# AWS - Integration & Permissions Configuration

1. Log in to the AWS Management Console and open the AWS IAM Console.
2. Under Roles, select "Create Role".
3. Under "Trusted Entity Type", select "AWS Account" and choose "Another AWS Account".
4. Enter the AWS account ID provided in the app (hit 'Click for instructions' from the Add provider page).
5. Check "Require External ID" and enter the external ID provided in the app (hit 'Click for instructions' from the Add provider page).
6. Ensure that "Require MFA" is unchecked and click "Next".
7. Add the following standard (AWS managed) policy:

```
arn:aws:iam::aws:policy/ReadOnlyAccess
```

8. Add the following custom policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTurnitoffManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:StartInstances",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "rds:StartDBInstance",
                "rds:StopDBInstance",
                "elasticbeanstalk:UpdateEnvironment",
                "ecs:UpdateService",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling-plans:UpdateScalingPlan",
                "ec2:CreateTags",
                "kms:CreateGrant"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowTerminateInstances",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/ManagedBy": "Turnitoff.ai"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesRestrictByInstanceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:RequestTag/ManagedBy": "Turnitoff.ai"
                }
            }
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:*:volume/*"
            ]
        }
    ]
}
```

9. Select the role, copy the Role ARN from the summary page and paste it into the "Role ARN" field in the Turn It Off app.
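
To confirm that the role's trust policy matches steps 3 to 6, the check below audits a trust policy document such as the one returned by `aws iam get-role`. It is an added example, not part of the Turn It Off documentation; the account ID, external ID and both sample policies are constructed placeholders.

```python
# Added example with constructed values: replace both with the ones shown in the app.
ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the policy matches steps 3-6."""
    findings = []
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    statements = [s for s in _as_list(policy.get("Statement"))
                  if s.get("Effect") == "Allow"
                  and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not statements:
        return ["no Allow statement for sts:AssumeRole"]
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = _as_list(aws)
        if not principals or any(p not in allowed for p in principals):
            findings.append(f"statement {i}: principal is not only the expected account")
        # Condition key names are case-insensitive, so normalise them first.
        cond = {op: {k.lower(): _as_list(v) for k, v in keys.items()}
                for op, keys in stmt.get("Condition", {}).items()}
        if cond.get("StringEquals", {}).get("sts:externalid") != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId missing or wrong")
        if any("aws:multifactorauthpresent" in keys for keys in cond.values()):
            findings.append(f"statement {i}: MFA condition present (step 6)")
    return findings

# Constructed trust policies: what steps 3-6 should produce, and a misconfigured one.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
BAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_trust_policy(doc, ACCOUNT_ID, EXTERNAL_ID) or "ok")
```

An empty result means the role can only be assumed by the expected account when it presents the expected external ID.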

The demo below shows the process of integrating with your AWS provider:

{% embed url="<https://youtu.be/C_gd7gjrvF8>" %}

