Minimum permission would be allowing action
ec2:Describe* on resource
As you’re able to describe instances using AWS CLI, you should already have minimum permission, so in this case the 401 error might be due to the clock of the computer where the AWS plugin is installed being not precise (tolerance is +/- 5 minutes from the exact time).
Here’s an AWS page where this circumstance is described (look at the first Note).
I’ll review BigFix 10 documentation and have this information included if still missing.