diff --git a/docs/AWS_DEPLOYMENT.md b/docs/AWS_DEPLOYMENT.md
new file mode 100644
index 0000000000000000000000000000000000000000..4071567e366499de26596de5dcd71543e448055e
--- /dev/null
+++ b/docs/AWS_DEPLOYMENT.md
@@ -0,0 +1,148 @@
+# Deploying BrowserID on Amazon Web Services
+
+This document will show you how to use the in-tree scripts to deploy
+different versions of BrowserID onto Amazon's cloud infrastructure.
+
+This is useful for testing changes in an environment similar to
+production, or for sharing experimental changes with other people.
+
+## Prerequisites
+
+In order to use these deploy scripts, you need the following:
+
+  1. have built and locally run browserid
+  2. an ssh key in `~/.ssh/id_rsa.pub`
+  3. an AWS account that is "signed up" for EC2
+  4. the "DNS secret" that you get from lloyd
+
+Once you have these things, you'll need to relay them to deployment
+scripts via your environment.  you might put something like this
+in your .bashrc:
+
+    export AWS_ID=<your id>
+    export AWS_SECRET=<your secret>
+    export BROWSERID_DEPLOY_DNS_KEY=98...33
+
+## test!
+
+You can verify that your credentials are properly configured, try:
+
+    $ scripts/deploy.js test
+    Checking DNS management access: good
+    Checking AWS access: good
+
+## Deploying your first VM
+
+Let's get started.  To deploy your first vm, all you have to do is pick a 
+hostname.  This might be something like `feature385` or `issue1000`, or 
+you can use a different name that is short but meaningful to what you're
+going to deploy.  Once chosen, invoke deploy.js like this:
+
+    $ scripts/deploy.js deploy some_name_i_chose
+    attempting to set up some_name_i_chose.hacksign.in
+       ... VM launched, waiting for startup (should take about 20s)
+       ... Instance ready, setting up DNS
+       ... DNS set up, setting human readable name in aws
+       ... name set, waiting for ssh access and configuring
+       ... nope.  not yet.  retrying.
+       ... nope.  not yet.  retrying.
+       ... nope.  not yet.  retrying.
+       ... nope.  not yet.  retrying.
+       ... nope.  not yet.  retrying.
+       ... victory!  server is accessible and configured
+       ... and your git remote is all set up
+    
+    Yay!  You have your very own deployment.  Here's the basics:
+    
+     1. deploy your code:  git push some_name_i_chose <mybranch>:master
+     2. visit your server on the web: https://some_name_i_chose.hacksign.in
+     3. test via a website: http://some_name_i_chose.myfavoritebeer.org
+     4. ssh in with sudo: ssh ec2-user@some_name_i_chose.hacksign.in
+     5. ssh as the deployment user: ssh app@some_name_i_chose.hacksign.in
+    
+    enjoy!  Here's your server details {
+        "instanceId": "i-8f4beeea",
+        "imageId": "ami-6900d100",
+        "instanceState": {
+            "code": "16",
+            "name": "running"
+        },
+        "dnsName": "ec2-184-73-84-132.compute-1.amazonaws.com",
+        "keyName": "browserid deploy key (4736caec113ccb53aa62bb165c58c17d)",
+        "instanceType": "t1.micro",
+        "ipAddress": "184.73.84.132"
+    }
+
+
+The output contains instructions for use.  Note that every occurance of 
+`some_name_i_chose` will be replaces with the name *YOU* chose.
+
+## deploying code
+
+The deployment process sets up a 'git remote', which just means it runs
+the following command for you:
+
+    $ git remote add some_name_i_chose app@<ip>:git
+
+This allows you to more conveniently push code to your server.  Say 
+you wanted to now deploy code from `mybranch` on this new VM:
+
+    $ git push some_name_i_chose mybranch:master
+
+IMPORTANT: you are pushing *from* the local `mybranch`, to the remote 
+`master` branch.  The VM will always deploy what's on its master branch.
+
+Say you want to go push new changes from mybranch:
+
+    $ git push some_name_i_chose mybranch:master
+
+Yeah.  Same thing.
+
+Say you want to push changes to this server from a completely different
+branch:
+
+    $ git push -f some_name_i_chose myotherbranch:master
+
+
+## Seeing what VMs you have running
+
+    $ scripts/deploy.js list
+    ...
+
+## Destroying your first VM
+
+These things cost money, not a lot, but money.  So when you want to 
+decomission a VM and release your hold on the DNS name, simply:"
+
+    $ scripts/deploy.js destroy some_name_i_chose
+    trying to destroy VM for some_name_i_chose.hacksign.in: done
+    trying to remove DNS for some_name_i_chose.hacksign.in: done
+
+## An overview of deployments
+
+Deploying code in this fashion spins up a pre-configured VM template.
+There are several things that are pre-configured for your pleasure:
+
+  1. ssh keys: your publick key is copied up to the server for passphraseless
+     ssh access.
+  2. Git support: an 'app' user is created with a repository under `~/git`
+     that you can push to
+  3. `post-update` hook: the code that runs after you push to update and
+     restart your servers
+  4. nginx with SSL and 503 support - you'll get SSL for free and will see
+     a reasonable message when your servers aren't running
+  5. a mysql database with a browserid user without any password
+
+### User Accounts
+
+VMs have two pre-configured users, both which you have passphraseless SSH
+access to:
+
+  * `ec2-user` is an acct with full sudo access
+  * `app` is an acct that has no sudo and is the user who recieves and
+    builds code, and starts the servers.
+
+Feel free to start a new server, and ssh in as `app` to explore all of the
+configuration.  An attempt has been made to isolate as much configuration 
+under this user's account as possible.
+