diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..b8d6423
--- /dev/null
+++ b/iam.tf
@@ -0,0 +1,63 @@
+data "aws_iam_policy_document" "assume_role_ec2" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ effect = "Allow"
+ }
+}
+
+#############################
+### IAM Agent
+#############################
+
+resource "aws_iam_instance_profile" "agent_instance_profile" {
+ name = format("%sAgentInstanceProfile", title(var.name))
+ role = aws_iam_role.agent_role.name
+}
+
+resource "aws_iam_role" "agent_role" {
+ name = format("%sAgentRole", title(var.name))
+ assume_role_policy = data.aws_iam_policy_document.assume_role_ec2.json
+}
+
+resource "aws_iam_role_policy_attachment" "agent_cloudwatch_server_policy" {
+ count = var.enable_ssm == true ? 1 : 0
+ role = aws_iam_role.agent_role.name
+ policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "agent_ssm_instance_core_policy" {
+ count = var.enable_ssm == true ? 1 : 0
+ role = aws_iam_role.agent_role.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+
+#############################
+### IAM Server
+#############################
+resource "aws_iam_instance_profile" "server_instance_profile" {
+ name = format("%sServerInstanceProfile", title(var.name))
+ role = aws_iam_role.server_role.name
+}
+
+resource "aws_iam_role" "server_role" {
+ name = format("%sServerRole", title(var.name))
+ assume_role_policy = data.aws_iam_policy_document.assume_role_ec2.json
+}
+
+resource "aws_iam_role_policy_attachment" "server_cloudwatch_server_policy" {
+ count = var.enable_ssm == "true" ? 1 : 0
+ role = aws_iam_role.server_role.name
+ policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "server_ssm_instance_core_policy" {
+ count = var.enable_ssm == "true" ? 1 : 0
+ role = aws_iam_role.server_role.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
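Review bot: The two server attachments (`server_cloudwatch_server_policy`, `server_ssm_instance_core_policy`) compare `var.enable_ssm` with the string `"true"`, while the agent attachments compare it with the bool `true`; with `enable_ssm` declared `type = bool` in variables.tf, Terraform's `==` as I read its semantics returns false for operands of different types rather than converting, so the server role would never receive SSM or CloudWatch permissions even when the flag is on. Use the bool directly in all four `count` expressions: `count = var.enable_ssm ? 1 : 0`. A second point: the flag also gates `CloudWatchAgentServerPolicy`, which its name does not suggest; a one-line comment above the attachment blocks, `# enable_ssm also attaches the CloudWatch agent policy`, would make the wider grant visible to whoever flips it.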
diff --git a/infra.tf b/infra.tf
index 1b9e8d8..3db11da 100644
--- a/infra.tf
+++ b/infra.tf
@@ -108,6 +108,10 @@ resource "aws_launch_template" "k3s_server" {
 }
 }
 
+ iam_instance_profile {
+ arn = aws_iam_instance_profile.server_instance_profile.arn
+ }
+
 network_interfaces {
 delete_on_termination = true
 security_groups = concat([aws_security_group.self.id, aws_security_group.database.id], var.extra_server_security_groups)
@@ -138,10 +142,15 @@ resource "aws_launch_template" "k3s_agent" {
 ebs {
 encrypted = true
 volume_type = local.agent_volume_type
- volume_size = "50"
+ volume_size = local.agent_volume_size
+ iops = var.agent_volume_iops
 }
 }
 
+ iam_instance_profile {
+ arn = aws_iam_instance_profile.agent_instance_profile.arn
+ }
+
 network_interfaces {
 delete_on_termination = true
 security_groups = concat([aws_security_group.ingress.id, aws_security_group.self.id], var.extra_agent_security_groups)
diff --git a/main.tf b/main.tf
index 4097acd..7eed252 100644
--- a/main.tf
+++ b/main.tf
@@ -34,6 +34,7 @@ locals {
 server_volume_type = var.server_volume_type
 agent_instance_type = var.agent_instance_type
 agent_volume_type = var.agent_volume_type
+ agent_volume_size = var.agent_volume_size
 agent_image_id = var.agent_image_id != null ? var.agent_image_id : data.aws_ami.ubuntu.id
 server_image_id = var.server_image_id != null ? var.server_image_id : data.aws_ami.ubuntu.id
 aws_azs = var.aws_azs
diff --git a/output.tf b/output.tf
index a4188d8..2b1dc47 100644
--- a/output.tf
+++ b/output.tf
@@ -20,3 +20,11 @@ output "k3s_cluster_secret" {
 value = local.k3s_cluster_secret
 sensitive = true
 }
+
+output "agent_role_arn" {
+ value = aws_iam_role.agent_role.arn
+}
+
+output "server_role_arn" {
+ value = aws_iam_role.server_role.arn
+}
diff --git a/variables.tf b/variables.tf
index 45850e7..e121a14 100644
--- a/variables.tf
+++ b/variables.tf
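Review bot: Attaching `server_instance_profile` makes the role's credentials retrievable from the instance metadata endpoint, and nothing in this hunk requires IMDSv2; if the rest of `aws_launch_template.k3s_server` (which starts and ends outside the hunk) does not already set one, add `metadata_options { http_tokens = "required" }` next to the new `iam_instance_profile` block. The same applies to the `k3s_agent` template in the following hunk. Requiring session tokens is the standard mitigation against credential theft through SSRF or a compromised pod, and it matters most on the agent nodes, which sit behind the ingress security group.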
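Review bot: `iops = var.agent_volume_iops` is passed unconditionally while `volume_type` still comes from `local.agent_volume_type`; as far as I know the EC2 API rejects an explicit IOPS value for volume types that do not support provisioned IOPS, so a non-null `agent_volume_iops` together with, say, `gp2` surfaces as an apply-time error rather than a plan-time one. Consider guarding it, `iops = contains(["io1", "io2", "gp3"], local.agent_volume_type) ? var.agent_volume_iops : null`, or attaching a `validation` block to the variable. A smaller consistency point: `volume_size` is read through `local.agent_volume_size` but `iops` directly from `var.agent_volume_iops` — route both the same way.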
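Review bot: The two new outputs in output.tf, `agent_role_arn` and `server_role_arn`, carry no `description`, so neither `terraform output` nor generated module docs say what the ARNs are for. Add `description = "ARN of the IAM role assumed by the K3S agent nodes"` to the first and the matching sentence for the server role; these are the identities a consumer would reference in downstream IAM policies, so naming their purpose here saves a trip to iam.tf.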
@@ -319,6 +319,18 @@ variable "agent_volume_type" {
 type = string
 }
 
+variable "agent_volume_size" {
+ default = 50
+ description = "Volume Size for K3S Agent nodes"
+ type = number
+}
+
+variable "agent_volume_iops" {
+ default = null
+ description = "Volume IOPS for K3S Agent nodes"
+ type = number
+}
+
 variable "rancher_features" {
 default = ""
 description = "Comma-separated list of feature flags to enable in Rancher"
@@ -340,4 +352,9 @@ variable "nginx_version" {
 default = "4.1.3"
 description = "Version of ingress-nginx helm chart to install"
 type = string
+}
+
+variable "enable_ssm" {
+ default = false
+ type = bool
 }
\ No newline at end of file
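Review bot: `enable_ssm` is the only variable in these hunks declared without a `description`, and its name understates its effect: in iam.tf it controls the `CloudWatchAgentServerPolicy` attachments as well as `AmazonSSMManagedInstanceCore`. Add `description = "Attach the SSM managed-instance and CloudWatch agent managed policies to the agent and server node roles"` so the full grant is visible where the flag is set. The `false` default is the right choice — node roles carry no managed policies unless asked for — and the `type = bool` declaration is what makes the `== "true"` comparisons in iam.tf worth a second look.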