---
title: Integrating PingOne Authorize with Amazon Web Services
description: Ping Identity's integration kit for Amazon Web Services (AWS) extends AWS's authorization capabilities through an external policy evaluation service.
component: pingone
page_id: pingone:authorization_using_pingone_authorize:p1_az_amazon_web_services_integration
canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1_az_amazon_web_services_integration.html
revdate: April 11, 2025
page_aliases: ["p1_az_amazon_api_gateway_integration.adoc", "configure_cloudwatch_log_amazon_api_gateway.adoc"]
section_ids:
  aws_policy_limitations: Policy limitations
---

# Integrating PingOne Authorize with Amazon Web Services

Ping Identity's integration kit for Amazon Web Services (AWS) extends AWS's authorization capabilities through an external policy evaluation service.

Integration with AWS allows centralized management of API access control and application protection in PingOne Authorize while delegating enforcement to AWS. Learn more about how this integration kit interacts with PingOne Authorize in [How API Access Management works](p1az_introduction.html#section_lvy_vgt_zsb).

Install and configure the integration kit in AWS to enable management of access control rules in PingOne Authorize. The integration kit works with Amazon API Gateway or Amazon CloudFront.

To configure the integration kit:

* [Set up an API gateway](p1az_configuring_p1az_for_amazon_integration.html) in PingOne Authorize

Choose one:

* Configure the integration kit as a [Lambda authorizer](p1az_configuring_amazon_for_p1az_integration.html) that works with Amazon API Gateway.

* Configure the integration kit as a [Lambda@Edge function](p1az_configuring_cloudfront_lambda_edge.html) that works with Amazon CloudFront.

  Version 1.4.0 of the integration kit supports integration with Amazon CloudFront.

## Policy limitations

The integration kit supports all of the [basic rules](p1az_add_api_service_operations.html#built_in_access_control_rules) for controlling access to your protected API resources.

Although you can use the **authentication policy** and **time since last authentication** basic rules to control access to sensitive resources, AWS doesn't return the full step-up [challenge response](../authentication/p1_stepup_authentication_for_apis.html#request_requires_additional_auth). When these rules produce deny decisions, AWS returns a simple deny response with an HTTP status code.

The following limitations apply to using [custom policies](p1az_adding_custom_policies_for_api_services_and_operations.html) for API services and operations with this integration kit:

* PingOne Authorize only evaluates policies that target the inbound request.

* The [built-in](p1_az_built_in_attributes.html) `PingOne.API Access Management.HTTP.Request.Body` attribute is not available for authorizing inbound requests.

* When PingOne Authorize permits an inbound request, no request transformations are applied before AWS forwards the request to the backend API.

* Headers set in policy aren't included in the AWS response to the client.

* In policies that use the `auth-challenge` [statement](p1az_statement_templates.html#step_up_statement_template), only the `httpStatus` payload property affects the response.

  When deploying the integration kit with Amazon API Gateway, setting this property to `401` results in an `UNAUTHORIZED` response that defaults to a `401` status code. Any other value results in an `ACCESS_DENIED` response that defaults to a `403` status code. To learn how to modify the default status code, refer to [Gateway responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gatewayResponse-definition.html) in the Amazon API Gateway documentation.

* When deploying the integration kit with CloudFront, responses for deny decisions don't include response bodies.
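
The Amazon API Gateway behavior described for `auth-challenge` and policy-set headers follows from what a Lambda authorizer is able to return. The following added example (not the integration kit's code) models a REST API Lambda authorizer's two deny paths. The `decision` dictionary shape, the function names, and the method ARN are assumptions made for illustration.

```python
# Added example, not the integration kit's code. Models the output contract of
# an API Gateway REST API Lambda authorizer. The decision dict keys ("permit",
# "httpStatus", "headers") and the ARN below are constructed for illustration.

METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"


def build_policy(principal_id, effect, method_arn):
    """Return the IAM policy shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }


def to_authorizer_result(decision, method_arn=METHOD_ARN, principal_id="user"):
    """Translate an external permit/deny decision into an authorizer result.

    Neither exit path has a field for client response headers or a body,
    so decision["headers"] cannot reach the caller and is ignored here.
    """
    if decision.get("permit"):
        return build_policy(principal_id, "Allow", method_arn)
    if decision.get("httpStatus") == 401:
        # This exact message selects the UNAUTHORIZED gateway response (401).
        raise Exception("Unauthorized")
    # Every other deny becomes an explicit Deny policy, which API Gateway
    # answers with the ACCESS_DENIED gateway response (403 by default).
    return build_policy(principal_id, "Deny", method_arn)


def gateway_outcome(decision):
    """Name the client-visible outcome API Gateway derives from the result."""
    try:
        result = to_authorizer_result(decision)
    except Exception as exc:
        # Any other exception message is an authorizer failure (500 by default).
        return "UNAUTHORIZED" if str(exc) == "Unauthorized" else "AUTHORIZER_FAILURE"
    effect = result["policyDocument"]["Statement"][0]["Effect"]
    return "ALLOW" if effect == "Allow" else "ACCESS_DENIED"
```

Because the status code the client finally sees comes from the gateway response for `UNAUTHORIZED` or `ACCESS_DENIED`, clients and monitoring should key on that status code rather than expect a challenge body.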
