AWS AMI Deployment Guide

Deployment Guides

The ThreatX WAF Sensor AMI can be used to quickly and easily add application security to applications

deployed in AWS VPCs. The AMI can be found by launching an instance and searching for “ThreatX WAF” when choosing an AMI.


The AMI has the following attributes:

  • Based on the latest (at the time of publishing) CentOS AMI
  • Pulls the latest version of the txWAF Sensor container from Docker Hub at instance launch and on service restart
  • Restarts the txWAF docker container if it stops
  • Can be orchestrated via User-Data

Minimum Requirements

Instance size of t3.micro or larger to satisfy the minimum requirements of 2 CPU cores and 1 GB RAM.

Disk size should be a minimum of 20 GB.

Launching the AMI

In the simplest deployment, the AMI can be launched with the following User-Data information:



 - path: /etc/txconf

   content: |





Note: This example is provided yml format. Spaces must be used when formatting this data, and not tabs or other whitespace characters/indentation methods.

You can set the SENSOR_TAGS variable to a comma delimited list of tags that can help you filter the sensors within the ThreatX Dashboard UI or API.


The AMI is based on a CentOS build and the centos user can be used to login. Make sure to reference your private ssh key when connecting: $ ssh -i sshkey.pem centos@

Once logged in, you can sudo su to get root access.

sudo su

To see the AMI version, run this command on either the CentOS host or within the ThreatX WAF container.


To follow the CentOS system log, run

journalctl -f

To see the ThreatX WAF docker container, run

docker ps

To get a shell into the ThreatX WAF container, run

docker exec -it txwaf bash

Last Updated 2023-03-09

On this page

Additional Resources