Amazon Machine Images (AMI)

Wazuh provides a pre-built Amazon Machine Image (AMI). An AMI is a ready-to-use template for creating virtual computing environments in Amazon Elastic Compute Cloud (Amazon EC2). The latest Wazuh AMI includes Amazon Linux 2023 and the Wazuh central components.

  • Wazuh manager 4.13.1

  • Filebeat-OSS 7.10.2

  • Wazuh indexer 4.13.1

  • Wazuh dashboard 4.13.1

Packages list

  • Distribution: Amazon Linux 2023

  • Architecture: 64-bit

  • VM Format: AWS AMI

  • Latest version: 4.13.1

  • Product page: Wazuh All-In-One Deployment

Deployment alternatives

You can deploy a Wazuh instance in two ways. Launch the Wazuh All-In-One Deployment AMI directly from the AWS Marketplace or configure and deploy an instance using the AWS Management Console.

Note

Our Wazuh Consulting Service is also available in the AWS Marketplace. Check the Professional Service packages that Wazuh has to offer.

Launch an instance from the AWS Marketplace

  1. Go to Wazuh All-In-One Deployment in the AWS Marketplace, then click View purchase options.

  2. Review the information and the terms for the software. Click Subscribe to confirm your subscription to the product. You will receive an email notification that your offer has been accepted.

  3. Click Launch your software to continue your setup.

  4. Select the service Amazon EC2, Launch from EC2 console, and a Region.

  5. Click Launch from EC2 to take you to the AWS Management Console.

  6. Review your configuration, ensuring all settings are correct, before launching the software. Adapt the default configuration to your needs.

    1. When selecting the EC2 Instance Type, we recommend c5a.xlarge because it offers an ideal balance of high compute performance and cost-efficiency.

    2. To guarantee correct operation, the Security Group must have the appropriate settings for your Wazuh instance. You can create a new security group by choosing Create security group. This new group will have the appropriate settings by default.

  7. Click Launch to generate the instance.

Once your instance is successfully launched and a few minutes have elapsed, you can access the Wazuh dashboard.

Deploy an instance using the AWS Management Console

  1. Select EC2 from your AWS Management Console dashboard.

  2. Click Launch instance.

  3. Click on Browse more AMIs.

  4. Search for Wazuh All-In-One Deployment by Wazuh Inc under the AWS Marketplace AMIs tab, and click Select. This brings up a description of the Wazuh All-In-One Deployment with the option to either Subscribe on instance launch or Subscribe now.

  5. Select the instance type that best fits your needs. We recommend c5a.xlarge.

    Three configuration alternatives are available for the key pair settings:

    • Choose an existing key pair

    • Create a new key pair

    • Proceed without a key pair (Not recommended)

    You need to choose an existing key pair or create a new one to access the instance with SSH.

  6. When selecting the Security Group, ensure it has the appropriate settings for your Wazuh instance to guarantee correct operation. You can create a new security group by choosing Create security group. This new group will have the appropriate settings by default. Check that the ports and protocols it allows match the ports and protocols for Wazuh. Check the security measures for your instance. This will establish the Security Group (SG).

  7. Under the Size (GiB) column, set your instance's storage capacity, then click Next: Add Tags. We recommend 100 GiB gp3 or more.

  8. Review the instance configuration and click Launch instance.

After a few minutes, the instance will be ready. You can access the Wazuh dashboard.
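A check for the Security Group step above, added here as an example and not part of the Wazuh documentation: it reads the JSON printed by `aws ec2 describe-security-groups` and reports administrative ports open to any address and agent ports with no inbound rule. The port sets are Wazuh's default ports, an assumption since this page does not list them, and the sample group is constructed.

```python
import ipaddress
import json

# Assumption: Wazuh default ports (this page does not list them).
AGENT_PORTS = {1514, 1515}             # agent connection and enrollment
ADMIN_PORTS = {22, 443, 9200, 55000}   # SSH, dashboard, indexer API, server API

def _sources(perm):
    """Yield every IPv4/IPv6 CIDR that a rule admits."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def _covers(perm, port):
    """True if the rule's protocol and port range include TCP `port`."""
    if perm["IpProtocol"] == "-1":      # "-1" means all protocols, all ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit(sg_json):
    """Return (world_open_admin_ports, missing_agent_ports) for one group."""
    perms = json.loads(sg_json)["SecurityGroups"][0]["IpPermissions"]
    world_open, reachable = set(), set()
    for perm in perms:
        # A /0 prefix (0.0.0.0/0 or ::/0) admits any source address.
        any_source = any(ipaddress.ip_network(c, strict=False).prefixlen == 0
                         for c in _sources(perm))
        for port in AGENT_PORTS | ADMIN_PORTS:
            if not _covers(perm, port):
                continue
            reachable.add(port)
            if any_source and port in ADMIN_PORTS:
                world_open.add(port)
    return sorted(world_open), sorted(AGENT_PORTS - reachable)

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.dumps({"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 1514, "ToPort": 1514,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 55000, "ToPort": 55000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}]})

if __name__ == "__main__":
    world_open, missing = audit(SAMPLE)
    print("admin ports open to any address:", world_open)
    print("agent ports with no inbound rule:", missing)
```

Pass it the output of `aws ec2 describe-security-groups --group-ids <GROUP_ID>` for the group attached to the instance. Restricting the dashboard and API ports to known source ranges matters most while the instance still uses the passwords set at launch.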

Configuration files

All components included in this AMI are configured to work out-of-the-box without the need to modify any settings. However, all components can be fully customized. These are the configuration file locations:

  • Wazuh manager: /var/ossec/etc/ossec.conf

  • Wazuh indexer: /etc/wazuh-indexer/opensearch.yml

  • Filebeat-OSS: /etc/filebeat/filebeat.yml

  • Wazuh dashboard:

    • /etc/wazuh-dashboard/opensearch_dashboards.yml

    • /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

To learn more about configuring Wazuh, see the User manual.

Access the Wazuh dashboard

When the instance is launched, the user passwords are automatically changed to the instance ID with the first letter capitalized. For example: I-07f25f6afe4789342. This ensures that only the creator has access to the interface. This process takes five minutes on average, depending on the type of instance. During this time, SSH access and Wazuh dashboard access are disabled.

Once the instance runs and the process to initialize passwords is complete, you can access the Wazuh dashboard with your credentials.

  • URL: https://<YOUR_INSTANCE_IP>

  • Username: admin

  • Password: <YOUR_INSTANCE_ID>

Note

The password is the instance ID with the first letter capitalized. For example, if the instance ID is: i-07f25f6afe4789342, the default password will be I-07f25f6afe4789342.

Warning

The passwords for the Wazuh server API users wazuh and wazuh-wui are the same as those for the admin user. We highly recommend changing the default passwords on the first SSH access. To perform this action, refer to the Password management section.

Security considerations about SSH

  • The root user cannot authenticate over SSH, and the instance can only be accessed as the user wazuh-user.

  • The instance can only be accessed with a key pair, so only a user who holds the key pair can connect.

  • You must download the key generated or stored in AWS to access the instance with a key pair. Then, run the following command to connect with the instance.

    # ssh -i "<KEY_PAIR_NAME>" wazuh-user@<YOUR_INSTANCE_IP>
    
  • Access during the initial password change is disabled to prevent potential problems. This process might take a few minutes to complete. Any access attempt before completion shows: wazuh-user@<INSTANCE_IP>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Next steps

The Wazuh AMI is now ready and you can proceed with deploying the Wazuh agents on the systems to be monitored.

Upgrading the AMI

Follow the instructions on how to upgrade the Wazuh central components.