Amazon Machine Images (AMI)

Wazuh provides a pre-built Amazon Machine Image (AMI). An AMI is a pre-configured template that is ready to use for creating a virtual computing environment within the Amazon Elastic Compute Cloud (Amazon EC2). The latest Wazuh AMI packages together Amazon Linux 2 with the following central components for your Wazuh server:

  • Wazuh manager 4.3.0

  • Filebeat-OSS 7.10.2

  • Wazuh indexer 4.3.0

  • Wazuh dashboard 4.3.0

Deployment alternatives

There are two alternatives for deploying a Wazuh instance. You can launch the Wazuh All-In-One Deployment AMI directly from the AWS Marketplace or you can configure and deploy an instance using the AWS Management Console.

Note

Our Wazuh Consulting Service is also available in the AWS Marketplace. Check the Professional Service packages that Wazuh has to offer.

Launch an instance from the AWS Marketplace

  1. Go to Wazuh All-In-One Deployment in the AWS Marketplace, then click Continue to Subscribe.

  2. Review the information and accept the terms for the software. Click Continue to Configuration to confirm subscribing to our Server product.

  3. Select a Software Version and the Region where the instance is going to be deployed. Then, click Continue to Launch.

  4. Review your configuration, making sure that all settings are correct before launching the software. Adapt the default configuration values to your needs.

    1. When selecting the EC2 Instance Type, we recommend that you use the c5a.xlarge instance type.

    2. When selecting the Security Group, choose one with the appropriate settings for your Wazuh instance so that it operates correctly. You can create a new security group by choosing Create new based on seller settings. This new group has the appropriate settings by default.

  5. Click Launch to generate the instance.

Once your instance is successfully launched and a few minutes have elapsed, you can access the Wazuh dashboard.

Deploy an instance using the AWS Management Console

  1. Select Launch instance from your AWS Management Console dashboard.

  2. Find Wazuh All-In-One Deployment by Wazuh Inc., and click Select to subscribe.

  3. Review the Server product characteristics, then click Continue. This subscribes you to our Server product.

  4. Select the instance type according to your needs, then click Next: Configure Instance Details. We recommend that you use the c5a.xlarge instance type.

  5. Configure your instance as needed, then click Next: Add Storage.

  6. Set the storage capacity of your instance under the Size (GiB) column, then click Next: Add Tags. We recommend 100 GiB GP3 or more.

  7. Add as many tags as you need, then click Next: Configure Security Group.

  8. Check that the listed ports and protocols are the ones Wazuh requires, and review the security measures for your instance. This establishes the Security Group (SG). Then, click Review and Launch.

  9. Review the instance configuration and click Launch.

  10. Select one of the three key pair options: Choose an existing key pair, Create a new key pair, or Proceed without a key pair. You need to choose an existing key pair or create a new one to access the instance with SSH.

  11. Click Launch instances to complete the process and deploy your instance.

Once your instance is fully configured and ready, a few minutes after launch, you can access the Wazuh dashboard.
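
The security group check in step 8 can be scripted. The following is an added example, not part of the Wazuh documentation or Wazuh's own code: it audits the IpPermissions list that `aws ec2 describe-security-groups` returns for the instance's security group. Ports 22 and 443 follow from the SSH and HTTPS access this page describes; 1514, 1515 and 55000 are assumed Wazuh defaults, and the sample rules are constructed.

```python
import ipaddress

# Assumed port roles: 22 and 443 follow from the SSH and HTTPS access this page
# describes; 1514, 1515 and 55000 are assumed Wazuh defaults. Confirm them
# against the seller's security group settings before relying on this list.
ADMIN_PORTS = {22: "SSH", 443: "Wazuh dashboard", 55000: "Wazuh server API"}
AGENT_PORTS = {1514: "agent connection", 1515: "agent enrollment"}
EXPECTED = {**ADMIN_PORTS, **AGENT_PORTS}

# Constructed sample in the IpPermissions shape (not taken from a real account).
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 1514, "ToPort": 1515,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]

def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_ingress(ip_permissions):
    """Return (severity, ports, source, reason) findings for CIDR-based rules."""
    findings = []
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "udp", "-1"):
            continue  # ICMP and similar rules carry no port range
        # IpProtocol "-1" means every protocol and every port.
        lo, hi = (0, 65535) if proto == "-1" else (rule["FromPort"], rule["ToPort"])
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        covered = [p for p in sorted(EXPECTED) if lo <= p <= hi]
        extra = (hi - lo + 1) - len(covered)
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        for src in sources:
            if extra:
                findings.append(("MEDIUM", span, src, f"{extra} port(s) outside the expected set"))
            if not _is_world(src):
                continue
            for port in covered:
                sev = "HIGH" if port in ADMIN_PORTS else "REVIEW"
                findings.append((sev, str(port), src, f"{EXPECTED[port]} reachable from any address"))
    return findings
```

Rules that reference another security group instead of a CIDR range are not evaluated. A REVIEW finding marks an agent port that is open to any address, which is acceptable only when agents really connect from arbitrary networks.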

Configuration files

All components included in this AMI are configured to work out-of-the-box without the need to modify any settings. However, all components can be fully customized. The configuration file locations are as follows.

  • Wazuh manager: /var/ossec/etc/ossec.conf

  • Wazuh indexer: /etc/wazuh-indexer/opensearch.yml

  • Filebeat-OSS: /etc/filebeat/filebeat.yml

  • Wazuh dashboard:

    • /etc/wazuh-dashboard/opensearch_dashboards.yml

    • /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

To learn more about configuring Wazuh, see the User manual.

Access the Wazuh dashboard

When the instance is launched, the user passwords are automatically changed to the instance ID. This ensures that only the creator of the instance can access the interface. This process takes five minutes on average, depending on the instance type. Both SSH access and Wazuh dashboard access are disabled during this process.

Once the instance is running and the process to initialize passwords is complete, you can access the Wazuh dashboard with your credentials.

  • URL: https://<YOUR_INSTANCE_IP>

  • Username: admin

  • Password: <YOUR_INSTANCE_ID>

Warning

It is highly recommended to change the default user passwords on the first SSH access. To perform this action, see the Change the Wazuh indexer passwords section.

Security considerations about SSH

  • The root user cannot authenticate over SSH, and the instance can only be accessed as the user wazuh-user.

  • SSH authentication through passwords is disabled and the instance can only be accessed through a key pair. This means that only the user with the key pair has access to the instance.

  • To access the instance with a key pair, you need to download the key generated or stored in AWS. Then, run the following command to connect with the instance.

    # ssh -i "<KEY_PAIR_NAME>" wazuh-user@<YOUR_INSTANCE_IP>
    
  • Access during the initial password change process is disabled to prevent potential problems. This process may take a few minutes to complete. Any access attempt before completion will show wazuh-user@<INSTANCE_IP>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Next steps

The Wazuh AMI is now ready and you can proceed with deploying the Wazuh agents on the systems to be monitored.

Upgrading the Wazuh server

The Wazuh server in the instance can be upgraded in the same way as a traditional installation.