How can I update yum or install packages without internet access on my EC2 instances running Amazon Linux 1 or Amazon Linux 2?

Short description

Amazon Linux repositories are hosted in Amazon Simple Storage Service (Amazon S3) buckets. To update and install packages on your instance without an internet connection, create an S3 Amazon Virtual Private Cloud (Amazon VPC) gateway endpoint. Next, in the S3 VPC gateway endpoint, include a policy that allows access to the repositories buckets. Then, associate the VPC endpoint with the routing table of your instance subnet.

Note: To turn on third-party repositories, such as EPEL, your EC2 instance must have internet access through one of the following:

• NAT gateway
• NAT instance
• Internet gateway
• VPN/Direct Connect connection to your data center that routes the yum request through the public internet.

Resolution

Note: Keep the following in mind when using this resolution:

• Make sure that the security group attached to your EC2 instance allows outbound HTTP traffic.
• Make sure that the security group attached to your S3 VPC endpoint allows inbound HTTP traffic from your EC2 instance's subnet.
• Make sure that the network ACLs associated with your EC2 instance's subnet allow the following:

• Egress on port 80 (HTTP) and 443 (HTTPS) to the Regional S3 service.
• Ingress on ephemeral TCP ports from the Regional S3 service. Ephemeral ports are 1024-65535.
• The Regional S3 service is the public IP CIDR for the S3 service. Network ACLs don't support prefix lists. To add the S3 CIDR to your network ACL, use 0.0.0.0/0 as the S3 CIDR. You can also add the actual S3 CIDRs into the ACL. However, keep in mind that the S3 CIDRs can change at any time.

1.    Open the Amazon EC2 console, and then select your instance.

2.    On the Networking tab, note the VPC ID and Subnet ID.

3.    Open the Amazon VPC console, choose Subnets, and then select your Subnet ID.

4.    Choose the Route Table tab, and then note the Route Table ID.

5.    Choose Endpoints, and then choose Create Endpoint.

6.    Create the gateway endpoint using the following information:

If you're creating an endpoint in us-east-1, select com.amazonaws.us-east-1.s3. If you're creating an endpoint in other Regions, select the corresponding Region code. For a full list of Region codes, see Available Regions.

For VPC, select the VPC ID for your instance.

For Configure route tables, select the Route Table ID for your instance.

7.    Choose either Full Access or Custom for Policy.

If you choose Full Access, then your endpoint policy allows full access to Amazon S3.

If you choose Custom, then you must allow the API call s3:GetObject on the Amazon Linux repositories buckets:

Amazon Linux 2

The S3 buckets arn:aws:s3:::amazonlinux.[region].amazonaws.com and arn:aws:s3:::amazonlinux-2-repos-[region]/* host the repositories. The following is an example policy that allows the s3:GetObject API call. The following example policies have endpoints in us-east-1. If your endpoint is in a different Region, replace [region] with your AWS Region.

{
  "Statement": [
    {
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::amazonlinux.us-east-1.amazonaws.com/*",
        "arn:aws:s3:::amazonlinux-2-repos-us-east-1/*"
      ]
    }
  ]
}

Amazon Linux 1

{
  "Statement": [
    {
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::packages.us-east-1.amazonaws.com/*",
        "arn:aws:s3:::repo.us-east-1.amazonaws.com/*"
      ]
    }
  ]
}

Note: Replace the Region in the Resource ARN with your instance's Region. For more information, see Gateway endpoints for Amazon S3.

8.    Choose Create endpoint.

After creating the S3 VPC endpoint, you can install and update packages in your Amazon Linux instance.

---

Related information

Why am I receiving errors when using yum on my EC2 instance running Amazon Linux 1 or Amazon Linux 2?