P0 App Documentation

AWS Filtering

We'll go through all the available access-types for AWS request filtering.

Filtering on tags

Policies and permission sets can be filtered based on their tags in AWS. To do this, use the tag access-type. The key is the tag key, and the pattern matches on the tag value.

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep|remove|removeAll
      key: <tag key>
      pattern: <regex pattern>

Allow requesting only policies and permission sets with the tag "environment" set to "dev":

resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep
      key: environment
      pattern: ^dev$

Filtering on IAM groups

To filter on IAM group requests, we can use the group access-type. There is a single available key, name, which refers to the name of the IAM group.

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    group:
      effect: keep|remove|removeAll
      key: name
      pattern: <regex pattern>

Allow requesting any IAM group except for "Admin" (note the remove effect; keep with the same pattern would allow only the Admin group):

resource:
  type: integration
  service: aws
  filters:
    group:
      effect: remove
      key: name
      pattern: ^Admin$

Filtering on permission sets

To filter on Identity Center permission set requests, we can use the permission-set access-type. There are two available keys, name (the name of the permission set) and arn (the ARN of the permission set).

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep|remove|removeAll
      key: name|arn
      pattern: <regex pattern>

Allow requesting only permission sets with "project-1" in the name:

resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep
      key: name
      pattern: project-1

Filtering on policies

To filter on IAM policy requests, we can use the policy access-type. There is a single available key, arn, which refers to the ARN of the IAM policy.

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep|remove|removeAll
      key: arn
      pattern: <regex pattern>

Allow requesting only the AWS-managed (predefined) policies whose names start with "AmazonS3":

resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep
      key: arn
      pattern: ^arn:aws:iam::aws:policy/AmazonS3

Filtering on resources

To filter on permission requests, we can use the resource access-type. There are 3 available keys:

  • name: This is the name of the resource.

  • service: This is the AWS service that the resource belongs to: for example, s3, or sagemaker. It is the segment of the resource ARN immediately after arn:aws:. For example, if the ARN is arn:aws:iam::391052057035:role/AmazonEKSNodeRole the service is iam.

  • arn: This is the ARN of the resource.

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|service|arn
      pattern: <regex pattern>

Allow requesting only S3 resources:

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: service
      pattern: ^s3$

Allow requesting any resource except for IAM resources:

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: service
      pattern: ^iam$

Allow requesting any resource containing "project-1" in the name:

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: name
      pattern: project-1

Allow requesting only S3 buckets with names starting with "dev":

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: arn
      pattern: ^arn:aws:s3:::dev

Allow requesting any resource except for the S3 bucket named "top-secret-bucket" (this needs the remove effect; keep would allow only that bucket):

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: arn
      pattern: ^arn:aws:s3:::top-secret-bucket$
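To check how a rule will behave before deploying it, the following added example (not P0's own code) models the keep/remove semantics of the tag and resource filters described on this page over a constructed catalogue of resources. It assumes the pattern is an unanchored regex search (so ^ and $ are needed for exact matches, as in the examples above), that the service key is the ARN segment after arn:aws:, and that an absent tag never matches; removeAll is not defined on this page and is not modelled.

```python
import re

# Constructed sample catalogue (placeholder account id, not real data).
SAMPLE = [
    {"name": "dev-logs", "arn": "arn:aws:s3:::dev-logs",
     "tags": {"environment": "dev"}},
    {"name": "top-secret-bucket", "arn": "arn:aws:s3:::top-secret-bucket",
     "tags": {"environment": "prod"}},
    {"name": "AmazonEKSNodeRole",
     "arn": "arn:aws:iam::123456789012:role/AmazonEKSNodeRole", "tags": {}},
    {"name": "project-1-nb",
     "arn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/project-1-nb",
     "tags": {"environment": "dev"}},
]


def service_of(arn):
    """The service is the third colon-separated field: arn:aws:<service>:..."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2]


def subject(item, filter_type, key):
    """Return the string the pattern is tested against, or None if absent."""
    if filter_type == "tag":
        return item.get("tags", {}).get(key)  # assumption: missing tag never matches
    if filter_type == "resource":
        if key == "service":
            return service_of(item["arn"])
        if key in ("name", "arn"):
            return item[key]
    raise ValueError(f"unsupported filter {filter_type}/{key}")


def apply_filter(items, filter_type, rule):
    """rule = {'effect': 'keep'|'remove', 'key': ..., 'pattern': <regex>}."""
    if rule["effect"] not in ("keep", "remove"):
        raise ValueError("only keep and remove are modelled here")
    regex = re.compile(rule["pattern"])  # assumption: re.search semantics

    def matches(item):
        value = subject(item, filter_type, rule["key"])
        return value is not None and regex.search(value) is not None

    if rule["effect"] == "keep":
        return [i for i in items if matches(i)]
    return [i for i in items if not matches(i)]


def requestable_arns(items, filter_type, rule):
    return [i["arn"] for i in apply_filter(items, filter_type, rule)]
```

A stray character after $ (for example ^dev$.) can never match, so such a keep rule silently makes nothing requestable; running the rule through this model before committing it catches that.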
Last updated 1 year ago
