{section: advanced usage}
-The basic usage, above, possibly in conjuction with some of the other options, should suffice for the efficient provisioning of many instance from pre-existing images. If you'd like to use the prototype
+The basic usage, above, possibly in conjuction with some of the other options, should suffice for the efficient provisioning of many instance from pre-existing images. If you'd like to use the prototype to start annexes, the procedure is somewhat involved. The basic idea is as follows: when HTCondor starts up (this may be replaced by "when the OS finishes booting" in future releases), it runs a script which looks at the permissions which have been granted to the instance. (Obviously, this fails if the instance hasn't been granted permission to look at its own permissions.) If one of those permisssions is read access to a specific file in a specific S3 bucket, the script downloads the file into the HTCondor =config.d= directory, or, if the file is a tarball, untars it there. Because this mechanism is entirely independent of the usual userdata-dependent contextualization methods, it can be used to dynamically configure HTCondor regardless of an how an instance otherwise might configure itself. We expect this ability to generally be used to configure HTCondor to join one specific pool or another.
+
+We have provided a second CloudWatch template to help construct this mechanism. Actually, because it was easier, we have provided a script which -- given the S3 bucket name and file -- outputs a CloudWatch which creates the corresponding IAM role and instance profile. ....
