diff --git a/aws-ec2-podman/README.md b/aws-ec2-podman/README.md new file mode 100644 index 0000000..c2ffc2a --- /dev/null +++ b/aws-ec2-podman/README.md @@ -0,0 +1,30 @@ +# Podman Lab on AWS EC2 + +## Development on local machine + +Pre-requisites: Libvirt on Fedora + +```sh +cd cloud-init +./install-libvirt.sh +``` + +## Installation on AWS EC2 + +Pre-requisites: + +- Terraform +- OpenSSL +- Bash +- mkpasswd +- gzip + +```sh +cd cloud-init +./generate-users.sh +cd .. +terraform init +terraform apply +``` + +User accounts are in **cloud-init/users.csv**. diff --git a/aws-ec2-podman/cloud-init/.gitignore b/aws-ec2-podman/cloud-init/.gitignore new file mode 100644 index 0000000..afcdaa5 --- /dev/null +++ b/aws-ec2-podman/cloud-init/.gitignore @@ -0,0 +1,3 @@ +users.csv +users.yaml +user-data.yaml.gz diff --git a/aws-ec2-podman/cloud-init/generate-users.sh b/aws-ec2-podman/cloud-init/generate-users.sh new file mode 100755 index 0000000..4f90907 --- /dev/null +++ b/aws-ec2-podman/cloud-init/generate-users.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +set -Eeuo pipefail + +echo -n > users.yaml +echo "username,password" > users.csv + +read -p 'MASTER KEY: ' -s MASTER_KEY + +for i in $(seq 1 80); do + user="$(printf 'user%02d' $i)" + password="$(echo -n "$MASTER_KEY:$user" | openssl dgst -sha256 -binary | openssl base64 | cut -c 1-8)" + echo "$user,$password" >> users.csv + hash="$(echo -n "$password" | mkpasswd -m sha512crypt -s)" + cat >> users.yaml < user-data.yaml.gz diff --git a/aws-ec2-podman/cloud-init/install-libvirt.sh b/aws-ec2-podman/cloud-init/install-libvirt.sh new file mode 100755 index 0000000..fd75a6e --- /dev/null +++ b/aws-ec2-podman/cloud-init/install-libvirt.sh 
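Review bot: `users.csv` is created with the caller's default umask (`echo "username,password" > users.csv`), so the cleartext passwords the loop appends to it are typically world-readable on the workstation that runs the script; an `umask 077` before the two redirections, or `install -m 600 /dev/null users.csv` up front, restricts them to the owner (`users.yaml` holds only the sha512crypt hashes, but the same treatment does no harm). The derived passwords are the first 8 base64 characters of sha256 over `MASTER_KEY:user`, so their strength is bounded by the master key and anyone who has it can regenerate all 80 — worth a comment above the loop so the choice of master key is made deliberately. `read -s` also suppresses the newline after the prompt, so the next output starts on the `MASTER KEY:` line; an `echo` right after the `read` fixes that. The heredoc body between `cat >> users.yaml <` and the gzip step appears truncated in this view, so I cannot review the per-user YAML it emits.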
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -Eeuo pipefail
+
+virsh destroy lab-podman || true
+virsh undefine lab-podman || true
+rm -rf /var/lib/libvirt/images/lab-podman
+
+mkdir -p /var/lib/libvirt/images/base-images /var/lib/libvirt/images/lab-podman
+
+if [ ! -f /var/lib/libvirt/images/base-images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2 ]; then
+ curl -Lo /var/lib/libvirt/images/base-images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2 https://download.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2
+fi
+
+# dnf install -y cloud-utils genisoimage
+cloud-localds /var/lib/libvirt/images/lab-podman/cloud-init.iso user-data.yaml
+
+virt-install --name lab-podman --autostart --noautoconsole --cpu host-passthrough \
+ --vcpus 2 --ram 4096 --os-variant fedora36 \
+ --disk path=/var/lib/libvirt/images/lab-podman/lab-podman.qcow2,backing_store=/var/lib/libvirt/images/base-images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2,size=20 \
+ --network network=default \
+ --console pty,target.type=virtio --serial pty --import \
+ --disk path=/var/lib/libvirt/images/lab-podman/cloud-init.iso,readonly=on \
+ --sysinfo system.serial=ds=nocloud
+
+virsh console lab-podman
diff --git a/aws-ec2-podman/cloud-init/user-data.yaml b/aws-ec2-podman/cloud-init/user-data.yaml
new file mode 100644
index 0000000..4284b03
--- /dev/null
+++ b/aws-ec2-podman/cloud-init/user-data.yaml
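Review bot: The `curl -Lo` download of Fedora-Cloud-Base-36-1.5.x86_64.qcow2 is never integrity-checked, and because the `if [ ! -f ... ]` guard skips the download on every later run, a truncated or otherwise bad file is reused indefinitely as the backing store of each lab VM. Fedora publishes a CHECKSUM file in the same directory as the image; after the curl, verify the file against a digest pinned in the script, e.g. `echo "<EXPECTED_SHA256>  /var/lib/libvirt/images/base-images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2" | sha256sum -c -`, and delete the file on failure so the existence guard does not hide it next time. Downloading to a temporary name and renaming only after the check also keeps an interrupted `curl` from leaving a partial file behind (`set -e` stops the script, but the partial file stays and satisfies `-f`).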
@@ -0,0 +1,124 @@
+#cloud-config
+packages:
+- zsh
+- neofetch
+- podman
+- buildah
+- skopeo
+- jq
+- curl
+- vim-enhanced
+- java-17-openjdk-headless
+- maven-openjdk17
+- git
+runcmd:
+# Disable SSH password authentication
+- [ "sed", "-i.post-install", "-e", "s/PasswordAuthentication no/PasswordAuthentication yes/", "/etc/ssh/sshd_config" ]
+- [ "systemctl", "restart", "sshd" ]
+# Enable sudo without password
+- [ "sed", "-i.post-install", "-e", "s/^%wheel\tALL=(ALL)\tALL/%wheel ALL=(ALL) NOPASSWD: ALL/", "/etc/sudoers" ]
+write_files:
+- path: /etc/neofetch/config.conf
+ content: |
+ print_info() {
+ info title
+ info underline
+ info "OS" distro
+ info "Host" model
+ info "Kernel" kernel
+ info "Uptime" uptime
+ info "Shell" shell
+ info "CPU" cpu
+ info "Memory" memory
+ info "CPU Usage" cpu_usage
+ info "Disk" disk
+ info "Local IP" local_ip
+ info "Public IP" public_ip
+ info cols
+ }
+ title_fqdn="off"
+ kernel_shorthand="on"
+ distro_shorthand="off"
+ os_arch="on"
+ uptime_shorthand="on"
+ memory_percent="on"
+ memory_unit="gib"
+ package_managers="on"
+ shell_path="off"
+ shell_version="on"
+ speed_type="bios_limit"
+ speed_shorthand="off"
+ cpu_brand="on"
+ cpu_speed="on"
+ cpu_cores="logical"
+ cpu_temp="off"
+ gpu_brand="on"
+ gpu_type="all"
+ refresh_rate="off"
+ gtk_shorthand="off"
+ gtk2="on"
+ gtk3="on"
+ public_ip_host="http://ident.me"
+ public_ip_timeout=2
+ de_version="on"
+ disk_show=('/')
+ disk_subtitle="mount"
+ disk_percent="on"
+ music_player="auto"
+ song_format="%artist% - %album% - %title%"
+ song_shorthand="off"
+ mpc_args=()
+ colors=(distro)
+ bold="on"
+ underline_enabled="on"
+ underline_char="-"
+ separator=":"
+ block_range=(0 15)
+ color_blocks="off"
+ block_width=3
+ block_height=1
+ col_offset="auto"
+ bar_char_elapsed="-"
+ bar_char_total="="
+ bar_border="on"
+ bar_length=15
+ bar_color_elapsed="distro"
+ bar_color_total="distro"
+ cpu_display="off"
+ memory_display="off"
+ battery_display="off"
+ disk_display="off"
+ image_backend="ascii"
+ image_source="auto"
+ ascii_distro="auto"
+ ascii_colors=(distro)
+ ascii_bold="on"
+ image_loop="off"
+ thumbnail_dir="${XDG_CACHE_HOME:-${HOME}/.cache}/thumbnails/neofetch"
+ crop_mode="normal"
+ crop_offset="center"
+ image_size="auto"
+ gap=3
+ yoffset=0
+ xoffset=0
+ background_color=
+ stdout="off"
+- path: /etc/profile.d/neofetch.sh
+ content: |
+ #!/bin/bash
+ if [ -n "$PS1" ]; then
+ neofetch --config /etc/neofetch/config.conf
+ fi
+ permissions: '0755'
+groups:
+- lab
+users:
+- name: nicolas
+ gecos: Nicolas MASSE
+ shell: /bin/bash
+ primary_group: wheel
+ lock_passwd: false
+ # mkpasswd -m sha512crypt
+ passwd: CHANGEME
+ ssh_authorized_keys:
+ - ssh-ed25519 UPDATEME nmasse@redhat.com
diff --git a/aws-ec2-podman/main.tf b/aws-ec2-podman/main.tf
new file mode 100644
index 0000000..9078339
--- /dev/null
+++ b/aws-ec2-podman/main.tf
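Review bot: The comment `# Disable SSH password authentication` above the first `runcmd` entry states the opposite of what the `sed` does: it rewrites `PasswordAuthentication no` to `PasswordAuthentication yes`, i.e. it enables password logins for the generated accounts, and should read `# Enable SSH password authentication (lab users log in with generated passwords)`. cloud-init has a dedicated key for this, `ssh_pwauth: true`, which is the documented way to set it and does not depend on the directive living in `/etc/ssh/sshd_config` itself rather than in a drop-in under `sshd_config.d/` — whether the sed matches the stock Fedora 36 file I cannot confirm from here. The sudoers sed likewise depends on the exact tab layout of the stock `%wheel` line; cloud-init's per-user `sudo: ALL=(ALL) NOPASSWD:ALL` expresses the same intent without editing `/etc/sudoers` in place. Because the main.tf hunk opens TCP/22 to `0.0.0.0/0`, this one setting decides whether the 8-character derived passwords are reachable from any source address, so the comment is worth getting right.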
@@ -0,0 +1,145 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "4.34.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = "eu-west-3"
+}
+
+provider "aws" {
+ region = "us-east-1"
+ alias = "aws-us"
+}
+
+data "aws_ami" "fedora" {
+ provider = aws.aws-us
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["Fedora-Cloud-Base-36*x86_64-hvm-*-gp2-*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["125523088429"] # Fedora
+}
+
+resource "aws_ami_copy" "lab_ami" {
+ name = "Fedora-Cloud-Base-36.x86_64-hvm-eu-west-3-gp2-0"
+ description = "A copy of Fedora-Cloud-Base-36-20221013.0.x86_64-hvm-us-east-1-gp2-0"
+ source_ami_id = data.aws_ami.fedora.id
+ source_ami_region = "us-east-1"
+
+ tags = {
+ Name = "lab-podman"
+ }
+}
+
+resource "aws_vpc" "lab_vpc" {
+ cidr_block = "172.16.0.0/16"
+ enable_dns_support = true
+ enable_dns_hostnames = true
+
+ tags = {
+ Name = "lab-podman"
+ }
+}
+
+resource "aws_subnet" "lab_subnet" {
+ vpc_id = aws_vpc.lab_vpc.id
+ cidr_block = "172.16.10.0/24"
+ map_public_ip_on_launch = true
+
+ tags = {
+ Name = "lab-podman"
+ }
+}
+
+resource "aws_route_table" "lab_route" {
+ vpc_id = aws_vpc.lab_vpc.id
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.lab_gw.id
+ }
+
+ tags = {
+ Name = "lab-podman"
+ }
+}
+
+resource "aws_route_table_association" "lab_rta" {
+ subnet_id = aws_subnet.lab_subnet.id
+ route_table_id = aws_route_table.lab_route.id
+}
+
+resource "aws_security_group" "lab_podman" {
+ vpc_id = aws_vpc.lab_vpc.id
+
+ ingress {
+ description = "Incoming SSH connection"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ description = "Outgoing connections"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "lab-podman"
+ }
+}
+
+resource "aws_internet_gateway" "lab_gw" {
+ vpc_id = aws_vpc.lab_vpc.id
+ tags = {
+ Name = "lab-podman"
+ }
+}
+
+resource "aws_key_pair" "admin" {
+ key_name = "lab-podman-nmasse@redhat.com"
+ public_key = file("~/.ssh/id_ed25519.pub")
+ tags = {
+ Name = "lab-podman"
+ }
+}
+
+resource "aws_instance" "lab_podman" {
+ ami = aws_ami_copy.lab_ami.id
+ instance_type = "m5a.xlarge"
+ key_name = aws_key_pair.admin.key_name
+ subnet_id = aws_subnet.lab_subnet.id
+ depends_on = [aws_internet_gateway.lab_gw]
+ vpc_security_group_ids = [aws_security_group.lab_podman.id]
+ user_data = filebase64("cloud-init/user-data.yaml.gz")
+ associate_public_ip_address = true
+
+ credit_specification {
+ cpu_credits = "unlimited"
+ }
+
+ tags = {
+ Name = "lab-podman"
+ }
+}
+
+output "public_ip" {
+ value = aws_instance.lab_podman.public_ip
+}
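Review bot: The `aws_security_group.lab_podman` ingress rule admits TCP/22 from `0.0.0.0/0`, and the user-data hunk turns SSH password authentication on for the same instance, so the 80 generated password accounts are reachable from any source address. Exposing the allowed ranges as a `list(string)` variable (below) lets the lab run with the participants' ranges instead of the whole internet; giving it no default makes `terraform apply` prompt for it rather than silently falling back to open. Separately, `aws_instance.lab_podman` sets no `metadata_options`, so IMDSv1 stays enabled; `metadata_options { http_tokens = "required" }` enforces IMDSv2, a cheap default to harden on a multi-user host.
```hcl
# … unchanged: terraform, providers, AMI, VPC, subnet, routes …

variable "ssh_allowed_cidrs" {
  description = "CIDR ranges allowed to reach TCP/22 on the lab instance; no default so apply asks for it"
  type        = list(string)
}

resource "aws_security_group" "lab_podman" {
  vpc_id = aws_vpc.lab_vpc.id

  ingress {
    description = "Incoming SSH connection"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_allowed_cidrs
  }

  # … unchanged: egress, tags …
}

# … unchanged: internet gateway, key pair, instance, output …
```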