Infrastructure
Overview
In this lab, you'll use your AI coding agent to launch an EC2 instance in the workshop VPC with a properly configured security group and IAM instance profile — demonstrating how agents can provision infrastructure through natural language.
What You'll Learn
- How to launch EC2 instances through your agent's MCP Server connection
- How to create security groups with precise ingress rules
- How to attach IAM instance profiles for service access
Instructions
Explore
Try to accomplish this goal using your agent. Here are some hints if you get stuck:
- Ask your agent to find the workshop VPC and its public subnets
- Tell your agent to create a security group allowing SSH only from your current IP address
- Ask your agent to launch a t3.micro instance in a public subnet with S3 read-only access
Step-by-step Walkthrough
- First, ask your agent to discover the existing infrastructure:
Find the workshop VPC (tagged with Workshop=AgentToolkit) and list its public subnets.
- Create a security group with SSH access restricted to your IP:
Create a security group named workshop-ssh-sg in the workshop VPC that allows SSH (port 22) inbound only from my current public IP address. Add a description "Workshop SSH access".
Your agent will determine your public IP and create the security group with a /32 CIDR rule.
- Launch an EC2 instance with the security group and an IAM instance profile for S3 access:
Launch a t3.micro EC2 instance in one of the workshop VPC's public subnets with the workshop-ssh-sg security group. Use the Amazon Linux 2023 AMI. Attach an IAM instance profile that grants read-only access to S3.
- Verify the instance is running:
Show me the status of the EC2 instance you just launched, including its public IP, security groups, and IAM instance profile.
Validation
Open the CloudWatch Dashboard in the AWS Console. The Module 3 widget checks:
- ✅ A security group created by the participant exists in the workshop VPC
You can also verify manually:
List all security groups in the workshop VPC and show their inbound rules.
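The two things worth checking by hand in this lab are the shape of the rule the agent submits (step 2: TCP/22 from a single /32) and whether any group in the VPC exposes SSH more widely than that (the validation prompt above). The script below is an added example, not part of the workshop material or the MCP Server: it builds the exact IpPermissions entry boto3's authorize_security_group_ingress expects and audits describe_security_groups()-shaped data for SSH exposure. The group IDs and addresses in the sample are constructed placeholders.

```python
import ipaddress

SSH_PORT = 22


def build_ssh_ingress(my_ip: str) -> dict:
    """IpPermissions entry for authorize_security_group_ingress: TCP/22 from one host."""
    addr = ipaddress.ip_address(my_ip)
    host_cidr = f"{addr}/{addr.max_prefixlen}"  # /32 for IPv4, /128 for IPv6
    perm = {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT}
    key, field = ("IpRanges", "CidrIp") if addr.version == 4 else ("Ipv6Ranges", "CidrIpv6")
    perm[key] = [{field: host_cidr, "Description": "Workshop SSH access"}]
    return perm


def audit_ssh_exposure(security_groups: list) -> list:
    """Classify every source CIDR that can reach port 22 in describe_security_groups() data."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            # "-1" is AWS shorthand for all protocols and ports, which includes SSH
            if not (proto == "-1" or (proto == "tcp" and lo is not None and lo <= SSH_PORT <= hi)):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.num_addresses == 1:
                    verdict = "single-host"    # the /32 (or /128) the lab asks for
                elif net.prefixlen == 0:
                    verdict = "open-to-world"  # 0.0.0.0/0 or ::/0
                else:
                    verdict = "broad"          # a whole subnet or larger
                findings.append((sg["GroupId"], cidr, verdict))
    return findings


# Constructed describe_security_groups()-shaped sample; IDs and addresses are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaaa", "GroupName": "workshop-ssh-sg",
     "IpPermissions": [build_ssh_ingress("203.0.113.10")]},
    {"GroupId": "sg-0bbbb", "GroupName": "legacy-admin",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0cccc", "GroupName": "all-traffic",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Against a live account, pass `boto3.client("ec2").describe_security_groups(Filters=[...])["SecurityGroups"]` to `audit_ssh_exposure` and treat any verdict other than `single-host` as a finding to review.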
Agent-Specific Tips
Claude Code can determine your public IP automatically using the MCP Server's knowledge tools. If it asks for your IP, you can say:
Kiro will use the AWS MCP tools to find the VPC and create resources. If you want to see the resource IDs as they're created:
Cursor may attempt to use run_script to find resources. For direct API operations, be specific: