Amazon Machine Images (AMI)

Wazuh provides a pre-built Amazon Machine Image that you can directly launch using our AMI in the AWS Marketplace or, as an alternative, you can configure and deploy the instance manually. Additionally, our Wazuh Consulting Service is also available in the AWS Marketplace for you to check the Professional Service packages Wazuh has to offer.

Specifications of the latest AMI:

  • Amazon Linux 2

  • Wazuh manager 4.2.5

  • Open Distro for Elasticsearch 1.13.2

  • Filebeat-OSS 7.10.2

  • Kibana 7.10.2

  • Wazuh Kibana plugin 4.2.5-1.13.2

Deployment alternatives

There are two different options for deploying the Wazuh All-In-One Deployment instance.

Deploy a predefined instance

  1. Subscribe to our Server product:

    1. Go to Wazuh All-In-One Deployment, then click Continue to Subscribe.

    2. Review the information and accept the terms for this software, then click Continue to Configuration to confirm the action.

  2. Configure the software by selecting a Software Version and the Region where the instance will be deployed. Once configured, click Continue to Launch.

  3. Review your configuration before launching the software and make sure that all default settings are correct. When selecting the EC2 Instance Type, we recommend that you use an instance type c5.2xlarge or similar, and check the minimum and recommended requirements for this type of instance.

  4. Click Launch to generate the instance.

Your instance is successfully launched and you can now access the Wazuh web interface.

Deploy and configure the instance manually

  1. Subscribe to our Server product:

    1. From your AWS Management Console dashboard, select Launch instance.

    2. Search for Wazuh All-In-One Deployment by Wazuh Inc., and click Select to subscribe.

  2. Review the Server Product characteristics, then click Continue.

  3. Select the instance type according to your needs, then click Next: Configure Instance Details. We recommend that you use an instance type c5.2xlarge or similar, and check the minimum and recommended requirements for this type of instance.

  4. Configure your instance as needed, then click Next: Add Storage.

  5. Set the storage capacity of your instance under the Size (GiB) column, then click Next: Add Tags. We recommend 100GiB or more.

  6. Add as many tags as you need, then click Next: Configure Security Group.

  7. Establish a Segurity Group (SG). To do this, make sure you check the protocols and ports necessary for its correct operation and the security measures for your instance. Once the SG is configured, click Review and Launch.

  8. Review the instance configuration and click Launch.

  9. Configure key pair settings:

    1. Select one of the three configuration options available.

      • Choose an existing key pair

      • Create a new key pair

      • Proceed without a key pair

      You need to select a key pair to access the instance with SSH. If you proceed without a key pair, the instance is only available through EC2 Instance Connect.

    2. To complete the process and deploy your instance, click Launch instances.

Your instance is fully configured and ready. You can now access the Wazuh web interface.

Configuration files

All components included in this AMI are configured to work out-of-the-box without the need to modify any settings. However, all components can be fully customized. These are the configuration files locations:

  • Wazuh manager: /var/ossec/etc/ossec.conf

  • Open Distro for Elasticsearch: /etc/elasticsearch/elasticsearch.yml

  • Filebeat-OSS: /etc/filebeat/filebeat.yml

  • Kibana: /etc/kibana/kibana.yml

  • Wazuh Kibana plugin: /usr/share/kibana/data/wazuh/config/wazuh.yml

To learn more about the Wazuh configuration options for its components, see the User manual.

Access the Wazuh web interface

Once the instance is running, you can access the web interface with your credentials.

  • URL: https://<instance_ip>

  • Username: wazuh

  • Password: <your_instance_id>

Keep in mind that after launching the instance, the passwords of the users are changed to the ID of the instance created from the AMI. In this way, access to the interface is guaranteed only to the creator of it. This process can take an average of 5 minutes depending on the type of instance and both the SSH access and the Kibana web interface are disabled during the process.


It is highly recommended to change the default passwords of Elasticsearch for the users’ passwords in the first SSH access. To perform this action, see the Elasticsearch tuning section.

Security considerations about SSH

  • The root user cannot be identified by SSH and the instance can only be accessed through the user: wazuh-user.

  • SSH authentication through passwords is disabled and the instance can only be accessed through a key pair. This means that only the user with the key pair has access to the instance.

  • To access the instance with a key pair, you need to download the key generated or stored in AWS. Then, run the following command to connect with the instance.

    # ssh -i "key_pair_name" wazuh-user@instance_ip

Next steps

The Wazuh AMI is now ready and you can proceed with deploying the Wazuh agents on the systems to be monitored.

Upgrading the Wazuh server

The Wazuh server in the instance can be upgraded as a traditional installation.