> ## Documentation Index
> Fetch the complete documentation index at: https://docs.monk.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Run on AWS

> Connect Monk to your AWS account

Monk needs an IAM access key to provision and manage infrastructure in your AWS account. This page walks you through creating one with the right permissions.

## What You Need

* AWS Access Key ID
* AWS Secret Access Key
* Optional: default region (e.g., `us-east-1`)

## Create Credentials

<Steps>
  <Step title="Open the IAM console">
    Log into [AWS Console → IAM → Users](https://console.aws.amazon.com/iam/home#/users).
  </Step>

  <Step title="Create a dedicated user">
    Click **Create user**. Name it something like `monk-deploy`. Do not grant console access — Monk only needs programmatic access.
  </Step>

  <Step title="Attach the Monk policy">
    On the permissions step, choose **Attach policies directly**, then **Create policy**, and paste the minimum policy JSON from the Required Permissions section below as a customer managed policy. Name it `MonkClusterPolicy` and attach it to the new user.
  </Step>

  <Step title="Create an access key">
    After the user is created, go to the user → **Security credentials** tab → **Create access key**. Choose "Third-party service" as the use case. Copy the **Access Key ID** and **Secret Access Key**. The secret is shown only once and cannot be retrieved afterwards; if you lose it, create a new key and delete the old one. Keep it out of source control and shared documents.
  </Step>

  <Step title="Provide to Monk">
    When you deploy to AWS, Monk requests credentials through a secure form in your IDE. Paste them there. You can also tell your agent:

    ```
    ask Monk to update my AWS credentials
    ```
  </Step>
</Steps>

## Required Permissions

For a quick start you can attach AWS managed policies instead of the custom one:

* `AmazonEC2FullAccess`
* `AmazonVPCFullAccess`
* `IAMReadOnlyAccess`

These are both too broad and too narrow. `AmazonEC2FullAccess` grants `ec2:*`, `elasticloadbalancing:*`, `cloudwatch:*` and `autoscaling:*` on every resource, far more than Monk uses, yet none of the three covers ACM, DLM, KMS, Pricing or Cost Explorer, and `IAMReadOnlyAccess` does not include `iam:PassRole`. Features that rely on those (HTTPS certificates, automated backups, credential encryption, cost queries) will fail with permission errors under the managed policies.

For production, use the minimum custom policy below. It covers exactly what Monk needs and nothing more.

**Scope summary:** EC2 instances, images, and instance types. VPCs, subnets, routing, internet gateways. Security groups, network interfaces, elastic IPs. EBS volumes and snapshots. Load balancers and target groups (ELBv2). ACM certificates (HTTPS). DLM policies (automated backups). KMS keys and aliases (credential encryption). CloudWatch `GetMetricData`. Pricing and Cost Explorer read access. IAM policy simulation (`iam:SimulateCustomPolicy`, `iam:SimulatePrincipalPolicy`). STS `GetCallerIdentity`. `iam:PassRole`, restricted to the DLM service role.

Two things to note before attaching it. Only the `iam:PassRole` statement is scoped to a specific ARN; every other statement uses `"Resource": "*"`, so destructive actions such as `ec2:TerminateInstances`, `ec2:DeleteVolume`, `ec2:DeleteSnapshot` and `kms:ScheduleKeyDeletion` apply to every matching resource in the account, not only those Monk created. If that is not acceptable, run Monk in a dedicated AWS account, or add resource ARNs or tag-based conditions to those statements (anything you scope too tightly will surface as a permission error). Also, `sts:GetCallerIdentity` needs no permissions and cannot be denied by policy; the `MonkSTS` statement is harmless and simply documents the call.

<Accordion title="Minimum IAM policy JSON">
  ```json theme={null}
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "MonkEC2Instances",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances",
          "ec2:DescribeInstanceStatus",
          "ec2:DescribeInstanceTypes",
          "ec2:RunInstances",
          "ec2:TerminateInstances",
          "ec2:StopInstances",
          "ec2:ModifyInstanceAttribute"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2Images",
        "Effect": "Allow",
        "Action": ["ec2:DescribeImages"],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2RegionsAndZones",
        "Effect": "Allow",
        "Action": ["ec2:DescribeRegions", "ec2:DescribeAvailabilityZones"],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2VPC",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeVpcs",
          "ec2:CreateVpc",
          "ec2:CreateDefaultVpc",
          "ec2:ModifyVpcAttribute"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2Subnets",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeSubnets",
          "ec2:CreateSubnet",
          "ec2:CreateDefaultSubnet",
          "ec2:ModifySubnetAttribute"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2InternetGateways",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInternetGateways",
          "ec2:CreateInternetGateway",
          "ec2:AttachInternetGateway"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2RouteTables",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeRouteTables",
          "ec2:CreateRouteTable",
          "ec2:CreateRoute"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2SecurityGroups",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSecurityGroupRules",
          "ec2:CreateSecurityGroup",
          "ec2:DeleteSecurityGroup",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:RevokeSecurityGroupIngress"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2NetworkInterfaces",
        "Effect": "Allow",
        "Action": ["ec2:DeleteNetworkInterface"],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2ElasticIPs",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeAddresses",
          "ec2:AllocateAddress",
          "ec2:AssociateAddress",
          "ec2:ReleaseAddress"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2Volumes",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeVolumes",
          "ec2:DescribeVolumesModifications",
          "ec2:CreateVolume",
          "ec2:DeleteVolume",
          "ec2:AttachVolume",
          "ec2:DetachVolume",
          "ec2:ModifyVolume"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2Snapshots",
        "Effect": "Allow",
        "Action": ["ec2:DescribeSnapshots", "ec2:DeleteSnapshot"],
        "Resource": "*"
      },
      {
        "Sid": "MonkEC2Tags",
        "Effect": "Allow",
        "Action": ["ec2:CreateTags"],
        "Resource": "*"
      },
      {
        "Sid": "MonkELBv2",
        "Effect": "Allow",
        "Action": [
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:CreateLoadBalancer",
          "elasticloadbalancing:DeleteLoadBalancer",
          "elasticloadbalancing:DescribeListeners",
          "elasticloadbalancing:CreateListener",
          "elasticloadbalancing:DeleteListener",
          "elasticloadbalancing:DescribeTargetGroups",
          "elasticloadbalancing:CreateTargetGroup",
          "elasticloadbalancing:DeleteTargetGroup",
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:DeregisterTargets",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:AddTags"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkACM",
        "Effect": "Allow",
        "Action": [
          "acm:ListCertificates",
          "acm:ListTagsForCertificate",
          "acm:GetCertificate",
          "acm:ImportCertificate",
          "acm:DeleteCertificate",
          "acm:DescribeCertificate"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkDLM",
        "Effect": "Allow",
        "Action": [
          "dlm:GetLifecyclePolicies",
          "dlm:GetLifecyclePolicy",
          "dlm:CreateLifecyclePolicy",
          "dlm:UpdateLifecyclePolicy",
          "dlm:DeleteLifecyclePolicy"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkSTS",
        "Effect": "Allow",
        "Action": ["sts:GetCallerIdentity"],
        "Resource": "*"
      },
      {
        "Sid": "MonkIAMPassRole",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": "arn:aws:iam::*:role/service-role/AWSDataLifecycleManagerDefaultRole"
      },
      {
        "Sid": "MonkIAMSimulate",
        "Effect": "Allow",
        "Action": ["iam:SimulateCustomPolicy", "iam:SimulatePrincipalPolicy"],
        "Resource": "*"
      },
      {
        "Sid": "MonkKMS",
        "Effect": "Allow",
        "Action": [
          "kms:ListKeys",
          "kms:ListAliases",
          "kms:DescribeKey",
          "kms:CreateKey",
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey",
          "kms:ScheduleKeyDeletion",
          "kms:CreateAlias",
          "kms:UpdateAlias",
          "kms:EnableKey",
          "kms:DisableKey",
          "kms:CancelKeyDeletion"
        ],
        "Resource": "*"
      },
      {
        "Sid": "MonkCloudWatch",
        "Effect": "Allow",
        "Action": ["cloudwatch:GetMetricData"],
        "Resource": "*"
      },
      {
        "Sid": "MonkPricing",
        "Effect": "Allow",
        "Action": ["pricing:GetProducts", "ce:GetCostAndUsage"],
        "Resource": "*"
      }
    ]
  }
  ```
</Accordion>

<Accordion title="CLI setup (alternative to console)">
  ```bash theme={null}
  # Create the IAM user (same name as in the console steps above)
  aws iam create-user --user-name monk-deploy

  # Create the policy (save the JSON above as monk-policy.json)
  aws iam create-policy \
    --policy-name MonkClusterPolicy \
    --policy-document file://monk-policy.json

  # Attach the policy; look up the account ID instead of typing it
  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  aws iam attach-user-policy \
    --user-name monk-deploy \
    --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/MonkClusterPolicy"

  # Create the access key. The SecretAccessKey in the output is shown only
  # here and cannot be retrieved later; store it in a secret store, not a repo.
  aws iam create-access-key --user-name monk-deploy
  ```
</Accordion>

## How Credentials Are Stored

Credentials are encrypted at rest in your IDE's secret storage and, so that your infrastructure can manage itself autonomously, on your Monk cluster using your cloud provider's KMS; the `MonkKMS` statement in the minimum policy (`CreateKey`, `Encrypt`, `Decrypt`, `GenerateDataKey` and alias management) is what that requires. They are never sent to Monk servers and never exposed to the LLM. See [Security](/features/security) for full details.

## Troubleshooting

**Access keys disabled** — check the user in the IAM console and confirm the key is active.

**Missing permissions** — if Monk reports permission errors, compare the attached policy against the minimum policy above. AWS `AccessDenied` messages name the denied action and resource (`... is not authorized to perform: ec2:RunInstances on resource: ...`), which points at the statement that is missing. If you attached the managed policies instead of the custom one, ACM, DLM, KMS, Pricing and Cost Explorer actions are not covered.

**Region mismatch** — if you specified a default region, make sure it is a valid region code (for example `us-east-1`) and that the region is enabled in your account; opt-in regions are disabled by default.
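The "compare the attached policy against the minimum policy" step, and the `"Resource": "*"` review suggested under Required Permissions, can both be done mechanically. The script below is an added example, not part of Monk or of this page's original content. It parses a policy document, reports which required actions it fails to grant (honouring explicit `Deny` and the `*`/`?` wildcards the way IAM does), confirms that `iam:PassRole` is scoped to a role ARN, and lists mutating actions granted on every resource. `ATTACHED_POLICY`, `OVERLY_BROAD_POLICY` and `REQUIRED_ACTIONS` are constructed samples: the attached policy is deliberately incomplete and the required list is a short subset of the page's minimum policy. The decision is action-level only (Resource and Condition are ignored), so treat it as a fast first pass rather than an authoritative answer.

```python
"""Offline checks on an IAM policy document: which required actions it fails
to grant, whether iam:PassRole is scoped, and which mutating actions it
grants on every resource."""
import fnmatch
import json

# Constructed sample standing in for the policy actually attached to the
# Monk user. It is deliberately incomplete and is NOT the page's policy.
ATTACHED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/service-role/AWSDataLifecycleManagerDefaultRole"},
        # An explicit Deny anywhere in the evaluation overrides the Allow above.
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
})

# Constructed sample of the kind of grant the PassRole check should reject.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
})

# Constructed subset of the actions in the minimum policy on this page.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "ec2:CreateSecurityGroup", "elasticloadbalancing:CreateLoadBalancer",
    "iam:PassRole",
]

READ_PREFIXES = ("Describe", "List", "Get", "Simulate")


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy_json):
    """Yield normalised statements from a policy document given as a JSON string."""
    for s in _as_list(json.loads(policy_json).get("Statement")):
        yield {
            "effect": s.get("Effect"),
            "actions": _as_list(s.get("Action")),
            "not_actions": _as_list(s.get("NotAction")),
            "resources": _as_list(s.get("Resource")),
            "condition": s.get("Condition") or {},
        }


def action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(s, action):
    """Does this statement's Action/NotAction clause apply to `action`?"""
    if s["not_actions"]:
        return not any(action_matches(p, action) for p in s["not_actions"])
    return any(action_matches(p, action) for p in s["actions"])


def allowed(policy_json, action):
    """Action-level decision: an explicit Deny wins over any Allow, as in IAM.
    Resource and Condition are ignored, so a True here is necessary, not
    sufficient; `aws iam simulate-principal-policy` is the authoritative check."""
    allow = deny = False
    for s in statements(policy_json):
        if not _statement_covers(s, action):
            continue
        if s["effect"] == "Allow":
            allow = True
        elif s["effect"] == "Deny":
            deny = True
    return allow and not deny


def missing_actions(policy_json, required):
    """Required actions the policy does not grant (the 'Missing permissions' case)."""
    return sorted(a for a in required if not allowed(policy_json, a))


def passrole_is_scoped(policy_json):
    """True only if every Allow that can grant iam:PassRole names a role ARN or
    carries a Condition. PassRole on "*" lets the holder hand any role in the
    account, including administrative ones, to the services it launches."""
    for s in statements(policy_json):
        if s["effect"] != "Allow" or not _statement_covers(s, "iam:PassRole"):
            continue
        if "*" in s["resources"] and not s["condition"]:
            return False
    return True


def unscoped_mutations(policy_json):
    """Non-read actions an Allow statement grants on Resource "*" with no Condition."""
    found = set()
    for s in statements(policy_json):
        if s["effect"] != "Allow" or s["condition"] or "*" not in s["resources"]:
            continue
        for action in s["actions"]:
            name = action.split(":", 1)[-1]
            if not name.startswith(READ_PREFIXES):
                found.add(action)
    return sorted(found)


if __name__ == "__main__":
    print("missing:", missing_actions(ATTACHED_POLICY, REQUIRED_ACTIONS))
    print("PassRole scoped:", passrole_is_scoped(ATTACHED_POLICY))
    print("unscoped mutating actions:", unscoped_mutations(ATTACHED_POLICY))
```

To audit the real policy, load the JSON you saved as `monk-policy.json` in place of `ATTACHED_POLICY` and pass the full action list from the minimum policy as `required`. For a definitive answer about one principal and one action, including Resource and Condition, use `aws iam simulate-principal-policy`, which the minimum policy itself permits through the `MonkIAMSimulate` statement.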

Ask your agent for help:

```
ask Monk why my AWS credentials are not working
```

<Card title="Deploy your first app" icon="rocket" href="/getting-started/first-deployment" color="#3B82F6">
  Credentials ready — now deploy
</Card>
