diff --git a/.aws/config b/.aws/config
new file mode 100644
index 0000000000000000000000000000000000000000..386f4eaaccd36a43d0360efc499fcf3d9dc926f7
--- /dev/null
+++ b/.aws/config
@@ -0,0 +1,2 @@
+[profile shore]
+region = us-east-1
diff --git a/Makefile b/Makefile
index 9c9a80be4b6ba1ba3408a6e36d8f9994afbedc62..23e87bd7908159ff7beed13e124279fa63f71b8f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,10 +1,32 @@
-DESTDIR ?= .local
 ansible-local = ansible localhost -c local -i localhost, -e "ansible_python_interpreter=$$(which python3)"
 ssh_configs != find ".ssh/config.d/" -type f \! -name '.*' | sort
+curl = curl --location --silent --fail
+download = $(curl) --output $@
+mkd = mkdir -p $$(dirname $@)
+
+.PHONY: all
+all: .ssh/gitlab_ed25519
+all: .ssh/gitlab_fdo
+all: .ssh/gitlab_toptal
+all: .ssh/github_ed25519
+all: .ssh/shore_ecdsa
+all: .ssh/shore_ed25519
+all: .ssh/shore_rsa
+all: .ssh/smile_ed25519
+all: .ssh/smile_rsa
+
+.ssh/%: Documents/Database.kdbx
+	$(mkd)
+	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
+	chmod 600 '$@'
+
+# Disable the implicit rule above so that other files under .ssh/ will be
+# created using an explicit rule.
+.ssh/%: Documents/Database.kdbx
 
 all: .config/pythonrc.py
 .config/pythonrc.py:
-	mkdir -p $$(dirname $@)
+	$(mkd)
 	$(download) https://raw.githubusercontent.com/lonetwin/pythonrc/0.8.4/pythonrc.py
 
 all: .bashrc.private
@@ -14,84 +36,30 @@ all: .bashrc.private
 	echo "export GITLAB_REGISTRATION_TOKEN='$$(ph show --field Password 'shore.co.il/GitLab runner registration token')'" >> '$@'
 	echo "export GITHUB_TOKEN='$$(ph show --field 'CLI token' 'Web Sites/GitHub')'" >> '$@'
 
-all: .ssh/github_ed25519
-.ssh/github_ed25519: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
-all: .ssh/gitlab_fdo
-.ssh/gitlab_fdo: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
-all: .ssh/gitlab_toptal
-.ssh/gitlab_toptal: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
-all: .ssh/shore_rsa
-.ssh/shore_rsa: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
-all: .ssh/gitlab_ed25519
-.ssh/gitlab_ed25519: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
-all: .ssh/shore_ecdsa
-.ssh/shore_ecdsa: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
-all: .ssh/shore_ed25519
-.ssh/shore_ed25519: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
-all: .ssh/smile_rsa
-.ssh/smile_rsa: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
-all: .ssh/smile_ed25519
-.ssh/smile_ed25519: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
-	ph show --field Notes "SSH/$$(basename '$@')" > '$@'
-	chmod 600 '$@'
-
 all: .ssh/config
 .ssh/config: $(ssh_configs)
-	mkdir -p $$(dirname $@)
+	$(mkd)
 	cat $(ssh_configs) > $@
 
 all: .ssh/localhost
 .ssh/localhost:
-	mkdir -p $$(dirname $@)
+	$(mkd)
 	-rm $@ $@.pub
 	ssh-keygen -t ecdsa -N '' -C localhost -f $@
 
 all: .ssh/localhost.pub
 .ssh/localhost.pub: .ssh/localhost
-	mkdir -p $$(dirname $@)
+	$(mkd)
 	ssh-keygen -y -f $< > $@
 
 all: .ssh/authorized_keys
 .ssh/authorized_keys: .ssh/localhost.pub
-	mkdir -p $$(dirname $@)
+	$(mkd)
 	-$(ansible-local) -m authorized_key -a "user=$$(whoami) key='$$(cat .ssh/localhost.pub)' key_options='from=\"127.0.0.1/8\"'"
 
 all: .config/python-gitlab.cfg
 .config/python-gitlab.cfg: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
+	$(mkd)
 	echo '[global]' > '$@'
 	echo 'default = shore.co.il' >> '$@'
 	echo 'ssl_verify = true' >> '$@'
@@ -103,7 +71,7 @@ all: .config/python-gitlab.cfg
 
 all: .config/gem/gemrc
 .config/gem/gemrc: Documents/Database.kdbx
-	mkdir -p $$(dirname $@)
+	$(mkd)
 	echo '# vim: ft=yaml' > '$@'
 	echo '---' >> '$@'
 	echo ':backtrace: false' >> '$@'
@@ -114,3 +82,10 @@ all: .config/gem/gemrc
 	echo ':update_sources: true' >> '$@'
 	echo ':verbose: true' >> '$@'
 	echo ':concurrent_downloads: 8' >> '$@'
+
+all: .aws/credentials
+.aws/credentials: Documents/Database.kdbx
+	$(mkd)
+	echo '[shore]' > '$@'
+	echo "aws_access_key_id = $$(ph show --field 'UserName' 'shore.co.il/AWS CLI')" >> '$@'
+	echo "aws_secret_access_key = $$(ph show --field 'Password' 'shore.co.il/AWS CLI')" >> '$@'