AWS Setup

The AWS integration lets you manage EC2 instances directly from Reoclo. Once connected, you can reboot, shut down, and power on instances, view CloudWatch metrics and monthly costs, inspect security groups and volumes, and execute commands remotely via SSM Run Command.

Prerequisites

• An AWS account with at least one EC2 instance
• Permission to create IAM users and policies in your AWS account
• A Reoclo account with server management access

Step 1: Create an IAM User

1. Log into the AWS Console
2. Navigate to IAM > Users > Create user
3. Enter a username (for example, reoclo-service)
4. Select Programmatic access only (no console access needed)
5. Click Next to proceed to permissions

Step 2: Attach the Minimum-Privilege Policy

Instead of attaching a broad managed policy, create a scoped inline policy that grants only the permissions Reoclo needs.

1. On the permissions page, click Attach policies directly
2. Click Create policy > JSON tab
3. Paste the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReocloEC2Read",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeRegions",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReocloEC2Control",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*"
    },
    {
      "Sid": "ReocloCloudWatch",
      "Effect": "Allow",
      "Action": ["cloudwatch:GetMetricStatistics"],
      "Resource": "*"
    },
    {
      "Sid": "ReocloCostExplorer",
      "Effect": "Allow",
      "Action": ["ce:GetCostAndUsage"],
      "Resource": "*"
    },
    {
      "Sid": "ReocloSSMRead",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceInformation",
        "ssm:GetCommandInvocation",
        "ssm:ListCommandInvocations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReocloSSMSendCommand",
      "Effect": "Allow",
      "Action": ["ssm:SendCommand"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:document/AWS-RunShellScript"
      ]
    },
    {
      "Sid": "ReocloSTS",
      "Effect": "Allow",
      "Action": ["sts:GetCallerIdentity"],
      "Resource": "*"
    }
  ]
}

4. Name the policy (for example, ReocloMinimalAccess) and save it
5. Attach the policy to the reoclo-service user

Restrict to specific instances

If you want to limit Reoclo to specific EC2 instances, add a Condition block to the ReocloEC2Control and ReocloSSMSendCommand statements that checks for a tag. For example, tag your instances with reoclo-managed=true and add:

"Condition": {
  "StringEquals": {
    "ec2:ResourceTag/reoclo-managed": "true"
  }
}

Step 3: Create Access Keys

1. Go to the newly created IAM user
2. Navigate to Security credentials > Access keys
3. Click Create access key
4. Select Third-party service as the use case
5. Copy both the Access Key ID (starts with AKIA) and the Secret Access Key

Caution

The Secret Access Key is shown only once. Copy it immediately and store it securely.

Step 4: Add the Credential in Reoclo

1. In Reoclo, navigate to Cloud Providers in the sidebar
2. Click Add Provider
3. Select Amazon Web Services from the dropdown
4. Enter a label (for example, my-aws-prod)
5. Paste your Access Key ID and Secret Access Key
6. Click Test & Save to verify the credential

Reoclo will call sts:GetCallerIdentity to confirm the keys are valid. If successful, you will see your AWS account ID and IAM user displayed.

Step 5: Add a Server

1. Navigate to Servers and click Add Server
2. Select your AWS credential as the cloud provider
3. Enter the EC2 Instance ID (for example, i-0123456789abcdef0)
4. Select the Region where the instance runs (for example, us-east-1)
5. Save

Reoclo will begin syncing instance metadata, including status, IP addresses, specs, security groups, tags, and attached volumes.

Features

Power Operations

From the server detail page, you can:

• Power On a stopped instance
• Shutdown (graceful stop)
• Reboot the instance
• Hard Reset (force stop, then start)

Operations are tracked in real time with progress indicators.

Metrics and Cost

Reoclo pulls CPU, network, and disk I/O metrics from CloudWatch automatically. Monthly cost is fetched from AWS Cost Explorer and displayed on the server detail page.

Note

Cost data may take up to 24 hours to appear for newly created instances. Reoclo caches cost lookups to minimize Cost Explorer API charges.

SSM Run Command

If your EC2 instances have the SSM Agent installed, you can execute commands directly from Reoclo without SSH access.

Requirements for SSM:

1. The instance must have an IAM instance profile with the AmazonSSMManagedInstanceCore managed policy attached
2. The SSM Agent must be installed and running (pre-installed on Amazon Linux 2, Amazon Linux 2023, Ubuntu 16.04+, and Windows Server 2016+)
3. The instance must have a network path to SSM endpoints (direct internet access, or VPC endpoints for ssm, ssmmessages, and ec2messages)

When SSM is available, the server detail page shows a green SSM ready badge and a Run Command panel where you can execute shell commands and view output.

If SSM is not available, a grey SSM unavailable badge appears with troubleshooting guidance.

Troubleshooting

Credential verification fails

• Confirm the Access Key ID starts with AKIA
• Confirm the Secret Access Key was copied completely (no trailing spaces)
• Check that the IAM user has not been deactivated or deleted

Power operations fail with “IncorrectInstanceState”

This means the instance is in a state that does not allow the requested operation. For example, you cannot start an instance that is already running. Wait for the current transition to complete and try again.

SSM badge shows “unavailable”

Check the three requirements listed above:

1. Instance profile with AmazonSSMManagedInstanceCore
2. SSM Agent installed and running
3. Network path to SSM endpoints

You can verify SSM Agent status in the AWS Console under Systems Manager > Fleet Manager.

Metrics show “Requires CloudWatch Agent”

Basic EC2 monitoring includes CPU and network metrics. Disk utilization requires the CloudWatch Agent to be installed on the instance.

Next Steps

• Cloud Credentials for managing credentials across all providers
• Servers Overview to understand server management
• Scheduled Operations to automate power operations on a schedule
• API Overview for programmatic access to cloud operations