

# Install and manage agents for EC2 instances
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2"></a>

Follow the steps in this section to install Network Flow Monitor agents for workloads on Amazon EC2 instances. You can install agents by using SSM or by downloading and installing prebuilt packages for the Network Flow Monitor agent by using the command line.

Regardless of the method that you use to install agents on EC2 instances, you must configure permissions for the agents to enable them to send performance metrics to the Network Flow Monitor backend.

**Topics**
+ [Configure permissions for agents](CloudWatch-NetworkFlowMonitor-agents-ec2-permissions.md)
+ [EC2 instance agents with SSM](CloudWatch-NetworkFlowMonitor-agents-ec2-install-ssm.md)
+ [Download and install the agent](CloudWatch-NetworkFlowMonitor-agents-download-agent-commandline.md)

# Configure permissions for agents
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2-permissions"></a>

To enable agents to send metrics to the Network Flow Monitor ingestion backend, the EC2 instances that the agents run in must use a role that has a policy attached with the correct permissions. To provide the required permissions, use a role that has the following AWS managed policy attached: [CloudWatchNetworkFlowMonitorAgentPublishPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorAgentPublishPolicy.html). Attach this policy to the IAM roles of the EC2 instances where you plan to install Network Flow Monitor agents.

We recommend that you add the permissions before you install agents on the EC2 instances. You can choose to wait until after you install agents, but the agents won't be able to send metrics to the service until the permissions are in place.

**To add permissions for Network Flow Monitor agents**

1. In the AWS Management Console, in the Amazon EC2 console, locate the EC2 instances that you plan to install Network Flow Monitor agents on.

1. Attach the [CloudWatchNetworkFlowMonitorAgentPublishPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorAgentPublishPolicy.html) to the IAM role for each instance.

   If an instance doesn't have an IAM role attached, choose a role by doing the following:

   1. Under **Actions**, choose **Security**.

   1. Choose **Modify IAM role**, or create a new role by choosing **Create new IAM role**.

   1. Choose a role for the instance, and attach the [CloudWatchNetworkFlowMonitorAgentPublishPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorAgentPublishPolicy.html) policy.

# Install agents on EC2 instances with SSM
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2-install-ssm"></a>

Network Flow Monitor agents provide performance metrics about network flows. Follow the steps in this section to install and work with Network Flow Monitor agents on EC2 instances, by using AWS Systems Manager. If you use Kubernetes, skip to the next sections for information about installing agents with Amazon EKS clusters or self-managed Kubernetes clusters.

Network Flow Monitor provides a Distributor package for you in Systems Manager to use to install or uninstall agents. In addition, Network Flow Monitor provides a document to activate or deactivate agents, by using the Document Type command. Use standard Systems Manager procedures to use the package and the document, or follow the steps provided here for detailed guidance.

For more information in general about using Systems Manager, see the following documentation:
+ [AWS Systems Manager Run Command](https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html)
+ [AWS Systems Manager Distributor](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor.html)

Complete the steps in the following sections to configure permissions, install, and work with Network Flow Monitor agents.

**Contents**
+ [Install or uninstall agents](#CloudWatch-NetworkFlowMonitor-agents-ec2-install)
+ [Activate or deactivate agents](#CloudWatch-NetworkFlowMonitor-agents-ec2-manage)

## Install or uninstall agents by using Systems Manager
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2-install"></a>

Network Flow Monitor provides a distributor package in AWS Systems Manager for you to install Network Flow Monitor agents: **AmazonCloudWatchNetworkFlowMonitorAgent**. To access and run the package to install agents, follow the steps provided here. 

**To install agents in EC2 instances**

1. In the AWS Management Console, in AWS Systems Manager, under **Node Tools**, choose **Distributor**.

1. Under **Owned by Amazon**, locate the Network Flow Monitor package, **AmazonCloudWatchNetworkFlowMonitorAgent**, and select it.

1. In the **Run command** flow, choose **Install one time** or **Install on schedule**.

1. In the **Target selection** section, choose how you want to select your EC2 instances to install agents on. You can select instances based on tags, choose instances manually, or base the choice on resource groups. 

1. In the **Command parameters** section, under **Action**, choose **Install**.

1. Scroll down, if necessary, and then choose **Run** to start the installation.

If the installation is successful and the instances have permissions to access Network Flow Monitor endpoints, the agent will start collecting metrics and send reports to the Network Flow Monitor backend. 

Agents that are active (sending metrics data) incur billing costs. For more information about Network Flow Monitor and Amazon CloudWatch pricing, see Network Monitoring on the [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/) page. If you don't need metrics data temporarily, you can deactivate an agent. For more information, see [Activate or deactivate agents](#CloudWatch-NetworkFlowMonitor-agents-ec2-manage). If you no longer need Network Flow Monitor agents, you can uninstall them from the EC2 instances.

**To uninstall agents from EC2 instances**

1. In the AWS Management Console, in AWS Systems Manager, under **Node Tools**, choose **Distributor**.

1. Under **Owned by Amazon**, locate the Network Flow Monitor package, **AmazonCloudWatchNetworkFlowMonitorAgent**, and select it.

1. In the **Command parameters** section, under **Action**, choose **Uninstall**.

1. Select the EC2 instances to uninstall agents from. 

1. Scroll down, if necessary, and then choose **Run** to start the uninstallation.

## Activate or deactivate agents by using Systems Manager
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2-manage"></a>

After you install a Network Flow Monitor agent with SSM, you must activate it to receive network flow metrics from the instance where it's installed. Agents that are active (sending metrics data) incur billing costs. For more information about Network Flow Monitor and Amazon CloudWatch pricing, see Network Monitoring on the [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/) page. If you don't need metrics data temporarily, you can deactivate an agent to prevent ongoing billing for the agent.

Network Flow Monitor provides a document in AWS Systems Manager that you can use to activate or deactivate agents that you've installed on your EC2 instances. By running this document to manage the agents, you can activate them to begin receiving performance metrics. Or, you can deactivate them to temporarily stop metrics from being sent, without uninstalling the agents.

The document in SSM that you can use to activate or deactivate agents is called **AmazonCloudWatch-NetworkFlowMonitorManageAgent**. To access and run the document, follow the steps in the procedure. 

**To activate or deactivate Network Flow Monitor agents**

1. In the AWS Management Console, in AWS Systems Manager, under **Change Management Tools**, choose **Documents**.

1. Under **Owned by Amazon**, locate the Network Flow Monitor document, **AmazonCloudWatch-NetworkFlowMonitorManageAgent**, and select the document.

1. In the **Target selection** section, choose how you want to select the EC2 instances whose agents you want to activate or deactivate. You can select instances based on tags, choose instances manually, or base the choice on resource groups. 

1. In the **Command parameters** section, under **Action**, choose **Activate** or **Deactivate**, depending on the action that you want to take for the agents.

1. Scroll down, if necessary, and then choose **Run** to run the document.

# Download prebuilt packages of the Network Flow Monitor agent by using the command line
<a name="CloudWatch-NetworkFlowMonitor-agents-download-agent-commandline"></a>

You can use the command line to install the Network Flow Monitor agent as a package in Amazon Linux 2023, or download and install prebuilt packages of the Network Flow Monitor agent.

Before or after you download a prebuilt package, you can optionally verify the package signature. For more information, see [Verify the signature of the Network Flow Monitor agent package](#CloudWatch-NetworkFlowMonitor-agents-download-agent-commandline-verify-sig).

Choose from the following instructions, depending on the Linux operating system that you're using and the type of installation that you want.

**Amazon Linux AMIs**  
The Network Flow Monitor agent is available as a package in Amazon Linux 2023. If you're using this operating system, you can install the package by entering the following command:   
`sudo yum install network-flow-monitor-agent`  
You must also make sure that the IAM role attached to the instance has the [CloudWatchNetworkFlowMonitorAgentPublishPolicy](security-iam-awsmanpol-network-flow-monitor.md#security-iam-awsmanpol-CloudWatchNetworkFlowMonitorAgentPublishPolicy) policy attached. For more information, see [Configure permissions for agents](CloudWatch-NetworkFlowMonitor-agents-ec2-permissions.md).

**Amazon Linux 2023**  
Install the package for your architecture by using one of the following commands:  
+ **x86_64**: `sudo yum install https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.rpm` 
+ **ARM64 (Graviton)**: `sudo yum install https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.rpm` 
Verify that Network Flow Monitor agent is successfully installed by running the following command and verifying that the response shows that the agent is enabled and active:  

```
service network-flow-monitor status
network-flow-monitor.service - Network Flow Monitor Agent
     Loaded: loaded (/usr/lib/systemd/system/network-flow-monitor.service; enabled; preset: enabled)
     Active: active (running) since Wed 2025-04-23 19:17:16 UTC; 1min 9s ago
```

**DEB-based distributions (Debian, Ubuntu)**  
Install the package for your architecture by using one of the following commands:  
+ **x86_64**: `wget https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.deb` 
+ **ARM64 (Graviton)**: `wget https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.deb` 
Install the package by using the following command: `$ sudo apt-get install ./network-flow-monitor-agent.deb`  
Verify that Network Flow Monitor agent is successfully installed by running the following command and verifying that the response shows that the agent is enabled and active:  

```
service network-flow-monitor status
network-flow-monitor.service - Network Flow Monitor Agent
     Loaded: loaded (/usr/lib/systemd/system/network-flow-monitor.service; enabled; preset: enabled)
     Active: active (running) since Wed 2025-04-23 19:17:16 UTC; 1min 9s ago
```

## Verify the signature of the Network Flow Monitor agent package
<a name="CloudWatch-NetworkFlowMonitor-agents-download-agent-commandline-verify-sig"></a>

The Network Flow Monitor agent rpm and deb installer packages for Linux instances are cryptographically signed. You can use a public key to verify that the agent package is original and unmodified. If the files are damaged or have been altered, the verification fails. You can verify the signature of the installer package using either RPM or GPG. The following information is for Network Flow Monitor agent versions 0.1.3 or later. 

To find the correct signature file for each architecture and operating system, use the following table.


| Architecture | Platform | Download link | Signature file link | 
| --- | --- | --- | --- | 
|  x86-64 |  Amazon Linux 2023  |  https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.rpm  |  https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.rpm.sig  | 
|  ARM64 |  Amazon Linux 2023  |  https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.rpm  |  https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.rpm.sig  | 
|  x86-64 |  Debian/Ubuntu  |  https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.deb  |  https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.deb.sig  | 
|  ARM64 |  Debian/Ubuntu  |  https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.deb  |  https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.deb.sig  | 

Follow the steps here to verify the signature of the Network Flow Monitor agent.

**To verify the signature of the Network Flow Monitor agent for Amazon S3 package**

1. Install GnuPG so that you can run the gpg command. GnuPG is required to verify the authenticity and integrity of a downloaded Network Flow Monitor agent for an Amazon S3 package. GnuPG is installed by default on Amazon Linux Amazon Machine Images (AMIs).

1. Copy the following public key and save it to a file named `nfm-agent.gpg`.

   ```
   -----BEGIN PGP PUBLIC KEY BLOCK-----
   
   mQINBGf0b5IBEAC6YQc0aYrTbcHNWWMbLuqsqfspzWrtCvoU0yQ62ld7nvCGBha9
   lu4lbhtiwoDawC3h6Xsxc3Pmm6kbMQfZdbo4Gda4ahf6zDOVI5zVHs3Yu2VXC2AU
   5BpKQJmYddTb7dMI3GBgEodJY05NHQhq1Qd2ptdh03rsX+96Fvi4A6t+jsGzMLJU
   I+hGEKGif69pJVyptJSibK5bWCDXh3eS/+vB/CbXumAKi0sq4rXv/VPiIhn6bsCI
   A2lmzFd3vMJQUM/T7m7skrqetZ4mWHr1LPDFPK/H/81s8TJawx7MACsK6kIRUxu+
   oicW8Icmg9S+BpIgONT2+Io5P1tYO5a9AyVF7X7gU0VgHUA1RoLnjHQHXbCmnFtW
   cYEuwhUuENMl+tLQCZ+fk0kKjOlIKqeS9AVwhks92oETh8wpTwTE+DTBvUBP9aHo
   S39RTiJCnUmA6ZCehepgpwW9AYCc1lHv/xcahD418E0UHV22qIw943EwAkzMDA4Q
   damdRm0Nud0OmilCjo9oogEB+NUoy//5XgQMH1hhfsHquVLU/tneYexXYMfo/Iu5
   TKyWL2KdkjKKP/dMR4lMAXYi0RjTJJ5tg5w/VrHhrHePFfKdYsgN6pihWwj2Px/M
   ids3W1Ce50LOEBc2MOKXYXGd9OZWyR8l15ZGkySvLqVlRGwDwKGMC/nS2wARAQAB
   tEJOZXR3b3JrIEZsb3cgTW9uaXRvciBBZ2VudCA8bmV0d29yay1mbG93LW1vbml0
   b3ItYWdlbnRAYW1hem9uLmNvbT6JAlcEEwEIAEEWIQR2c2ypl63T6dJ3JqjvvaTM
   vJX60QUCZ/RvkgIbAwUJBaOagAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAK
   CRDvvaTMvJX60euSD/9cIu2BDL4+MFFHhyHmG3/se8+3ibW0g8SyP3hsnq7qN+bm
   ZzLAhll7DVoveNmEHI1VC7Qjwb30exgLcyK2Ld6uN6lwjjK0qiGGz943t230pJ3z
   u7V2fVtAN+vgDVmD7agE6iqrRCWu3WfcgzFlEkE/7nkhtbWzlaK+NkdEBzNZ+W7/
   FmLClzIbMjIBW2M8LdeZdQX0SWljy18x7NGNukWeNTJxmkDsjAeKl+zkXYk9h7ay
   n3AVl1KrLZ5P9vQ5XsV5e4T6qfQ3XNY1lm54cpa+eD7NyYcTGRDK+vIxO4xD8i2M
   yl1iNf2+84Tt6/SAgR/P9SJ5tbKD0iU9n4g1eBJVGmHDuXTtDR4H/Ur7xRSxtuMl
   yZP/sLWm8p7+Ic7aQJ5OVw36MC7Oa7/K/zQEnLFFPmgBwGGiNiw5cUSyCBHNvmtv
   FK0Q2XMXtBEBU9f44FMyzNJqVdPywg8Y6xE4wc/68uy7G6PyqoxDSP2ye/p+i7oi
   OoA+OgifchZfDVhe5Ie0zKR0/nMEKTBV0ecjglb/WhVezEJgUFsQcjfOXNUBesJW
   a9kDGcs3jIAchzxhzp/ViUBmTg6SoGKh3t+3uG/RK2ougRObJMW3G+DI7xWyY+3f
   7YsLm0eDd3dAZG3PdltMGp0hKTdslvpws9qoY8kyR0Fau4l222JvYP27BK44qg==
   =INr5
   -----END PGP PUBLIC KEY BLOCK-----
   ```

1. Import the public key into your keyring and note the returned value.

   ```
   $ gpg --import nfm-agent.gpg
   gpg: key 3B789C72: public key "Network Flow Monitor Agent" imported
   gpg: Total number processed: 1
   gpg: imported: 1 (RSA: 1)
   ```

   Make a note of the key value because you need it in the next step. In this example, the key value is `3B789C72`.

1. Verify the fingerprint by running the following command. Be sure to replace *key-value* with the value from the preceding step. We recommend that you use GPG to verify the fingerprint even if you use RPM to verify the installer package.

   ```
   $ gpg --fingerprint key-value
   pub   rsa4096 2025-04-08 [SC] [expires: 2028-04-07]
         7673 6CA9 97AD D3E9 D277  26A8 EFBD A4CC BC95 FAD1
   uid   Network Flow Monitor Agent <network-flow-monitor-agent@amazon.com>
   ```

   The fingerprint string should be equal to the following:

   `7673 6CA9 97AD D3E9 D277 26A8 EFBD A4CC BC95 FAD1`

   If the fingerprint string doesn't match, don't install the agent. Contact Amazon Web Services.

   After you have verified the fingerprint, you can use it to verify the signature of the Network Flow Monitor agent package.

1. Download the package signature file, if you haven't already done so, based on your instance's architecture and operating system.

1. Verify the installer package signature. Be sure to replace `signature-filename` and `agent-download-filename` with the values that you specified when you downloaded the signature file and agent, as shown in the table earlier in this topic.

   ```
   $ gpg --verify signature-filename agent-download-filename
   gpg: Signature made Tue Apr  8 00:40:02 2025 UTC
   gpg:                using RSA key 77777777EXAMPLEKEY
   gpg:                issuer "network-flow-monitor-agent@amazon.com"
   gpg: Good signature from "Network Flow Monitor Agent <network-flow-monitor-agent@amazon.com>" [unknown]
   gpg: WARNING: Using untrusted key!
   ```

   If the output includes the phrase `BAD signature`, check to make sure that you performed the procedure correctly. If you continue to get this response, contact [AWS Support](https://aws.amazon.com/premiumsupport/) and avoid using the downloaded file.

   Note the warning about trust. A key is trusted only if you or someone who you trust has signed it. This doesn't mean that the signature is invalid, only that you have not verified the public key.
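The GPG procedure above as a fail-closed script, added here as an example and not part of the AWS documentation: it pins the fingerprint published in this topic and checks gpg's machine-readable `VALIDSIG` status line rather than the human-readable `Good signature` text, which also appears for keys you have not verified. The function names, the throwaway keyring, and the argument order (package, signature file, key file) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not AWS-provided code). The pinned fingerprint is the one
# published in this topic; function names and argument order are assumptions.

PINNED_FPR="76736CA997ADD3E9D27726A8EFBDA4CCBC95FAD1"

# Remove whitespace and upper-case, so "7673 6CA9 ..." compares equal to the
# 40-character form that gpg emits on its status lines.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd 1 --verify` output on stdin. Succeed only if a VALIDSIG
# line ends with the expected primary-key fingerprint and no failure status
# (bad signature, missing, expired or revoked key) was reported.
status_is_trusted() {
  _want="$(normalize_fpr "$1")"
  _ok=1
  while IFS= read -r _line; do
    case "$_line" in
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) return 1 ;;
      "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
      "[GNUPG:] VALIDSIG "*)
        # The last field of VALIDSIG is the primary key's fingerprint.
        if [ "${_line##* }" = "$_want" ]; then _ok=0; else return 1; fi ;;
    esac
  done
  return "$_ok"
}

# Verify package $1 against detached signature $2 using only the key in $3.
# A throwaway keyring keeps other keys on the host from satisfying the check.
verify_agent_package() {
  _home="$(mktemp -d)" || return 1
  chmod 700 "$_home"
  if ! gpg --homedir "$_home" --batch --quiet --import "$3" 2>/dev/null; then
    rm -rf "$_home"
    return 1
  fi
  gpg --homedir "$_home" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | status_is_trusted "$PINNED_FPR"
  _rc=$?
  rm -rf "$_home"
  return "$_rc"
}

# When run with three arguments, verify and exit non-zero on any failure so
# that an install step chained after this script never runs on a bad package.
if [ "$#" -eq 3 ]; then
  if verify_agent_package "$1" "$2" "$3"; then
    echo "signature OK: $1"
  else
    echo "signature check FAILED: do not install $1" >&2
    exit 1
  fi
fi
```

Run it as `./verify-nfm-agent.sh network-flow-monitor-agent.rpm network-flow-monitor-agent.rpm.sig nfm-agent.gpg` (the script file name is hypothetical) and install only when it exits with status 0.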

Next, follow the steps here to verify the RPM package.

**To verify the signature of the RPM package**

1. Save the Network Flow Monitor agent public key to a file named `nfm-agent.gpg`. This is the same PGP public key block that is shown in the GPG procedure earlier in this topic.

1. Import the public key into your keyring.

   ```
   $ rpm --import nfm-agent.gpg
   ```

1. Verify the installer package signature. Be sure to replace the `agent-download-filename` with the value that you specified when you downloaded the agent, as shown in the table earlier in this topic.

   ```
   $ rpm --checksig agent-download-filename
   ```

   For example, for the x86_64 architecture on Amazon Linux 2023, use the following command:

   ```
   $ rpm --checksig network-flow-monitor-agent.rpm
   ```

   This command returns output similar to the following.

   ```
   network-flow-monitor-agent.rpm: digests signatures OK
   ```

   If the output contains the phrase `NOT OK (MISSING KEYS: (MD5) key-id)`, check to make sure that you performed the procedure correctly. If you continue to get this response, contact [AWS Support](https://aws.amazon.com/premiumsupport/) and don't install the agent.