Install OX Runtime Sensor on AWS EC2

Install the OX Runtime Sensor as a systemd service on an AWS EC2 instance. Setting OX_DEPLOYMENT_TYPE=ec2 enables automatic instance ID enrichment via the EC2 Instance Metadata Service (IMDSv2).

Prerequisites

EC2 instance with Linux kernel v5.10 and later and BTF enabled (/sys/kernel/btf/vmlinux must exist).
Docker or containerd installed and running.
sudo access on the instance.
Outbound HTTPS access to api.cloud.ox.security
IMDSv2 reachable from the instance (default on standard EC2).
An OX API key.

Step 1: Install the sensor

curl -s https://charts.cloud.ox.security/install.sh | \
  sudo OX_API_KEY=<API_KEY> \
       OX_DEPLOYMENT_TYPE=ec2 \
       OX_CLUSTER_NAME=<CLUSTER_NAME> \
       OX_CLOUD_REGION=<AWS_REGION> \
       OX_CLOUD_ACCOUNT_ID=<AWS_ACCOUNT_ID> \
       bash

Example:

curl -s https://charts.cloud.ox.security/install.sh | \
  sudo OX_API_KEY=oxkey-abc123 \
       OX_DEPLOYMENT_TYPE=ec2 \
       OX_CLUSTER_NAME=prod-workers \
       OX_CLOUD_REGION=us-east-1 \
       OX_CLOUD_ACCOUNT_ID=123456789012 \
       bash

The script auto-detects your container runtime, stores the API key securely in /root/ox-runtime-sensor/env (mode 0600), and starts the ox-runtime-sensor systemd service.

Step 2: Verify

curl -s https://charts.cloud.ox.security/install.sh | sudo bash -s -- --status
sudo journalctl -u ox-runtime-sensor -f

The sensor appears in the OX UI grouped by OX_CLUSTER_NAME, with cloud account and region metadata on each event. The instanceId field is automatically populated from IMDSv2.

Step 3: Connect to OX Runtime Sensor

Configuration reference

Variable

Required

Default

Description

OX_API_KEY

yes

—

API key from the OX Security dashboard

OX_DEPLOYMENT_TYPE

yes

local

Must be ec2 to enable IMDSv2 instance ID enrichment

OX_CLUSTER_NAME

system hostname

Cluster or host-group name shown in the OX UI

OX_CLOUD_PROVIDER

aws when OX_DEPLOYMENT_TYPE=ec2

Cloud provider. Defaults to aws automatically for EC2 deployments

OX_CLOUD_REGION

—

AWS region (for example, us-east-1). Injected into every event

OX_CLOUD_ACCOUNT_ID

—

AWS account ID (for example, 123456789012). Injected into every event

OX_API_ENDPOINT

https://api.cloud.ox.security/api/agent-service

OX backend endpoint (do not change unless instructed)

Uninstall

curl -s https://charts.cloud.ox.security/install.sh | sudo bash -s -- --uninstall

Last updated 9 days ago

hashtagPrerequisites

hashtagStep 1: Install the sensor

hashtagStep 2: Verify

hashtagStep 3: Connect to OX Runtime Sensor

hashtagConfiguration reference

hashtagUninstall