# Add an EC2 instance

> Add your AWS EC2 instances to Opal to allow your developers to request temporary access.

<Info>
  This guide assumes you've already [configured your AWS organization in
  Opal](/integrations/setting-up-your-aws-organization-in-opal).
</Info>

The following diagram illustrates how Opal connects to AWS EC2. Use this guide to learn how you can add EC2 instances to Opal.

<img src="https://mintcdn.com/opalsecurity/fu-nWazMe1LxLhxi/images/docs/2b9f012-AWSEC2.png?fit=max&auto=format&n=fu-nWazMe1LxLhxi&q=85&s=adbcdd4566218272f3782b681fa2e598" alt="1920" width="1920" height="1080" data-path="images/docs/2b9f012-AWSEC2.png" />

With Opal, you can grant shell (`ssh`-style) access to any EC2 instance running on AWS to your developers in minutes. Opal does this through AWS Systems Manager Session Manager, so the instance needs no inbound port 22, no bastion host and no long-lived SSH key pair. To make this available for your organization, you'll have to enable a few things.

## Add an EC2 instance

### 1. Enable Systems Manager Session Manager (SSM)

By default, an EC2 instance is not reachable through Session Manager. The SSM Agent on the instance can only register with Systems Manager when it has credentials from an IAM role attached to the instance as an instance profile, and that role must carry the `AmazonSSMManagedInstanceCore` AWS-managed policy. If no instance profile is attached to the instance, you'll have to create one. The instance also needs the SSM Agent installed (it is preinstalled on Amazon Linux and the official Ubuntu AMIs) and outbound HTTPS reachability to the Systems Manager endpoints, through a NAT gateway or VPC interface endpoints. To determine whether your EC2 instance already has a role attached to it, check the AWS Console using the following instructions:

#### 1a. Check the AWS Console

First navigate to your running [EC2 instances using this link](https://console.aws.amazon.com/ec2/v2/home#Instances:instanceState=running).

<Frame caption="View your EC2 instances in the console.">
  <img src="https://mintcdn.com/opalsecurity/TlQj9FwRe9HHNEYB/images/docs/0a00ea4-Screen_Shot_2020-12-03_at_4.29.27_PM.png?fit=max&auto=format&n=TlQj9FwRe9HHNEYB&q=85&s=f1a980e6753a8971424b982798578ecf" width="2584" height="496" data-path="images/docs/0a00ea4-Screen_Shot_2020-12-03_at_4.29.27_PM.png" />
</Frame>

Now click on the instance ID of the EC2 in question, and verify whether a role is attached already.

<Frame caption="EC2 instance with an IAM role already attached.">
  <img src="https://mintcdn.com/opalsecurity/4Xj9diJ3E3kX-9Xd/images/docs/eac0347-Screen_Shot_2020-12-03_at_4.29.45_PM.png?fit=max&auto=format&n=4Xj9diJ3E3kX-9Xd&q=85&s=bff812c0e7ba7ce6aa2d234b4f893c58" width="2576" height="986" data-path="images/docs/eac0347-Screen_Shot_2020-12-03_at_4.29.45_PM.png" />
</Frame>

If a role already exists then skip to Step 1c. Otherwise, proceed to Step 1b.

#### 1b. Create an IAM role

If a role was already attached, skip to Step 1c. Otherwise, create a new IAM role for the EC2 service using the steps below:

<Frame caption="Create a new IAM role.">
  <img src="https://mintcdn.com/opalsecurity/odnvD_MsXBxTor9u/images/docs/78f2db4-Screen_Shot_2020-12-03_at_4.50.33_PM.png?fit=max&auto=format&n=odnvD_MsXBxTor9u&q=85&s=a6f016b8900cafff367babc35b18217d" width="1996" height="1454" data-path="images/docs/78f2db4-Screen_Shot_2020-12-03_at_4.50.33_PM.png" />
</Frame>

Attach the `AmazonSSMManagedInstanceCore` policy to your new role; this is the only policy Session Manager requires. Also attach `CloudWatchAgentServerPolicy` if the instance runs the CloudWatch agent; otherwise leave it off to keep the role least-privilege.

<Frame caption="Find the policy that enables SSM on your instance.">
  <img src="https://mintcdn.com/opalsecurity/fu-nWazMe1LxLhxi/images/docs/339373c-Screen_Shot_2020-12-03_at_4.51.42_PM.png?fit=max&auto=format&n=fu-nWazMe1LxLhxi&q=85&s=8440fbdcadd1ace49e7df9beda026bda" width="2028" height="684" data-path="images/docs/339373c-Screen_Shot_2020-12-03_at_4.51.42_PM.png" />
</Frame>

Finally, attach your newly created role to your EC2 instance (Actions > Security > Modify IAM role). Since your instance didn't originally have a role attached, **you'll need to restart the SSM Agent, or simply the instance**, so the agent picks up the new role credentials and registers with Systems Manager. You can now skip to step 2!

#### 1c. Add the SSM policy to your existing role

Click on the role name shown in the EC2 dashboard to open it in IAM, then choose to attach a policy to it.

<Frame caption="Attach policies to an existing IAM role.">
  <img src="https://mintcdn.com/opalsecurity/fu-nWazMe1LxLhxi/images/docs/27bef46-Screen_Shot_2020-12-03_at_5.28.34_PM.png?fit=max&auto=format&n=fu-nWazMe1LxLhxi&q=85&s=8c555cd8cad909a0d727b5203b202d6b" width="2466" height="1040" data-path="images/docs/27bef46-Screen_Shot_2020-12-03_at_5.28.34_PM.png" />
</Frame>

Now search for the `AmazonSSMManagedInstanceCore` policy and attach it to your existing role. The instance profile that wraps the role picks up the change automatically; no restart is needed, although the instance may take a few minutes to appear as a managed node in Systems Manager.

### 2. Tag your EC2 instance

To have Opal automatically import your EC2 instance, you'll need to tag it. You can do this using the AWS Console, CLI, or Terraform below:

#### AWS Console

Navigate to your EC2 instance in the EC2 Dashboard.

<Frame caption="Find your EC2 instance in the dashboard.">
  <img src="https://mintcdn.com/opalsecurity/4Xj9diJ3E3kX-9Xd/images/docs/e49d07f-Screen_Shot_2020-12-03_at_5.38.14_PM.png?fit=max&auto=format&n=4Xj9diJ3E3kX-9Xd&q=85&s=87814c4a8625aa592733d3405a596728" width="2536" height="1236" data-path="images/docs/e49d07f-Screen_Shot_2020-12-03_at_5.38.14_PM.png" />
</Frame>

Select "Manage tags" and add the `opal` tag as seen below.

<Frame caption="Add an &#x22;opal&#x22; tag with an empty value.">
  <img src="https://mintcdn.com/opalsecurity/E-CmJXh0QNjZUl4g/images/docs/6093b1f-Screen_Shot_2020-12-03_at_5.39.10_PM.png?fit=max&auto=format&n=E-CmJXh0QNjZUl4g&q=85&s=c7ff3f6ede30abbde360e9cf7014e365" width="1684" height="734" data-path="images/docs/6093b1f-Screen_Shot_2020-12-03_at_5.39.10_PM.png" />
</Frame>

#### AWS CLI or Terraform

<CodeGroup>
  ```shell AWS CLI Commands theme={null}
  aws ec2 create-tags \
    --resources "i-0000000000" \
    --tags "Key=opal,Value="
  ```

  ```hcl Terraform (aws_instance) theme={null}
  # If you are using `aws_instance` in Terraform to provision EC2 nodes,
  # add the following `tags` argument to the `aws_instance`.

  tags = {
    opal = ""
  }
  ```

  ```hcl Terraform (aws_eks_node_group) theme={null}
  # If you are using an `aws_eks_node_group` to launch EC2 instances,
  # add the following launch template to your Terraform file.

  resource "aws_launch_template" "ec2_launch" {
    instance_type = YOUR_INSTANCE_TYPE

    tag_specifications {
      resource_type = "instance"

      tags = {
        opal = ""
      }
    }
  }

  # Then, reference the launch template in your EKS node group by
  # adding the following argument to your EKS node group.

  launch_template {
    id = aws_launch_template.ec2_launch.id
    version = aws_launch_template.ec2_launch.latest_version
  }
  ```
</CodeGroup>
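As an added example that is not code from Opal's documentation, steps 1 and 2 combined into a single Terraform configuration for a new instance: the EC2-trusted role from step 1b with only the required policy, the instance profile that delivers its credentials to the instance, and the instance carrying the empty-valued `opal` tag. The resource and variable names, the `t3.micro` instance type and the IMDSv2 setting are this example's own choices, not from the page.

```hcl
# Added example (not Opal's own code). Assumptions not taken from the page:
# resource/variable names, the instance type, and that the caller supplies
# an AMI that ships the SSM Agent plus a subnet with outbound HTTPS access.

variable "ami_id"    { type = string }
variable "subnet_id" { type = string }

# Step 1b: a role that only the EC2 service may assume.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "opal_ssm" {
  name               = "opal-ssm-ec2"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# AmazonSSMManagedInstanceCore is the only policy Session Manager needs.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.opal_ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# The instance profile is what actually gets attached to the instance.
resource "aws_iam_instance_profile" "opal_ssm" {
  name = "opal-ssm-ec2"
  role = aws_iam_role.opal_ssm.name
}

# Step 2: the instance itself. No key pair and no port-22 security group rule:
# Session Manager rides the SSM Agent's outbound connection.
resource "aws_instance" "opal_managed" {
  ami                  = var.ami_id
  instance_type        = "t3.micro"
  subnet_id            = var.subnet_id
  iam_instance_profile = aws_iam_instance_profile.opal_ssm.name

  # Require IMDSv2 so the role credentials cannot be read through an
  # SSRF or similar unauthenticated metadata request (added hardening).
  metadata_options {
    http_tokens = "required"
  }

  tags = {
    Name = "opal-managed-example"
    opal = "" # the tag Opal's importer looks for; the value is intentionally empty
  }
}

output "instance_id" {
  value = aws_instance.opal_managed.id
}
```

Apply with an AMI that includes the SSM Agent and a subnet that can reach the `ssm`, `ssmmessages` and `ec2messages` endpoints over HTTPS (NAT gateway or VPC interface endpoints). Once the agent has registered, `aws ssm describe-instance-information` lists the instance as a managed node, and Opal imports it from the `opal` tag on its next sync.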

### Optional: Enable KMS Encryption

#### 1. Create an Opal KMS key

To enable KMS encryption of session data, first create a KMS key with the alias `opalssmkms`. Under advanced options, make sure to create it as a multi-Region key, so the same key can serve instances in every Region Opal connects to.

#### 2. Enable encryption

You can enable encryption in the Session Manager console in AWS by going to **Systems Manager > Session Manager > Preferences > KMS Encryption** and selecting the key created in the previous step. Both sides of a session must be allowed to use the key: the instance profile role needs `kms:Decrypt` and the principal that starts the session needs `kms:GenerateDataKey` on the key, or session starts will fail once encryption is turned on.
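As an added example, not code from Opal's documentation, the optional key above expressed in Terraform together with a key policy that grants exactly the two permissions a Session Manager session needs. The variable names are this example's own; `var.instance_role_arn` is assumed to be the instance profile role from step 1, and `var.session_principal_arns` the IAM principals that start sessions (the page does not name the role Opal uses in your account, so it is passed in rather than guessed).

```hcl
# Added example (not Opal's own code). Assumed inputs, not from the page:
# the instance role ARN from step 1 and the principals that start sessions.

variable "instance_role_arn"      { type = string }
variable "session_principal_arns" { type = list(string) }

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "opalssmkms" {
  # The account root keeps administrative control so the key can never
  # become unmanageable if the other principals are deleted.
  statement {
    sid       = "EnableRootPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Instance side: the SSM Agent decrypts the per-session data key.
  statement {
    sid       = "AllowInstanceDecrypt"
    actions   = ["kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.instance_role_arn]
    }
  }

  # Client side: whoever starts the session generates that data key.
  statement {
    sid       = "AllowSessionStart"
    actions   = ["kms:GenerateDataKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = var.session_principal_arns
    }
  }
}

resource "aws_kms_key" "opalssmkms" {
  description         = "Session Manager session-data encryption for Opal"
  multi_region        = true # matches the "multi-Region" setting in step 1
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.opalssmkms.json
}

# The alias the guide asks for; select it in Session Manager > Preferences.
resource "aws_kms_alias" "opalssmkms" {
  name          = "alias/opalssmkms"
  target_key_id = aws_kms_key.opalssmkms.key_id
}

output "opalssmkms_key_arn" {
  value = aws_kms_key.opalssmkms.arn
}
```

Because the key policy names the principals directly, no additional IAM policy statements are required in the same account. Apply this before selecting the key under **Preferences > KMS Encryption**; if a principal that is missing from `session_principal_arns` tries to connect afterwards, the session fails at start rather than falling back to an unencrypted stream.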

## Access your instance in Opal

If you followed the above steps to configure your EC2 instance, it should now show up in Opal.

<Frame caption="EC2 instances in Opal.">
  <img src="https://mintcdn.com/opalsecurity/fu-nWazMe1LxLhxi/images/docs/24473b3-AWS-EC2.png?fit=max&auto=format&n=fu-nWazMe1LxLhxi&q=85&s=f1014cb52d715610c9b245eee52c5261" width="2958" height="1658" data-path="images/docs/24473b3-AWS-EC2.png" />
</Frame>

Permissions to EC2 instances are session-based, meaning they require your developers to initiate a session when they want to access that instance. They can do so by clicking the "**Connect**" button.

<img src="https://mintcdn.com/opalsecurity/CCjTTkaW-43B4efd/images/docs/ff68a03-EC2-Connect.png?fit=max&auto=format&n=CCjTTkaW-43B4efd&q=85&s=5ddffebb8a4ad26d8f1083b6a6d2ef29" alt="2312" width="2958" height="1658" data-path="images/docs/ff68a03-EC2-Connect.png" />

Once they're connected, they can open a shell on the instance using an in-browser command line or in their own terminal!

<Frame caption="Using an EC2 session in Opal.">
  <img src="https://mintcdn.com/opalsecurity/4Xj9diJ3E3kX-9Xd/images/docs/dee8cf7-Screen_Shot_2020-12-03_at_5.43.14_PM.png?fit=max&auto=format&n=4Xj9diJ3E3kX-9Xd&q=85&s=a461e40cf2f3bca1ee104bfc89d47b29" width="1080" height="1290" data-path="images/docs/dee8cf7-Screen_Shot_2020-12-03_at_5.43.14_PM.png" />
</Frame>
