Skip to main content
Red Canary help

Building an AWS AMI

  • Updated .

Instructions for creating an AMI

The following instructions assume you’re using Amazon Linux 2, but can be adapted generically for other AMI-compatible distributions.

  • Start EC2 Instance in whatever configuration you choose
  • Install dependent packages, for example
    • yum install -y redhat-lsb-core
  • Install the package, for example:
    • rpm -i canary_forwarder-0.4.8-1.x86_64.rpm
  • Stop the cfsvcd service, for example:
    • sudo systemctl stop cfsvcd or initctl stop cfsvcd
  • Copy over the config.json file to /opt/redcanary/
    • Do not perform this step any earlier
  • Confirm there is no state.json file in /opt/redcanary/. If there is, delete it.
  • Shutdown the VM instance.
  • Create the AMI from the VM instance.
  • Launch as many VM’s as needed using the AMI created in the previous steps.

FAQ

Q: Why does the endpoint launched from an AMI have two different hostnames listed in the Red Canary Portal?

A: Because AMI’s are clones of an EC2 Instance, some data may be cached for that VM. On startup, the agent aggressively uploads information about the endpoint to notify the platform of its installation. Agent startup and hostname resolution on startup of the EC2 instance encounter a race condition where the agent may upload data before the hostname has been updated to the most recent one. This results in no material impact on the service we provide you.

Q: What happens if I forget to stop the cfsvcd service before copying over the config file?

A: You can reset the agent's unique identifier by deleting the /opt/redcanary/state.json file.