AWS IAM access key setup

A step-by-step walkthrough for producing the credentials AgentSOC needs to act on your AWS account — blocking attacker IPs at network ACLs, isolating EC2 instances with a deny-all security group, and powering EC2 instances on and off.

Screenshots: image placeholders below point at docs/images/aws-*.png. Capture each screenshot and drop it in at that path — the captions describe exactly what to show.


How the connection works

AgentSOC authenticates to AWS with an IAM access key belonging to a dedicated IAM user. The user is granted only the EC2 and networking permissions the integration's actions need. Three values go into the credential form:

Value | What it is
Access Key ID | The public identifier of the IAM access key
Secret Access Key | The matching secret — shown only once, at creation
Region | Default AWS Region for API calls (e.g. us-east-1)

By the end of this guide you will have all three and a validated credential in AgentSOC.


Step 1 — Open the IAM console

Sign in to the AWS Management Console with an account that can create IAM users and policies, then open IAM.

Step 1 — AWS IAM console


Step 2 — Create an IAM policy

The integration needs a narrow set of EC2 permissions. In IAM → Policies → Create policy, switch to the JSON tab and paste:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AgentSOCEc2Containment",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:CreateNetworkAclEntry",
        "ec2:DeleteNetworkAclEntry",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:ModifyInstanceAttribute",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupEgress"
      ],
      "Resource": "*"
    }
  ]
}

Name it, e.g., agentsoc-ec2-containment.

Resource: "*" keeps the guide simple. For least privilege, scope the statement to the specific account, Region, or resource ARNs your workloads use.
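One way to apply the least-privilege note above, as an added example that is not part of the original guide or AgentSOC's own code: it splits the Step 2 action list into a Region-pinned read statement and a write statement scoped to one account and Region, then checks that no mutating action is left on Resource "*". The account ID 111122223333, the Sid AgentSOCEc2Read and the function names are assumptions made for the example.

```python
import json

# Action list copied from the Step 2 policy in this guide.
GUIDE_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeNetworkAcls",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
    "ec2:StartInstances", "ec2:StopInstances",
    "ec2:CreateNetworkAclEntry", "ec2:DeleteNetworkAclEntry",
    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
    "ec2:ModifyInstanceAttribute",
    "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress",
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    # The EC2 Describe* calls used here do not support resource-level
    # permissions, so they have to stay on Resource "*".
    return action.partition(":")[2].startswith("Describe")

def guide_policy():
    """The single-statement policy from Step 2, unchanged."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AgentSOCEc2Containment", "Effect": "Allow",
         "Action": list(GUIDE_ACTIONS), "Resource": "*"}]}

def unscoped_writes(policy):
    """Mutating actions allowed on every resource with no Condition."""
    found = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in as_list(stmt.get("Resource", [])):
            found += [a for a in as_list(stmt["Action"]) if not is_read_only(a)]
    return sorted(found)

def scope_policy(actions, account_id, region):
    """Region-pinned read statement plus a write statement scoped by ARN."""
    reads = [a for a in actions if is_read_only(a)]
    writes = [a for a in actions if not is_read_only(a)]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AgentSOCEc2Read", "Effect": "Allow", "Action": reads,
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": region}}},
        {"Sid": "AgentSOCEc2Containment", "Effect": "Allow", "Action": writes,
         "Resource": f"arn:aws:ec2:{region}:{account_id}:*"}]}

if __name__ == "__main__":
    print("unscoped writes in guide policy:", unscoped_writes(guide_policy()))
    # 111122223333 is a placeholder account ID, not a value from the guide.
    print(json.dumps(scope_policy(GUIDE_ACTIONS, "111122223333", "us-east-1"), indent=2))
```

The generated JSON can be pasted into the policy editor in place of the single-statement version; a credential for another Region needs its own scoped policy or an extra Region in both statements.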

Step 2 — Create policy, JSON editor


Step 3 — Create an IAM user

  1. Go to IAM → Users → Create user.
  2. Name it, e.g., agentsoc-soar.
  3. Do not enable console access — this user is for programmatic API access only.

Step 3 — Create IAM user


Step 4 — Attach the policy

On the Set permissions step, choose Attach policies directly and select the agentsoc-ec2-containment policy from Step 2. Finish creating the user.

Step 4 — Attach policy to user


Step 5 — Create an access key

  1. Open the new user and go to the Security credentials tab.
  2. Under Access keys, choose Create access key.
  3. Select the Application running outside AWS use case.
  4. Copy the Access key ID and Secret access key.

The Secret access key is shown only once. Copy it now — if you lose it, you must create a new key. Store it like a password and never commit it to source control.

Step 5 — Create access key


Step 6 — Choose your Region

Pick the AWS Region where the EC2 instances you want AgentSOC to manage run — e.g. us-east-1, eu-west-1. This becomes the Region value in the credential form.


Step 7 — Add the credential in AgentSOC and validate

  1. In AgentSOC, open AgentSOAR → Settings → Credentials (/agentsoar/settings/credentials).
  2. Add an AWS credential and enter:
    • Access Key ID — from Step 5.
    • Secret Access Key — from Step 5.
    • Region — from Step 6.
  3. Save. AgentSOC validates the key with an sts:GetCallerIdentity call.
  4. Once it shows Healthy, the AWS action capabilities are ready to use.

Step 7 — AgentSOC Add AWS credential form


Troubleshooting

Error | Likely cause and fix
InvalidClientTokenId / SignatureDoesNotMatch | The Access Key ID or Secret Access Key is wrong or was mistyped. Re-copy both from Step 5, or create a fresh access key.
AccessDenied on validation | The IAM user has no permissions, or sts:GetCallerIdentity is blocked by a permission boundary or SCP. GetCallerIdentity needs no explicit permission — check for a restrictive SCP.
AccessDenied when running an action | The policy from Step 2 isn't attached, or it's missing an action. Confirm the policy is attached to the user.
UnauthorizedOperation for a specific region | The instances are in a different Region than the one configured. Add a credential for each Region you operate in.

Reference: AWS — Manage access keys for IAM users