

# Working with Amazon EC2 instances for CodeDeploy
<a name="instances-ec2"></a>

An Amazon EC2 instance is a virtual computing environment that you create and configure using Amazon Elastic Compute Cloud. Amazon EC2 provides scalable computing capacity in the AWS Cloud. You can use Amazon EC2 to launch as many or as few virtual servers as you need for your CodeDeploy deployments.

For more information about Amazon EC2, see [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/).

The instructions in this section show you how to create and configure Amazon EC2 instances for use in your CodeDeploy deployments.

**Topics**
+ [Create an Amazon EC2 instance for CodeDeploy](instances-ec2-create.md)
+ [Create an Amazon EC2 instance (CloudFormation template)](instances-ec2-create-cloudformation-template.md)
+ [Configure an Amazon EC2 instance](instances-ec2-configure.md)

# Create an Amazon EC2 instance for CodeDeploy (AWS CLI or Amazon EC2 console)
<a name="instances-ec2-create"></a>

These instructions show you how to launch a new Amazon EC2 instance that is configured for use in CodeDeploy deployments.

You can use our CloudFormation template to launch an Amazon EC2 instance running Amazon Linux or Windows Server that is already configured for use in CodeDeploy deployments. We do not provide a CloudFormation template for Amazon EC2 instances running Ubuntu Server or Red Hat Enterprise Linux (RHEL). For alternatives to the use of the template, see [Working with instances for CodeDeploy](instances.md).

You can use the Amazon EC2 console, AWS CLI, or Amazon EC2 APIs to launch an Amazon EC2 instance.

## Launch an Amazon EC2 instance (console)
<a name="instances-ec2-create-console"></a>

### Prerequisites
<a name="instances-ec2-create-console-prerequisites"></a>

If you have not done so already, follow the instructions in [Getting started with CodeDeploy](getting-started-codedeploy.md) to set up and configure the AWS CLI and create an IAM instance profile.

### Launch an Amazon EC2 instance
<a name="instances-ec2-create-console-steps"></a>

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Instances**, and then choose **Launch Instance**.

1. On the **Step 1: Choose an Amazon Machine Image (AMI)** page, from the **Quick Start** tab, locate the operating system and version you want to use, and then choose **Select**. You must choose an Amazon EC2 AMI operating system supported by CodeDeploy. For more information, see [Operating systems supported by the CodeDeploy agent](codedeploy-agent.md#codedeploy-agent-supported-operating-systems).

1. On the **Step 2: Choose an Instance Type** page, choose any available Amazon EC2 instance type, and then choose **Next: Configure Instance Details**.

1. On the **Step 3: Configure Instance Details** page, in the **IAM role** list, choose the IAM instance role you created in [Step 4: Create an IAM instance profile for your Amazon EC2 instances](getting-started-create-iam-instance-profile.md). If you used the suggested role name, then choose **CodeDeployDemo-EC2-Instance-Profile**. If you created your own role name, choose that.
**Note**  
If a default virtual private cloud (VPC) is not displayed in the **Network** list, you must choose or create an Amazon VPC and subnet. Choose **Create new VPC** or **Create new subnet** or both. For more information, see [Your VPC and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html).

1. Choose **Next: Add Storage**.

1. Leave the **Step 4: Add Storage** page unchanged, and choose **Next: Add Tags**.

1. On the **Step 5: Add Tags** page, choose **Add Tag**. 

1. In the **Key** box, type **Name**. In the **Value** box, type **CodeDeployDemo**.
**Important**  
The contents of the **Key** and **Value** boxes are case-sensitive.

1. Choose **Next: Configure Security Group**.

1. On the **Step 6: Configure Security Group** page, leave the **Create a new security group** option selected.

   A default SSH rule is configured for Amazon EC2 instances running Amazon Linux, Ubuntu Server, or RHEL. A default RDP rule is configured for Amazon EC2 instances running Windows Server.

1. If you want to open the HTTP port, choose the **Add Rule** button, and from the **Type** drop-down list, choose **HTTP**. Accept the default **Source** value of **Custom 0.0.0.0/0**, and then choose **Review and Launch**.
**Note**  
In a production environment, we recommend restricting access to the SSH, RDP, and HTTP ports, instead of specifying **Anywhere 0.0.0.0/0**. CodeDeploy does not require unrestricted port access and does not require HTTP access. For more information, see [Tips for securing your Amazon EC2 instance](https://aws.amazon.com/articles/1233).

   If a **Boot from General Purpose (SSD)** dialog box appears, follow the instructions, and then choose **Next**.

1. Leave the **Step 7: Review Instance Launch** page unchanged, and choose **Launch**.

1. In the **Select an existing key pair or create a new key pair** dialog box, choose either **Choose an existing key pair** or **Create a new key pair**. If you've already configured an Amazon EC2 instance key pair, you can choose it here.

   If you don't already have an Amazon EC2 instance key pair, choose **Create a new key pair** and give it a recognizable name. Choose **Download Key Pair** to download the Amazon EC2 instance key pair to your computer.
**Important**  
You must have a key pair if you want to access your Amazon EC2 instance with SSH or RDP.

1. Choose **Launch Instances**.

1. Choose the ID for your Amazon EC2 instance. Do not continue until the instance has been launched and passed all checks.

### Install the CodeDeploy agent
<a name="instances-ec2-create-console-agent"></a>

The CodeDeploy agent must be installed on your Amazon EC2 instance before using it in CodeDeploy deployments. For more information, see [Install the CodeDeploy agent](codedeploy-agent-operations-install.md).

**Note**  
You can configure automatic installation and updates of the CodeDeploy agent when you create your deployment group in the console.

## Launch an Amazon EC2 instance (CLI)
<a name="instances-ec2-create-cli"></a>

### Prerequisites
<a name="instances-ec2-create-cli-prerequisites"></a>

If you have not done so already, follow the instructions in [Getting started with CodeDeploy](getting-started-codedeploy.md) to set up and configure the AWS CLI and create an IAM instance profile.

### Launch an Amazon EC2 instance
<a name="instances-ec2-create-cli-steps"></a>

1. **For Windows Server only** If you are creating an Amazon EC2 instance running Windows Server, call the **create-security-group** and **authorize-security-group-ingress** commands to create a security group that allows RDP access (which is not allowed by default) and, optionally, HTTP access. For example, to create a security group named *CodeDeployDemo-Windows-Security-Group*, run the following commands, one at a time:

   ```
   aws ec2 create-security-group --group-name CodeDeployDemo-Windows-Security-Group --description "For launching Windows Server images for use with CodeDeploy"
   ```

   ```
   aws ec2 authorize-security-group-ingress --group-name CodeDeployDemo-Windows-Security-Group --to-port 3389 --ip-protocol tcp --cidr-ip 0.0.0.0/0 --from-port 3389
   ```

   ```
   aws ec2 authorize-security-group-ingress --group-name CodeDeployDemo-Windows-Security-Group --to-port 80 --ip-protocol tcp --cidr-ip 0.0.0.0/0 --from-port 80
   ```
**Note**  
For demonstration purposes, these commands create a security group that allows unrestricted access for RDP through port 3389 and, optionally, HTTP through port 80. As a best practice, we recommend restricting access to the RDP and HTTP ports. CodeDeploy does not require unrestricted port access and does not require HTTP access. For more information, see [Tips for securing your Amazon EC2 instance](https://aws.amazon.com/articles/1233).

1. Call the **run-instances** command to create and launch the Amazon EC2 instance.

   Before you call this command, you need to collect the following: 
   + The ID of an Amazon Machine Image (AMI) (*ami-id*) you use for the instance. To get the ID, see [Finding a suitable AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html).
   + The name of the type of Amazon EC2 instance (*instance-type*) you create, such as `t1.micro`. For a list, see [Amazon EC2 instance types](https://aws.amazon.com/ec2/instance-types/).
   + The name of an IAM instance profile with permission to access the Amazon S3 bucket where the CodeDeploy agent installation files for your region are stored. 

     For information about creating an IAM instance profile, see [Step 4: Create an IAM instance profile for your Amazon EC2 instances](getting-started-create-iam-instance-profile.md).
   + The name of an Amazon EC2 instance key pair (*key-name*) to enable SSH access to an Amazon EC2 instance running Amazon Linux, Ubuntu Server, or RHEL or RDP access to an Amazon EC2 instance running Windows Server.
**Important**  
Type the key pair name only, not the key pair file extension. For example, *my-keypair*, not *my-keypair.pem*.

     To find a key pair name, open the Amazon EC2 console at [https://console.aws.amazon.com/ec2](https://console.aws.amazon.com/ec2). In the navigation pane, under **Network & Security**, choose **Key Pairs**, and note the key pair name in the list. 

     To generate a key pair, see [Creating your key pair using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair). Be sure you create the key pair in one of the regions listed in [Region and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#codedeploy_region) in *AWS General Reference*. Otherwise, you won't be able to use the Amazon EC2 instance key pair with CodeDeploy.

   **For Amazon Linux, RHEL, and Ubuntu Server**

   Call the **run-instances** command to launch an Amazon EC2 instance running Amazon Linux, Ubuntu Server, or RHEL and attach the IAM instance profile you created in [Step 4: Create an IAM instance profile for your Amazon EC2 instances](getting-started-create-iam-instance-profile.md). For example:

   ```
   aws ec2 run-instances \
     --image-id ami-id \
     --key-name key-name \
     --count 1 \
     --instance-type instance-type \
     --iam-instance-profile Name=iam-instance-profile
   ```
**Note**  
This command creates a default security group for the Amazon EC2 instance that allows access to several ports, including unrestricted access for SSH through port 22 and, optionally, HTTP through port 80. As a best practice, we recommend restricting access to the SSH and HTTP ports only. CodeDeploy does not require unrestricted port access and does not require HTTP port access. For more information, see [Tips for securing your Amazon EC2 instance](https://aws.amazon.com/articles/1233).

   **For Windows Server**

   Call the **run-instances** command to launch an Amazon EC2 instance running Windows Server, attach the IAM instance profile you created in [Step 4: Create an IAM instance profile for your Amazon EC2 instances](getting-started-create-iam-instance-profile.md), and specify the name of the security group you created in Step 1. For example:

   ```
   aws ec2 run-instances --image-id ami-id --key-name key-name --count 1 --instance-type instance-type --iam-instance-profile Name=iam-instance-profile --security-groups CodeDeployDemo-Windows-Security-Group
   ```

   These commands launch a single Amazon EC2 instance with the specified AMI, key pair, and instance type, with the specified IAM instance profile, and run the specified script during launch. 

1. Note the value of the `InstanceId` in the output. If you forget this value, you can get it later by calling the **describe-instances** command against the Amazon EC2 instance key pair.

   ```
   aws ec2 describe-instances --filters "Name=key-name,Values=keyName" --query "Reservations[*].Instances[*].[InstanceId]" --output text
   ```

   Use the instance ID to call the **create-tags** command, which tags the Amazon EC2 instance so that CodeDeploy can find it later during a deployment. In the following example, the tag is named **CodeDeployDemo**, but you can specify any Amazon EC2 instance tag you want.

   ```
   aws ec2 create-tags --resources instance-id --tags Key=Name,Value=CodeDeployDemo
   ```

   You can apply multiple tags to an instance at the same time. For example:

   ```
   aws ec2 create-tags --resources instance-id --tags Key=Name,Value=testInstance Key=Region,Value=West Key=Environment,Value=Beta
   ```

   To verify the Amazon EC2 instance has been launched and passed all checks, use the instance ID to call the **describe-instance-status** command. 

   ```
   aws ec2 describe-instance-status --instance-ids instance-id --query "InstanceStatuses[*].InstanceStatus.[Status]" --output text 
   ```

If the instance has been launched and passed all checks, `ok` appears in the output.

### Install the CodeDeploy agent
<a name="instances-ec2-create-console-agent"></a>

The CodeDeploy agent must be installed on your Amazon EC2 instance before using it in CodeDeploy deployments. For more information, see [Install the CodeDeploy agent](codedeploy-agent-operations-install.md).

**Note**  
You can configure automatic installation and updates of the CodeDeploy agent when you create your deployment group in the console.

# Create an Amazon EC2 instance for CodeDeploy (CloudFormation template)
<a name="instances-ec2-create-cloudformation-template"></a>

You can use our CloudFormation template to quickly launch an Amazon EC2 instance running Amazon Linux or Windows Server. You can use the AWS CLI, the CodeDeploy console, or the AWS APIs to launch the instance with the template. In addition to launching the instance, the template does the following:
+ Instructs CloudFormation to give the instance permission to participate in CodeDeploy deployments.
+ Tags the instance so CodeDeploy can find it during a deployment.
+ Installs and runs the CodeDeploy agent on the instance.

You don't have to use our CloudFormation template to set up an Amazon EC2 instance. For alternatives, see [Working with instances for CodeDeploy](instances.md).

We do not provide a CloudFormation template for Amazon EC2 instances running Ubuntu Server or Red Hat Enterprise Linux (RHEL).

**Topics**
+ [Before you begin](#instances-ec2-create-cloudformation-template-before)
+ [Launch an Amazon EC2 instance with the CloudFormation template (console)](#instances-ec2-create-cloudformation-template-console)
+ [Launch an Amazon EC2 instance with the CloudFormation template (AWS CLI)](#instances-ec2-create-cloudformation-template-cli)

## Before you begin
<a name="instances-ec2-create-cloudformation-template-before"></a>

Before you can use the CloudFormation template to launch Amazon EC2 instances, make sure you complete the following steps.

1. Make sure you have created an administrative user, as described in [Step 1: Setting up](getting-started-setting-up.md). Double-check that the user has the following minimum permissions and add any that are not present:
   + cloudformation:*
   + codedeploy:*
   + ec2:*
   + iam:AddRoleToInstanceProfile
   + iam:CreateInstanceProfile
   + iam:CreateRole
   + iam:DeleteInstanceProfile
   + iam:DeleteRole
   + iam:DeleteRolePolicy
   + iam:GetRole
   + iam:PutRolePolicy
   + iam:RemoveRoleFromInstanceProfile

1. Make sure you have an instance key pair to enable SSH access to the Amazon EC2 instance running Amazon Linux or RDP access to the instance running Windows Server.

   To find a key pair name, open the Amazon EC2 console at [https://console.aws.amazon.com/ec2](https://console.aws.amazon.com/ec2). In the navigation pane, under **Network & Security**, choose **Key Pairs**, and note the key pair name in the list. 

   To generate a new key pair, see [Creating your key pair using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair). Be sure the key pair is created in one of the regions listed in [Region and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#codedeploy_region) in *AWS General Reference*. Otherwise, you can't use the instance key pair with CodeDeploy.

## Launch an Amazon EC2 instance with the CloudFormation template (console)
<a name="instances-ec2-create-cloudformation-template-console"></a>

1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
**Important**  
Sign in to the AWS Management Console with the same account you used in [Getting started with CodeDeploy](getting-started-codedeploy.md). On the navigation bar, in the region selector, choose one of the regions listed in [Region and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#codedeploy_region) in *AWS General Reference*. CodeDeploy supports these regions only.

1. Choose **Create Stack**.

1. In **Choose a template**, choose **Specify an Amazon S3 template URL**. In the box, type the location of the CloudFormation template for your region, and then choose **Next**.  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/codedeploy/latest/userguide/instances-ec2-create-cloudformation-template.html)

1. In the **Stack name** box, type a name for the stack (for example, **CodeDeployDemoStack**).

1. In **Parameters**, type the following, and then choose **Next**.
   + For **InstanceCount**, type the number of instances you want to launch. (We recommend you leave the default of **1**.)
   + For **InstanceType**, type the instance type you want to launch (or leave the default of **t1.micro**).
   + For **KeyPairName**, type the instance key pair name. Type the key pair name only, not the key pair file extension.
   + For **OperatingSystem**, type **Windows** to launch instances running Windows Server (or leave the default of **Linux**).
   + For **SSHLocation**, type the IP address range to use for connecting to the instance with SSH or RDP (or leave the default of **0.0.0.0/0**).
**Important**  
The default of **0.0.0.0/0** is provided for demonstration purposes only. CodeDeploy does not require Amazon EC2 instances to have unrestricted access to ports. As a best practice, we recommend restricting access to SSH (and HTTP) ports. For more information, see [Tips for securing your Amazon EC2 instance](https://aws.amazon.com/articles/1233).
   + For **TagKey**, type the instance tag key CodeDeploy will use to identify the instances during deployment (or leave the default of **Name**).
   + For **TagValue**, type the instance tag value CodeDeploy will use to identify the instances during deployment (or leave the default of **CodeDeployDemo**).

1. On the **Options** page, leave the option boxes blank, and choose **Next**.
**Important**  
CloudFormation tags are different from CodeDeploy tags. CloudFormation uses tags to simplify administration of your infrastructure. CodeDeploy uses tags to identify Amazon EC2 instances. You specified CodeDeploy tags on the **Specify Parameters** page.

1. On the **Review** page, in **Capabilities**, select the **I acknowledge that CloudFormation might create IAM resources** box, and then choose **Create**.

   After CloudFormation has created the stack and launched the Amazon EC2 instances, in the CloudFormation console, **CREATE_COMPLETE** will be displayed in the **Status** column. This process can take several minutes.

To verify the CodeDeploy agent is running on the Amazon EC2 instances, see [Managing CodeDeploy agent operations](codedeploy-agent-operations.md), and then proceed to [Create an application with CodeDeploy](applications-create.md).

## Launch an Amazon EC2 instance with the CloudFormation template (AWS CLI)
<a name="instances-ec2-create-cloudformation-template-cli"></a>

1. Use our CloudFormation template in a call to the **create-stack** command. This stack will launch a new Amazon EC2 instance with the CodeDeploy agent installed.

   To launch an Amazon EC2 instance running Amazon Linux:

   ```
   aws cloudformation create-stack \
     --stack-name CodeDeployDemoStack \
     --template-url template-url \
     --parameters ParameterKey=InstanceCount,ParameterValue=1 ParameterKey=InstanceType,ParameterValue=t1.micro \
       ParameterKey=KeyPairName,ParameterValue=keyName ParameterKey=OperatingSystem,ParameterValue=Linux \
       ParameterKey=SSHLocation,ParameterValue=0.0.0.0/0 ParameterKey=TagKey,ParameterValue=Name \
       ParameterKey=TagValue,ParameterValue=CodeDeployDemo \
     --capabilities CAPABILITY_IAM
   ```

   To launch an Amazon EC2 instance running Windows Server: 

   ```
   aws cloudformation create-stack --stack-name CodeDeployDemoStack --template-url template-url --parameters ParameterKey=InstanceCount,ParameterValue=1 ParameterKey=InstanceType,ParameterValue=t1.micro ParameterKey=KeyPairName,ParameterValue=keyName ParameterKey=OperatingSystem,ParameterValue=Windows ParameterKey=SSHLocation,ParameterValue=0.0.0.0/0 ParameterKey=TagKey,ParameterValue=Name ParameterKey=TagValue,ParameterValue=CodeDeployDemo --capabilities CAPABILITY_IAM
   ```

   *keyName* is the instance key pair name. Type the key pair name only, not the key pair file extension.

   *template-url* is the location of the CloudFormation template for your region:  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/codedeploy/latest/userguide/instances-ec2-create-cloudformation-template.html)

   This command creates a CloudFormation stack named **CodeDeployDemoStack**, using the CloudFormation template in the specified Amazon S3 bucket. The Amazon EC2 instance is based on the t1.micro instance type, but you can use any type. It is tagged with the value **CodeDeployDemo**, but you can tag it with any value. It has the specified instance key pair applied.

1. Call the **describe-stacks** command to verify the CloudFormation stack named **CodeDeployDemoStack** was successfully created:

   ```
   aws cloudformation describe-stacks --stack-name CodeDeployDemoStack --query "Stacks[0].StackStatus" --output text
   ```

   Do not proceed until the value `CREATE_COMPLETE` is returned.

To verify the CodeDeploy agent is running on the Amazon EC2 instance, see [Managing CodeDeploy agent operations](codedeploy-agent-operations.md), and then proceed to [Create an application with CodeDeploy](applications-create.md).
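The notes above recommend replacing the demonstration value **0.0.0.0/0** for SSH, RDP, and HTTP, whether the security group comes from the console, from **authorize-security-group-ingress**, or from the template's **SSHLocation** parameter. The following added example (not part of the CodeDeploy documentation or tooling) reports which ingress rules still expose those ports to every address, reading JSON in the shape that `aws ec2 describe-security-groups` returns. The sample data is constructed, and every group name except `CodeDeployDemo-Windows-Security-Group` is made up.

```python
import ipaddress
import json

# Ports named in the notes above: SSH, HTTP and RDP.
WATCHED_PORTS = {22: "SSH", 80: "HTTP", 3389: "RDP"}

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Only the first group name comes from the page; everything else is made up.
SAMPLE_OUTPUT = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupName": "CodeDeployDemo-Windows-Security-Group",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupName": "example-restricted-admin",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupName": "example-wide-range",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 100,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
      ]
    }
  ]
}
""")


def is_world(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covered_ports(permission):
    """Return the watched ports that one IpPermissions entry allows."""
    protocol = permission.get("IpProtocol")
    if protocol == "-1":  # "all traffic" rules carry no port range
        return sorted(WATCHED_PORTS)
    if protocol != "tcp":
        return []
    low, high = permission.get("FromPort"), permission.get("ToPort")
    if low is None or high is None:
        return []
    return [port for port in sorted(WATCHED_PORTS) if low <= port <= high]


def open_to_world(describe_output):
    """List (group, port, service, cidr) for each watched port open to all."""
    findings = []
    for group in describe_output.get("SecurityGroups", []):
        for permission in group.get("IpPermissions", []):
            ports = covered_ports(permission)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world(cidr):
                    for port in ports:
                        findings.append(
                            (group["GroupName"], port, WATCHED_PORTS[port], cidr)
                        )
    return findings


if __name__ == "__main__":
    for name, port, service, cidr in open_to_world(SAMPLE_OUTPUT):
        print(f"{name}: {service} (tcp/{port}) is open to {cidr}")
```

To check a real account, save the output of `aws ec2 describe-security-groups` to a file and pass the parsed JSON to `open_to_world`.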

# Configure an Amazon EC2 instance to work with CodeDeploy
<a name="instances-ec2-configure"></a>

These instructions show you how to configure an Amazon EC2 instance running Amazon Linux, Ubuntu Server, Red Hat Enterprise Linux (RHEL), or Windows Server for use in CodeDeploy deployments.

**Note**  
If you do not have an Amazon EC2 instance, you can use the CloudFormation template to launch one running Amazon Linux or Windows Server. We do not provide a template for Ubuntu Server or RHEL.

## Step 1: Verify an IAM instance profile is attached to your Amazon EC2 instance
<a name="instances-ec2-configure-1-verify-instance-profile-attached"></a>

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Instances**, choose **Instances**.

1. Browse to and choose your Amazon EC2 instance in the list.

1. In the details pane, on the **Description** tab, note the value in the **IAM role** field, and then proceed to the next section.

   If the field is empty, you can attach an IAM instance profile to the instance. For information, see [Attaching an IAM role to an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role).

## Step 2: Verify the attached IAM instance profile has the correct access permissions
<a name="instances-ec2-configure-2-verify-instance-profile-permissions"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. Browse to and choose the IAM role name you noted in step 4 of the previous section.
**Note**  
If you want to use the service role generated by the CloudFormation template instead of one you created by following the instructions in [Step 2: Create a service role for CodeDeploy](getting-started-create-service-role.md), note the following:  
In some versions of our CloudFormation template, the display name of the IAM instance profile generated and attached to the Amazon EC2 instances is not the same as the display name in the IAM console. For example, the IAM instance profile might have a display name of `CodeDeploySampleStack-expnyi6-InstanceRoleInstanceProfile-IK8J8A9123EX`, while the IAM instance profile in the IAM console might have a display name of `CodeDeploySampleStack-expnyi6-InstanceRole-C5P33V1L64EX`.  
To help you identify the instance profile in the IAM console, you'll see the prefix of `CodeDeploySampleStack-expnyi6-InstanceRole` is the same for both. For information about why these display names might be different, see [Instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html).

1. Choose the **Trust Relationships** tab. If there is no entry in **Trusted Entities** that reads **The identity provider(s) ec2.amazonaws.com**, you cannot use this Amazon EC2 instance. Stop and create an Amazon EC2 instance using the information in [Working with instances for CodeDeploy](instances.md).

   If there is an entry that reads **The identity provider(s) ec2.amazonaws.com**, and you are storing your applications in GitHub repositories only, then skip ahead to [Step 3: Tag the Amazon EC2 instance](#instances-ec2-configure-3-tag-instance).

   If there is an entry that reads **The identity provider(s) ec2.amazonaws.com**, and you are storing your applications in Amazon S3 buckets, choose the **Permissions** tab.

1. If there is a policy in the **Permissions policies** area, expand the policy, then choose **Edit policy**.

1. Choose the **JSON** tab. If you are storing your applications in Amazon S3 buckets, make sure `"s3:Get*"` and `"s3:List*"` are in the list of specified actions. 

   It may look something like this:

   ```
   {"Statement":[{"Resource":"*","Action":[
     ... Some actions may already be listed here ...
     "s3:Get*","s3:List*"
     ... Some more actions may already be listed here ...
     ],"Effect":"Allow"}]}
   ```

   Or it may look something like this:

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "s3:Get*",
           "s3:List*"
         ],
         "Resource": "*"
       }
     ]
   }
   ```

   If `"s3:Get*"` and `"s3:List*"` are not in the list of specified actions, choose **Edit** to add them, and then choose **Save**. (If neither `"s3:Get*"` nor `"s3:List*"` is the last action in the list, be sure to add a comma after the action, so the policy document validates.)
**Note**  
We recommend that you restrict this policy to only those Amazon S3 buckets your Amazon EC2 instances must access. Make sure to give access to the Amazon S3 buckets that contain the CodeDeploy agent. Otherwise, an error might occur when the CodeDeploy agent is installed or updated on the instances. To grant the IAM instance profile access to only some CodeDeploy resource kit buckets in Amazon S3, use the following policy, but remove the lines for buckets you want to prevent access to:  

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "s3:Get*",
           "s3:List*"
         ],
         "Resource": [
           "arn:aws:s3:::amzn-s3-demo-bucket/*",
           "arn:aws:s3:::aws-codedeploy-us-east-2/*",
           "arn:aws:s3:::aws-codedeploy-us-east-1/*",
           "arn:aws:s3:::aws-codedeploy-us-west-1/*",
           "arn:aws:s3:::aws-codedeploy-us-west-2/*",
           "arn:aws:s3:::aws-codedeploy-ca-central-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-2/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-3/*",
           "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-central-2/*",
           "arn:aws:s3:::aws-codedeploy-eu-north-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-south-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-south-2/*",
           "arn:aws:s3:::aws-codedeploy-il-central-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-east-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-3/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-3/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-4/*",
           "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-south-2/*",
           "arn:aws:s3:::aws-codedeploy-me-central-1/*",
           "arn:aws:s3:::aws-codedeploy-me-south-1/*",
           "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
         ]
       }
     ]
   }
   ```
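The following added example (not code from the CodeDeploy documentation) applies the two checks in this step to a policy document: whether `s3:Get*` and `s3:List*` are granted, and whether they are granted on every bucket. It then builds the restricted form shown above for a chosen set of regions. The function names are hypothetical, and the audit assumes plain `Allow` statements with `Action` and `Resource` keys; it ignores `NotAction`, `NotResource`, and `Condition`.

```python
import json
import re

# The two action patterns this step says the instance profile needs.
REQUIRED = ("s3:Get*", "s3:List*")

# The wide policy shown earlier in this step (Resource "*").
PAGE_WIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
    ],
}


def as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def covers(granted, required):
    """True if action pattern `granted` includes all of `required`.

    `required` is a 'prefix*' pattern. Action names are case-insensitive.
    Only an exact match or a single trailing '*' (such as 's3:*') counts.
    """
    g, r = granted.lower(), required.lower()
    if g == r:
        return True
    head = g[:-1]
    return g.endswith("*") and "*" not in head and "?" not in head and r.startswith(head)


def audit(policy):
    """Report missing required actions and whether they apply to all buckets."""
    missing = set(REQUIRED)
    wildcard_resource = False
    for statement in as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        actions = as_list(statement.get("Action"))
        granted = {r for r in REQUIRED if any(covers(a, r) for a in actions)}
        if not granted:
            continue
        missing -= granted
        resources = as_list(statement.get("Resource"))
        if any(res in ("*", "arn:aws:s3:::*") for res in resources):
            wildcard_resource = True
    return {"missing_actions": sorted(missing), "wildcard_resource": wildcard_resource}


def scoped_policy(app_bucket, regions):
    """Build the restricted policy form from this step for the given regions."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", app_bucket):
        raise ValueError(f"not a valid bucket name: {app_bucket!r}")
    resources = [f"arn:aws:s3:::{app_bucket}/*"]
    for region in regions:
        if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-[0-9]", region):
            raise ValueError(f"not a region name: {region!r}")
        # Bucket naming pattern taken from the policy on this page.
        resources.append(f"arn:aws:s3:::aws-codedeploy-{region}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(REQUIRED), "Resource": resources}
        ],
    }


if __name__ == "__main__":
    print("page policy:", audit(PAGE_WIDE_POLICY))
    tight = scoped_policy("amzn-s3-demo-bucket", ["us-east-2"])
    print(json.dumps(tight, indent=2))
    print("scoped policy:", audit(tight))
```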

## Step 3: Tag the Amazon EC2 instance
<a name="instances-ec2-configure-3-tag-instance"></a>

For instructions about how to tag the Amazon EC2 instance so that CodeDeploy can find it during a deployment, see [Working with tags in the console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console), and then return to this page.

**Note**  
You can tag the Amazon EC2 instance with any key and value you like. Just make sure to specify this key and value when you deploy to it.

## Step 4: Install the AWS CodeDeploy agent on the Amazon EC2 instance
<a name="instances-ec2-configure-4-install-agent"></a>

For instructions about how to install the CodeDeploy agent on the Amazon EC2 instance and verify it is running, see [Managing CodeDeploy agent operations](codedeploy-agent-operations.md), and then proceed to [Create an application with CodeDeploy](applications-create.md).