Connect AWS

Create an IAM user with the required permissions and connect your AWS account to VikingCloud.

This guide shows you how to create an IAM user with the permissions VikingCloud needs to scan your AWS account. Choose either the Console (GUI) method or the CLI method below.

Required Permissions

VikingCloud needs the following AWS permissions:

| Permission Group | Actions | Purpose |
|---|---|---|
| Resource Discovery | ec2:Describe*, iam:Get*, iam:List*, s3:GetBucket*, s3:ListBucket*, rds:Describe*, lambda:List*, lambda:Get*, eks:Describe*, eks:List* | Enumerate and inventory cloud resources |
| Container Scanning | ecr:GetAuthorizationToken, ecr:BatchGetImage, ecr:BatchCheckLayerAvailability, ecr:DescribeRepositories, ecr:DescribeImages, ecr:ListImages | Pull container images for CVE scanning |
| VM Scanning | ebs:ListSnapshotBlocks, ebs:GetSnapshotBlock, ec2:CreateSnapshot, ec2:CreateTags, ec2:DeleteSnapshot | Snapshot-based agentless VM scanning |

Snapshot creation and deletion are scoped by the tag Owner=VikingCloud so VikingCloud can only manage resources it creates.


Method 1: AWS Console (GUI)

Step 1: Create the IAM Policy

  1. Sign in to the AWS Management Console
  2. Navigate to IAM > Policies > Create policy
  3. Click the JSON tab
  4. Paste the following policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ResourceDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "iam:Get*",
        "iam:List*",
        "s3:GetBucket*",
        "s3:ListBucket*",
        "rds:Describe*",
        "lambda:List*",
        "lambda:Get*",
        "eks:Describe*",
        "eks:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EBSDirectAPI",
      "Effect": "Allow",
      "Action": [
        "ebs:ListSnapshotBlocks",
        "ebs:GetSnapshotBlock"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRRead",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:ListImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SnapshotCreation",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*:*:snapshot/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Owner": "VikingCloud"
        }
      }
    },
    {
      "Sid": "SnapshotSource",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot"
      ],
      "Resource": "arn:aws:ec2:*:*:volume/*"
    },
    {
      "Sid": "SnapshotDeletion",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot"
      ],
      "Resource": "arn:aws:ec2:*:*:snapshot/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Owner": "VikingCloud"
        }
      }
    }
  ]
}
  5. Click Next
  6. Name the policy VikingCloud-Platform-Policy
  7. Click Create policy

Step 2: Create the IAM User

  1. Navigate to IAM > Users > Create user
  2. Enter the username: vikingcloud-platform-user
  3. Click Next
  4. Select Attach policies directly
  5. Search for VikingCloud-Platform-Policy and check the box
  6. Click Next, then Create user

Step 3: Create an Access Key

  1. Click on the user vikingcloud-platform-user
  2. Go to the Security credentials tab
  3. Under Access keys, click Create access key
  4. Select Third-party service as the use case
  5. Click Create access key
  6. Copy the Access Key ID and Secret Access Key — you will need these in the next step

Step 4: Enter Credentials in VikingCloud

  1. In VikingCloud, go to Settings > Connections
  2. Click Add Connection and select AWS
  3. Enter the following:
| Field | Value |
|---|---|
| Access Key ID | The Access Key ID from Step 3 |
| Secret Access Key | The Secret Access Key from Step 3 |
| Region | Your primary AWS region (e.g., us-east-1) |

  4. Click Save

Method 2: AWS CLI

Prerequisites

  • AWS CLI v2 installed and configured with admin credentials

Step 1: Create the Policy and User

# Save the policy document
cat > vikingcloud-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ResourceDiscovery", "Effect": "Allow", "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:GetBucket*", "s3:ListBucket*", "rds:Describe*", "lambda:List*", "lambda:Get*", "eks:Describe*", "eks:List*"], "Resource": "*"},
    {"Sid": "EBSDirectAPI", "Effect": "Allow", "Action": ["ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock"], "Resource": "*"},
    {"Sid": "ECRRead", "Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:DescribeRepositories", "ecr:DescribeImages", "ecr:ListImages"], "Resource": "*"},
    {"Sid": "SnapshotCreation", "Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:CreateTags"], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": {"StringEquals": {"aws:RequestTag/Owner": "VikingCloud"}}},
    {"Sid": "SnapshotSource", "Effect": "Allow", "Action": ["ec2:CreateSnapshot"], "Resource": "arn:aws:ec2:*:*:volume/*"},
    {"Sid": "SnapshotDeletion", "Effect": "Allow", "Action": ["ec2:DeleteSnapshot"], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": {"StringEquals": {"aws:ResourceTag/Owner": "VikingCloud"}}}
  ]
}
EOF

# Create the policy
aws iam create-policy \
  --policy-name VikingCloud-Platform-Policy \
  --policy-document file://vikingcloud-policy.json

# Create the user
aws iam create-user --user-name vikingcloud-platform-user

# Attach the policy
aws iam attach-user-policy \
  --user-name vikingcloud-platform-user \
  --policy-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):policy/VikingCloud-Platform-Policy

# Create access key
aws iam create-access-key --user-name vikingcloud-platform-user

Step 2: Enter Credentials in VikingCloud

Use the AccessKeyId and SecretAccessKey from the output of the last command. Enter them in VikingCloud under Settings > Connections > Add Connection > AWS.


Verification

To verify the credentials have the correct permissions:

aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):user/vikingcloud-platform-user \
  --action-names ec2:DescribeInstances ebs:ListSnapshotBlocks ecr:GetAuthorizationToken

All actions should return allowed.
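
The simulation confirms what the policy allows. The reverse check, that a policy file grants nothing beyond the Required Permissions table and that snapshot writes keep their Owner=VikingCloud condition, can be run offline before the policy is created. The script below is an added example, not VikingCloud tooling; `audit_policy`, `as_list` and the sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Action patterns copied from the Required Permissions table on this page.
DOCUMENTED = [a.lower() for a in (
    "ec2:Describe* iam:Get* iam:List* s3:GetBucket* s3:ListBucket* rds:Describe* "
    "lambda:List* lambda:Get* eks:Describe* eks:List* ecr:GetAuthorizationToken "
    "ecr:BatchGetImage ecr:BatchCheckLayerAvailability ecr:DescribeRepositories "
    "ecr:DescribeImages ecr:ListImages ebs:ListSnapshotBlocks ebs:GetSnapshotBlock "
    "ec2:CreateSnapshot ec2:CreateTags ec2:DeleteSnapshot").split()]
# Write actions the page scopes with the Owner=VikingCloud tag.
TAG_SCOPED = {"ec2:createsnapshot", "ec2:createtags", "ec2:deletesnapshot"}
OWNER_KEYS = ("aws:RequestTag/Owner", "aws:ResourceTag/Owner")

def as_list(value):
    """IAM accepts a bare string or object wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (sid, action, problem) for each Allow that drifts from the page."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        tagged = any(as_list(equals.get(k, [])) == ["VikingCloud"] for k in OWNER_KEYS)
        # CreateSnapshot also needs the source volume; the page grants that untagged.
        volumes_only = all(":volume/" in r for r in as_list(stmt.get("Resource", "*")))
        for action in as_list(stmt.get("Action", "NotAction")):  # NotAction is flagged
            name = action.lower()
            if not any(fnmatchcase(name, pattern) for pattern in DOCUMENTED):
                findings.append((sid, action, "not in Required Permissions table"))
            elif name in TAG_SCOPED and not tagged and not (
                    name == "ec2:createsnapshot" and volumes_only):
                findings.append((sid, action, "missing Owner=VikingCloud condition"))
    return findings

# Constructed sample with two deliberate deviations; not a policy from this page.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Discovery", "Effect": "Allow", "Resource": "*",
   "Action": ["ec2:DescribeInstances", "s3:GetObject*"]},
  {"Sid": "SnapshotSource", "Effect": "Allow", "Action": "ec2:CreateSnapshot",
   "Resource": "arn:aws:ec2:*:*:volume/*"},
  {"Sid": "SnapshotDeletion", "Effect": "Allow", "Action": ["ec2:DeleteSnapshot"],
   "Resource": "arn:aws:ec2:*:*:snapshot/*"}]}""")

if __name__ == "__main__":
    print(*audit_policy(SAMPLE), sep="\n")
```

To audit a real file, pass `json.load(open("vikingcloud-policy.json"))` to `audit_policy`; an empty list means the file stays within the documented permissions.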

Troubleshooting

UnauthorizedOperation Error

Check that the policy is attached correctly:

aws iam list-attached-user-policies --user-name vikingcloud-platform-user

Scan Discovers No Resources

Verify the region you entered in VikingCloud matches the region where your resources are deployed. VikingCloud scans all regions, but requires a valid primary region for API authentication.

Security Best Practices

  • Rotate access keys every 90 days
  • Enable CloudTrail to audit VikingCloud API calls
  • Use a dedicated IAM user — do not reuse existing credentials
  • Never grant AdministratorAccess — VikingCloud only needs the permissions listed above