How do I make sure that my Amazon EC2 Linux instance is updated with the latest patches and security updates?
I want to make sure that my Amazon Elastic Compute Cloud (Amazon EC2) Linux instances are updated and secure from vulnerabilities.
Resolution
Check for available updates
Note: Amazon Linux 2 uses the yum command and Amazon Linux 2023 uses the dnf command.
To check for available package updates for your Linux instance, including security patches and bug fixes, run the following command:
Amazon Linux 2:
sudo yum check-update
Amazon Linux 2023:
sudo dnf check-update
In the command's output, review the list for security-related updates or updates for critical system packages, such as kernel, OpenSSL, or other core libraries.
Note: Amazon Linux 2023 uses versioned repositories. By default, each Amazon Linux 2023 Amazon Machine Image (AMI) is locked to a specific repository version. If there's a later release of Amazon Linux, then run the yum check-update command for information about the available versions to upgrade.
To receive the latest patches and updates for Amazon Linux 2023, upgrade to a later version.
To view your current release version for Amazon Linux 2023, run the following command:
sudo dnf list installed | grep system-release
To view all available release versions, run the following command:
sudo dnf --showduplicates list system-release --releasever=latest
To check for available updates with a specific release version, run the following command:
sudo dnf --releasever=release_version_number check-update
Note: Replace release_version_number with the release version that you want to check for updates.
To check for available updates with the latest release version, run the following command:
sudo dnf --releasever=latest check-update
To upgrade to a specific release version, run the following command:
sudo dnf upgrade --releasever=release_version_number
Note: Replace release_version_number with the release version that you want to upgrade to.
To upgrade to the latest release version, run the following command:
sudo dnf upgrade --releasever=latest
List security updates
Amazon Linux 2
To list all available security updates, run the following command:
sudo yum updateinfo list --security
For a list of the currently installed security updates, run the following command:
sudo yum updateinfo list --security installed
Amazon Linux 2023
Run the following command to list all available security updates from a specific release version:
sudo dnf updateinfo list --security --releasever=release_version_number
Note: Replace release_version_number with the release version that you want for security updates.
Run the following command to list all available security updates from the latest release version:
sudo dnf updateinfo list --security --releasever=latest
Apply security updates
Amazon Linux 2
To install only security-related updates, run the following command:
sudo yum update --security
Amazon Linux 2023
To install only the security updates from a specific release version, run the following command:
sudo dnf update --security --releasever=release_version_number
Note: Replace release_version_number with the release version that you want to use for security updates.
To install only the security updates from the latest release version, run the following command:
sudo dnf update --security --releasever=latest
Find and patch Amazon EC2 Linux instances for CVEs
Amazon publishes security advisories for the Common Vulnerabilities and Exposures (CVE) that affect Amazon Linux 2 and Amazon Linux 2023 in the Amazon Linux Security Center.
To find and patch your instance based on a security advisory, complete the following steps:
- Open the Amazon Linux 2 or Amazon Linux 2023 CVE entry in the Amazon Linux Security Center.
- Check whether the Amazon Linux version that you use is affected.
- Choose the advisory for the AWS resource or service. The advisory contains detailed information about the CVE, the affected packages, the resolution, and the list of new packages and their package versions.
- Note the advisory identifier. To check whether the patch is already installed, run the following command:
sudo yum updateinfo list --security installed | grep 'ALAS2-2024-2607'
Note: Replace ALAS2-2024-2607 with the Security Advisory identifier that you want to check. If the output shows the Security Advisory entry, then the patch for that vulnerability is installed.
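The following script is an added example, not part of the AWS article: it wraps the check, list and advisory-lookup commands above into a self-audit that detects the Amazon Linux release from /etc/os-release, counts pending security advisories, and reports whether a given ALAS advisory is installed. It assumes advisory ids are the first whitespace-separated field of the updateinfo output, as in the ALAS2-2024-2607 line above; the sample output it ships with is constructed, and ALAS2-2024-9999 is a placeholder id.

```shell
#!/bin/bash
# Added example (not from the AWS article): shell helpers that wrap the
# yum/dnf commands the article walks through so an instance can audit itself.
# Assumption: advisory ids are the first field of "updateinfo list --security"
# output, as in the article's ALAS2-2024-2607 line.

# pkg_manager OS_RELEASE_TEXT -> prints yum (AL2) or dnf (AL2023); fails otherwise.
pkg_manager() {
  case "$1" in
    *'VERSION_ID="2023"'*) echo dnf ;;
    *'VERSION_ID="2"'*)    echo yum ;;
    *) return 1 ;;
  esac
}

# pending_security_count UPDATEINFO_TEXT -> number of ALAS advisories listed.
pending_security_count() {
  printf '%s\n' "$1" | awk '$1 ~ /^ALAS/ { n++ } END { print n + 0 }'
}

# advisory_installed ADVISORY_ID INSTALLED_TEXT -> exit 0 if the advisory is present.
advisory_installed() {
  printf '%s\n' "$2" | awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# audit_instance ADVISORY_ID: run the article's commands on this instance.
# On AL2023 the listing uses --releasever=latest, as the article recommends.
audit_instance() {
  pm=$(pkg_manager "$(cat /etc/os-release)") || { echo "not Amazon Linux 2/2023" >&2; return 1; }
  rel=""
  if [ "$pm" = dnf ]; then rel="--releasever=latest"; fi
  pending=$(sudo "$pm" updateinfo list --security $rel)
  installed=$(sudo "$pm" updateinfo list --security installed)
  echo "package manager: $pm"
  echo "pending security advisories: $(pending_security_count "$pending")"
  if advisory_installed "$1" "$installed"; then echo "$1: installed"; else echo "$1: NOT installed"; fi
}

# Constructed sample output (not captured from a real instance) for a self-check.
SAMPLE_OS_RELEASE_AL2023='ID="amzn"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"'
SAMPLE_PENDING='ALAS2-2024-2607 important/Sec. kernel-0.0.0-0.amzn2.x86_64
ALAS2-2024-9999 medium/Sec.    openssl-0.0.0-0.amzn2.x86_64
Last metadata expiration check: 0:05:10 ago'
SAMPLE_INSTALLED='ALAS2-2024-2607 important/Sec. kernel-0.0.0-0.amzn2.x86_64'
# Set RUN_LIVE=1 on an Amazon Linux instance to audit it for the given advisory.
if [ "${RUN_LIVE:-0}" = 1 ]; then audit_instance "${1:-ALAS2-2024-2607}"; fi
```

Run it as RUN_LIVE=1 ./audit.sh ALAS2-2024-2607 on the instance; without RUN_LIVE it only defines the functions and sample data, so it can be sourced and tested offline.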
View Amazon EKS and Elastic Beanstalk version or repository locks
Amazon Elastic Kubernetes Service (Amazon EKS) and AWS Elastic Beanstalk AMIs lock critical packages or entire repositories to specific versions for optimal performance. This helps prevent unintentional changes that alter the compatibility of the environment.
Amazon Linux 2
To view the version-locked packages for Amazon EKS, run the following command:
sudo yum versionlock list
For more information about version-locked EKS AMIs, see Version-locked packages on the GitHub website.
To view the version-locked packages for Elastic Beanstalk, run the following command:
sudo /opt/elasticbeanstalk/bin/pkg-repo status
For more information about the Elastic Beanstalk repository lock, see Platform script tools for your Elastic Beanstalk environments.
Amazon Linux 2023
Amazon Linux 2023 AMIs are locked to a specific repository version. For more information about how to manage repositories and updates on Amazon Linux 2023, see Manage package and operating system updates in AL2023.
Migrate to later version to get software support
In some cases, you must migrate to a later version of Amazon Linux to get support for the latest software versions. You might also need to move to a later version to continue receiving security updates after an earlier version is no longer supported.
The following are examples of use cases that require upgrades to later versions for support:
- Node.js 20 requires a later version of the glibc library. To use Node.js 20, you must upgrade from Amazon Linux 2 to Amazon Linux 2023.
- Amazon Linux 2 will reach its end of life on June 30, 2025. You must upgrade to a supported version.
Important: Before you upgrade to a later release version or a different version of Amazon EC2 Linux, test your applications and services for compatibility.
Related information
Deterministic upgrades through versioned repositories on AL2023