diff --git a/iam_policy.tf b/iam_policy.tf
index 964bc08..d676520 100644
--- a/iam_policy.tf
+++ b/iam_policy.tf
@@ -2,13 +2,13 @@ resource "aws_iam_role" "rhel_x86_codepipeline_role" {
 name = "rhel-x86-image-pipeline-demo-codepipeline-role"
 assume_role_policy = jsonencode({
- Version = "2012-10-17"
+ Version = "2012-10-17",
 Statement = [
 {
- Effect = "Allow"
+ Effect = "Allow",
 Principal = {
 Service = "codepipeline.amazonaws.com"
- }
+ },
 Action = "sts:AssumeRole"
 }
 ]
@@ -18,11 +18,12 @@ resource "aws_iam_policy" "rhel_x86_codepipeline_permissions" {
 name = "rhel-x86-codepipeline-permissions"
 description = "IAM policy for RHEL x86 CodePipeline to access necessary AWS services"
- policy = jsonencode({
- Version = "2012-10-17"
+
+ policy = jsonencode({
+ Version = "2012-10-17",
 Statement = [
 {
- Effect = "Allow"
+ Effect = "Allow",
 Action = [
 "codecommit:GetBranch",
 "codecommit:GetCommit",
@@ -36,7 +37,7 @@ resource "aws_iam_policy" "rhel_x86_codepipeline_permissions" {
 "codecommit:CreateCommit",
 "codecommit:BatchGetRepositories",
 "codecommit:BatchGetCommits"
- ]
+ ],
 Resource = [
 "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:linux-image-pipeline",
 "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-ansible-playbooks",
@@ -44,7 +45,7 @@ resource "aws_iam_policy" "rhel_x86_codepipeline_permissions" {
 ]
 },
 {
- Effect = "Allow"
+ Effect = "Allow",
 Action = [
 "ec2:DescribeInstances",
 "ec2:DescribeImages",
@@ -61,36 +62,36 @@ resource "aws_iam_policy" "rhel_x86_codepipeline_permissions" {
 "ec2:CreateImage",
 "ec2:CreateSnapshot",
 "ec2:RegisterImage"
- ]
+ ],
 Resource = "*"
 },
 {
- Effect = "Allow"
+ Effect = "Allow",
 Action = [
 "s3:GetObject",
 "s3:PutObject",
 "s3:ListBucket"
- ]
+ ],
 Resource = [
- "arn:aws-us-gov:s3:::your-bucket-name",
- "arn:aws-us-gov:s3:::your-bucket-name/*"
+ "arn:aws-us-gov:s3:::${aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket}",
+ "arn:aws-us-gov:s3:::${aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket}/*"
 ]
 },
 {
- Effect = "Allow"
+ Effect = "Allow",
 Action = [
 "kms:Encrypt",
 "kms:Decrypt",
 "kms:GenerateDataKey",
 "kms:DescribeKey"
- ]
- Resource = "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/02684d21-d541-4d83-8e0b-e8c95877d8cb"
+ ],
+ Resource = aws_kms_key.rhel_x86_codepipeline_key.arn
 },
 {
- Effect = "Allow"
+ Effect = "Allow",
 Action = [
 "iam:PassRole"
- ]
+ ],
 Resource = "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role"
 }
 ]
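Review bot: The two S3 ARNs on the new side are still assembled by hand from the `arn:aws-us-gov:s3:::` prefix plus the bucket name, while the KMS statement just below them now reads `aws_kms_key.rhel_x86_codepipeline_key.arn` directly; the bucket resource exposes the same attribute, so `Resource = [aws_s3_bucket.rhel_x86_codepipeline_bucket.arn, "${aws_s3_bucket.rhel_x86_codepipeline_bucket.arn}/*"]` keeps the partition out of the policy and cannot drift if the bucket is ever created in a different partition. The `iam:PassRole` statement at the bottom of the hunk keeps a literal account id and role name for a role declared in this same file; `Resource = aws_iam_role.rhel_x86_codepipeline_role.arn` would make it consistent with the other two references (the role does not depend on this policy, so there is no cycle). The enclosing `aws_iam_policy` block ends outside the hunk.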
@@ -101,3 +102,79 @@ resource "aws_iam_role_policy_attachment" "rhel_x86_codepipeline_role_attachment
 role = aws_iam_role.rhel_x86_codepipeline_role.name
 policy_arn = aws_iam_policy.rhel_x86_codepipeline_permissions.arn
 }
+
+resource "aws_iam_role" "rhel_x86_ec2_role" {
+ name = "rhel-x86-image-pipeline-demo-ec2-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ },
+ Action = "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_policy" "rhel_x86_ec2_permissions" {
+ name = "rhel-x86-ec2-permissions"
+ description = "IAM policy for RHEL x86 EC2 to access necessary AWS services"
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "ec2:DescribeInstances",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstanceStatus",
+ "ec2:RunInstances",
+ "ec2:TerminateInstances",
+ "ec2:CreateTags",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeSnapshots",
+ "ec2:CreateImage",
+ "ec2:CreateSnapshot",
+ "ec2:RegisterImage"
+ ],
+ Resource = "*"
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:ListBucket"
+ ],
+ Resource = [
+ "arn:aws-us-gov:s3:::${aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket}",
+ "arn:aws-us-gov:s3:::${aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket}/*"
+ ]
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:DescribeKey"
+ ],
+ Resource = aws_kms_key.rhel_x86_codepipeline_key.arn
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "rhel_x86_ec2_role_attachment" {
+ role = aws_iam_role.rhel_x86_ec2_role.name
+ policy_arn = aws_iam_policy.rhel_x86_ec2_permissions.arn
+}
\ No newline at end of file
diff --git a/kms.tf b/kms.tf
new file mode 100644
index 0000000..a70a69e
--- /dev/null
+++ b/kms.tf
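Review bot: The new `rhel_x86_ec2_permissions` policy grants the instance role `ec2:RunInstances`, `ec2:TerminateInstances`, `ec2:CreateImage`, `ec2:CreateSnapshot` and `ec2:RegisterImage` on `Resource = "*"`, so any process running on a build instance under this role can terminate or image every instance in the account rather than only the pipeline's own builders. The `Describe*` actions do not support resource-level permissions and have to stay on `"*"`, but the mutating actions belong in a separate statement scoped to the pipeline's instances, volumes and snapshots — for example with a `Condition` on `ec2:ResourceTag/<pipeline-tag-key>` (placeholder key), `aws:RequestTag` for `ec2:RunInstances`, and `ec2:CreateTags` limited via `ec2:CreateAction` to `RunInstances`. That ec2 statement is a verbatim copy of the one in `rhel_x86_codepipeline_permissions`; if the instance genuinely needs the same rights, putting the action list in a `local` keeps the two from drifting apart. Nothing in this hunk declares an `aws_iam_instance_profile` for `rhel_x86_ec2_role`, which EC2 needs before the role can be attached to an instance — presumably it lives in another file, but worth confirming. The file also ends without a trailing newline.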
@@ -0,0 +1,44 @@
+resource "aws_kms_key" "rhel_x86_codepipeline_key" {
+ description = "KMS key for RHEL x86 CodePipeline"
+ policy = <