the integration configuration by passing the desired item field:
POST /o/{orgId}/integrations/aws/config/{component}/{id}/configure
The configure endpoint MUST be called after verify when a new AWS account is installed.
The configure endpoint may also be called to change the configuration of an existing AWS account without reinstalling it. In this case, a successful response indicates that P0 has both configured and verified the new configuration.
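The six lifecycle steps above, driven end to end by a small client that refuses to call configure before verify has moved the component into the configure state. This is an added example, not P0's SDK: only the endpoint paths come from this page; the bearer-less transport signature, the "state" key inside item, the role_arn metadata key and the FakeP0 stand-in are assumptions constructed for offline use.

```python
import re
from typing import Callable, Optional

# Component ids are 12-digit AWS account IDs, except Function Caller items (Lambda ARNs).
VALID_ID = re.compile(r"^(\d{12}|arn:aws:lambda:[^:]+:\d{12}:function:.+)$")
Transport = Callable[[str, str, Optional[dict]], dict]  # (method, path, body) -> JSON


class P0AwsIntegration:
    def __init__(self, org_id: str, transport: Transport):
        self.base = f"/o/{org_id}/integrations/aws/config"
        self.send = transport

    def create_root(self) -> dict:  # step 1: the root object must exist first
        return self.send("POST", self.base, None)

    def path(self, component: str, item_id: str) -> str:
        if not VALID_ID.match(item_id):  # reject ids that are not account IDs / Lambda ARNs
            raise ValueError(f"invalid component id {item_id!r}")
        return f"{self.base}/{component}/{item_id}"

    def stage(self, component, item_id):  # step 2: PUT stages it (creates 'base' on first use)
        return self.send("PUT", self.path(component, item_id), None)

    def setup_metadata(self, component, item_id) -> dict:  # step 3: e.g. role ARN, trust policy
        return self.send("GET", self.path(component, item_id), None)["metadata"]

    def verify(self, component, item_id):  # step 4: P0 reaches out to AWS to validate
        return self.send("POST", self.path(component, item_id) + "/verify", None)

    def state(self, component, item_id) -> str:  # step 5; "state" inside item is assumed
        return self.send("GET", self.path(component, item_id), None)["item"]["state"]

    def configure(self, component, item_id, item: dict):  # step 6: must follow verify
        return self.send("POST", self.path(component, item_id) + "/configure", {"item": item})

    def install(self, component, item_id, item: dict) -> str:
        """Run stage -> verify -> configure and return the final state."""
        self.stage(component, item_id)
        self.verify(component, item_id)
        if (s := self.state(component, item_id)) != "configure":
            raise RuntimeError(f"expected 'configure' state after verify, got {s!r}")
        self.configure(component, item_id, item)
        return self.state(component, item_id)


class FakeP0:
    """Constructed in-memory stand-in for the API, modelling the documented states."""
    def __init__(self):
        self.items = {}

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        key, action = path, None
        for suffix in ("/verify", "/configure"):
            if path.endswith(suffix):
                key, action = path[: -len(suffix)], suffix[1:]
        if method == "PUT":
            self.items[key] = {"state": "stage", "config": {}}
        elif action == "verify":
            self.items[key]["state"] = "configure"
        elif action == "configure":
            if self.items[key]["state"] == "stage":
                raise RuntimeError("configure called before verify")
            self.items[key] = {"state": "installed", "config": body["item"]}
        return {"item": self.items.get(key, {}), "metadata": {"role_arn": "<placeholder>"}}
```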
Base Installation
Configures the foundational connection between P0 and Amazon Web Services. Each item in the configuration represents an AWS account, identified by a 12-digit numeric account ID. This component is automatically created when the first integration is added. It provisions the service account that P0 uses to securely interact with your AWS environment.
IAM Assessment Component
Enables P0 to evaluate IAM roles, policies, and permissions within your AWS accounts. Each item represents an AWS account, identified by the 12-digit account ID. This component supports governance, policy posture analysis, and inventory visibility features on the P0 platform.
IAM Management
Allows P0 to manage IAM permissions in your AWS environment. Each item corresponds to an AWS account (12-digit account ID). This component is used for features like Just-in-Time access, where P0 can programmatically assign or revoke IAM policies based on user activity or approval workflows.
Function Caller
Allows P0 to invoke AWS Lambda functions on your behalf. Unlike other components, each item in this configuration represents a specific Lambda ARN. This is useful for custom integrations such as automated notifications, policy enforcement, or triggering cloud-native workflows.
Access Logs
Connects P0 to your AWS CloudTrail logs for audit and monitoring purposes. Each configuration item corresponds to an AWS account and allows P0 to read access logs. This enables audit trails and visibility into user actions across your cloud environment.
Resource Inventory
Provides P0 with visibility into AWS resources (e.g., S3 buckets, EC2 instances) for access control and automation. Each item in the configuration is tied to an AWS account. This component enables resource-based access governance within the P0 platform.