# Permission levels

When you request access to an AWS resource through P0, you select a permission level. Some permissions map directly to AWS-managed policies, while others are curated policies that P0 generates to provide least-privilege access.

**AWS-managed policies** reference a standard AWS IAM policy. When requesting resource-level access, P0 scopes the policy actions to the specific resource (or sub-resource if applicable) you request.

**P0 curated policies** are custom policies that P0 generates when no AWS-managed policy provides the right level of access. The following sections document the specific actions for each curated policy.

## S3

| Permission                | Type                 | Description                     |
| ------------------------- | -------------------- | ------------------------------- |
| `AmazonS3ReadOnlyAccess`  | AWS-managed (scoped) | Read and list objects           |
| `AmazonS3ReadWriteAccess` | P0 curated           | Read, write, and delete objects |
| `AmazonS3FullAccess`      | AWS-managed (scoped) | All S3 actions                  |

`AmazonS3ReadOnlyAccess` and `AmazonS3FullAccess` use the corresponding AWS-managed policy, but P0 scopes the actions to the bucket and prefix you specify in your request.

All three permission levels support object-level scoping. When you specify an object prefix (for example, `data/reports`), P0 restricts access to only that path within the bucket.

### AmazonS3ReadWriteAccess

P0 generates this policy because no AWS-managed policy provides read/write access without also granting bucket management permissions like changing ACLs or retention policies.

| Action                        | Purpose                                                                  |
| ----------------------------- | ------------------------------------------------------------------------ |
| `s3:GetObject`                | Download objects                                                         |
| `s3:PutObject`                | Upload objects                                                           |
| `s3:DeleteObject`             | Delete objects                                                           |
| `s3:AbortMultipartUpload`     | Cancel incomplete uploads                                                |
| `s3:ListMultipartUploadParts` | List parts of incomplete uploads                                         |
| `s3:ListBucket`               | List objects (scoped to your prefix when requesting object-level access) |

## EC2

| Permission                | Type        | Description                       |
| ------------------------- | ----------- | --------------------------------- |
| `AmazonEC2ReadOnlyAccess` | AWS-managed | Read-only access to EC2 resources |
| `AmazonEC2FullAccess`     | AWS-managed | Full access to EC2 resources      |

## EKS

| Permission           | Type       | Actions               |
| -------------------- | ---------- | --------------------- |
| `EksDescribeCluster` | P0 curated | `eks:DescribeCluster` |

## RDS

| Permission             | Type       | Actions          |
| ---------------------- | ---------- | ---------------- |
| `AmazonRDSConnectUser` | P0 curated | `rds-db:connect` |

## SageMaker

| Permission                | Type        | Description                             |
| ------------------------- | ----------- | --------------------------------------- |
| `AmazonSageMakerReadOnly` | AWS-managed | Read-only access to SageMaker resources |
| `SageMakerAdmin`          | P0 curated  | Broad SageMaker administration          |

### SageMakerAdmin

P0 generates this policy as a curated alternative to `AmazonSageMakerFullAccess`. The policy grants the following categories of access:

| Category           | Actions                                                             | Scope                                                    |
| ------------------ | ------------------------------------------------------------------- | -------------------------------------------------------- |
| SageMaker          | All SageMaker and SageMaker Geospatial actions                      | All resources                                            |
| Storage            | All S3 and S3 Express actions                                       | All resources                                            |
| Container registry | All ECR actions                                                     | All resources                                            |
| Code services      | All CodeCommit and CodeBuild actions                                | All resources                                            |
| Data processing    | All Glue actions                                                    | All resources                                            |
| Notifications      | All SNS actions                                                     | All resources                                            |
| Monitoring         | Read-only CloudWatch, CloudWatch Logs, and CloudFormation           | All resources                                            |
| Compute            | `ec2:Describe*`, create/delete network interfaces and VPC endpoints | All resources                                            |
| IAM                | `iam:PassRole`                                                      | SageMaker-prefixed roles only                            |
| IAM                | `iam:CreateServiceLinkedRole`                                       | SageMaker and RoboMaker service roles only               |
| Lambda             | `lambda:InvokeFunction`                                             | Functions matching `*SageMaker*` or `*LabelingFunction*` |
| Step Functions     | Describe, start, stop, and update executions                        | State machines matching `*sagemaker*`                    |
| Secrets Manager    | Create, describe, and read secrets                                  | Secrets prefixed with `AmazonSageMaker-`                 |

> **Important**: This policy grants broad access including `iam:PassRole` and full S3 permissions. Review your access policies to restrict which users can request this permission level.
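The review the note above asks for is easier to do mechanically: walk the policy's statements, flag the ones whose action patterns cover high-impact actions such as `iam:PassRole` or bucket-policy changes, and record whether each is resource-scoped or conditioned. The Python below is an added example of such a check, written for this page; the `SAMPLE_SAGEMAKER_ADMIN` document is a constructed policy that mirrors the shape of the table above (it is not the actual P0 `SageMakerAdmin` policy), and the `SENSITIVE_ACTIONS` watchlist is an assumption you would tune to your own environment.

```python
from fnmatch import fnmatchcase

# Watchlist of actions that warrant a second look in any broad grant.
# Assumed for this example; extend it to match your own review criteria.
SENSITIVE_ACTIONS = {
    "iam:PassRole",
    "s3:DeleteBucket",
    "s3:PutBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutObjectAcl",
}

# Constructed policy shaped like the SageMakerAdmin table, not P0's real policy.
SAMPLE_SAGEMAKER_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SageMakerAll", "Effect": "Allow",
         "Action": ["sagemaker:*", "sagemaker-geospatial:*"], "Resource": "*"},
        {"Sid": "StorageAll", "Effect": "Allow",
         "Action": ["s3:*", "s3express:*"], "Resource": "*"},
        {"Sid": "MonitoringRead", "Effect": "Allow",
         "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "logs:Describe*", "logs:Get*"],
         "Resource": "*"},
        {"Sid": "PassSageMakerRole", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/*SageMaker*",
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per Allow statement whose action patterns cover a
    watchlisted action. Wildcards in the statement (e.g. "s3:*") are expanded
    by matching each watchlisted action against the pattern."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        hits = sorted(a for a in SENSITIVE_ACTIONS
                      if any(fnmatchcase(a, p) for p in patterns))
        if not hits:
            continue
        unscoped = "*" in resources
        conditioned = "Condition" in stmt
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": hits,
            "resources": resources,
            "unscoped": unscoped,
            "conditioned": conditioned,
            # Unscoped and unconditioned grants are the ones to restrict first.
            "severity": "high" if unscoped and not conditioned else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_SAGEMAKER_ADMIN):
        print(f"{finding['severity']:6} {finding['sid']}: {', '.join(finding['actions'])}"
              f" on {finding['resources']}")
```

Run against the sample, the full-S3 statement comes out as `high` (wildcard resource, no condition) while the `iam:PassRole` statement comes out as `review`, since it is limited to SageMaker-named roles and to the SageMaker service; that distinction is what decides which requesters should be allowed this permission level.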

## SSM

| Permission                    | Type        | Description                                |
| ----------------------------- | ----------- | ------------------------------------------ |
| `AmazonSSMFullAccess`         | AWS-managed | Full access to Systems Manager             |
| `SessionManagerConnectAccess` | P0 curated  | Start a session on a specific EC2 instance |

### SessionManagerConnectAccess

P0 generates this policy to allow Session Manager access to one specific EC2 instance, with sessions that expire automatically.

| Action                 | Purpose                                   | Scope                                        |
| ---------------------- | ----------------------------------------- | -------------------------------------------- |
| `ssm:StartSession`     | Start a session on the requested instance | Specific EC2 instance, with automatic expiry |
| `ssm:TerminateSession` | End a session                             | Your own sessions only                       |
| `ssm:ResumeSession`    | Reconnect to a session                    | Your own sessions only                       |
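The two scoping techniques in the table, a single instance ARN with an automatic expiry on `ssm:StartSession` and an "own sessions only" limit on terminate/resume, can be expressed with standard IAM building blocks: a `DateLessThan` condition on `aws:CurrentTime` for the expiry and the `${aws:username}` policy variable in the session ARN for ownership. The Python below is an added example constructed for this page, not P0's generated policy; the region, account id and instance id are placeholders, and `start_session_allowed` is a simplified local evaluator (Allow statements only) used to show how the expiry behaves.

```python
import json
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the UTC format aws:CurrentTime is compared against


def expiry_in(minutes: int) -> str:
    """UTC timestamp `minutes` from now, formatted for a DateLessThan condition."""
    return (datetime.now(timezone.utc) + timedelta(minutes=minutes)).strftime(TIME_FORMAT)


def session_manager_connect_policy(region: str, account_id: str,
                                   instance_id: str, expires_at_utc: str) -> dict:
    """Policy with the three actions from the SessionManagerConnectAccess table."""
    instance_arn = f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnRequestedInstance",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": instance_arn,  # exactly one instance
                # The grant stops working once the deadline passes, with no
                # policy change needed.
                "Condition": {"DateLessThan": {"aws:CurrentTime": expires_at_utc}},
            },
            {
                "Sid": "ManageOwnSessions",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                # Session IDs are prefixed with the caller's user name, so this
                # variable limits the grant to sessions the caller started.
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def start_session_allowed(policy: dict, instance_arn: str, now_utc: str) -> bool:
    """Simplified check of the StartSession grant: the instance must match a
    statement resource and the DateLessThan deadline must not have passed.
    Timestamps are compared as strings, which is valid because both sides use
    the same fixed-width UTC format."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase("ssm:StartSession", a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(instance_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        deadline = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
        if deadline is not None and now_utc >= deadline:
            continue  # expired
        return True
    return False


# Constructed request: region, account id and instance id are placeholders.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
POLICY = session_manager_connect_policy(
    "us-east-1", "123456789012", "i-0123456789abcdef0", "2030-01-01T12:00:00Z")

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(start_session_allowed(POLICY, INSTANCE_ARN, "2030-01-01T11:59:59Z"))
```

The ownership statement deliberately has no expiry: a user whose `StartSession` grant has lapsed should still be able to terminate a session they started, otherwise the session lingers past the approved window.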
