
Permission levels

Permission levels available when requesting just-in-time access to AWS resources through P0, including P0 curated policies and scoped AWS-managed policies.

When you request access to an AWS resource through P0, you select a permission level. Some permissions map directly to AWS-managed policies, while others are curated policies that P0 generates to provide least-privilege access.

AWS-managed policies reference a standard AWS IAM policy. When requesting resource-level access, P0 scopes the policy actions to the specific resource (or sub-resource if applicable) you request.

P0 curated policies are custom policies that P0 generates when no AWS-managed policy provides the right level of access. The following sections document the specific actions for each curated policy.

S3

| Permission | Type | Description |
| --- | --- | --- |
| AmazonS3ReadOnlyAccess | AWS-managed (scoped) | Read and list objects |
| AmazonS3ReadWriteAccess | P0 curated | Read, write, and delete objects |
| AmazonS3FullAccess | AWS-managed (scoped) | All S3 actions |

AmazonS3ReadOnlyAccess and AmazonS3FullAccess use the corresponding AWS-managed policy, but P0 scopes the actions to the bucket and prefix you specify in your request.

All three permission levels support object-level scoping. When you specify an object prefix (for example, data/reports), P0 restricts access to only that path within the bucket.

AmazonS3ReadWriteAccess

P0 generates this policy because no AWS-managed policy provides read/write access without also granting bucket management permissions like changing ACLs or retention policies.

| Action | Purpose |
| --- | --- |
| s3:GetObject | Download objects |
| s3:PutObject | Upload objects |
| s3:DeleteObject | Delete objects |
| s3:AbortMultipartUpload | Cancel incomplete uploads |
| s3:ListMultipartUploadParts | List parts of incomplete uploads |
| s3:ListBucket | List objects (scoped to your prefix when requesting object-level access) |
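To make the scoping concrete, here is an added illustration (not P0's own code, and not necessarily the exact document P0 generates) of how the six actions above can be expressed as a single IAM policy limited to one bucket and an optional prefix such as data/reports. The bucket name and the function names are assumptions for the example; the key points are that object actions apply only under the prefix, that s3:ListBucket is tied to the bucket ARN with an s3:prefix condition, and that no bucket-management action (ACLs, bucket policies, retention) appears in the policy.

```python
import json

# Object-level actions listed in the AmazonS3ReadWriteAccess table above.
OBJECT_ACTIONS = [
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts",
]


def s3_read_write_policy(bucket: str, prefix: str = "") -> dict:
    """Build a read/write policy scoped to one bucket and optional prefix.

    Object actions are allowed on bucket/prefix/* (or bucket/* when no
    prefix is given). s3:ListBucket must target the bucket ARN itself, so
    it is restricted with an s3:prefix condition instead of a resource path.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix = prefix.strip("/")
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    list_stmt = {
        "Sid": "ListScopedPrefix",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": bucket_arn,
    }
    if prefix:
        # Allow listing the prefix itself and anything beneath it, nothing else.
        list_stmt["Condition"] = {
            "StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ObjectReadWrite", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": object_arn},
            list_stmt,
        ],
    }


def allowed_actions(policy: dict) -> set:
    """Collect every action granted by the policy, for a quick review check."""
    actions = set()
    for stmt in policy["Statement"]:
        act = stmt["Action"]
        actions.update([act] if isinstance(act, str) else act)
    return actions


if __name__ == "__main__":
    # Constructed example request: bucket "example-bucket", prefix "data/reports".
    print(json.dumps(s3_read_write_policy("example-bucket", "data/reports"), indent=2))
```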

EC2

| Permission | Type | Description |
| --- | --- | --- |
| AmazonEC2ReadOnlyAccess | AWS-managed | Read-only access to EC2 resources |
| AmazonEC2FullAccess | AWS-managed | Full access to EC2 resources |

EKS

| Permission | Type | Actions |
| --- | --- | --- |
| EksDescribeCluster | P0 curated | eks:DescribeCluster |

RDS

| Permission | Type | Actions |
| --- | --- | --- |
| AmazonRDSConnectUser | P0 curated | rds-db:connect |

SageMaker

| Permission | Type | Description |
| --- | --- | --- |
| AmazonSageMakerReadOnly | AWS-managed | Read-only access to SageMaker resources |
| SageMakerAdmin | P0 curated | Broad SageMaker administration |

SageMakerAdmin

P0 generates this policy as a curated alternative to AmazonSageMakerFullAccess. The policy grants the following categories of access:

| Category | Actions | Scope |
| --- | --- | --- |
| SageMaker | All SageMaker and SageMaker Geospatial actions | All resources |
| Storage | All S3 and S3 Express actions | All resources |
| Container registry | All ECR actions | All resources |
| Code services | All CodeCommit and CodeBuild actions | All resources |
| Data processing | All Glue actions | All resources |
| Notifications | All SNS actions | All resources |
| Monitoring | Read-only CloudWatch, CloudWatch Logs, and CloudFormation | All resources |
| Compute | ec2:Describe*, create/delete network interfaces and VPC endpoints | All resources |
| IAM | iam:PassRole | SageMaker-prefixed roles only |
| IAM | iam:CreateServiceLinkedRole | SageMaker and RoboMaker service roles only |
| Lambda | lambda:InvokeFunction | Functions matching *SageMaker* or *LabelingFunction* |
| Step Functions | Describe, start, stop, and update executions | State machines matching *sagemaker* |
| Secrets Manager | Create, describe, and read secrets | Secrets prefixed with AmazonSageMaker- |

Important: This policy grants broad access including iam:PassRole and full S3 permissions. Review your access policies to restrict which users can request this permission level.

SSM

| Permission | Type | Description |
| --- | --- | --- |
| AmazonSSMFullAccess | AWS-managed | Full access to Systems Manager |
| SessionManagerConnectAccess | P0 curated | Start a session on a specific EC2 instance |

SessionManagerConnectAccess

P0 generates this policy to allow SSM session access scoped to a specific EC2 instance with time-limited sessions.

| Action | Purpose | Scope |
| --- | --- | --- |
| ssm:StartSession | Start a session on the requested instance | Specific EC2 instance, with automatic expiry |
| ssm:TerminateSession | End a session | Your own sessions only |
| ssm:ResumeSession | Reconnect to a session | Your own sessions only |
