Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
FreeBSD 11 on AWS EC2, with CloudWatch Logs and EC2 Metrics


This is how you would create a livable FreeBSD instance on EC2 by hand. The smart thing to do is to automate most of these actions. But I do it this way so you can see and understand all the different techniques. I want to create FreeBSD instances in EC2 and I want some of the management benefits that come from native AWS technologies like CloudWatch. It can be done, but it takes a bit of extra work because FreeBSD isn't Linux, and AWS doesn't directly support FreeBSD.

Prepping in AWS land

Before we go far, we will want some things setup in AWS IAM and VPC. I assume you have already created a VPC, decided what network numbers you're going to use, created a subnet and so on. If you haven't done those basic things, you need to go do them. I also assume you've created an ssh key and uploaded it to your AWS account.

Instance Role

I use the AWS-managed policy CloudWatchAgentServerPolicy. The right way to do this is to assign a role to the instance, then assign the policies to the role.

Security Group

We will want a security group that allows access to the right IP addresses (e.g., on-prem, your house, your office, etc.)

Launch the instance

Go to the EC2 console. Pick AWS Marketplace. Pick the one created by Colin Percival on the FreeBSD team. Choose security group, role, storage, etc.

Login for the first time

Go to the EC2 console and lookup the IP address of the instance you just launched. Assuming that IP address is you'd login like this:

ssh ec2-user@

Become root so you can update this thing a bit.

su - root

Install typical stuff. These are some of the packages I install:

  • bash
  • tmux
  • curl
  • python2
  • python3
  • git
  • sudo

So I just do:

pkg install bash tmux curl python2 python3 git sudo

Add user for myself. Just run adduser and manually answer the questions. When it asks Invite user into other groups I type wheel so that my unprivileged login ID is in the wheel group.

Edit the sudoers file so that I can sudo from my unprivileged account. Use visudo. Find the commented out rule that allows wheel to run any command. Uncomment it. Save and exit.

Update the passwd file

Run vipw. Edit the line that has root. The second field is null, which is why root had no password when you logged in. Put a * or some other garbage in there, so it looks like this:

root:*:0:0::0:0:Charlie &:/root:/bin/csh

I remove the toor user. I don't think it has any purpose in a cloud environment.

Edit /etc/ssh/sshd_config

Let's prevent it from allowing passwords at all.

  • set ChallengeResponseAuthentication no
  • Then run service sshd restart


Ok at this point the system is pretty usable. Before you give up your root privileges, ssh into your instance as your unprivileged user. Make sure you can sudo and such. If that works, we can finally get on to the AWS-specific stuff.

Enable AWS Monitoring

In prior versions of this doc, I recommended installing the cwlogs agent and the EC2 monitoring agent. Both of those have been deprecated by AWS in favour of their unified CloudWatch Agent. That agent, however, is only distributed in binary form and the only binaries they ship are Linux and Windows binaries.

I now use Telegraf and configure it to send its output to CloudWatch metrics.

  1. sudo pkg install telegraf (No dependencies! Whee!)
  2. Here's the telegraf.conf file that I use.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment