diff --git a/puppet/zulip_ops/files/install-aws-cli b/puppet/zulip_ops/files/install-aws-cli
index 34e5c4db8a..cc19f88b44 100755
--- a/puppet/zulip_ops/files/install-aws-cli
+++ b/puppet/zulip_ops/files/install-aws-cli
@@ -20,6 +20,12 @@ if [ -L "/srv/zulip-aws-tools/v2/current" ] \
     exit 0
 fi
 
+# If not running in the initial host bootstrap, and was called with
+# arguments, this is just a check.
+if [ -z "${RUNNING_IN_CLOUD_INIT+x}" ] && [[ $# -gt 0 ]]; then
+    exit 1
+fi
+
 mkdir -p /srv/zulip-aws-tools
 
 cd /srv/zulip-aws-tools || exit 1
diff --git a/puppet/zulip_ops/manifests/aws_tools.pp b/puppet/zulip_ops/manifests/aws_tools.pp
new file mode 100644
index 0000000000..95dcc0ffc6
--- /dev/null
+++ b/puppet/zulip_ops/manifests/aws_tools.pp
@@ -0,0 +1,17 @@
+# @summary Installs the AWS CLI
+#
+class zulip_ops::aws_tools {
+  file { '/usr/local/bin/install-aws-cli':
+    ensure => file,
+    mode   => '0755',
+    source => 'puppet:///modules/zulip_ops/install-aws-cli',
+  }
+  exec { 'install-aws-cli':
+    require => File['/usr/local/bin/install-aws-cli'],
+    command => '/usr/local/bin/install-aws-cli',
+    # When puppet is initially determining which resources need to be
+    # applied, it will call the unless -- but install-aws-cli may not
+    # exist yet.  Count this as needing to run.
+    unless  => '[ -f /usr/local/bin/install-aws-cli ] && /usr/local/bin/install-aws-cli check',
+  }
+}
diff --git a/puppet/zulip_ops/manifests/profile/base.pp b/puppet/zulip_ops/manifests/profile/base.pp
index 184f245a17..5b10bc57bd 100644
--- a/puppet/zulip_ops/manifests/profile/base.pp
+++ b/puppet/zulip_ops/manifests/profile/base.pp
@@ -120,6 +120,8 @@ class zulip_ops::profile::base {
   if $hosting_provider == 'ec2' {
     # This conditional block is for whether it's not
     # chat.zulip.org, which uses a different hosting provider.
+    include zulip_ops::aws_tools
+
     file { '/root/.ssh/authorized_keys':
       ensure => file,
       mode   => '0600',
diff --git a/tools/setup/bootstrap-aws-installer b/tools/setup/bootstrap-aws-installer
index bb9bbc09dd..f081840380 100644
--- a/tools/setup/bootstrap-aws-installer
+++ b/tools/setup/bootstrap-aws-installer
@@ -8,6 +8,7 @@
 #BRANCH=
 #SSH_SECRET_ID=
 
+export RUNNING_IN_CLOUD_INIT=1
 if ! curl -fLs -m 5 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 10" >/dev/null; then
     echo "This should be run on AWS instances, not locally."
     exit 1