Skip to content

Deploying the SenseOn Universal Sensor on AWS EC2

This guide walks you through deploying the SenseOn Universal Sensor on an EC2 instance in AWS, enabling visibility into host activity, Docker containers, and Kubernetes workloads (e.g., EKS).

Prerequisites

💡 Install command: Your tenant-specific install command and installer key are available from Settings > Universal Sensor in the SenseOn platform.

  • SenseOn account with access to Settings > Universal Sensor (to retrieve your install command and installer key)
  • AWS permissions to:
  • Launch and manage EC2 instances
  • Connect via EC2 Instance Connect or Systems Manager (SSM)
  • Manage EKS clusters and EC2 node groups
  • A supported EC2 AMI (e.g., Amazon Linux 2, Ubuntu 20.04+, RHEL 7+)
  • Outbound HTTPS access from the EC2 instance to your tenant's SenseOn domain

Option A: Install at Launch via User Data

For new instances, the simplest deployment method is to embed the SenseOn install command in the instance user data. The agent installs automatically the first time the instance boots.

  1. Go to AWS Console > EC2 > Launch Instance.
  2. Configure your AMI, instance type, key pair, networking and IAM role as usual.

  3. Expand Advanced details and paste the following into User data, substituting your tenant hostname and installer key:

    #!/bin/bash
curl -fsSL https://<your-tenant>.senseon.io/install.sh \
  | SENSEON_INSTALLER_KEY="<your-installer-key>" bash

  4. Launch the instance.

The Universal Sensor will install during first boot. Verify the host appears in Digital Estate > Devices within a few minutes.

💡 Auto Scaling groups: Add the same user data block to your launch template so every scaled-out instance installs the sensor automatically.

Option B: Install on a Running Instance

For instances that are already running:

  1. Connect to the instance via EC2 Instance Connect, AWS Systems Manager Session Manager, or SSH.

  2. Run the install command copied from Settings > Universal Sensor:

    curl -fsSL https://<your-tenant>.senseon.io/install.sh \
  | sudo SENSEON_INSTALLER_KEY="<your-installer-key>" bash

The installer detects whether the host uses apt or rpm and installs the appropriate package.

🛡 Optional: Verify the install script checksum

If your security policy requires checksum verification before executing remote scripts, download the script first, verify the checksum, then run it:

# Step 1: Download the script
curl -fsSL https://<your-tenant>.senseon.io/install.sh -o install.sh
# Step 2: Verify the checksum (compare against the value shown in Settings > Universal Sensor)
sha256sum install.sh
# Step 3: Run the script
sudo SENSEON_INSTALLER_KEY="<your-installer-key>" bash install.sh

Option C: Install via Systems Manager (Run Command)

For fleet-wide deployment to existing instances:

  1. In AWS Systems Manager, open Run Command and choose the AWS-RunShellScript document.

  2. Set the command to:

    curl -fsSL https://<your-tenant>.senseon.io/install.sh \
  | SENSEON_INSTALLER_KEY="<your-installer-key>" bash

  3. Select your target instances (by tag, resource group, or instance IDs).

  4. Run the command.

SSM reports per-instance status as the install completes on each host.

Verify in the SenseOn Portal

  1. Log in to the SenseOn web portal.
  2. Navigate to Digital Estate > Devices.
  3. Look for the new EC2 host(s) with a recent Last Seen timestamp.

Additional Notes

  • The Universal Sensor must be installed on the host OS to observe containers and pods correctly.
  • In EKS or ECS environments, deploy the sensor directly on EC2 nodes — not inside a pod or container.
  • The host needs outbound HTTPS access to your tenant's SenseOn domain. If a strict egress policy is in place, allow-list *.senseon.io and *.snson.net.
  • Use systemctl status senseon-seed.service to check agent status.

Troubleshooting

Install command fails to download the script

  • Verify the instance has outbound HTTPS access to your tenant's SenseOn domain.
  • If TLS interception is in place, ensure *.snson.net and *.senseon.io are excluded.

Agent not reporting

  • Verify the host appears in Digital Estate > Devices.

  • Check the service status:

    sudo systemctl status senseon-seed.service

  • Restart the service or reboot the instance if the above does not resolve the issue.

  • For further help, see Troubleshooting or contact support@senseon.io.