Description: Canaries aren't just hardware devices. You can run Canaries inside your EC2 Cloud infrastructure, using the same Console as the rest of your Canary fleet.
Note: Like other Cloud Canaries, a registered, but offline, Cloud Canary will still occupy a license. If you've terminated a bird on EC2, don't forget to decommission it on your Canary Console too. See guide here to decommission a Canary.
To get the running costs of a Canary in AWS, click here.
To jump to the necessary permissions to launch a Canary instance, click here.
If we've already shared the AMI over to you, and you can't find it, click here.
Follow the steps below to create your EC2 Cloud Canary:
Step 1:
Log in to your Console.
Step 2:
1 - Click the + Add icon.
2 - Click Add New Canary.
Step 3:
Click Add EC2 Canary.
Step 4:
Click Launch on the AWS region you want to deploy your Canary into.
Note: If the account/region is not available on your Console, please see our guide here.
Step 5:
You will be taken to your AWS account where you will need to Sign In.
Step 6:
Name your Canary.
Note: We've named our Canary OWA-SRV-03.
Step 7:
We will automatically configure the Application and OS image, Instance type and storage.
Note: We give you some additional details on the AMI we've shared with your AWS account/region.
Step 8:
The t3.micro instance size is automatically selected.
Note: The AWS Canary is super lightweight and the t3.micro instance size is all we need.
Step 9:
Select Proceed without a key pair from the drop down.
Note: We proceed without a key pair here as there is no way to log in and remotely manage this Canary from within AWS. All configuration is done from your Canary Console once the Canary is online.
Step 10:
1 - Select the network you want to run your Canary on.
2 - Select the subnet you want to run your Canary on.
3 - Disable public IP - Exposing your instance to the public internet will produce a lot of noise.
4 - Set up the security accordingly - The security group you select should allow traffic for the specific services you intend to run on your Canary.
Note:
- The security group you select should allow traffic between the bird and the networks you want to monitor.
- Exposing your instance to the public internet will produce lots of noise. We recommend not opening up ports to 0.0.0.0/0.
Step 11:
Click on Launch instance.
Step 12:
Your instance has been launched.
Note: If the launch process returns an error regarding accepting terms, this page describes the steps you need to take.
Step 13:
Your instance is busy Initializing.
Note: The initialization process of the VM will normally take around 2-3 minutes and then you should see it pop up in your Console to be commissioned, as seen in step 14 below.
Step 14:
On your Console you should see a pop up to confirm your new Canary.
Click Add Canary.
Step 15:
Your EC2 Canary will boot and connect back to your Console.
Note: Your Canary will connect to your Console running a Windows 2019 configuration with default services on it. You can reconfigure the Canary using remote management - Guide found here.
You're done! ;-)
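The security group advice in Step 10 can be checked after launch. The following is an added example, not part of the original guide or Thinkst's own tooling: it audits a security group (in the shape returned by `aws ec2 describe-security-groups`) against the TCP services you intend to run on the Canary. The sample group, its ID, ports and CIDRs are constructed, and treating ::/0 the same as 0.0.0.0/0 goes slightly beyond the text.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group ID, ports and CIDRs are made up for illustration.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def audit_canary_group(group, intended_tcp_ports):
    """Compare a security group's TCP ingress rules with the services the
    Canary is meant to expose. Returns a dict of three sorted lists."""
    world_open, unexpected, covered = set(), set(), set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue  # UDP/ICMP rules are out of scope for this example
        # "-1" means all protocols and all ports.
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        span = f"{lo}-{hi}"
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # Prefix length 0 is 0.0.0.0/0 or ::/0: any source on the internet.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                world_open.add((span, cidr))
        hit = {p for p in intended_tcp_ports if lo <= p <= hi}
        covered |= hit
        if not hit:
            unexpected.add(span)  # rule covers no service you intend to run
    return {
        "world_open": sorted(world_open),
        "unexpected_ports": sorted(unexpected),
        "unreachable_services": sorted(set(intended_tcp_ports) - covered),
    }


if __name__ == "__main__":
    for name, items in audit_canary_group(SAMPLE_GROUP, {445, 3389, 22}).items():
        print(name, items)
```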
Costs per EC2 Cloud Canary
The AWS Birds run on a t3.micro and, depending on the region, the estimated cost would be $5 to $8 per month.
- Set Location Type to AWS Regions
- Set Region to the region you're running your Canary in - note we've selected US East (Ohio)
- Set Operating system to Linux - note this should be the default
- Type t3.micro in the search bar to quickly find the running costs
- The hourly cost is shown here and can be multiplied by 730 hours in a month.
EC2 Cloud Canary permissions:
We have crafted the EC2 Bird launch experience to be as seamless as possible.
For environments looking to set up a service account with least privilege to deploy EC2 Canaries, the permissions below are required to launch an instance.
Permissions required:
AuthorizeSecurityGroupIngress
CreateSecurityGroup
DescribeAccountAttributes
DescribeAvailabilityZones
DescribeCapacityReservations
DescribeHosts
DescribeImages
DescribeInstanceAttribute
DescribeInstanceCreditSpecifications
DescribeInstances
DescribeInstanceStatus
DescribeInstanceTypes
DescribeKeyPairs
DescribeLaunchTemplates
DescribeNetworkInterfaces
DescribePlacementGroups
DescribeSecurityGroups
DescribeSnapshots
DescribeSpotPriceHistory
DescribeSubnets
DescribeTags
DescribeVolumes
DescribeVolumesModifications
DescribeVolumeStatus
DescribeVpcs
GetDefaultCreditSpecification
GetEbsEncryptionByDefault
RunInstances
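The list above, turned into an IAM policy and a check for drift from it. This is an added example, not Thinkst's own code: the "ec2:" prefix reflects that these are EC2 API actions, while Resource "*", the statement Sid and the over-broad comparison policy are assumptions constructed for illustration. Deny statements and NotAction are not evaluated.

```python
import fnmatch

# The 28 EC2 actions listed on this page, as IAM action names ("ec2:" prefix).
REQUIRED = ["ec2:" + a for a in """
AuthorizeSecurityGroupIngress CreateSecurityGroup DescribeAccountAttributes
DescribeAvailabilityZones DescribeCapacityReservations DescribeHosts
DescribeImages DescribeInstanceAttribute DescribeInstanceCreditSpecifications
DescribeInstances DescribeInstanceStatus DescribeInstanceTypes DescribeKeyPairs
DescribeLaunchTemplates DescribeNetworkInterfaces DescribePlacementGroups
DescribeSecurityGroups DescribeSnapshots DescribeSpotPriceHistory
DescribeSubnets DescribeTags DescribeVolumes DescribeVolumesModifications
DescribeVolumeStatus DescribeVpcs GetDefaultCreditSpecification
GetEbsEncryptionByDefault RunInstances""".split()]


def launch_policy():
    """Identity policy granting only the listed actions.
    Resource "*" is an assumption; the page does not scope resources."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "LaunchEc2Canary", "Effect": "Allow",
         "Action": REQUIRED, "Resource": "*"}]}


def review_policy(policy):
    """Compare a policy's Allow statements with REQUIRED.
    Returns (missing, wildcards, excess); IAM action names are case-insensitive."""
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            granted += [actions] if isinstance(actions, str) else list(actions)
    patterns = [g.lower() for g in granted]
    needed = {a.lower(): a for a in REQUIRED}
    missing = sorted(name for low, name in needed.items()
                     if not any(fnmatch.fnmatchcase(low, p) for p in patterns))
    wildcards = sorted(g for g in granted if "*" in g or "?" in g)
    excess = sorted(g for g in granted
                    if "*" not in g and "?" not in g and g.lower() not in needed)
    return missing, wildcards, excess


# Constructed example of an over-broad policy, for comparison.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances"]},
    {"Effect": "Allow", "Resource": "*", "Action": "s3:*"}]}

if __name__ == "__main__":
    print(review_policy(BROAD_POLICY))
```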
I can't find my shared AMI:
The Canary AMIs are unique per region and per account / AWS ID.
This means that we'll need to share the AMIs with you in order for you to access and launch them.
Your AMI can be found by either following the link from your Console UI as shown below:
Alternatively, you can head over to your AMI Catalogue here, and navigate to AMIs shared with you.
If the AMI is still not visible to you, and you're receiving the "AMI X is not valid" error, you may be in the incorrect region, or using a different AWS ID from the one we've previously shared the AMI with.
If you are using a new AWS account ID which we haven't shared the AMI with yet, feel free to reach out to support@canary.tools to gain access to the AMI.