Skip to main content

AWS Deployment

Deploy the FailZero agent on AWS using EC2 or ECS/Fargate.

EC2

1. Create IAM Role

2. Attach IAM Policies

Scope permissions to specific resources in production. These examples use wildcards for simplicity.

3. Create Instance Profile

4. Launch EC2 Instance

ECS/Fargate

1. Create Task Execution Role

2. Create Task Definition

Register the task definition:

3. Create ECS Service

Replace subnet-xxx and sg-xxx with your actual VPC subnet and security group IDs. The security group must allow outbound HTTPS.

IAM Permissions

Minimum Required

ServiceActionsPurpose
RDSrds:PromoteReadReplica, rds:DescribeDBInstancesPromote replicas
Route53route53:ChangeResourceRecordSetsUpdate DNS records

Optional (Based on DR Plan)

ServiceActionsPurpose
Auto Scalingautoscaling:UpdateAutoScalingGroupScale compute
ECSecs:UpdateServiceScale containers
Secrets Managersecretsmanager:GetSecretValueRead secrets
S3s3:GetObject, s3:PutObjectBackup operations
SNSsns:PublishNotifications

Verify Deployment

EC2

ECS

Expected output:

Troubleshooting

Permission denied errors:
  • Verify IAM role/policy is attached correctly
  • Check task role (not execution role) has DR permissions
  • Ensure Secrets Manager permissions for token retrieval
Cannot reach API:
  • Verify security group allows outbound HTTPS (port 443)
  • Check NAT gateway if running in private subnet
  • Ensure VPC endpoints or internet gateway is configured
Task keeps restarting:
  • Check CloudWatch logs for error messages
  • Verify Secrets Manager secret exists and is accessible
  • Confirm AWS_ACCOUNT_ID and AWS_REGION are correct

Next Steps

Example Plans

AWS-specific DR configurations

Multi-Cloud

Fail over between AWS and GCP