What you’ll need
- AWS account with permission to create an IAM user (or IAM role for cross-account access).
- Three minutes.
Set it up
Create an IAM user in AWS
In the AWS Console, go to IAM → Users → Add users.
- Name: axiom-layer-readonly
- Access type: Programmatic access
- Permissions: ReadOnlyAccess (or use the trimmed policy below if you want least privilege).
Save the access key
On the final step, copy the Access key ID and Secret access key. The secret is only shown once.
Paste into Layer
In Layer, go to Integrations, find AWS, and click Connect. Paste the Access Key ID, Secret Access Key, and your default region (e.g. us-east-1). Click Connect.
Least-privilege policy
If you don’t want to grant ReadOnlyAccess, attach this trimmed policy instead:
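As an added example (not the policy document shipped with this page), an IAM policy that allows only the three actions the Troubleshooting section names; the Sid is an arbitrary label:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LayerReadOnlyInventory",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "iam:ListUsers",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
```

These three calls are account-level identity and list operations that take no resource ARN, so "*" is the only valid Resource value; the policy grants no access to bucket contents and no ability to change anything.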
What gets synced
| Object | Fields | Refresh cadence |
|---|---|---|
| Account identity | account ID, region | Daily |
| IAM users | username | Daily |
| S3 buckets | bucket name | Daily |
Compliance evidence
AWS data generates evidence records for the following SOC 2 controls:
| Evidence | Controls |
|---|---|
| IAM user inventory | CC6.1, CC6.2, CC6.3 |
| S3 bucket inventory | CC6.6, CC6.7 |
Troubleshooting
AccessDenied on first sync
Verify the IAM user has the permissions listed in the least-privilege policy above. If you’re using a more restrictive policy, confirm that sts:GetCallerIdentity, iam:ListUsers, and s3:ListAllMyBuckets are all allowed.
I want to use cross-account roles instead of an access key
Cross-account role support is on the roadmap. Email support@axiomancer.io to be notified when it ships.