# AWS Marketplace

The AWS Marketplace offering requires AWS MSK (Managed Apache Kafka) to be available. Optionally, AWS RDS (or any other PostgreSQL-compatible database) can be configured for Lenses to store its state.

The following AWS resources are created:

* An EC2 instance that runs Lenses;
* A SecurityGroup to allow network access to the Lenses UI;
* A SecurityGroupIngress for Lenses to connect to MSK;
* A CloudWatch LogGroup where Lenses stores its logs;
* An IAM Role to allow the EC2 instance to store logs;
* An IAM InstanceProfile to pass the role to the EC2 instance;
* Optionally if enabled during deployment: an IAM Policy to allow the EC2 instance to emit CloudWatch metrics.

Deployment takes approximately three minutes.

## AWS Marketplace Installation <a href="#aws-marketplace-installation" id="aws-marketplace-installation"></a>

Select **CloudFormation Template**, **Lenses EC2** and your region.

<figure><img src="/files/XdD3noLF3I301K6ixhiN" alt=""><figcaption><p>Cloud formation</p></figcaption></figure>

Choose **Launch CloudFormation.**

<figure><img src="/files/5rJnqo3mN0KOO248ypoW" alt=""><figcaption><p>Launch</p></figcaption></figure>

Continue with the default options for creating the stack in the AWS wizard.

Fill in the parameters at *Specify stack details*.

* **Deployment** Here the EC2 instance size and password for the Lenses admin user are set. A t2.large instance size is recommended;
* **Network Configuration** This section controls the network settings of the Lenses EC2 instance. The ingress allows access to the Lenses UI only from particular IP addresses;
* **MSK** Set the Security Group ID to that of your MSK cluster. A rule will be added to it so that Lenses can communicate with your cluster. You can find the ID by navigating in the AWS console to your MSK cluster and then under *Properties -> Networking settings*;
* **Monitoring** Optionally produce the Lenses logs to CloudWatch;
* **Storage** Lenses stores its state in a database locally on the EC2 instance’s disk or in a PostgreSQL database. Local storage is a development/quickstart option and is **not** suitable for production use. It is advised to use a Postgres database for smoother upgrades.

Review the stack.

<figure><img src="/files/02pgyl2TiRKh51pcN0nB" alt=""><figcaption><p>Review</p></figcaption></figure>

Accept the terms and conditions and create the stack.

<figure><img src="/files/jfBsqt3aaWN797m3UGnM" alt=""><figcaption><p>T&#x26;C</p></figcaption></figure>

Once the stack has deployed, go to the Output tab and click on the FQDN link. If there are no outputs listed you might need to press the refresh button.

<figure><img src="/files/NqG53p2uvvH1YJeMMSFa" alt=""><figcaption><p>Output</p></figcaption></figure>

Login to Lenses with *admin* and the password value you have submitted for the parameter `LensesAdminPassword.`

## IAM Support <a href="#iam-support" id="iam-support"></a>

Lenses supports connection to MSK brokers via IAM. If Lenses is deployed on an EC2 instance it will use the default credential chain loader to authenticate and connect to MSK.

## Supported Regions <a href="#supported-regions" id="supported-regions"></a>

The following Regions are supported:

* `us-east-1`;
* `us-east-2`;
* `us-west-1`;
* `us-west-2`;
* `ca-central-1`;
* `eu-central-1`;
* `eu-west-1`;
* `eu-west-2`;
* `eu-west-3`;
* `ap-southeast-1`;
* `ap-southeast-2`;
* `ap-south-1`;
* `ap-northeast-1`;
* `ap-northeast-2`;
* `sa-east-1`.

## Security Recommendations <a href="#security-recommendations" id="security-recommendations"></a>

Please:

* Do not use your AWS root user for deployment or operations;
* Follow the least privileges principle when granting access to individual IAM user accounts;
* Avoid allowing traffic to the Lenses UI from a broad CIDR block where a more specific block could be used.

## Pricing <a href="#pricing" id="pricing"></a>

AWS billing applies for the EC2 instance, CloudWatch logs and optionally CloudWatch metrics.

For the hourly billed version additional hourly charges apply, which depend on the instance size. For the Bring Your Own License (BYOL) you can get a free trial license [here](https://lenses.io/downloads/lenses-enterprise/).

## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

In case you run into problems, e.g. you cannot connect to Lenses, then the logs could provide more information. The easiest route to do this is to go to CloudWatch in the AWS console. Here, find the log group corresponding to your deployment (it has the same name as the deployment) and pick a log stream. The stream with the `/lenses.log` suffix contains all log lines regardless of the log level; the stream with the `/lenses-warn.log` suffix only contains warning-level logs.

If the above fails, for example, because the logs integration is broken, you can SSH into the EC2 instance. Lenses is installed into `/opt/lenses`, the logs can be found under `/opt/lenses/logs` for further inspection


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.lenses.io/latest/devx/5.5/deployment/installation/aws-marketplace.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.