search

Deploy with AWS EC2 User-Data

This guide provides a complete EC2 user-data script that installs and enrolls LinuxGuard at instance launch. Credentials are retrieved from AWS Secrets Manager at runtime — no API keys or tenant IDs are hardcoded in the script.

hashtag
Prerequisites

  • AWS CLI installed locally for the one-time setup steps

  • An EC2 instance role (instance profile) attached to your target instances

  • A LinuxGuard API key and tenant ID (from the LinuxGuard console)

hashtag
Step 1: Store credentials in Secrets Manager

Run this command once from your local machine or CI/CD pipeline to create the secret:

aws secretsmanager create-secret \
  --name linuxguard/credentials \
  --secret-string '{"api_key":"<API_KEY>","tenant_id":"<TENANT_ID>"}' \
  --region <AWS_REGION>

Note the ARN in the command output — you will reference it when scoping the IAM policy in the next step.

hashtag
Step 2: Attach an IAM policy to your instance role

The EC2 instance needs permission to read the specific secret created above. Attach the following least-privilege inline or managed policy to the IAM role assigned to your EC2 instances (via the instance profile):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<AWS_REGION>:<ACCOUNT_ID>:secret:linuxguard/credentials-*"
    }
  ]
}

Note: The -* suffix in the resource ARN matches the random suffix that AWS appends to secret ARNs. Omitting it causes AccessDeniedException when the instance attempts to read the secret. Replace <AWS_REGION> and <ACCOUNT_ID> with your values.

hashtag
Step 3: Configure and launch with user-data

Note: EC2 user-data scripts run once on first instance launch by default. Re-enrollment on subsequent reboots is not a concern — the script does not run again unless you explicitly reconfigure the instance to do so.

Paste the script below into the User data field when launching your EC2 instance (via the console, CLI, Launch Template, or CloudFormation). Replace the two values in the # Configuration section:

Note: For operators who want explicit visibility into whether enrollment was skipped, replace the enroll step with a conditional check:

This approach skips enrollment if the service is already running. See Automated Deployment Overview for details on the agent's built-in idempotency guard.

After launch, enrolled servers appear in the LinuxGuard console under Infrastructure within a few minutes.

Related: Automated Deployment Overview | Installation | Configuration

PreviousDeploy with AnsibleNextDeploy with GCP Startup Script

Last updated

Was this helpful?