AWS Connector

The AWS connector provides visibility into your Amazon Web Services infrastructure with 9 live tools and comprehensive ETL ingestion of cloud resources into the knowledge graph.

Authentication

The AWS connector uses standard IAM credentials. Provide an access key ID, secret access key, and target region.

{
  "name": "Production AWS",
  "source_type": "aws",
  "config": {
    "access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1"
  }
}

Variable	Required	Description
access_key_id / AWS_ACCESS_KEY_ID	Yes	IAM user access key ID
secret_access_key / AWS_SECRET_ACCESS_KEY	Yes	IAM user secret access key
region / AWS_REGION	Yes	AWS region (e.g., us-east-1)
session_token	No	Temporary session token for STS / SSO credentials

TIP

For production deployments, use an IAM user or role with the minimum permissions required. See the IAM Policy section below for a ready-to-use policy document.

Temporary Credentials (STS)

If you use AWS SSO, IAM Identity Center, or assume-role workflows, provide a session token:

{
  "config": {
    "access_key_id": "ASIA...",
    "secret_access_key": "...",
    "session_token": "FwoGZX...",
    "region": "us-east-1"
  }
}

WARNING

Session tokens expire. You will need to update the source configuration when credentials rotate. For long-lived access, use a dedicated IAM user.

Multi-Region

To ingest data from multiple AWS regions, create one source per region or specify a list:

{
  "config": {
    "access_key_id": "AKIA...",
    "secret_access_key": "...",
    "regions": ["us-east-1", "us-west-2", "eu-west-1"]
  }
}

Live Tools (9)

Tool	Description	Arguments
aws_list_ec2_instances	List EC2 instances with status, type, and tags	filters?, instance_ids?
aws_describe_ec2_instance	Get detailed information about a specific EC2 instance	instance_id
aws_list_s3_buckets	List all S3 buckets with creation dates and regions	prefix?
aws_list_s3_objects	List objects in an S3 bucket	bucket, prefix?, max_keys?
aws_list_lambda_functions	List Lambda functions with runtime, memory, and timeout	region?
aws_describe_lambda	Get detailed info about a specific Lambda function	function_name
aws_list_iam_users	List IAM users with creation dates and group memberships	path_prefix?
aws_list_iam_roles	List IAM roles with attached policies	path_prefix?
aws_cli	Execute a generic AWS CLI command	command, args?

Example: Agent Using AWS Tools

User: "Are any EC2 instances in us-east-1 running without tags?"

Agent: Let me check your EC2 instances.
→ Calls aws_list_ec2_instances()
→ Filters results for instances with empty or missing tags
→ Reports: "Found 3 instances without tags: i-0abc123, i-0def456, i-0ghi789.
  All are t3.medium instances in the default VPC."

User: "Show me details on the i-0abc123 instance"

Agent: I'll pull the details for that instance.
→ Calls aws_describe_ec2_instance(instance_id: "i-0abc123")
→ Returns instance type, launch time, security groups, VPC, subnet, IAM role

ETL Ingestion

When you trigger a sync, the AWS connector ingests the following resources into the knowledge graph.

Nodes Created

Node Label	Properties	AWS Service
EC2Instance	instance_id, instance_type, state, launch_time, vpc_id, subnet_id, public_ip, tags	EC2
S3Bucket	name, region, creation_date, versioning, encryption	S3
LambdaFunction	function_name, runtime, handler, memory_size, timeout, last_modified	Lambda
IAMUser	user_name, arn, create_date, last_login, mfa_enabled	IAM
IAMRole	role_name, arn, path, create_date, description	IAM
IAMPolicy	policy_name, arn, attachment_count, is_aws_managed	IAM
SecurityGroup	group_id, group_name, description, vpc_id	EC2/VPC
VPC	vpc_id, cidr_block, state, is_default, tags	VPC
Subnet	subnet_id, cidr_block, availability_zone, vpc_id, public	VPC

Relationships Created

Relationship	From	To
RUNS_IN	EC2Instance	Subnet
BELONGS_TO	Subnet	VPC
SECURED_BY	EC2Instance	SecurityGroup
ASSUMES	LambdaFunction	IAMRole
HAS_POLICY	IAMRole	IAMPolicy
MEMBER_OF	IAMUser	IAMRole
CONNECTS_TO	SecurityGroup	SecurityGroup
STORES_IN	LambdaFunction	S3Bucket
TRIGGERED_BY	LambdaFunction	S3Bucket

Graph Queries

-- Find all EC2 instances in a specific VPC with their security groups
MATCH (i:EC2Instance)-[:RUNS_IN]->(s:Subnet)-[:BELONGS_TO]->(v:VPC),
      (i)-[:SECURED_BY]->(sg:SecurityGroup)
WHERE v.vpc_id = "vpc-0abc123"
RETURN i.instance_id, i.instance_type, sg.group_name

-- Find Lambda functions with overly permissive IAM roles
MATCH (f:LambdaFunction)-[:ASSUMES]->(r:IAMRole)-[:HAS_POLICY]->(p:IAMPolicy)
WHERE p.policy_name CONTAINS "FullAccess"
RETURN f.function_name, r.role_name, p.policy_name

-- Map IAM users to the roles they can assume
MATCH (u:IAMUser)-[:MEMBER_OF]->(r:IAMRole)-[:HAS_POLICY]->(p:IAMPolicy)
RETURN u.user_name, r.role_name, collect(p.policy_name) AS policies

IAM Policy

Use this minimum-privilege IAM policy for the Agentcy AWS connector:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AgentcyReadOnly",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "lambda:ListFunctions",
        "lambda:GetFunction",
        "iam:ListUsers",
        "iam:ListRoles",
        "iam:ListAttachedRolePolicies",
        "iam:ListPolicies",
        "iam:ListGroupsForUser"
      ],
      "Resource": "*"
    }
  ]
}

TIP

This policy is read-only. If you want the agent to perform write operations (e.g., tagging resources), add the corresponding write permissions.

Configuration Reference

{
  "name": "Production AWS",
  "source_type": "aws",
  "config": {
    "access_key_id": "AKIA...",
    "secret_access_key": "...",
    "region": "us-east-1",
    "regions": ["us-east-1", "us-west-2"],
    "session_token": null,
    "sync_s3": true,
    "sync_ec2": true,
    "sync_lambda": true,
    "sync_iam": true,
    "sync_vpc": true,
    "tag_filters": {
      "Environment": ["production", "staging"]
    }
  }
}

Field	Type	Default	Description
access_key_id	string	required	AWS access key ID
secret_access_key	string	required	AWS secret access key
region	string	us-east-1	Primary AWS region
regions	string[]	[region]	List of regions to ingest from
session_token	string	--	Temporary session token (STS)
sync_s3	bool	true	Include S3 buckets in ingestion
sync_ec2	bool	true	Include EC2 instances in ingestion
sync_lambda	bool	true	Include Lambda functions in ingestion
sync_iam	bool	true	Include IAM users, roles, and policies in ingestion
sync_vpc	bool	true	Include VPCs, subnets, and security groups
tag_filters	object	--	Only ingest resources matching these tags

Troubleshooting

Error	Cause	Fix
InvalidClientTokenId	Access key ID is invalid	Verify the access key in IAM console
SignatureDoesNotMatch	Secret key is incorrect	Regenerate the access key pair
AccessDenied	IAM policy lacks required permissions	Attach the policy above to the IAM user/role
ExpiredToken	Session token has expired	Refresh temporary credentials
RegionDisabledException	AWS region is not enabled for your account	Enable the region in account settings or remove it from the config

Verifying Access

Test your credentials from the command line:

aws sts get-caller-identity \
  --region us-east-1

aws ec2 describe-instances \
  --region us-east-1 \
  --query 'Reservations[].Instances[].[InstanceId,State.Name]'