AWS Cloud9 is no longer available to new customers. Existing customers of AWS Cloud9 can continue to use the service as normal. [Learn more](https://aws.amazon.com/blogs/devops/how-to-migrate-from-aws-cloud9-to-aws-ide-toolkits-or-aws-cloudshell/)

# Working with environments in AWS Cloud9
<a name="environments"></a>

A *development environment* is a place in AWS Cloud9 where you store your project's files and where you run the tools to develop your applications.

AWS Cloud9 provides two types of development environments: *EC2 environments* and *SSH environments*. To understand the key similarities and differences between these development environments, see [EC2 environments compared with SSH environments in AWS Cloud9](ec2-env-versus-ssh-env.md).

Learn how to work with an environment in AWS Cloud9 by reading one or more of these topics.

**Topics**
+ [Creating an environment](create-environment.md)
+ [Accessing no-ingress EC2 instances with Systems Manager](ec2-ssm.md)
+ [Opening an environment](open-environment.md)
+ [Call AWS services from an Environment](credentials.md)
+ [Changing Environment Settings](change-environment.md)
+ [Working with Shared Environments](share-environment.md)
+ [Moving an environment Amazon EBS volumes](move-environment.md)
+ [Deleting an Environment](delete-environment.md)

# Creating an environment in AWS Cloud9
<a name="create-environment"></a>

To create an AWS Cloud9 development environment, follow one of the provided procedures based on how you plan to use AWS Cloud9.


****  

|  | 
| --- |
|  If you're not sure what to choose, we recommend [Creating an EC2 Environment](create-environment-main.md). For a quick setup, create an EC2 environment. AWS Cloud9 automatically creates and sets up a new Amazon EC2 instance in your AWS account. AWS Cloud9 also automatically connects that new instance to the environment for you. To understand the key similarities and differences between the development environments, see [EC2 environments compared with SSH environments in AWS Cloud9](ec2-env-versus-ssh-env.md).  | 


****  

|  **Source code provider**  |  **Development environment host provider**  |  **Relevant procedure**  | 
| --- | --- | --- | 
|  You  |  AWS Cloud9  |  [Create an EC2 environment](create-environment-main.md)  | 
|  You  |  You  |  [Create an SSH environment](create-environment-ssh.md)  | 
|   [Amazon Lightsail](https://aws.amazon.com/lightsail) or you  |  You (using Lightsail)  |   [Working with Amazon Lightsail instances in the AWS Cloud9 IDE](lightsail-instances.md)   | 
|  You (using [AWS CodePipeline](https://aws.amazon.com/codepipeline))  |  AWS Cloud9 or you  |  Create an [EC2](create-environment-main.md) or [SSH](create-environment-ssh.md) environment, and [Working with AWS CodePipeline in the AWS Cloud9 IDE](codepipeline-repos.md)   | 
|  You (using [AWS CodeCommit](https://aws.amazon.com/codecommit))  |  AWS Cloud9 or you  |   [AWS CodeCommit tutorial for AWS Cloud9](sample-codecommit.md)   | 
|  You (using [GitHub](https://github.com/))  |  AWS Cloud9 or you  |  Create an [EC2](create-environment-main.md) or [SSH](create-environment-ssh.md) environment, and use the [Git panel interface](source-control-gitpanel.md)   | 

**Topics**
+ [

# Creating an EC2 Environment
](create-environment-main.md)
+ [

# Creating an SSH Environment
](create-environment-ssh.md)

# Creating an EC2 Environment
<a name="create-environment-main"></a>

In this procedure, AWS Cloud9 creates an EC2 environment and a new Amazon EC2 instance, and connects the environment to this instance. AWS Cloud9 manages the lifecycle of this instance, including starting, stopping, and restarting the instance as needed. If you ever delete this environment, AWS Cloud9 automatically terminates this instance.

You can create an AWS Cloud9 EC2 development environment in the [AWS Cloud9 console](#create-environment-console) or with [code](#create-environment-code).

**Note**  
Completing this procedure might result in charges to your AWS account. This includes possible charges for Amazon EC2. For more information, see [Amazon EC2 Pricing](https://aws.amazon.com/ec2/pricing/). 

**Warning**  
A compatibility issue exists with AWS Cloud9 and the AWS Control Tower proactive control [CT.EC2.PR.8](https://docs.aws.amazon.com/controltower/latest/userguide/ec2-rules.html#ct-ec2-pr-8-description). If this control is enabled, you cannot create an EC2 environment in AWS Cloud9. For more information on this issue, see [Troubleshooting AWS Cloud9](https://docs.aws.amazon.com/cloud9/latest/user-guide/troubleshooting.html#control-tower-rule).

## Prerequisites
<a name="create-env-ec2-prereq"></a>

Complete the steps in [Setting up AWS Cloud9](setting-up.md) so that you can sign in to the AWS Cloud9 console and create environments.

## Create an EC2 environment with the console
<a name="create-environment-console"></a>

1. Sign in to the AWS Cloud9 console:
   + If you're the only one that using your AWS account or you're an IAM user in a single AWS account, go to [https://console.aws.amazon.com/cloud9/](https://console.aws.amazon.com/cloud9/).
   + If your organization uses AWS IAM Identity Center, ask your AWS account administrator for sign-in instructions.
   + If you're a student in a classroom, ask your instructor for sign-in instructions.

1. After you sign in to the AWS Cloud9 console, in the top navigation bar choose an AWS Region to create the environment in. For a list of available AWS Regions, see [AWS Cloud9](https://docs.aws.amazon.com/general/latest/gr/rande.html#cloud9_region) in the *AWS General Reference*.  
![\[AWS Region selector in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/consolas_region_new_UX.png)

1. Choose the large **Create environment** button in one of the locations shown.

   If you don't already have AWS Cloud9 environments, the button is shown on a welcome page.  
![\[Welcome page in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/create_welcome_env_new_UX.png)

   If you already have AWS Cloud9 environments, the button is shown as follows.  
![\[Create environment button in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/console_create_env_new_UX.png)

1. On the **Create environment** page, for **Name**, enter a name for your environment.

1. To add a description to your environment, enter it in the **Description** field.

1. For **Environment type**, choose **New EC2 instance** to create an Amazon EC2 environment:
   + **New EC2 instance** – Launches a new Amazon EC2 instance that AWS Cloud9 can connect to directly over SSH. You can use the Systems Manager to interact with new Amazon EC2 instances, for more information, see [Accessing no-ingress EC2 instances with AWS Systems Manager](ec2-ssm.md). 
   + ** Existing compute ** – Launches an existing Amazon EC2 instance that requires SSH login details for which the Amazon EC2 instance must have an inbound security group rule.
     + If you select the **Existing compute** option, a service role is automatically created.  You can view the name of the service role in a note at the bottom of the setup screen. 
**Note**  
Automatic shutdown will not be available for AWS Cloud9 environments created using an Amazon EC2 instance using existing compute.
**Warning**  
Creating an Amazon EC2 instance for your environment might result in possible charges to your AWS account for Amazon EC2. There's no additional cost to use Systems Manager to manage connections to your EC2 instance.

1. For **Instance type**, choose an instance type with the amount of RAM and vCPUs that you think you need for the kinds of tasks that you want to do.
**Warning**  
Choosing instance types with more RAM and vCPUs might result in additional charges to your AWS account for Amazon EC2. For information on which instance type is suitable for your workload, see the [Amazon EC2 Instance Type](https://aws.amazon.com/ec2/instance-types/) page.

1. For **Platform**, choose the type of Amazon EC2 instance that you want: **Amazon Linux 2023**, **Amazon Linux 2** or **Ubuntu 22.04 LTS**. AWS Cloud9 creates the instance and then connects the environment to it.
**Important**  
We recommend that you choose the **Amazon Linux 2023** option for your EC2 environment. In addition to providing a secure, stable, and high-performance runtime environment, Amazon Linux 2023 AMI includes long-term support through 2024.  
For more information, see the [AL2023 page](https://aws.amazon.com/linux/amazon-linux-2023/).

1. Choose a time period for **Timeout**. This option determines how long AWS Cloud9 is inactive before auto-hibernating. When all web browser instances that are connected to the IDE for the environment are closed, AWS Cloud9 waits the amount of time specified and then shuts down the Amazon EC2 instance for the environment. 
**Warning**  
Choosing a longer time period might result in more charges to your AWS account.

1. On the **Network settings** panel, choose how your environment is accessed from the two following options:
   + **AWS Systems Manager (SSM)** – This method accesses the environment using SSM without opening inbound ports.
   + **Secure Shell (SSH)** – This method accesses the environment using SSH and requires open inbound ports.

1. <a name="create-environment-vpc-step"></a>Choose **VPC Settings** to display the Amazon Virtual Private Cloud and Subnet for your environment. AWS Cloud9 uses Amazon Virtual Private Cloud (Amazon VPC) to communicate with the newly created Amazon EC2 instance. For this tutorial, we recommend that you don't change the preselected default settings. With the default settings, AWS Cloud9 attempts to use the default VPC with its single subnet in the same AWS account and Region as the new environment. Depending on how Amazon VPC is set up, follow one of the following set of instructions.  
****    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/create-environment-main.html)
**Important**  
If you selected **Existing compute** as your environment type, you can launch your instance into a public or private subnet.  
**Public subnet**: Attach an internet gateway to the subnet to allow the instance SSM agent to communicate with Systems Manager.
**Private subnet**: Create a NAT gateway to enable the instance to communicate with the internet and other AWS services.
Currently, you can't use [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials) to allow the EC2 environment to access an AWS service on behalf of an AWS entity, such as an IAM user.  
 For more information about configuring subnets, see [VPC settings for AWS Cloud9 Development Environments](vpc-settings.md).  
****    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/create-environment-main.html)

   For more information about these choices, see [VPC settings for AWS Cloud9 Development Environments](vpc-settings.md).

1. Add up to 50 tags by supplying a **Key** and **Value** for each tag. Do so by selecting **Add new tag**. The tags are attached to the AWS Cloud9 environment as resource tags, and are propagated to the following underlying resources: the CloudFormation stack, the Amazon EC2 instance, and Amazon EC2 security groups. To learn more about tags, see [Control Access Using AWS Resource Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *[IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)* and [advanced information](tags.md) in this guide.
**Warning**  
If you update these tags after you create them, the changes aren't propagated to the underlying resources. For more information, see [Propagating tag updates to underlying resources](tags.md#tags-propagate) in the advanced information about [tags](tags.md).

1. Choose **Create** to create your environment, and then you're redirected to the home page. If the account is successfully created, a green flash bar appears at the top of the AWS Cloud9 console. You can select the new environment and choose **Open in Cloud9** to launch the IDE.  
![\[AWS Cloud9 IDE selector in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/cloud9-ide-open.png)

   If the account fails to create, a red flash bar appears at the top of the AWS Cloud9 console. Your account might fail to create because of a problem with your web browser, your AWS access permissions, the instance, or the associated network. You can find information about possible fixes in the [AWS Cloud9 Troubleshooting section.](troubleshooting.md#troubleshooting-env-loading)
**Note**  
AWS Cloud9 supports both IMDSv1 and IMDSv2. We recommend adopting IMDSv2 as it provides an enhanced level of security compared to IMDSv1. For more information on the benefits of IMDSv2, see [AWS Security Blog](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/). For information on how to transition to IMDSv2 from IMDSv1, see [Transition to using Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html) in the *Amazon EC2 User Guide for Linux Instances*.
**Note**  
If your environment is using a proxy to access the internet, you must provide proxy details to AWS Cloud9 so it can install dependencies. For more information, see [Failed to install dependencies](troubleshooting.md#proxy-failed-dependencies).

## Creating an environment with code
<a name="create-environment-code"></a>

To use code to create an EC2 environment in AWS Cloud9, call the AWS Cloud9 create EC2 environment operation, as follows.


****  

|  |  | 
| --- |--- |
|  AWS CLI  |   [create-environment-ec2](https://docs.aws.amazon.com/cli/latest/reference/cloud9/create-environment-ec2.html)   | 
|  AWS SDK for C\$1\$1  |   [CreateEnvironmentEC2Request](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_create_environment_e_c2_request.html), [CreateEnvironmentEC2Result](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_create_environment_e_c2_result.html)   | 
|  AWS SDK for Go  |   [CreateEnvironmentEC2](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.CreateEnvironmentEC2), [CreateEnvironmentEC2Request](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.CreateEnvironmentEC2Request), [CreateEnvironmentEC2WithContext](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.CreateEnvironmentEC2WithContext)   | 
|  AWS SDK for Java  |   CreateEnvironmentEC2Request, CreateEnvironmentEC2Result   | 
|  AWS SDK for JavaScript  |   [createEnvironmentEC2](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Cloud9.html#createEnvironmentEC2-property)   | 
|  AWS SDK for .NET  |   [CreateEnvironmentEC2Request](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TCreateEnvironmentEC2Request.html), [CreateEnvironmentEC2Response](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TCreateEnvironmentEC2Response.html)   | 
|  AWS SDK for PHP  |   [createEnvironmentEC2](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cloud9-2017-09-23.html#createenvironmentec2)   | 
|  AWS SDK for Python (Boto)  |   [create\$1environment\$1ec2](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloud9.html#Cloud9.Client.create_environment_ec2)   | 
|  AWS SDK for Ruby  |   [create\$1environment\$1ec2](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Cloud9/Client.html#create_environment_ec2-instance_method)   | 
|  AWS Tools for Windows PowerShell  |   [New-C9EnvironmentEC2](https://docs.aws.amazon.com/powershell/latest/reference/items/New-C9EnvironmentEC2.html)   | 
|  AWS Cloud9 API  |   [CreateEnvironmentEC2](https://docs.aws.amazon.com/cloud9/latest/APIReference/API_CreateEnvironmentEC2.html)   | 

**Note**  
If your environment is using a proxy to access the internet, you must provide proxy details to AWS Cloud9 so it can install dependencies. For more information, see [Failed to install dependencies](troubleshooting.md#proxy-failed-dependencies).

# Creating an SSH Environment
<a name="create-environment-ssh"></a>

You create an AWS Cloud9 SSH development environment with the AWS Cloud9 console. You can't create an SSH environment using the CLI.

## Prerequisites
<a name="prerequisites"></a>
+ Make sure that you completed the steps in [Setting up AWS Cloud9](setting-up.md) first. That way, you can sign in to the AWS Cloud9 console and create environments.
+ Identify an existing cloud compute instance (for example, an Amazon EC2 instance in your AWS account) or your own server that you want AWS Cloud9 to connect to the environment.
+ Make sure that the existing instance or your own server meets all of the [SSH host requirements](ssh-settings.md#ssh-settings-requirements). This includes having specific versions of Python, Node.js, and other components installed, setting specific permissions on the directory that you want AWS Cloud9 to start from after login, and setting up any associated Amazon Virtual Private Cloud.

## Create the SSH Environment
<a name="create-the-envsshtitle"></a>

1. Make sure that you completed the preceding prerequisites.

1. Connect to your existing instance or your own server by using an SSH client, if you aren't already connected to it. This ensures that you can add the necessary public SSH key value to the instance or server. This is described later in this procedure.
**Note**  
To connect to an existing AWS Cloud compute instance, see one or more of the following resources:  
For Amazon EC2, see [Connect to Your Linux Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-to-linux-instance.html) in the *Amazon EC2 User Guide*.
For Amazon Lightsail, see [Connect to your Linux/Unix-based Lightsail instance](https://lightsail.aws.amazon.com/ls/docs/how-to/article/lightsail-how-to-connect-to-your-instance-virtual-private-server) in the *Amazon Lightsail Documentation*.
For AWS Elastic Beanstalk, see [Listing and Connecting to Server Instances](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.ec2connect.html) in the *AWS Elastic Beanstalk Developer Guide*.
For AWS OpsWorks, see [Using SSH to Log In to a Linux Instance](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-ssh.html) in the *AWS OpsWorks User Guide*.
For other AWS services, see the documentation for that specific service.
To connect to your own server, use SSH. SSH is already installed on the macOS and Linux operating systems. To connect to your server by using SSH on Windows, you must install [PuTTY](https://www.putty.org/).

1. Sign in to the AWS Cloud9 console, at [https://console.aws.amazon.com/cloud9/](https://console.aws.amazon.com/cloud9/).

1. After you sign in to the AWS Cloud9 console, in the top navigation bar choose an AWS Region to create the environment in. For a list of available AWS Regions, see [AWS Cloud9](https://docs.aws.amazon.com/general/latest/gr/rande.html#cloud9_region) in the *AWS General Reference*.  
![\[Region selector in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/consolas_region_new_UX.png)

1. If this is the first time that you're creating a development environment, a welcome page is displayed. In the **New AWS Cloud9 environment** panel, choose **Create environment**.

   If you've previously created development environments, you can also expand the pane on the left of the screen. Choose **Your environments**, and then choose **Create environment**.

   In the **welcome** page:  
![\[Choose the Create environment button if the welcome page is displayed\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/create_welcome_env_new_UX.png)

   Or in the **Your environments** page:  
![\[Choose the Create environment button if the welcome page isn't displayed\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/console_create_env_new_UX.png)

1. On the **Create environment** page, enter a name for your environment.

1. For **Description**, enter something about your environment. For this tutorial, use `This environment is for the AWS Cloud9 tutorial.`

1. For **Environment type**, choose **Existing Compute** from the following options:
   + **New EC2 instance** – Launches an Amazon EC2 instance that AWS Cloud9 can connect to directly over SSH or SSM.
   + ** Existing compute ** – Launches an existing Amazon EC2 instance that requires SSH login details as well as port 22 to be open. AWS Cloud9 connects to the instance through [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).
     + If you select the **Existing compute** option, a service role is automatically created. You can view the service role name in the **Service role and instance profile for Systems Manager access** section further down the interface. For more information, see [Accessing no-ingress EC2 instances with AWS Systems Manager](ec2-ssm.md). 
**Warning**  
Creating an EC2 instance for your environment might result in possible charges to your AWS account for Amazon EC2. There's no additional cost to use Systems Manager to manage connections to your EC2 instance.
**Warning**  
AWS Cloud9 uses SSH public key to connect securely to your server. To establish the secure connection, add our public key to your `~/.ssh/authorized_keys` file and provide your login credentials in the following steps. Choose **Copy key to clipboard** to copy the SSH key, or **View public SSH key to display it.**

1. On the **Existing compute** panel, for **User**, enter the login name that you used to connect to the instance or server earlier in this procedure. For example, for an AWS Cloud compute instance, it might be `ec2-user`, `ubuntu`, or `root`. 
**Note**  
We recommend that the login name is associated with administrative permissions or an administrator user on the instance or server. More specifically, we recommend that this login name owns the Node.js installation on the instance or server. To check this, from the terminal of your instance or server, run the command ** `ls -l $(which node)` ** (or ** `ls -l $(nvm which node)` ** if you're using `nvm`). This command displays the owner name of the Node.js installation. It also displays the installation's permissions, group name, and location.

1. For **Host**, enter the public IP address (preferred) or the hostname of the instance or server.

1. For **Port**, enter the port that you want AWS Cloud9 to use to try to connect to the instance or server. Alternatively, keep the default port.

1. Choose **Additional details - optional** to display the environment path, path to node.js binary and SSH jump host information.

1. For **Environment path**, enter the path to the directory on the instance or server that you want AWS Cloud9 to start from. You identified this earlier in the prerequisites to this procedure. If you leave this blank, AWS Cloud9 uses the directory that your instance or server typically starts with after login. This is usually a home or default directory.

1. For **Path to Node.js binary path**, enter the path information to specify the path to the Node.js binary on the instance or server. To get the path, you can run the command **`which node`** (or ** `nvm which node` ** if you're using `nvm`) on your instance or server. For example, the path might be `/usr/bin/node`. If you leave this blank, AWS Cloud9 attempts to guess where the Node.js binary is when it tries to connect.

1. For **SSH jump host**, enter information about the jump host that the instance or server uses. Use the format `USER_NAME@HOSTNAME:PORT_NUMBER` (for example, `ec2-user@ip-192-0-2-0:22`).

   The jump host must meet the following requirements:
   + It must be reachable over the public internet using SSH.
   + It must allow inbound access by any IP address over the specified port.
   + The public SSH key value that was copied into the `~/.ssh/authorized_keys` file on the existing instance or server must also be copied into the `~/.ssh/authorized_keys` file on the jump host.
   + Netcat must be installed.

1. Add up to 50 tags by supplying a **Key** and a **Value** for each tag. Do so by selecting **Add new tag**. The tags are attached to the AWS Cloud9 environment as resource tags, and are propagated to the following underlying resources: the CloudFormation stack, the Amazon EC2 instance, and Amazon EC2 security groups. To learn more about tags, see [Control Access Using AWS Resource Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *[IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)* and the [advanced information](tags.md) about tags in this guide.
**Warning**  
If you update these tags after you create them, the changes aren't propagated to the underlying resources. For more information, see [Propagating tag updates to underlying resources](tags.md#tags-propagate) in the advanced information about [tags](tags.md).

1. Choose **Create** to create your environment, and you're then redirected to the home page. When the account is created successfully, a green flash bar appears at the top of the AWS Cloud9 console. You can select the new environment and choose **Open in Cloud9** to launch the IDE.   
![\[AWS Cloud9 IDE selector in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/cloud9-ide-open.png)

   If the account fails to create, a red flash bar appears at the top of the AWS Cloud9 console. Your account might fail to create due to a problem with your web browser, your AWS access permissions, the instance, or the associated network. You can find information about possible fixes to issues that might cause the account to fail in the [AWS Cloud9 Troubleshooting section.](troubleshooting.md#troubleshooting-env-loading)

**Note**  
If your environment is using a proxy to access the internet, you must provide proxy details to AWS Cloud9 so it can install dependencies. For more information, see [Failed to install dependencies](troubleshooting.md#proxy-failed-dependencies).

# Accessing no-ingress EC2 instances with AWS Systems Manager
<a name="ec2-ssm"></a>

A "no-ingress EC2 instance" that's created for an EC2 environment enables AWS Cloud9 to connect to its Amazon EC2 instance without the need to open any inbound ports on that instance. You can select the no-ingress option when creating an EC2 environment using the console, the command line interface, or a [CloudFormation stack](#cfn-role-and-permissions). For more information about how to create an environment using the console or command line interface, see [Step 1: Create an environment](tutorials-basic.md#tutorial-create-environment).

**Important**  
There are no additional charges for using Systems Manager Session Manager to manage connections to your EC2 instance.

When selecting an environment type in the **Create environment** page of the console, you can choose a new EC2 instance that requires inbound connectivity or a new no-ingress EC2 instance that doesn't require the following:
+ **[New EC2 instance](create-environment-main.md#create-environment-console)** – With this setup, the security group for the instance has a rule to allow incoming networking traffic. Incoming network traffic is restricted to [ IP addresses approved for AWS Cloud9 connections](ip-ranges.md). An open inbound port enables AWS Cloud9 to connect over SSH to its instance. If you use AWS Systems Manager Session Manager, you can access your Amazon EC2 instance through SSM without opening inbound ports (no ingress). This method is only applicable for new Amazon EC2 instances. For more information, see [Benefits of using Systems Manager for EC2 environments](#ssm-benefits).
+ **[Existing compute](create-environment-main.md#create-environment-console)** – With this setup, an existing Amazon EC2 instance is accessed that requires SSH login details that the instance must have an inbound security group rule for. If you select this option, a service role is automatically created. You can view the name of the service role in a note at the bottom of the setup screen.

If creating an environment using the [AWS CLI](tutorials-basic.md#tutorial-create-environment), you can configure a no-ingress EC2 instance by setting the `--connection-type CONNECT_SSM` option when calling the `create-environment-ec2` command. For more information about creating the required service role and instance profile, see [Managing instance profiles for Systems Manager with the AWS CLI](#aws-cli-instance-profiles). 

After you complete creating an environment that uses a no-ingress EC2 instance, confirm the following:
+ Systems Manager Session Manager has permissions to perform actions on the EC2 instance on your behalf. For more information, see [Managing Systems Manager permissions](#service-role-ssm).
+ AWS Cloud9 users can access the instance managed by Session Manager. For more information, see [Giving users access to instances managed by Session Manager](#access-ec2-session).

## Benefits of using Systems Manager for EC2 environments
<a name="ssm-benefits"></a>

Allowing [Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) to handle the secure connection between AWS Cloud9 and its EC2 instance offers two key benefits: 
+ No requirement to open inbound ports for the instance
+ Option to launch the instance into a public or private subnet

------
#### [ No open inbound ports ]

Secure connections between AWS Cloud9 and its EC2 instance are handled by [Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html). Session Manager is a fully managed Systems Manager capability that enables AWS Cloud9 to connect to its EC2 instance without the need to open inbound ports. 

**Important**  
The option to use Systems Manager for no-ingress connections is currently available only when creating new EC2 environments.

 With the start of a Session Manager session, a connection is made to the target instance. With the connection in place, the environment can now interact with the instance through the Systems Manager service. The Systems Manager service communicates with the instance through the Systems Manager Agent ([SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html)).

By default, SSM Agent is installed on all instances that are used by EC2 environments.

------
#### [ Private/public subnets ]

When selecting a subnet for your instance in the **Network settings (advanced)** section, you can select a private or public subnet if the instance for your environment is accessed through Systems Manager.

![\[Selecting a new no-ingress EC2 instance for your environment\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/private-subnet-option.png)


**Private subnets**

For a private subnet, ensure that the instance can still connect to the SSM service. This can be done by [setting up a NAT gateway in a public subnet](https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet) or [configuring a VPC endpoint for Systems Manager](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints).

The advantage of using the NAT gateway is that it prevents the internet from initiating a connection to the instance in the private subnet. The instance for your environment is assigned a private IP address instead of a public one. So, the NAT gateway forwards traffic from the instance to the internet or other AWS services, and then sends the response back to the instance.

For the VPC option, create at least three required *interface endpoints* for Systems Manager: *com.amazonaws.region.ssm*, *com.amazonaws.region.ec2messages*, and *com.amazonaws.region.ssmmessages*. For more information, see [ Creating VPC endpoints for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html#sysman-setting-up-vpc-create) in the *AWS Systems Manager User Guide*.

**Important**  
Currently, if the EC2 instance for your environment is launched into a private subnet, you can't use [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials) to allow the EC2 environment to access an AWS service on behalf of an AWS entity (an IAM user, for example).

**Public subnets**

If your development environment is using SSM to access an EC2 instance, ensure that the instance is assigned a public IP address by the public subnet it's launched into. To do so, you can specify your own IP address or enable the automatic assignment of a public IP address. For the steps involved in modifying auto-assign IP settings, see [IP Addressing in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html) in the *Amazon VPC User Guide*. 

For more information on configuring private and public subnets for your environment instances, see [Create a subnet for AWS Cloud9](vpc-settings.md#vpc-settings-create-subnet). 

------

## Managing Systems Manager permissions
<a name="service-role-ssm"></a>

By default, Systems Manager doesn't have permission to perform actions on EC2 instances. Access is provided through an AWS Identity and Access Management (IAM) instance profile. (An instance profile is a container that passes IAM role information to an EC2 instance at launch.)

When you create the no-ingress EC2 instance using the AWS Cloud9 console, both the service role (`AWSCloud9SSMAccessRole`) and the IAM instance profile (`AWSCloud9SSMInstanceProfile`) are created automatically for you. (You can view `AWSCloud9SSMAccessRole` in the IAM Management console. Instance profiles aren't displayed in the IAM console.) 

**Important**  
If you create a no-ingress EC2 environment for the first time with AWS CLI, you must explicitly define the required service role and instance profile. For more information, see [Managing instance profiles for Systems Manager with the AWS CLI](#aws-cli-instance-profiles).

**Important**  
If you are creating a AWS Cloud9 environment and are using Amazon EC2 Systems Manager with either the `AWSCloud9Administrator` or `AWSCloud9User` policies attached, you must also attach a custom policy that has specific IAM permissions, see [Custom IAM policy for SSM environment creation](security-iam.md#custom-policy-ssm-environment). This is due to a permissions issue with the `AWSCloud9Administrator` and `AWSCloud9User` policies. 

For additional security protection, the AWS Cloud9 service-linked role, `AWSServiceRoleforAWSCloud9`, features a `PassRole` restriction in its `AWSCloud9ServiceRolePolicy` policy. When you *pass* an IAM role to a service, it allows that service to assume the role and perform actions on your behalf. In this case, the `PassRole` permission ensures that AWS Cloud9 can pass only the `AWSCloud9SSMAccessRole` role (and its permission) to an EC2 instance. This restricts the actions that can be performed on the EC2 instance to only those required by AWS Cloud9. 

**Note**  
If you no longer need to use Systems Manager to access an instance, you can delete the `AWSCloud9SSMAccessRole` service role. For more information, see [Deleting roles or instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html) in the *IAM User Guide*. 

### Managing instance profiles for Systems Manager with the AWS CLI
<a name="aws-cli-instance-profiles"></a>

You can also create a no-ingress EC2 environment with the AWS CLI. When you call `create-environment-ec2`, set the `--connection-type` option to `CONNECT_SSM`.

If you use this option, the `AWSCloud9SSMAccessRole` service role and `AWSCloud9SSMInstanceProfile` aren't automatically created. So, to create the required service profile and instance profile, do one of the following: 
+ Create an EC2 environment using the console once have the `AWSCloud9SSMAccessRole` service role and `AWSCloud9SSMInstanceProfile` created automatically afterward. After they're created, the service role and instance profile are available for any additional EC2 Environments created using the AWS CLI. 
+ Run the following AWS CLI commands to create the service role and instance profile.

  ```
  aws iam create-role --role-name AWSCloud9SSMAccessRole --path /service-role/ --assume-role-policy-document '{"Version": "2012-10-17",		 	 	 "Statement": [{"Effect": "Allow","Principal": {"Service": ["ec2.amazonaws.com","cloud9.amazonaws.com"]      },"Action": "sts:AssumeRole"}]}'
  aws iam attach-role-policy --role-name AWSCloud9SSMAccessRole --policy-arn arn:aws:iam::aws:policy/AWSCloud9SSMInstanceProfile
  aws iam create-instance-profile --instance-profile-name AWSCloud9SSMInstanceProfile --path /cloud9/
  aws iam add-role-to-instance-profile --instance-profile-name AWSCloud9SSMInstanceProfile --role-name AWSCloud9SSMAccessRole
  ```

## Giving users access to instances managed by Session Manager
<a name="access-ec2-session"></a>

To open an AWS Cloud9 environment that's connected to an EC2 instance through Systems Manager, a user must have permission for the API operation, `StartSession`. This operation initiates a connection to the managed EC2 instance for a Session Manager session. You can give users access by using an AWS Cloud9 specific managed policy (recommended) or by editing an IAM policy and adding the necessary permissions. 


****  

| Method | Description | 
| --- | --- | 
|  Use AWS Cloud9-specific managed policy  |  We recommend using AWS managed policies to allow users to access EC2 instances managed by Systems Manager. Managed policies provide a set of permissions for standard AWS Cloud9 use cases and can be easily attached to an IAM entity. All the managed policies also include the permissions to run the `StartSession` API operation. The following are managed policies specific to AWS Cloud9: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/ec2-ssm.html)  If you are creating a AWS Cloud9 environment and are using Amazon EC2 Systems Manager with either the `AWSCloud9Administrator` or `AWSCloud9User` policies attached, you must also attach a custom policy that has specific IAM permissions, see [Custom IAM policy for SSM environment creation](security-iam.md#custom-policy-ssm-environment). This is due to a permissions issue with the `AWSCloud9Administrator` and `AWSCloud9User` policies.   For more information, see [AWS managed policies for AWS Cloud9](security-iam.md#auth-and-access-control-managed-policies).  | 
|  Edit an IAM policy and add required policy statements  |  To edit an existing policy, you can add permissions for the `StartSession` API. To edit a policy using the AWS Management Console or AWS CLI, follow the instructions that are provided by [Editing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/#edit-managed-policy-console) in the *IAM User Guide*. When editing the policy, add the [policy statement](#policy-statement) (see the following) that allows the `ssm:startSession` API operation to run.  | 

You can use the following permissions to run the `StartSession` API operation. The `ssm:resourceTag` condition key specifies that a Session Manager session can be started for any instance (`Resource: arn:aws:ec2:*:*:instance/*`) on the condition that the instance is an AWS Cloud9 EC2 development environment (`aws:cloud9:environment`). 

**Note**  
The following managed policies also include these policy statements: `AWSCloud9Administrator`, `AWSCloud9User`, and `AWSCloud9EnvironmentMember`.

```
{
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ssm:resourceTag/aws:cloud9:environment": "*"
                },
                "StringEquals": {
                    "aws:CalledViaFirst": "cloud9.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:document/*"
            ]
        }
```

## Using CloudFormation to create no-ingress EC2 environments
<a name="cfn-role-and-permissions"></a>

When using an [CloudFormation template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloud9-environmentec2.html) to define a no-ingress Amazon EC2 development environment, do the following before creating the stack:

1. Create the `AWSCloud9SSMAccessRole` service role and `AWSCloud9SSMInstanceProfile` instance profile. For more information, see [Creating service role and instance profile with an CloudFormation template](#creating-cfn-instance-profile).

1. Update the policy for the IAM entity calling CloudFormation. This way, the entity can start a Session Manager session that connects to the EC2 instance. For more information, see [Adding Systems Manager permissions to an IAM policy](#updating-IAM-policy).

### Creating service role and instance profile with an CloudFormation template
<a name="creating-cfn-instance-profile"></a>

You need to create the service role `AWSCloud9SSMAccessRole` and the instance profile `AWSCloud9SSMInstanceProfile` to enable Systems Manager to manage the EC2 instance that backs your development environment. 

If you previously created `AWSCloud9SSMAccessRole` and `AWSCloud9SSMInstanceProfile` by creating a no-ingress EC2 environment [with the console](#using-the-console) or [running AWS CLI commands](#aws-cli-instance-profiles), the service role and instance profile are already available for use.

**Note**  
Suppose that you attempt to create an CloudFormation stack for a no-ingress EC2 environment but you didn't first create the required service role and instance profile. Then, the stack isn't created and the following error message is displayed:   
Instance profile AWSCloud9SSMInstanceProfile does not exist in account.

When creating a no-ingress EC2 environment for the first time using CloudFormation, you can define the `AWSCloud9SSMAccessRole` and `AWSCloud9SSMInstanceProfile` as IAM resources in the template.

This excerpt from a sample template shows how to define these resources. The `AssumeRole` action returns security credentials that provide access to both the AWS Cloud9 environment and its EC2 instance.

```
AWSTemplateFormatVersion: 2010-09-09
Resources: 
  AWSCloud9SSMAccessRole:
    Type: AWS::IAM::Role
    Properties: 
      AssumeRolePolicyDocument:
        Version: 2012-10-17		 	 	 
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - cloud9.amazonaws.com
              - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: 'Service linked role for AWS Cloud9'
      Path: '/service-role/'
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/AWSCloud9SSMInstanceProfile
      RoleName: 'AWSCloud9SSMAccessRole'

  AWSCloud9SSMInstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties: 
      InstanceProfileName: AWSCloud9SSMInstanceProfile
      Path: "/cloud9/"
      Roles: 
        - 
          Ref: AWSCloud9SSMAccessRole
```

### Adding Systems Manager permissions to an IAM policy
<a name="updating-IAM-policy"></a>

After [defining a service role and instance profile](#creating-cfn-instance-profile) in the [CloudFormation template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloud9-environmentec2.html), ensure that the IAM entity creating the stack has permission to start a Session Manager session. A session is a connection made to the EC2 instance using Session Manager.

**Note**  
If you don't add permissions to start a Session Manager session before creating a stack for a no-ingress EC2 environment, an `AccessDeniedException` error is returned.

Add the following permissions to the policy for the IAM entity by calling CloudFormation.

```
{
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ssm:resourceTag/aws:cloud9:environment": "*"
                },
                "StringEquals": {
                    "aws:CalledViaFirst": "cloudformation.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:document/*"
            ]
        }
```

## Configuring VPC endpoints for Amazon S3 to download dependencies
<a name="configure-s3-endpoint"></a>

If your AWS Cloud9 environment’s EC2 instance doesn't have access to the internet, create a VPC endpoint for a specified Amazon S3 bucket. This bucket contains the dependencies that are required to keep your IDE up-to-date.

Setting up a VPC endpoint for Amazon S3 also involves customizing the access policy. You want the access policy to allow access to only the trusted S3 bucket that contains the dependencies to be downloaded.

**Note**  
You can create and configure VPC endpoints using the AWS Management Console, AWS CLI, or Amazon VPC API. The following procedure shows how to create a VPC endpoint by using the console interface.<a name="create-s3-endpoint"></a>

## Create and configure a VPC endpoint for Amazon S3
<a name="create-s3-endpoint"></a>

1. In the AWS Management Console, go to the console page for Amazon VPC.

1. Choose **Endpoints** in the navigation bar.

1. In the **Endpoints** page, choose **Create Endpoint**.

1. In the **Create Endpoint** page, enter "s3" in the search field and press **Return** to list available endpoints for Amazon S3 in the current AWS Region.

1. From the list of returned Amazon S3 endpoints, select the **Gateway** type.

1. Next, choose the VPC that contains your environment's EC2 instance.

1. Now choose the VPC's route table. This way, the associated subnets can access the endpoint. Your environment's EC2 instance is in one of these subnets. 

1. In the **Policy** section, choose the **Custom** option, and replace the standard policy with the following.

------
#### [ JSON ]

****  

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
         {
             "Sid": "Access-to-C9-bucket-only",
             "Effect": "Allow",
             "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::{bucket_name}/content/dependencies/*"
         }
     ]
   }
   ```

------

   For the `Resource` element, replace `{bucket_name}` with the actual name of the bucket that's available in your AWS Region. For example, if you're using AWS Cloud9 in the Europe (Ireland) Region, you specify the following: `"Resource": "arn:aws:s3:::static-eu-west-1-prod-static-hld3vzaf7c4h/content/dependencies/`.

   The following table lists the bucket names for the AWS Regions where AWS Cloud9 is available.  
**Amazon S3 buckets in AWS Cloud9 Regions**    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/ec2-ssm.html)

1. Choose **Create Endpoint**.

   If you provided the correct configuration information, a message displays the ID of the endpoint that's created.

1. To check that your IDE can access the Amazon S3 bucket, start a terminal session by choosing **Window**, **New Terminal** on the menu bar. Then run the following command, replacing `{bucket_name}` with the actual name of the bucket for your Region.

   ```
   ping {bucket_name}.s3.{region}.amazonaws.com.
   ```

   For example, if you created an endpoint for an S3 bucket in the US East (N. Virginia) Region, run the following command.

   ```
   ping static-us-east-1-prod-static-mft1klnkc4hl.s3.us-east-1.amazonaws.com
   ```

   If the ping gets a response, this confirms that your IDE can access the bucket and its dependencies.

For more information about this feature, see [Endpoints for Amazon S3](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html) in the *AWS PrivateLink Guide*.

## Configuring VPC endpoints for private connectivity
<a name="configure-no-egress"></a>

When you launch an instance into a subnet with the **access using Systems Manager** option, its security group doesn't have an inbound rule to allow incoming network traffic. But, the security group has an outbound rule that permits outbound traffic from the instance. This is required to download packages and libraries required to keep the AWS Cloud9 IDE up to date. 

To prevent outbound and inbound traffic for the instance, create and configure Amazon VPC endpoints for Systems Manager. With an interface VPC endpoint (interface endpoint), you can connect to services powered by [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html). AWS PrivateLink is a technology that can be used to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. To configure VPC endpoints to use Systems Manager, follow the instructions provided by this [Knowledge Center resource](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/).

**Warning**  
Assume that you configure a security group that doesn't permit inbound or outbound networking traffic. Then, the EC2 instance that supports your AWS Cloud9 IDE doesn't have internet access. You need to create an [Amazon S3 endpoint for your VPC](#configure-s3-endpoint) to allow access to the dependencies that are contained in a trusted S3 bucket. In addition, some AWS services, such as AWS Lambda, might not work as intended without internet access.   
With AWS PrivateLink, there are data processing charges for each gigabyte processed through the VPC endpoint. This is regardless of the traffic’s source or destination. For more information, see [AWS PrivateLink pricing](https://aws.amazon.com/privatelink/pricing/).

# Opening an environment in AWS Cloud9
<a name="open-environment"></a>

This procedure describes how to open an environment in AWS Cloud9.

**Note**  
This procedure assumes that you already created an AWS Cloud9 development environment. To create an environment, see [Creating an Environment](create-environment.md).

1. Sign in to the AWS Cloud9 console as follows:
   + If you're the only one using your AWS account or you're an IAM user in a single AWS account, go to [https://console.aws.amazon.com/cloud9/](https://console.aws.amazon.com/cloud9/).
   + If your organization uses AWS IAM Identity Center, ask your AWS account administrator for sign-in instructions.
**Important**  
If you [sign out of your AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/sign-out-account/), the AWS Cloud9 IDE can still be accessed for up to 5 minutes afterwards. Access is then denied when the required permissions expire.

1. In the top navigation bar, choose the AWS Region where the environment is located.  
![\[AWS Region selector in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/consolas_region_new_UX.png)

1. In the list of environments, for the environment that you want to open, do one of the following actions:
   + Inside of the card, choose the **Open in Cloud9** link.
   + Select the card, and then choose the **Open in Cloud9** button.  
![\[Choosing an environment using the Open in Cloud9 button\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/console_create_env_new_UX.png)

If your environment isn't displayed in the console, try doing one or more of the following actions to have it be displayed.
+ In the dropdown menu bar on the **Environments** page, choose one or more of the following.
  + Choose **My environments** to display all environments that your AWS entity owns within the selected AWS Region and AWS account.
  + Choose **Shared with me** to display all environments your AWS entity was invited to within the selected AWS Region and AWS account.
  + Choose **All account environments** to display all environments within the selected AWS Region and AWS account that your AWS entity has permissions to display.
+ If you think you are a member of an environment, but the environment isn't displayed in the **Shared with you** list, check with the environment owner.
+ In the top navigation bar, choose a different AWS Region.

# Calling AWS services from an environment in AWS Cloud9
<a name="credentials"></a>

You can call AWS services from an AWS Cloud9 development environment. For example, you can do the following actions:
+ Upload and download data in Amazon Simple Storage Service (Amazon S3) buckets.
+ Send broadcast notifications through Amazon Simple Notification Service (Amazon SNS) topics.
+ Read and write data in Amazon DynamoDB (DynamoDB) databases.

You can call AWS services from your environment in several ways. For example, you can use the AWS Command Line Interface (AWS CLI) or the AWS CloudShell to run commands from a terminal session. You can also call AWS services from code you run within your environment. You can do this by using AWS SDKs for programming languages such as JavaScript, Python, Ruby, PHP, Go, and C\$1\$1. For more information, see the [AWS CLI and aws-shell Sample](sample-aws-cli.md), the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/), and the [AWS SDKs](https://aws.amazon.com/developer/tools/#sdk).

Each time the AWS CLI, the AWS CloudShell, or your code calls an AWS service, the AWS CLI, the AWS CloudShell, or your code must provide a set of AWS access credentials along with the call. These credentials determine whether the caller has the appropriate permissions to make the call. If the credentials don't cover the appropriate permissions, the call fails.

There are several ways to provide credentials to your environment. The following table describes some approaches.


****  

| Environment type | Approach | 
| --- | --- | 
|  EC2  |  Use AWS managed temporary credentials. We recommend this approach for an EC2 environment. AWS managed temporary credentials manage AWS access credentials in an EC2 environment on your behalf, while also following AWS security best practices.  **If you're using an EC2 environment, you can skip the rest of this topic. This is because AWS managed temporary credentials are already set up for you in the environment.**  For more information, see [AWS Managed Temporary Credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials).  | 
|  EC2  |  Attach an IAM instance profile to the instance. Only use this approach if for some reason you can't use AWS managed temporary credentials. Similar to AWS managed temporary credentials, an instance profile manages AWS access credentials on your behalf. However, you must create, manage, and attach the instance profile to the Amazon EC2 instance yourself. For instructions, see [Create and Use an Instance Profile to Manage Temporary Credentials](#credentials-temporary).  | 
|  EC2 or SSH  |  Store your permanent AWS access credentials within the environment. This approach is less secure than using temporary AWS access credentials. However, it's the only supported approach for an SSH environment. For instructions, see [Create and Store Permanent Access Credentials in an Environment](#credentials-permanent-create).  | 
|  EC2 or SSH  |  Insert your permanent AWS access credentials directly into your code. We discourage this approach because it doesn't follow AWS security best practices. Because we discourage this approach, we do not cover it in this topic.  | 

## Create and use an instance profile to manage temporary credentials
<a name="credentials-temporary"></a>

**Note**  
You can't use this procedure for an AWS Cloud9 SSH development environment. Instead, skip ahead to [Create and Store Permanent Access Credentials in an Environment](#credentials-permanent-create).  
We recommend that you use AWS managed temporary credentials instead of an instance profile. Follow these instructions only if for some reason you can't use AWS managed temporary credentials. For more information, see [AWS Managed Temporary Credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials).

This procedure uses IAM and Amazon EC2 to create and attach an IAM instance profile to the Amazon EC2 instance that connects to your environment. This instance profile manages temporary credentials on your behalf. This procedure assumes you have already created an environment in AWS Cloud9. To create an environment, see [Create an Environment](create-environment.md).

You can complete these tasks with the [IAM and Amazon EC2 consoles](#credentials-temporary-create-console) or the [AWS Command Line Interface (AWS CLI)](#credentials-temporary-create-cli).

### Create an instance profile with the IAM console
<a name="credentials-temporary-create-console"></a>

**Note**  
If you already have an IAM role that contains an instance profile, skip ahead to [Attach an Instance Profile to an Instance with the Amazon EC2 Console](#credentials-temporary-attach-console).

1. Sign in to the IAM console, at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).

   For this step, we recommend you sign in using administrator-level credentials in your AWS account. If you can't do this, check with your AWS account administrator.

1. In the navigation bar, choose **Roles**.
**Note**  
You cannot use the IAM console to create an instance profile by itself. You must create an IAM role, which contains an instance profile.

1. Choose **Create role**.

1. On the **Select type of trusted entity** page, with **AWS service** already chosen, for **Choose the service that will use this role**, choose **EC2**.

1. For **Select your use case**, choose **EC2**.

1. Choose **Next: Permissions**.

1. On the **Attach permissions policies** page, in the list of policies, select the box next to **AdministratorAccess**, and then choose **Next: Review**.
**Note**  
The **AdministratorAccess** policy allows unrestricted access to all AWS actions and resources across your AWS account. Use it only for experimentation purposes. For more information, see [IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

1. On the **Review** page, for **Role Name**, enter a name for the role (for example, `my-demo-cloud9-instance-profile`).

1. Choose **Create Role**.

Skip ahead to [Attach an Instance Profile to an Instance with the Amazon EC2 Console](#credentials-temporary-attach-console).

### Create an instance profile with the AWS CLI
<a name="credentials-temporary-create-cli"></a>

**Note**  
If you already have an IAM role that contains an instance profile, skip ahead to [Attach an Instance Profile to an Instance with the AWS CLI](#credentials-temporary-attach-cli).  
For this topic, we recommend you configure the AWS CLI using administrator-level credentials in your AWS account. If you can't do this, check with your AWS account administrator.

**Note**  
If you're using [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials), you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

1. Define a trust relationship in AWS for the instance profile's required IAM role. To do this, create and then save a file with the following contents (for example, `my-demo-cloud9-instance-profile-role-trust.json`).

------
#### [ JSON ]

****  

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
       {
         "Sid": "",
         "Effect": "Allow",
         "Principal": {
           "Service": "ec2.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

------

1. Using the terminal or command prompt, switch to the directory where you just saved this file.

1. Create an IAM role for the instance profile. To do this, run the IAM `create-role` command. When you do, specify a name for the new IAM role (for example, `my-demo-cloud9-instance-profile-role`), and the name of the file that you just saved.

   ```
   aws iam create-role --role-name my-demo-cloud9-instance-profile-role --assume-role-policy-document file://my-demo-cloud9-instance-profile-role-trust.json
   ```

1. Attach AWS access permissions to the instance profile IAM role. To do this, run the IAM `attach-role-policy` command. Specify the name of the existing IAM role and the Amazon Resource Name (ARN) of the AWS managed policy that's named `AdministratorAccess`.

   ```
   aws iam attach-role-policy --role-name my-demo-cloud9-instance-profile-role --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
   ```
**Note**  
The **AdministratorAccess** policy allows unrestricted access to all AWS actions and resources across your AWS account. Use it only for experimentation purposes. For more information, see [IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

1. Create the instance profile. To do this, run the IAM `create-instance-profile` command, specifying a name for the new instance profile (for example, `my-demo-cloud9-instance-profile`).

   ```
   aws iam create-instance-profile --instance-profile-name my-demo-cloud9-instance-profile
   ```

1. Attach the IAM role to the instance profile. To do this, run the IAM `add-role-to-instance-profile`, specifying the names of the existing IAM role and instance profile.

   ```
   aws iam add-role-to-instance-profile --role-name my-demo-cloud9-instance-profile-role --instance-profile-name my-demo-cloud9-instance-profile
   ```

Skip ahead to [Create an Instance Profile with the AWS CLI](#credentials-temporary-create-cli).

### Attach an instance profile to an instance with the Amazon EC2 console
<a name="credentials-temporary-attach-console"></a>

1. Sign in to the Amazon EC2 console, at [https://console.aws.amazon.com/ec2](https://console.aws.amazon.com/ec2).

   For this step, we recommend that you sign in using administrator-level credentials in your AWS account. If you can't do this, check with your AWS account administrator.

1. In the navigation bar, make sure that the Region selector displays the AWS Region that matches the one for your environment. For example, if you created your environment in the US East (Ohio) Region, choose **US East (Ohio)** in the Region selector here.

1. Choose the **Running Instances** link or, in the navigation pane, expand **Instances**, and then choose **Instances**.

1. In the list of instances, choose the instance with the **Name** that includes your environment name. For example, if your environment name is `my-demo-environment`, choose the instance with the **Name** that includes **my-demo-environment**.

1. Choose **Actions**, **Security**, **Modify IAM role**.
**Note**  
Although you are attaching a role to the instance, the role contains an instance profile.

1. On the **Modify IAM role** page, for **IAM role**, choose the name of the role you identified or that you created in the previous procedure, and then choose **Apply**.

1. Back in the environment, use the AWS CLI to run the `aws configure` command or the AWS CloudShell to run the `configure` command. Don't specify any values for **AWS Access Key ID** or **AWS Secret Access Key** (press `Enter` after each of these prompts). For **Default Region name**, specify the AWS Region closest to you or the Region where your AWS resources are located. For example, `us-east-2` for the US East (Ohio) Region. For a list of Regions, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*. Optionally, specify a value for **Default output format** (for example, `json`).

You can now start calling AWS services from your environment. To use the AWS CLI, the aws-shell, or both to call AWS services, see the [AWS CLI and aws-shell Sample](sample-aws-cli.md). To call AWS services from your code, see our other [tutorials and samples](tutorials.md).

### Attach an instance profile to an instance with the AWS CLI
<a name="credentials-temporary-attach-cli"></a>

**Note**  
If you're using [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials), you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

1. Run the Amazon EC2 `associate-iam-instance-profile` command. Specify the name of the instance profile and the ID and AWS Region ID of the Amazon EC2 instance for the environment.

   ```
   aws ec2 associate-iam-instance-profile --iam-instance-profile Name=my-demo-cloud9-instance-profile --region us-east-2 --instance-id i-12a3b45678cdef9a0
   ```

   In the preceding command, replace `us-east-2` with the AWS Region ID for the instance and `i-12a3b45678cdef9a0` with the instance ID.

   To get the instance ID, you can, for example, run the Amazon EC2 `describe-instances` command, specifying the name and AWS Region ID of the environment.

   ```
   aws ec2 describe-instances --region us-east-2 --filters Name=tag:Name,Values=*my-environment* --query "Reservations[*].Instances[*].InstanceId" --output text
   ```

   In the preceding command, replace `us-east-2` with the AWS Region ID for the instance and `my-environment` with the name of the environment.

1. Back in the environment, use the AWS CLI to run the `aws configure` command or the aws-shell to run the `configure` command. Don't specify any values for **AWS Access Key ID** or **AWS Secret Access Key**. Press `Enter` after each of these prompts. For **Default Region name**, specify the AWS Region closest to you or the Region where your AWS resources are located. For example, `us-east-2` for the US East (Ohio) Region. For a list of Regions, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*. Optionally, specify a value for **Default output format** (for example, `json`).

You can now start calling AWS services from your environment. To use the AWS CLI, the aws-shell, or both to call AWS services, see the [AWS CLI and aws-shell Sample](sample-aws-cli.md). To call AWS services from your code, see our other [tutorials and samples](tutorials.md).

## Create and store permanent access credentials in an Environment
<a name="credentials-permanent-create"></a>

**Note**  
If you're using an AWS Cloud9 EC2 development environment, we recommend that you use AWS managed temporary credentials instead of AWS permanent access credentials. To work with AWS managed temporary credentials, see [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials).

In this section, you use AWS Identity and Access Management (IAM) to generate a set of permanent credentials. The AWS CLI, the aws-shell, or your code can use this set of credentials when calling AWS services. This set includes an AWS access key ID and an AWS secret access key, which are unique to your user in your AWS account. If you already have an AWS access key ID and an AWS secret access key, note those credentials, and then skip ahead to [Store Permanent Access Credentials in an Environment](#credentials-permanent-create-store).

You can create a set of permanent credentials with the [IAM console](#credentials-permanent-create-console) or the [AWS CLI](#credentials-permanent-create-cli).

### Grant programmatic access
<a name="credentials-permanent-create-console"></a>

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.


****  

| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/credentials.html)  | 
|  Workforce identity (Users managed in IAM Identity Center)  | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/credentials.html)  | 
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | 
| IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/credentials.html)  | 

### Create permanent access credentials with the AWS CLI
<a name="credentials-permanent-create-cli"></a>

**Note**  
For this section, we recommend that you configure the AWS CLI using administrator-level credentials in your AWS account. If you can't do this, check with your AWS account administrator.

**Note**  
If you're using [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials), you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

Run the IAM `create-access-key` command to create a new AWS access key and corresponding AWS secret access key for the user.

```
aws iam create-access-key --user-name MyUser
```

In the preceding command, replace `MyUser` with the name of the user.

In a secure location, save the `AccessKeyId` and `SecretAccessKey` values that are displayed. After you run the IAM `create-access-key` command, this is the only time you can use the AWS CLI to view the user's AWS secret access key. To generate a new AWS secret access key for the user later if needed, see [Creating, Modifying, and Viewing Access Keys (API, CLI, PowerShell)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey_CLIAPI) in the *IAM User Guide*.

### Store permanent access credentials in an Environment
<a name="credentials-permanent-create-store"></a>

In this procedure, you use the AWS Cloud9 IDE to store your permanent AWS access credentials in your environment. This procedure assumes you already created an environment in AWS Cloud9, opened the environment, and are displaying the AWS Cloud9 IDE in your web browser. For more information, see [Creating an Environment](create-environment.md) and [Opening an Environment](open-environment.md).

**Note**  
The following procedure shows how to store your permanent access credentials by using environment variables. If you have the AWS CLI or the aws-shell installed in your environment, you can use the ** `aws configure` ** command for the AWS CLI or the ** `configure` ** command for the aws-shell to store your permanent access credentials instead. For instructions, see [Quick Configuration](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-quick-configuration) in the *AWS Command Line Interface User Guide*.

1. With your environment open, in the AWS Cloud9 IDE, start a new terminal session, if one is not already started. To start a new terminal session, on the menu bar, choose **Window**, **New Terminal**.

1. Run each of the following commands, one command at a time, to set local environment variables representing your permanent access credentials. In these commands, after `AWS_ACCESS_KEY_ID:`, enter your AWS access key ID. After `AWS_SECRET_ACCESS_KEY`, enter your AWS secret access key. After `AWS_DEFAULT_REGION_ID`, enter the AWS Region identifier associated with the AWS Region closest to you (or your preferred AWS Region). For a list of available identifiers, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*. For example, for the US East (Ohio), you use `us-east-2`.

   ```
   export AWS_ACCESS_KEY_ID=
   export AWS_SECRET_ACCESS_KEY=
   export AWS_DEFAULT_REGION=
   ```

1. Note that the preceding environment variables are valid only for the current terminal session. To make these environment variables available across terminal sessions, you must add them to your shell profile file as user environment variables, as follows.

   1. In the **Environment** window of the IDE, choose the gear icon, and then choose **Show Home in Favorites**. Repeat this step and choose **Show Hidden Files** as well.

   1. Open the `~/.bashrc` file.

   1. Enter or paste the following code at the end of the file. In these commands, after `AWS_ACCESS_KEY_ID:`, enter your AWS access key ID. After `AWS_SECRET_ACCESS_KEY`, enter your AWS secret access key. After `AWS_DEFAULT_REGION_ID`, enter the AWS Region identifier associated with the AWS Region closest to you (or your preferred AWS Region). For a list of available identifiers, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*. For example, for the US East (Ohio) Region, you use `us-east-2`.

      ```
      export AWS_ACCESS_KEY_ID=
      export AWS_SECRET_ACCESS_KEY=
      export AWS_DEFAULT_REGION=
      ```

   1. Save the file.

   1. Source the `~/.bashrc` file to load these new environment variables.

      ```
      . ~/.bashrc
      ```

You can now start calling AWS services from your environment. To use the AWS CLI or the aws-shell to call AWS services, see the [AWS CLI and aws-shell Sample](sample-aws-cli.md). To call AWS services from your code, see our other [tutorials and samples](tutorials.md).

# Changing environment settings in AWS Cloud9
<a name="change-environment"></a>

You can change the preferences or settings for an AWS Cloud9 development environment.
+  [Change Environment Preferences](#change-environment-single) 
+  [Change Environment Settings with the Console](#change-environment-description) 
+  [Change Environment Settings with Code](#change-environment-description-code) 

## Change environment preferences
<a name="change-environment-single"></a>

1. Open the environment that you want to change settings for. To open an environment, see [Opening an Environment](open-environment.md).

1. In the AWS Cloud9 IDE, on the menu bar, choose **AWS Cloud9**, **Preferences**.

1. In the **Preferences** window, choose **Project Settings**.

1. Change any of the available project settings as you want. These include settings such as **Code Editor (Ace)** and **Find in Files**.

**Note**  
For more information, see [Project Setting Changes You Can Make](settings-project-change.md).

### Adjusting the timeout of an environment in the AWS Cloud9 IDE
<a name="change-environment-timeout"></a>

The following steps outline how to update the timeout period for an Amazon EC2 environment in the AWS Cloud9 IDE. This will be the amount of time before the environment stops.

1. Open the environment that you want to configure.

1. In the **AWS Cloud9 IDE**, on the menu bar, choose **AWS Cloud9** **Preferences**.

1. In the **Preferences** window scroll to the **Amazon EC2 instance** section.

1. Select the timeout value from the list available and update.

## Change environment settings with the console
<a name="change-environment-description"></a>

1. Sign in to the AWS Cloud9 console as follows:
   + If you're the only individual using your AWS account or you're an IAM user in a single AWS account, go to [https://console.aws.amazon.com/cloud9/](https://console.aws.amazon.com/cloud9/).
   + If your organization uses AWS IAM Identity Center, see your AWS account administrator for sign-in instructions.

1. In the top navigation bar, choose the AWS Region where the environment is located.  
![\[AWS Region selector in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/consolas_region_new_UX.png)

1. In the list of environments, for the environment whose settings you want to change, do one of the following.
   + Choose the title of the card for the environment. Then choose **View details** on the next page.
   + Select the card for the environment, and then choose the **View details** button.

1. Make your changes, and then choose **Save changes**.

   You can use the AWS Cloud9 console to change the following settings.
   + For EC2 environments, **Name** and **Description**.
   + For SSH environments: **Name**, **Description**, **User**, **Host**, **Port**, **Environment path**, **Node.js binary path**, and **SSH jump host**.

   To change other settings, do the following.
   + For EC2 environments, do the following.
     + You cannot change **Type**, **Security groups**, **VPC**, **Subnet**, **Environment path**, or **Environment ARN**.
     + For **Permissions** or **Number of members**, see [Change the Access Role of an Environment Member](share-environment-change-access.md), [Remove Your User](share-environment-change-access.md), [Invite an IAM user](share-environment.md#share-environment-invite-user), and [Remove Another Environment Member](share-environment-delete-member.md).
     + For **EC2 instance type**, **Memory**, or **vCPU**, see [Moving or Resizing an Environment](move-environment.md).
   + For SSH environments, do the following.
     + You cannot change **Type** or **Environment ARN**.
     + For **Permissions** or **Number of members**, see [Change the Access Role of an Environment Member](share-environment-change-access.md), [Remove Your User](share-environment-change-access.md), [Invite an IAM User](share-environment.md#share-environment-invite-user), and [Remove Another Environment Member](share-environment-delete-member.md).

If your environment isn't displayed in the console, try doing one or more of the following actions to have it be displayed.
+ In the dropdown menu bar on the **Environments** page, choose one or more of the following.
  + Choose **My environments** to display all environments that your AWS entity owns within the selected AWS Region and AWS account.
  + Choose **Shared with me** to display all environments your AWS entity was invited to within the selected AWS Region and AWS account.
  + Choose **All account environments** to display all environments within the selected AWS Region and AWS account that your AWS entity has permissions to display.
+ If you think you are a member of an environment, but the environment isn't displayed in the **Shared with you** list, check with the environment owner.
+ In the top navigation bar, choose a different AWS Region.

## Change environment settings with code
<a name="change-environment-description-code"></a>

To use code to change the settings of an environment in AWS Cloud9, call the AWS Cloud9 update environment operation, as follows.


****  

|  |  | 
| --- |--- |
|  AWS CLI  |   [update-environment](https://docs.aws.amazon.com/cli/latest/reference/cloud9/update-environment.html)   | 
|  AWS SDK for C\$1\$1  |   [UpdateEnvironmentRequest](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_update_environment_request.html), [UpdateEnvironmentResult](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_update_environment_result.html)   | 
|  AWS SDK for Go  |   [UpdateEnvironment](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.UpdateEnvironment), [UpdateEnvironmentRequest](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.UpdateEnvironmentRequest), [UpdateEnvironmentWithContext](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.UpdateEnvironmentWithContext)   | 
|  AWS SDK for Java  |   [UpdateEnvironmentRequest](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/UpdateEnvironmentRequest.html), [UpdateEnvironmentResult](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/UpdateEnvironmentResult.html)   | 
|  AWS SDK for JavaScript  |   [updateEnvironment](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Cloud9.html#updateEnvironment-property)   | 
|  AWS SDK for .NET  |   [UpdateEnvironmentRequest](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TUpdateEnvironmentRequest.html), [UpdateEnvironmentResponse](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TUpdateEnvironmentResponse.html)   | 
|  AWS SDK for PHP  |   [updateEnvironment](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cloud9-2017-09-23.html#updateenvironment)   | 
|  AWS SDK for Python (Boto)  |   [update\$1environment](https://boto3.readthedocs.io/en/latest/reference/services/cloud9.html#Cloud9.Client.update_environment)   | 
|  AWS SDK for Ruby  |   [update\$1environment](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Cloud9/Client.html#update_environment-instance_method)   | 
|  AWS Tools for Windows PowerShell  |   [Update-C9Environment](https://docs.aws.amazon.com/powershell/latest/reference/items/Update-C9Environment.html)   | 
|  AWS Cloud9 API  |   [UpdateEnvironment](https://docs.aws.amazon.com/cloud9/latest/APIReference/API_UpdateEnvironment.html)   | 

# Working with shared environment in AWS Cloud9
<a name="share-environment"></a>

A *shared environment* is an AWS Cloud9 development environment that multiple users were invited to participate in. This topic provides instructions for sharing an environment in AWS Cloud9 and how to participate in a shared environment.

To invite a user to participate in an environment that you own, follow one of these sets of procedures. Choose based on the type of user that you want to invite. 
+ If you are a user in the same AWS account as the environment you should [Invite a User in the Same Account as the Environment](#share-environment-invite-user).
+ If you are an AWS Cloud9 administrator in the same AWS account as the environment, specifically the AWS account root user, an administrator user or a user with the AWS managed policy `AWSCloud9Administrator` attached, then you should invite the AWS Cloud9 administrator yourself, see [Invite a User in the Same Account as the Environment](#share-environment-invite-user), or have the AWS Cloud9 administrator invite themself (or others in the same AWS account), see [Have an AWS Cloud9 Administrator in the Same Account as the Environment Invite Themself or Others](#share-environment-admin-user).

## Shared Environment use cases
<a name="share-environment-about"></a>

A shared environment is good for the following use cases:
+ **Pair programming **(**also known as *peer programming***)**: **This is where two users work together on the same code in a single environment. In pair programming, typically one user writes code while the other user observes the code being written. The observer gives immediate input and feedback to the code writer. These positions frequently switch during a project. Without a shared environment, teams of pair programmers typically sit in front of a single machine. Only one user at a time can write code. With a shared environment, both users can sit in front of their own machine. Moreover, they can write code at the same time, even if they are in different physical offices.
+ **Computer science classes: **This is useful when teachers or teaching assistants want to access a student's environment. Doing so can be for review a student's homework or fix issues with their environment in real time. Students can also work together with their classmates on shared homework projects, writing code together in a single environment in real time. They can do this even though they might be in different locations using different computer operating systems and web browser types.
+ Any other situation where multiple users need to collaborate on the same code in real time.

## About environment member access roles
<a name="share-environment-member-roles"></a>

Before you share an environment or participate in a shared environment in AWS Cloud9, you should understand the access permission levels for a shared environment. We call these permission levels *environment member access roles*.

A shared environment in AWS Cloud9 offers three environment member access roles: *owner*, *read/write*, and *read-only*.
+ An owner has full control over an environment. Each environment has one and only one owner, who is the environment creator. An owner can do the following actions.
  + Add, change, and remove members for the environment
  + Open, view, and edit files
  + Run code
  + Change environment settings
  + Chat with other members
  + Delete existing chat messages

  In the AWS Cloud9 IDE, an environment owner is displayed with **Read\$1Write** access.
+ A read/write member can do the following actions.
  + Open, view, and edit files
  + Run code
  + Change various environment settings from within the AWS Cloud9 IDE
  + Chat with other members
  + Delete existing chat messages

  In the AWS Cloud9 IDE, read/write members are displayed with **Read\$1Write** access.
+ A read-only member can do the following actions.
  + Open and view files
  + Chat with other members
  + Delete existing chat messages

  In the AWS Cloud9 IDE, read-only members are displayed with **Read Only** access.

Before a user can become an environment owner or member, that user must meet one of the following criteria.
+ The user is an **AWS account root user**.
+ The user is an **administrator user**. For more information, see [Creating Your First IAM Admin User and Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-set-up.html#create-an-admin) in the *IAM User Guide*.
+ The user is a **user who belongs to an IAM group**, a **user who assumes a role**, or a **federated user who assumes a role**, *and* that group or role has the AWS managed policy `AWSCloud9Administrator` or `AWSCloud9User` (or `AWSCloud9EnvironmentMember`, to be a member only) attached. For more information, see [AWS Managed (Predefined) Policies](security-iam.md#auth-and-access-control-managed-policies).
  + To attach one of the preceding managed policies to an IAM group, you can use the [AWS Management Console](#share-environment-member-roles-console) or the [AWS Command Line Interface (AWS CLI)](#share-environment-member-roles-cli) as described in the following procedures.
  + You can create a role in IAM with one of the preceding managed policies for a user or a federated user to assume. For more information, see [Creating Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) in the *IAM User Guide*. To have a user or a federated user assume the role, see coverage of assuming roles in [Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide*.

### Attach an AWS managed policy for AWS Cloud9 to a group using the console
<a name="share-environment-member-roles-console"></a>

The following procedure outlines how to attach an AWS managed policy for AWS Cloud9 to a group using the console.

1. Sign in to the AWS Management Console, if you are not already signed in.

   For this step, we recommend you sign in using IAM administrator-level credentials in your AWS account. If you can't do this, check with your AWS account administrator.

1. Open the IAM console. To do this, in the console navigation bar, choose **Services**. Then choose **IAM**.

1. Choose **Groups**.

1. Choose the name of the group.

1. On the **Permissions** tab, for **Managed Policies**, choose **Attach Policy**.

1. In the list of policy names, choose one of the following boxes.
   +  **AWSCloud9User** (preferred) or **AWSCloud9Administrator** to enable each user in the group to be an environment owner
   +  **AWSCloud9EnvironmentMember** to enable each user in the group to be a member only

   (If you don't see one of these policy names in the list, type the policy name in the **Search** box to display it.)

1. Choose **Attach policy**.

### Attach an AWS managed policy for AWS Cloud9 to a group using the AWS CLI
<a name="share-environment-member-roles-cli"></a>

**Note**  
If you're using [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials), you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

Run the IAM `attach-group-policy` command to attach the AWS managed policy for AWS Cloud9 to the group. Specify the group name and the Amazon Resource Name (ARN) of the policy:

```
aws iam attach-group-policy --group-name MyGroup --policy-arn arn:aws:iam::aws:policy/POLICY_NAME
```

In the preceding command, replace `MyGroup` with the name of the group. Replace `POLICY_NAME` with the name of one of the following AWS managed policies.
+  `AWSCloud9User` (preferred) or `AWSCloud9Administrator` to enable each user in the group to be an environment owner
+  `AWSCloud9EnvironmentMember` to enable each user in the group to be a member only

## Invite a user in the same account as the Environment
<a name="share-environment-invite-user"></a>

Use the instructions in this section to share an AWS Cloud9 development environment that you own in your AWS account with a user in that same account.

1. Suppose that the user that you want to invite *isn't* one of the following types of users. Make sure the user that you want to invite already has the corresponding environment member access role. For instructions, see [About Environment Member Access Roles](#share-environment-member-roles).
   + The **AWS account root user**.
   + An **Administrator user**.
   + A **user who belongs to an IAM group**, a **user who assumes a role**, or a **federated user who assumes a role**, *and* that group or role has the AWS managed policy `AWSCloud9Administrator` attached.

1. Open the environment that you own and want to invite the user to, if the environment isn't already open.

1. In the menu bar in the AWS Cloud9 IDE, do one of the following.
   + Choose **Window, Share**.
   + Choose **Share** (located next to the **Preferences** gear icon).  
![\[The Share command in the AWS Cloud9 IDE menu bar\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/ide-share.png)

1. In the **Share this environment** dialog box, for **Invite Members**, type one of the following.
   + To invite an **IAM user**, enter the name of the user.
   + To invite the **AWS account root user**, enter `arn:aws:iam::123456789012:root`. Replace `123456789012` with your AWS account ID.
   + To invite a **user with an assumed role** or a **federated user with an assumed role**, enter `arn:aws:sts::123456789012:assumed-role/MyAssumedRole/MyAssumedRoleSession`. Replace `123456789012` with your AWS account ID, `MyAssumedRole` with the name of the assumed role. Replace `MyAssumedRoleSession` with the session name for the assumed role.

1. To make this user a read-only member, choose **R**. To make this user read/write, choose **RW**.

1. Choose **Invite**.
**Note**  
If you make this user a read/write member, a dialog box is displayed, containing information about possibly putting your AWS security credentials at risk. The following information provides more background about this issue.  
You should share an environment only with those you trust.  
A read/write member may be able to use the AWS CLI, the AWS CloudShell, or AWS SDK code in your environment to take actions in AWS on your behalf. Furthermore, if you store your permanent AWS access credentials within the environment, that member could potentially copy those credentials and use them outside of the environment.  
Removing your permanent AWS access credentials from your environment and using temporary AWS access credentials instead does not fully address this issue. It lessens the opportunity of the member to copy those temporary credentials and use them outside of the environment (as those temporary credentials will work only for a limited time). However, temporary credentials still enable a read/write member to take actions in AWS from the environment on your behalf.

1. Contact the user to let them know they can open this environment and begin using it.

## Have an AWS Cloud9 administrator in the same account as the Environment invite themself or others
<a name="share-environment-admin-user"></a>

**Note**  
If you're using [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials), you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

The following types of users can invite themselves (or other users in the same AWS account) to any environment in the same account.
+ The **AWS account root user**.
+ An **administrator user**.
+ A **user who belongs to an IAM group**, a **user who assumes a role**, or a **federated user who assumes a role**, *and* that group or role has the AWS managed policy `AWSCloud9Administrator` attached.

Suppose that the invited user *isn't* one of the preceding types of users. Make sure that user already has the corresponding environment member access role. For instructions, see [About Environment Member Access Roles](#share-environment-member-roles).

To invite the user, use the AWS CLI or the AWS CloudShell to run the AWS Cloud9 `create-environment-membership` command.

```
aws cloud9 create-environment-membership --environment-id 12a34567b8cd9012345ef67abcd890e1 --user-arn USER_ARN --permissions PERMISSION_LEVEL
```

In the preceding command, replace `12a34567b8cd9012345ef67abcd890e1` with the ID of the environment. Replace `PERMISSION_LEVEL` with `read-write` or `read-only`. And, replace `USER_ARN` with one of the following:
+ To invite an **IAM user**, enter `arn:aws:iam::123456789012:user/MyUser`. Replace `123456789012` with your AWS account ID and replace `MyUser` with the name of the user.
+ To invite the **AWS account root user**, enter `arn:aws:iam::123456789012:root`. Replace `123456789012` with your AWS account ID.
+ To invite a **user with an assumed role** or a **federated user with an assumed role**, enter `arn:aws:sts::123456789012:assumed-role/MyAssumedRole/MyAssumedRoleSession`. Replace `123456789012` with your AWS account ID. Replace `MyAssumedRole` with the name of the assumed role. And, replace `MyAssumedRoleSession` with the session name for the assumed role.

For example, to invite the AWS account root user for account ID `123456789012` to an environment with ID `12a34567b8cd9012345ef67abcd890e1` as a read/write member, run the following command.

```
aws cloud9 create-environment-membership --environment-id 12a34567b8cd9012345ef67abcd890e1 --user-arn arn:aws:iam::123456789012:root --permissions read-write
```

**Note**  
If you're using the AWS CloudShell, omit the `aws` prefix from the preceding commands.

# Open a shared Environment
<a name="share-environment-open"></a>

To open a shared environment, you can use your AWS Cloud9 dashboard. Use the AWS Cloud9 IDE to perform actions and complete work in a shared environment. Examples are working with files and chatting with other team members.

1. Make sure the corresponding access policy is attached to the group or role for your user. For more information, see [About Environment Member Access Roles](share-environment.md#share-environment-member-roles).

1. Sign in to the AWS Cloud9 console as follows:
   + If you're the only individual using your AWS account or you're an IAM user in a single AWS account, go to [https://console.aws.amazon.com/cloud9/](https://console.aws.amazon.com/cloud9/).
   + If your organization uses IAM Identity Center, see your AWS account administrator for sign-in instructions.
   + If you're a student in a classroom, see your instructor for sign-in instructions.

1. Open the shared environment from your AWS Cloud9 dashboard. For more information, see [Opening an Environment in AWS Cloud9](open-environment.md).

You use the **Collaborate** window to interact with other members, as described in the rest of this topic.

**Note**  
If the **Collaborate** window isn't visible, choose **Collaborate**. If the **Collaborate** button isn't visible, on the menu bar, choose **Window, Collaborate**.

![\[The Collaborate window in the AWS Cloud9 IDE\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/ide-collaborate.png)


# See a list of environment members
<a name="share-environment-members-list"></a>

With the shared environment open, in the **Collaborate** window, expand **Environment Members**, if the list of members isn't visible.

A circle next to each member indicates their online status, as follows:
+ Active members have a green circle.
+ Offline members have a gray circle.
+ Idle members have an orange circle.

![\[Member online status in the AWS Cloud9 IDE\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/ide-collaborate-status.png)


To use code to get a list of environment members, call the AWS Cloud9 describe environment memberships operation, as follows.


****  

|  |  | 
| --- |--- |
|  AWS CLI  |   [describe-environment-memberships](https://docs.aws.amazon.com/cli/latest/reference/cloud9/describe-environment-memberships.html)   | 
|  AWS SDK for C\$1\$1  |   [DescribeEnvironmentMembershipsRequest](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_describe_environment_memberships_request.html), [DescribeEnvironmentMembershipsResult](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_describe_environment_memberships_result.html)   | 
|  AWS SDK for Go  |   [DescribeEnvironmentMemberships](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DescribeEnvironmentMemberships), [DescribeEnvironmentMembershipsRequest](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DescribeEnvironmentMembershipsRequest), [DescribeEnvironmentMembershipsWithContext](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DescribeEnvironmentMembershipsWithContext)   | 
|  AWS SDK for Java  |   [DescribeEnvironmentMembershipsRequest](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/DescribeEnvironmentMembershipsRequest.html), [DescribeEnvironmentMembershipsResult](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/DescribeEnvironmentMembershipsResult.html)   | 
|  AWS SDK for JavaScript  |   [describeEnvironmentMemberships](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Cloud9.html#describeEnvironmentMemberships-property)   | 
|  AWS SDK for .NET  |   [DescribeEnvironmentMembershipsRequest](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TDescribeEnvironmentMembershipsRequest.html), [DescribeEnvironmentMembershipsResponse](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TDescribeEnvironmentMembershipsResponse.html)   | 
|  AWS SDK for PHP  |   [describeEnvironmentMemberships](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cloud9-2017-09-23.html#describeenvironmentmemberships)   | 
|  AWS SDK for Python (Boto)  |   [describe\$1environment\$1memberships](https://boto3.readthedocs.io/en/latest/reference/services/cloud9.html#Cloud9.Client.describe_environment_memberships)   | 
|  AWS SDK for Ruby  |   [describe\$1environment\$1memberships](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Cloud9/Client.html#describe_environment_memberships-instance_method)   | 
|  AWS Tools for Windows PowerShell  |   [Get-C9EnvironmentMembershipList](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-C9EnvironmentMembershipList.html)   | 
|  AWS Cloud9 API  |   [DescribeEnvironmentMemberships](https://docs.aws.amazon.com/cloud9/latest/APIReference/API_DescribeEnvironmentMemberships.html)   | 

# Open the active file of an environment member
<a name="share-environment-active-file"></a>

This step shows how you can open the active file of an environment member.

With the shared environment open, in the menu bar, choose the member name. Then, choose **Open Active File**.

![\[The Open Active File command in the AWS Cloud9 IDE\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/ide-collaborate-active-file.png)


# Open the open file of an environment member
<a name="share-environment-open-file"></a>

This step shows how you can open the open file of an environment member.

1. With the shared environment open, in the **Collaborate** window, expand **Environment Members**, if the list of members isn't visible.

1. Expand the name of the user whose open file that you want to open in your environment.

1. Open (double-click) the name of the file that you want to open.

![\[Opening a team member's file in the AWS Cloud9 IDE\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/ide-collaborate-open-file.png)


# Go to the active cursor of an environment member
<a name="share-environment-active-cursor"></a>

This step shows how you can navigate the active cursor of an environment member.

1. With the shared environment open, in the **Collaborate** window, expand **Environment Members**, if the list of members isn't visible.

1. Open the context (right-click) menu for the member name, and then choose **Show Location**.

# Manage chat in a shared Environment
<a name="chat-delete-share-environment"></a>

This topic shows how you can chat with other environment members, view chat messages in a shared Environment, and delete them from a shared Environment.

## Chat with other environment members
<a name="share-environment-chat"></a>

With the shared environment open, at the bottom of the **Collaborate** window, for **Enter your message here**, enter your chat message, and then press `Enter`.

![\[The chat area in the AWS Cloud9 IDE\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/ide-collaborate-chat.png)


## View chat messages in a shared Environment
<a name="share-environment-chat-view"></a>

With the shared environment open, in the **Collaborate** window, expand **Group Chat**, if the list of chat messages isn't visible.

## Delete chat messages from a shared Environment
<a name="share-environment-chat-delete"></a>

With the shared environment open, in the **Collaborate** window, open the context (right-click) menu for the chat message in **Group Chat**. Then, choose **Delete Message**.

**Note**  
When you delete a chat message, it is deleted from the environment for all members.

## Delete all chat messages from a shared Environment
<a name="share-environment-chat-delete-all"></a>

With the shared environment open, in the **Collaborate** window, open a context (right-click) menu anywhere in **Group Chat**. Then, choose **Clear history**.

**Note**  
When you delete all chat messages, they're deleted from the environment for all members.

# Change the access role of an environment member
<a name="share-environment-change-access"></a>

This step shows how you can change the access role of an environment member. You can also use code to change the access role and update the AWS Cloud9 environment membership. 

1. Open the environment that you own and that contains the member whose access role you want to change, if the environment isn't already open. For more information, see [Opening an Environment in AWS Cloud9](open-environment.md).

1. If the list of members isn't visible, expand **Environment Members** in the **Collaborate** window.

1. Do one of the following actions:
   + Next to the member name whose access role that you want to change, choose **R** or **RW** to make this member owner or read/write, respectively.
   + To change a read/write member to read-only, open the context (right-click) menu for the member name, and then choose **Revoke Write Access**.
   + To change a read-only member to read/write, open the context (right-click) menu for the member name, and then choose **Grant Read\$1Write Access**.
**Note**  
If you make this user a read/write member, a dialog box is displayed, containing information about possibly putting your AWS security credentials at risk. Unless you trust that user to take actions in AWS on your behalf, don't make a user a read/write member. For more information, see the related note in [Invite a User in the Same Account as the Environment](share-environment.md#share-environment-invite-user).

To use code to change the access role of an environment member, call the AWS Cloud9 update environment membership operation, as follows.


****  

|  |  | 
| --- |--- |
|  AWS CLI  |   [update-environment-membership](https://docs.aws.amazon.com/cli/latest/reference/cloud9/update-environment-membership.html)   | 
|  AWS SDK for C\$1\$1  |   [UpdateEnvironmentMembershipRequest](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_update_environment_membership_request.html), [UpdateEnvironmentMembershipResult](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_update_environment_membership_result.html)   | 
|  AWS SDK for Go  |   [UpdateEnvironmentMembership](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.UpdateEnvironmentMembership), [UpdateEnvironmentMembershipRequest](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.UpdateEnvironmentMembershipRequest), [UpdateEnvironmentMembershipWithContext](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.UpdateEnvironmentMembershipWithContext)   | 
|  AWS SDK for Java  |   [UpdateEnvironmentMembershipRequest](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/UpdateEnvironmentMembershipRequest.html), [UpdateEnvironmentMembershipResult](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/UpdateEnvironmentMembershipResult.html)   | 
|  AWS SDK for JavaScript  |   [updateEnvironmentMembership](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Cloud9.html#updateEnvironmentMembership-property)   | 
|  AWS SDK for .NET  |   [UpdateEnvironmentMembershipRequest](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TUpdateEnvironmentMembershipRequest.html), [UpdateEnvironmentMembershipResponse](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TUpdateEnvironmentMembershipResponse.html)   | 
|  AWS SDK for PHP  |   [updateEnvironmentMembership](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cloud9-2017-09-23.html#updateenvironmentmembership)   | 
|  AWS SDK for Python (Boto)  |   [update\$1environment\$1membership](https://boto3.readthedocs.io/en/latest/reference/services/cloud9.html#Cloud9.Client.update_environment_membership)   | 
|  AWS SDK for Ruby  |   [update\$1environment\$1membership](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Cloud9/Client.html#update_environment_membership-instance_method)   | 
|  AWS Tools for Windows PowerShell  |   [Update-C9EnvironmentMembership](https://docs.aws.amazon.com/powershell/latest/reference/items/Update-C9EnvironmentMembership.html)   | 
|  AWS Cloud9 API  |   [UpdateEnvironmentMembership](https://docs.aws.amazon.com/cloud9/latest/APIReference/API_UpdateEnvironmentMembership.html)   | 

# Remove your user from a shared Environment
<a name="share-environment-delete-you"></a>

This step shows how you can remove your user from a shared environment.

**Note**  
If you're the environment owner, you can't remove your user from an environment.  
Removing your user from an environment doesn't remove your user from IAM.

1. With the shared environment open, in the **Collaborate** window, expand **Environment Members**, if the list of members isn't visible.

1. Do one of the following actions:
   + Next to **You**, choose the trash can icon.
   + Open the context (right-click) menu for **You**, and then choose **Leave environment**.

1. When prompted, choose **Leave**.

To use code to remove your user from a shared environment, call the AWS Cloud9 delete environment membership operation, as follows.


****  

|  |  | 
| --- |--- |
|  AWS CLI  |   [delete-environment-membership](https://docs.aws.amazon.com/cli/latest/reference/cloud9/delete-environment-membership.html)   | 
|  AWS SDK for C\$1\$1  |   [DeleteEnvironmentMembershipRequest](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_delete_environment_membership_request.html), [DeleteEnvironmentMembershipResult](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_delete_environment_membership_result.html)   | 
|  AWS SDK for Go  |   [DeleteEnvironmentMembership](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironmentMembership), [DeleteEnvironmentMembershipRequest](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironmentMembershipRequest), [DeleteEnvironmentMembershipWithContext](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironmentMembershipWithContext)   | 
|  AWS SDK for Java  |   [DeleteEnvironmentMembershipRequest](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/DeleteEnvironmentMembershipRequest.html), [DeleteEnvironmentMembershipResult](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/DeleteEnvironmentMembershipResult.html)   | 
|  AWS SDK for JavaScript  |   [deleteEnvironmentMembership](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Cloud9.html#deleteEnvironmentMembership-property)   | 
|  AWS SDK for .NET  |   [DeleteEnvironmentMembershipRequest](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TDeleteEnvironmentMembershipRequest.html), [DeleteEnvironmentMembershipResponse](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TDeleteEnvironmentMembershipResponse.html)   | 
|  AWS SDK for PHP  |   [deleteEnvironmentMembership](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cloud9-2017-09-23.html#deleteenvironmentmembership)   | 
|  AWS SDK for Python (Boto)  |   [delete\$1environment\$1membership](https://boto3.readthedocs.io/en/latest/reference/services/cloud9.html#Cloud9.Client.delete_environment_membership)   | 
|  AWS SDK for Ruby  |   [delete\$1environment\$1membership](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Cloud9/Client.html#delete_environment_membership-instance_method)   | 
|  AWS Tools for Windows PowerShell  |   [Remove-C9EnvironmentMembership](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-C9EnvironmentMembership.html)   | 
|  AWS Cloud9 API  |   [DeleteEnvironmentMembership](https://docs.aws.amazon.com/cloud9/latest/APIReference/API_DeleteEnvironmentMembership.html)   | 

# Remove another environment member
<a name="share-environment-delete-member"></a>

This step shows how you can remove any member other than your user from an environment.

**Note**  
To remove any member other than your user from an environment, you must be signed in to AWS Cloud9 by using the environment owner's credentials.  
Removing a member doesn't remove the user from IAM.

1. Open the environment that contains the member you want to remove, if the environment isn't already open. For more information, see [Opening an Environment in AWS Cloud9](open-environment.md).

1. In the **Collaborate** window, expand **Environment Members**, if the list of members isn't visible.

1. Do one of the following:
   + Next to the name of the member you want to delete, choose the trash can icon.
   + Open the context (right-click) menu for the name of the member that you want to delete, and then choose **Revoke Access**.

1. When prompted, choose **Remove Member**.

To use code to remove a member from an environment, call the AWS Cloud9 delete environment membership operation, as follows.


****  

|  |  | 
| --- |--- |
|  AWS CLI  |   [delete-environment-membership](https://docs.aws.amazon.com/cli/latest/reference/cloud9/delete-environment-membership.html)   | 
|  AWS SDK for C\$1\$1  |   [DeleteEnvironmentMembershipRequest](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_delete_environment_membership_request.html), [DeleteEnvironmentMembershipResult](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_delete_environment_membership_result.html)   | 
|  AWS SDK for Go  |   [DeleteEnvironmentMembership](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironmentMembership), [DeleteEnvironmentMembershipRequest](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironmentMembershipRequest), [DeleteEnvironmentMembershipWithContext](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironmentMembershipWithContext)   | 
|  AWS SDK for Java  |   [DeleteEnvironmentMembershipRequest](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/DeleteEnvironmentMembershipRequest.html), [DeleteEnvironmentMembershipResult](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/DeleteEnvironmentMembershipResult.html)   | 
|  AWS SDK for JavaScript  |   [deleteEnvironmentMembership](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Cloud9.html#deleteEnvironmentMembership-property)   | 
|  AWS SDK for .NET  |   [DeleteEnvironmentMembershipRequest](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TDeleteEnvironmentMembershipRequest.html), [DeleteEnvironmentMembershipResponse](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TDeleteEnvironmentMembershipResponse.html)   | 
|  AWS SDK for PHP  |   [deleteEnvironmentMembership](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cloud9-2017-09-23.html#deleteenvironmentmembership)   | 
|  AWS SDK for Python (Boto)  |   [delete\$1environment\$1membership](https://boto3.readthedocs.io/en/latest/reference/services/cloud9.html#Cloud9.Client.delete_environment_membership)   | 
|  AWS SDK for Ruby  |   [delete\$1environment\$1membership](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Cloud9/Client.html#delete_environment_membership-instance_method)   | 
|  AWS Tools for Windows PowerShell  |   [Remove-C9EnvironmentMembership](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-C9EnvironmentMembership.html)   | 
|  AWS Cloud9 API  |   [DeleteEnvironmentMembership](https://docs.aws.amazon.com/cloud9/latest/APIReference/API_DeleteEnvironmentMembership.html)   | 

# Environment sharing best practices
<a name="share-environment-best-practices"></a>

We recommend the following practices when sharing environments:
+ Only invite read/write members you trust to your environments.
+ For EC2 environments, read/write members can use the environment owner's AWS access credentials to make calls from the environment to AWS services. This is instead of their own credentials. To prevent this, the environment owner can disable AWS managed temporary credentials for the environment. However, this also prevents the environment owner from making calls. For more information, see [AWS Managed Temporary Credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials).
+ Turn on AWS CloudTrail to track activity in your environments. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+ Don't use your AWS account root user to create and share environments. Use IAM users in the account instead. For more information, see [First-Time Access Only: Your Root User Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#intro-identity-first-time-access) and [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#intro-identity-users) in the *IAM User Guide*.

# Moving an AWS Cloud9 IDE from Amazon EBS volumes
<a name="move-environment"></a>

You can move an AWS Cloud9 development environment from one Amazon EC2 instance to another. For example, you might want to do the following actions:
+ Transfer an environment from an Amazon EC2 instance that's impaired or performing in unexpected ways compared with a healthy instance.
+ Transfer an environment from an existing instance to one that has the latest system updates.
+ Increase or decrease an instance's compute resources because the environment is overused or underused on the current instance.

You can upgrade from one AWS Cloud9 supported AMI to another by migrating to a new AWS Cloud9 EC2 environment, while keeping the project files. You may want to upgrade to another version of the AMI because: 
+ The AMI of the current environment has reached end-of-life and is no longer supported.
+ The package that you need is outdated in the current AMI. 

You can also resize the Amazon Elastic Block Store (Amazon EBS) volume that's associated with an Amazon EC2 instance for an environment. For example, you might want to do one or both of the following actions:
+ Increase the size of a volume because you're running out of storage space on the instance.
+ Decrease the size of a volume because you don't want to pay for extra storage space that you aren't using.

Before you move or resize an environment, you can try stopping some running processes in the environment or adding a swap file to the environment. For more information about dealing with low memory or high CPU usage, see [*Troubleshooting*](troubleshooting.md#troubleshooting-ide-low-memory).

**Note**  
This topic only describes moving an environment from one Amazon EC2 instance to another or resizing an Amazon EBS volume. To resize an environment from one of your own servers or to change the storage space for one of your own servers, refer to your server's documentation.

Last, you can encrypt Amazon EBS resources to ensure the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

## Move an environment
<a name="move-environment-move"></a>

Before you start the move process, note the following conditions:
+ You can't move an environment to an Amazon EC2 instance of the same type. When you move, you must choose a different Amazon EC2 instance type for the new instance.
**Important**  
If you move your environment to another Amazon EC2 instance type, that instance type must also be supported by AWS Cloud9 in the current AWS Region. To check the instance types that are available in each Region, go to the **Configure settings** page that's displayed when [creating an EC2 environment with the console](create-environment-main.md#create-environment-console). Your choice in the **Instance type** section is determined by the AWS Region that's selected in the upper right of the console. 
+ You must stop the Amazon EC2 instance that's associated with an environment before you can change the instance type. While the instance is stopped, you and any members can't use the environment that's associated with the stopped instance.
+ AWS moves the instance to new hardware, however, the instance's ID doesn't change.
+ If the instance is running in an Amazon VPC and has a public IPv4 address, AWS releases the address and gives the instance a new public IPv4 address. The instance retains its private IPv4 addresses and any Elastic IP addresses or IPv6 addresses.
+ Plan for downtime while your instance is stopped. The process might take several minutes.

**To move an environment**

1. (Optional) If the new instance type requires drivers that aren't installed on the existing instance, connect to your instance and install those drivers. For more information, see [Compatibility for resizing instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html#resize-limitations) in the *Amazon EC2 User Guide*.

1. Close all web browser tabs that are currently displaying the environment.
**Important**  
If you don't close all of the web browser tabs that are currently displaying the environment, AWS Cloud9 might interfere with completing this procedure. Specifically, AWS Cloud9 might try at the wrong time during this procedure to restart the Amazon EC2 instance that's associated with the environment. The instance must stay stopped until the very last step in this procedure.

1. Sign in to the AWS Management Console, if you're not already signed in, at [https://console.aws.amazon.com](https://console.aws.amazon.com).

   We recommend you sign in using administrator-level credentials in your AWS account. If you can't do this, check with your AWS account administrator.

1. Open the Amazon EC2 console. To do this, in the **Services** list, choose **EC2**.

1. In the AWS navigation bar, choose the AWS Region that contains the environment that you want to move (for example, **US East (Ohio)**).

1. In the service navigation pane, expand **Instances**, and then choose **Instances**.

1. In the list of instances, choose the one that's associated with the environment that you want to move. For an EC2 environment, the instance name starts with `aws-cloud9-` followed by the environment name. For example, if the environment is named `my-demo-environment`, the instance name starts with `aws-cloud9-my-demo-environment`.

1. If the **Instance State** is not **Stopped**, choose **Actions**, **Instance state**, **Stop**. When prompted, choose **Yes, Stop**. It can take a few minutes for the instance to stop.

1. After the **Instance State** is **stopped**, with the instance still selected, choose **Actions**, **Instance Settings**, **Change Instance Type**.

1. In the **Change Instance Type** dialog box, choose the new **Instance Type** for the environment to use.
**Note**  
If the instance type that you want doesn't appear in the list, it's not compatible with the configuration of the instance. For example, the instance might not be compatible because of the virtualization type.

1. (Optional) If the instance type that you chose supports EBS–optimization, select **EBS-optimized** to enable EBS–optimization, or clear **EBS-optimized** to disable EBS–optimization.
**Note**  
If the instance type you chose is EBS–optimized by default, **EBS-optimized** is selected and you can't clear it.

1. Choose **Apply** to accept the new settings.
**Note**  
If you didn't choose a different instance type for **Instance Type** earlier in this procedure, nothing happens after you choose **Apply**.

1. Reopen the environment. For more information, see [Opening an environment in AWS Cloud9](open-environment.md).

For more information about the preceding procedure, see [Changing the instance type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html) in the *Amazon EC2 User Guide*.

## Moving an AWS Cloud9 EC2 environment to a different Amazon Machine Image (AMI)
<a name="moving-ec2-environ-to-ami"></a>

 

This topic explains how to migrate an AWS Cloud9 EC2 environment from one Amazon Linux AMI to another AWS Cloud9 supported AMI. 

**Note**  
If you want to move your environment to a new instance without updating the OS version, see [Move an environment](#move-environment-move).

You can migrate your data between environments using one of the following procedures:

**To move an environment by downloading archive to a local machine**

1. Create a new environment in the same Availability Zone with a different base image:

   1. Complete the steps in the [Creating an EC2 Environment](create-environment-main.md) section to create a new environment. 
**Note**  
While choosing the **Platform**, select the platform that you want to migrate your environment to.

   1. By default, environments are created with 10 GiB volume. If you don't have sufficient space to upload or unpack the archive to the new environment, complete the steps in [Resize an Amazon EBS volume that an environment uses](move-environment-resize.md) procedure to resize Amazon EBS volume size.

1. Open the environment that you want to migrate in the AWS Cloud9 IDE.

1. After the AWS Cloud9 IDE loads, select **File** > **Download project** from the menu to download the archive with the contents of the environment project directory.

1. Open AWS Cloud9 IDE in the new environment.

1. Choose **File** > **Upload local files...** to upload the archive.

1. (Optional) To back up the old `.c9` directory to `.c9.backup`, in the environment terminal, run the following command: 

   ```
   cp .c9 .c9.backup
   ```

   You may need these backup files if you want to restore the configuration files later.

1. To unpack the archive, run the following command: 

   ```
   tar xzvf <old_environment_name>.tar.gz -C ~/
   ```

1. To delete the archive from the project directory, run the following command:

   ```
   rm <old_environment_name>.tar.gz
   ```

   Ensure that the new environment works as expected.

1. You can now delete the old environment.

**To move an environment using Amazon EBS volume**

If you are not able to download the archive, or if the resulting archive is too large, you can use the Amazon EBS volume to migrate. Also, this method enables you to copy files that are located outside the `~/environment` directory.

1. Close all AWS Cloud9 IDE tabs that are open in the existing environment. 

1. Complete the following steps to stop the existing instance:

   1. In the AWS Cloud9 console, select the environment to navigate to view its details.

   1. On the **Environment details** page, under the **EC2 instance** tab, choose **Manage EC2 instance**.

   1. In the EC2 console, select the instance to navigate to the instance details. 

   1. Ensure that the **Instance state** is set to **Stopped**. If not, select **Stop instance** from the **Instance state** dropdown list. When prompted, choose **Stop**. It can take a few minutes for the instance to stop. 

1. Create a new environment in the same Availability Zone with a different base image:

   1. Complete the steps in the [Creating an EC2 Environment](create-environment-main.md) section to create a new environment. 
**Note**  
While choosing the **Platform**, select the platform that you want to migrate your environment to.

   1. By default, environments are created with 10 GiB volume. If you don’t have sufficient space to move files from the source volume to the new environment, complete the steps in [Resize an Amazon EBS volume that an environment uses](move-environment-resize.md) procedure to resize Amazon EBS volume size.

1. Complete the following steps to detach the volume from the existing instance:

   1. On the **Instance summary** page, choose the **Storage** tab and select the volume. The device name of the selected volume must be the same as the one that is specified in the **Root device name** of the **Root device details** section.

   1. On the volume details page, choose **Actions** > **Detach volume**.

   1. After the volume is successfully detached, choose **Actions** > **Attach volume** and then find and select the instance of the new environment from the dropdown list. The name of the Amazon EC2 instance that you select must contain the AWS Cloud9 environment name prefixed with `aws-cloud9`.

1. Open AWS Cloud9 IDE in the new environment.

1. After the environment loads, to identify the device of the newly attached volume, run the following command in the terminal: 

   ```
   lsblk
   ```

   In the following sample output, partition `nvme0n1` of root device `nvme0n1p1` is already mounted, hence the `nvme1n1p1` partition must also be mounted. The full path for its device is `/dev/nvme1n1p1`:

   ```
   Admin:~/environment $ lsblk
   NAME          MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
   nvme0n1       259:0    0  10G  0 disk 
   ├─nvme0n1p1   259:2    0  10G  0 part /
   ├─nvme0n1p127 259:3    0   1M  0 part 
   └─nvme0n1p128 259:4    0  10M  0 part /boot/efi
   nvme1n1       259:1    0  10G  0 disk 
   ├─nvme1n1p1   259:5    0  10G  0 part 
   └─nvme1n1p128 259:6    0   1M  0 part
   ```
**Note**  
The output varies when you run this command in your terminal.

1. Complete the following steps in the environment terminal to mount the existing volume:

   1. To create a temporary directory where the volume’s partition will be mounted, run the following command:

      ```
      MOUNT_POINT=$(mktemp -d)
      ```

   1. Based on the `lsblk` command's sample output, specify the following path of the device to be mounted:

      ```
      MOUNT_DEVICE=/dev/nvme1n1p1
      ```
**Note**  
The output varies when you run this command in your terminal.

   1. To mount the existing volume, run the following command: 

      ```
      sudo mount $MOUNT_DEVICE $MOUNT_POINT
      ```

   1. Complete the following steps to verify if the existing volume is correctly mounted:

      1. To ensure that the volume is included in the output, run the following command: 

         ```
         df -h
         ```

      1. To verify contents of the volume, run the following command:

         ```
         ls $MOUNT_POINT/home/ec2-user/environment/
         ```

1. (Optional) To back up the old `.c9` directory to `.c9.backup`, in the environment terminal, run the following command: 

   ```
   cp .c9 .c9.backup
   ```

   You may need these backup files if you want to restore the configuration files later.

1. To copy the old environment from the existing volume, run the following command:

   ```
   cp -R $MOUNT_POINT/home/ec2-user/environment ~
   ```
**Note**  
If required, you can also copy files or directories outside of the environment directory using the preceding command. 

   Ensure that the new environment works as expected.

1. To unmount the previous device, run one of the two following commands: 

   ```
   sudo umount $MOUNT_DEVICE
   ```

   ```
   sudo umount $MOUNT_POINT
   ```

1. Choose **Detach volume** from the **Actions** dropdown list to detach the volume that you attached in **Step 3**.

1. You can now delete the old environment and its volume.
**Note**  
Since the volume is no longer attached to the environment’s Amazon EC2 instance, you’ll need to remove it manually. You can do this by choosing **Delete** on the **Volume details** page.

# Resize an Amazon EBS volume that an environment uses
<a name="move-environment-resize"></a>

This step shows how you can resize an Amazon EBS volume.

1. Open the environment that's associated with the Amazon EC2 instance for the Amazon EBS volume that you want to resize.

1. In the AWS Cloud9 IDE for the environment, create a file with the following contents, and then save the file with the extension `.sh` (for example, `resize.sh`).
**Note**  
This script works for Amazon EBS volumes that are connected to EC2 instances that run AL2023, Amazon Linux 2, Amazon Linux, or Ubuntu Server and is configured to use IMDSv2.  
The script also resizes Amazon EBS volumes exposed as NVMe block devices on Nitro-based instances. For a list of instances based on the Nitro system, see [Nitro-based instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) in the *Amazon EC2 User Guide*.

   ```
   #!/bin/bash
   
   # Specify the desired volume size in GiB as a command line argument. If not specified, default to 20 GiB.
   SIZE=${1:-20}
   
   # Get the ID of the environment host Amazon EC2 instance.
   TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
   INSTANCEID=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/instance-id 2> /dev/null)
   REGION=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/placement/region 2> /dev/null)
   
   # Get the ID of the Amazon EBS volume associated with the instance.
   VOLUMEID=$(aws ec2 describe-instances \
     --instance-id $INSTANCEID \
     --query "Reservations[0].Instances[0].BlockDeviceMappings[0].Ebs.VolumeId" \
     --output text \
     --region $REGION)
   
   # Resize the EBS volume.
   aws ec2 modify-volume --volume-id $VOLUMEID --size $SIZE
   
   # Wait for the resize to finish.
   while [ \
     "$(aws ec2 describe-volumes-modifications \
       --volume-id $VOLUMEID \
       --filters Name=modification-state,Values="optimizing","completed" \
       --query "length(VolumesModifications)"\
       --output text)" != "1" ]; do
   sleep 1
   done
   
   # Check if we're on an NVMe filesystem
   if [[ -e "/dev/xvda" && $(readlink -f /dev/xvda) = "/dev/xvda" ]]
   then
   # Rewrite the partition table so that the partition takes up all the space that it can.
     sudo growpart /dev/xvda 1
   # Expand the size of the file system.
   # Check if we're on AL2 or AL2023
     STR=$(cat /etc/os-release)
     SUBAL2="VERSION_ID=\"2\""
     SUBAL2023="VERSION_ID=\"2023\""
     if [[ "$STR" == *"$SUBAL2"* || "$STR" == *"$SUBAL2023"* ]]
     then
       sudo xfs_growfs -d /
     else
       sudo resize2fs /dev/xvda1
     fi
   
   else
   # Rewrite the partition table so that the partition takes up all the space that it can.
     sudo growpart /dev/nvme0n1 1
   
   # Expand the size of the file system.
   # Check if we're on AL2 or AL2023
     STR=$(cat /etc/os-release)
     SUBAL2="VERSION_ID=\"2\""
     SUBAL2023="VERSION_ID=\"2023\""
     if [[ "$STR" == *"$SUBAL2"* || "$STR" == *"$SUBAL2023"* ]]
     then
       sudo xfs_growfs -d /
     else
       sudo resize2fs /dev/nvme0n1p1
     fi
   fi
   ```

1. From a terminal session in the IDE, switch to the directory that contains the `resize.sh` file. Then run either of the following commands, replacing `20` with the size in GiB that you want to resize the Amazon EBS volume to:
   + 

     ```
     bash resize.sh 20
     ```
   + 

     ```
     chmod +x resize.sh
     ./resize.sh 20
     ```

# Encrypt Amazon EBS volumes that AWS Cloud9 uses
<a name="encrypting-volumes"></a>

This topic shows how you can encrypt Amazon EBS volumes tfor EC2 instances used by AWS Cloud9 development environments.

Amazon EBS encryption encrypts the following data:
+ Data at rest in the volume
+ All data that moves between the volume and the instance
+ All snapshots that are created from the volume
+ All volumes that are created from those snapshots

You have two encryption options for Amazon EBS volumes that are used by AWS Cloud9 EC2 development environments:
+ **Encryption by default** – You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. Encryption by default is enabled at the level of an AWS Region. So, you can't enable it for individual volumes or snapshots in that Region. In addition, Amazon EBS encrypts the volume that's created when you launch an instance. So, you must enable this setting before you create an EC2 environment. For more information, see [ Encryption by default](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html#encryption-by-default) in the *Amazon EC2 User Guide*. 
+ **Encryption of an existing Amazon EBS volume used by an EC2 environment** – You can encrypt specific Amazon EBS volumes that are already created for EC2 instances. This option involves using the AWS Key Management Service (AWS KMS) to manage access to the encrypted volumes. For the relevant procedure, see [Encrypt an existing Amazon EBS volume that AWS Cloud9 uses](#encrypting-existing-volume).

**Important**  
If your AWS Cloud9 IDE uses Amazon EBS volumes that are encrypted by default, the AWS Identity and Access Management service-linked role for AWS Cloud9 requires access to the AWS KMS key for these EBS volumes. If access isn't provided, the AWS Cloud9 IDE might fail to launch and debugging might be difficult.  
To provide access, add the service-linked role for AWS Cloud9, `AWSServiceRoleForAWSCloud9`, to the KMS key that's used by your Amazon EBS volumes. For more information about this task, see [Create an AWS Cloud9 IDE that uses Amazon EBS volumes with default encryption](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-an-aws-cloud9-ide-that-uses-amazon-ebs-volumes-with-default-encryption.html) in *AWS Prescriptive Guidance Patterns*.

## Encrypt an existing Amazon EBS volume that AWS Cloud9 uses
<a name="encrypting-existing-volume"></a>

Encrypting an existing Amazon EBS volume involves using AWS KMS to create a KMS key. After you create a snapshot of the volume to replace, you use the KMS key to encrypt a copy of the snapshot.

Next, you create an encrypted volume with that snapshot. Then, you replace the unencrypted volume by detaching it from the EC2 instance and attaching the encrypted volume. 

Finally, you must update the key policy for the customer managed key to enable access for the AWS Cloud9 service role. 

**Note**  
The following procedure focuses on using a customer managed key to encrypt a volume. You can also use an AWS managed key for an AWS service in your account. The alias for Amazon EBS is `aws/ebs`. If you choose this default option for encryption, skip step 1 where you create a customer managed key. Also, skip step 8 where you update the key policy. This is because you can't change the key policy for an AWS managed key.<a name="creating-encrypted-volume"></a>

**To encrypt an existing Amazon EBS volume**

1. In the AWS KMS console, create a symmetric KMS key. For more information, see [Creating symmetric KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

1. In the Amazon EC2 console, stop the Amazon EBS-backed instance used by the environment. You can [stop the instance using the console or the command line](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html).

1. In the navigation pane of the Amazon EC2 console, choose **Snapshots** [to create a snapshot of the existing volume](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html#ebs-create-snapshot) that you want to encrypt.

1. In the navigation pane of the Amazon EC2 console, choose **Snapshots** [to copy the snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html). In the **Copy snapshot** dialog box, do the following to enable encryption:
   + Choose **Encrypt this snapshot**. 
   + For **Master Key**, select the KMS key that you created earlier. (If you're using an AWS managed key, keep the **(default) aws/ebs** setting.)

1. [Create a new volume from the encrypted snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html#ebs-create-volume-from-snapshot). 
**Note**  
New Amazon EBS volumes that are created from encrypted snapshots are automatically encrypted. 

1. [Detach the old Amazon EBS volume](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-detaching-volume.html) from the Amazon EC2 instance. 

1. [Attach the new encrypted volume](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-attaching-volume.html) to the Amazon EC2 instance.

1. Update the key policy for the KMS key [using the AWS Management Console default view, AWS Management Console policy view, or AWS KMS API](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html#key-policy-modifying-how-to). Add the following key policy statements to allow the AWS Cloud9 service, `AWSServiceRoleForAWSCloud9`, to access the KMS key.
**Note**  
If you're using an AWS managed key, skip this step.

   ```
   {
       "Sid": "Allow use of the key",
       "Effect": "Allow",
       "Principal": {
           "AWS": "arn:{Partition}:iam::{AccountId}:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9"
       },
       "Action": [
           "kms:Encrypt",
           "kms:Decrypt",
           "kms:ReEncrypt*",
           "kms:GenerateDataKey*",
           "kms:DescribeKey"
       ],
       "Resource": "*"
      },
      {
       "Sid": "Allow attachment of persistent resources",
       "Effect": "Allow",
       "Principal": {
           "AWS": "arn:{Partition}:iam::{AccountId}:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9"
       },
       "Action": [
           "kms:CreateGrant",
           "kms:ListGrants",
           "kms:RevokeGrant"
       ],
       "Resource": "*",
       "Condition": {
           "Bool": {
               "kms:GrantIsForAWSResource": "true"
           }
       }
   }
   ```

1. Restart the Amazon EC2 instance. For more information about restarting an Amazon EC2 instance, see [Stop and start your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html).

# Deleting an environment in AWS Cloud9
<a name="delete-environment"></a>

To prevent any ongoing charges to your AWS account related to an AWS Cloud9 development environment that you're no longer using, delete the environment.
+  [Deleting an Environment with the Console](#delete-environment-console) 
+  [Deleting an Environment with Code](#delete-environment-code) 

## Deleting an Environment with the console
<a name="delete-environment-console"></a>

**Warning**  
When you delete an environment, AWS Cloud9 deletes the environment permanently. This includes permanently deleting all related settings, user data, and uncommitted code. Deleted environments can't be recovered.

1. Sign in to the AWS Cloud9 console:
   + If you're the only one using your AWS account or you're an IAM user in a single AWS account, go to [https://console.aws.amazon.com/cloud9/](https://console.aws.amazon.com/cloud9/).
   + If your organization uses AWS IAM Identity Center, ask your AWS account administrator for sign-in instructions.

1. In the top navigation bar, choose the AWS Region where the environment is located.  
![\[AWS Region selector in the AWS Cloud9 console\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/consolas_region_new_UX.png)

1. In the list of environments, for the environment that you want to delete, do one of the following actions.
   + Choose the title of the card for the environment. Then, choose **Delete** on the next page.  
![\[Deleting an environment from the environment details page\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/console-delete-env.png)
   + Select the card for the environment, and then choose the **Delete** button.  
![\[Deleting an environment from the environments list\]](http://docs.aws.amazon.com/cloud9/latest/user-guide/images/console-delete-env-card.png)

1. In the **Delete** dialog box, type `Delete`, and then choose **Delete**.
   + **EC2 environment**

     AWS Cloud9 also terminates the Amazon EC2 instance that was connected to that environment.
**Note**  
If account deletion fails, a banner is displayed at the top of the console webpage. Additionally, the card for the environment, if it exists, indicates that environment deletion failed.
   + **SSH environment**

     If the environment was connected to an Amazon EC2 instance, AWS Cloud9 doesn't terminate that instance. If you don't terminate that instance later, your AWS account might continue to have ongoing charges for Amazon EC2 related to that instance.

1. If the environment was an SSH environment, AWS Cloud9 leaves behind a hidden subdirectory on the cloud compute instance or your own server that was connected to that environment. If you want to delete it, you can now safely delete that subdirectory. The subdirectory is named `.c9`. The subdirectory is located in the **Environment path** directory that you specified when you created the environment.

   If your environment isn't displayed in the console, try doing one or more of the following actions to have it be displayed.
   + In the dropdown menu bar on the **Environments** page, choose one or more of the following.
     + Choose **My environments** to display all environments that your AWS entity owns within the selected AWS Region and AWS account.
     + Choose **Shared with me** to display all environments your AWS entity was invited to within the selected AWS Region and AWS account.
     + Choose **All account environments** to display all environments within the selected AWS Region and AWS account that your AWS entity has permissions to display.
   + If you think you are a member of an environment, but the environment isn't displayed in the **Shared with you** list, check with the environment owner.
   + In the top navigation bar, choose a different AWS Region.

## Deleting an Environment with code
<a name="delete-environment-code"></a>

**Warning**  
When you delete an environment, AWS Cloud9 deletes the environment permanently. This includes permanently deleting all related settings, user data, and uncommitted code. Deleted environments can't be recovered.

To use code to delete an environment in AWS Cloud9, call the AWS Cloud9 delete environment operation, as follows.


****  

|  |  | 
| --- |--- |
|  AWS CLI  |   [delete-environment](https://docs.aws.amazon.com/cli/latest/reference/cloud9/delete-environment.html)   | 
|  AWS SDK for C\$1\$1  |   [DeleteEnvironmentRequest](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_delete_environment_request.html), [DeleteEnvironmentResult](https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_cloud9_1_1_model_1_1_delete_environment_result.html)   | 
|  AWS SDK for Go  |   [DeleteEnvironment](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironment), [DeleteEnvironmentRequest](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironmentRequest), [DeleteEnvironmentWithContext](https://docs.aws.amazon.com/sdk-for-go/api/service/cloud9/#Cloud9.DeleteEnvironmentWithContext)   | 
|  AWS SDK for Java  |   [DeleteEnvironmentRequest](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/DeleteEnvironmentRequest.html), [DeleteEnvironmentResult](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cloud9/model/DeleteEnvironmentResult.html)   | 
|  AWS SDK for JavaScript  |   [deleteEnvironment](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Cloud9.html#deleteEnvironment-property)   | 
|  AWS SDK for .NET  |   [DeleteEnvironmentRequest](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TDeleteEnvironmentRequest.html), [DeleteEnvironmentResponse](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Cloud9/TDeleteEnvironmentResponse.html)   | 
|  AWS SDK for PHP  |   [deleteEnvironment](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cloud9-2017-09-23.html#deleteenvironment)   | 
|  AWS SDK for Python (Boto)  |   [delete\$1environment](https://boto3.readthedocs.io/en/latest/reference/services/cloud9.html#Cloud9.Client.delete_environment)   | 
|  AWS SDK for Ruby  |   [delete\$1environment](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Cloud9/Client.html#delete_environment-instance_method)   | 
|  AWS Tools for Windows PowerShell  |   [Remove-C9Environment](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-C9Environment.html)   | 
|  AWS Cloud9 API  |   [DeleteEnvironment](https://docs.aws.amazon.com/cloud9/latest/APIReference/API_DeleteEnvironment.html)   |