# Requesting AWS access

## Requesting from Slack or through p0.app

Open up the p0 modal using `/p0 request` in Slack or with [the Request Access feature ](https://docs.p0.dev/integrations/resource-integrations/aws/pages/kn3Mg03ByLowqw155BWv#via-the-p0.app)in p0.app and select "Amazon Web Services" as the resource.

<figure><img src="/files/OsnHwVcVLGjYbYaRMm23" alt="" width="290"><figcaption></figcaption></figure>

You'll see an "Access type" field with 2 options, "Attach user policy", and "Add user to group".

<figure><img src="/files/oYukdoo59cUXQLdS5VjF" alt="" width="289"><figcaption></figcaption></figure>

* **"Attach user policy":** request a user policy to be attached to your AWS user. The policy can either be a customer-managed or AWS-managed policy.
* **"Add user to group":** request your AWS user to be added to a user group.

<figure><img src="/files/jb5nmEAqT1lnnorHJJWG" alt="" width="375"><figcaption></figcaption></figure>

P0 auto-completes as you start typing out the policy or group. Once you select the policy / group you need, you can optionally add a reason for p0 to supply to the approver(s), then submit the request. If an existing policy / group isn't shown in the auto-complete results, it may be [filtered out by access policies](/access-management/just-in-time-access/request-routing.md#resource).

### Fine-grained resource-level access

If you installed the [Resource inventory](/integrations/resource-integrations/aws.md#setting-up-aws-resource-inventory) integration you will be able to choose the "Resource in AWS" access type. You can specify the exact resource and a policy. P0 will generate a new policy that contains the actions from the selected policy filtered to the selected resource.

For example, request access to a specific S3 bucket called `p0-sensitive-data`:

<figure><img src="/files/efCHUAx9vTvmHR3vTWfp" alt="" width="432"><figcaption></figcaption></figure>

When requesting access to an AWS resource, each service offers multiple permission levels ranging from read-only to full access. For some services, P0 provides curated policies that grant least-privilege access when no suitable AWS-managed policy exists. For details on the specific permissions granted for each policy, see [AWS permission levels](/integrations/resource-integrations/aws/requesting-access/permission-levels.md).

### What happens next

Once you make the request, you should get a Slack message from the p0 bot showing your request. There will also be a message to the approvers in the Slack channel designated by your org admin, requesting access.

1. If your request is approved, when you get a message that it has been approved, that means you should already have access provisioned, as that happens all at the same time.
2. **If you are on-call (on a PagerDuty schedule), and your org admin has enabled PagerDuty routing, your access may be automatically approved for 1 hour.**
3. After your request is approved, there will be a “relinquish” button for you to let go of your permissions early if you finish what you wanted to do before the expiration date (so you can let go of unneeded permissions).
4. If you wait for the access to expire, you will get a message that it has expired once it does.
5. If your request is denied, you'll get a message letting you know.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.p0.dev/integrations/resource-integrations/aws/requesting-access.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.