How do I make sure that my Amazon EC2 Linux instance is updated with the latest patches and security updates?


I want to make sure that my Amazon Elastic Compute Cloud (Amazon EC2) Linux instances are updated and secure from vulnerabilities.

Resolution

Check for available updates

Note: Amazon Linux 2 uses the yum command and Amazon Linux 2023 uses the dnf command.

To check for available package updates for your Linux instance, including security patches and bug fixes, run the following command:

Amazon Linux 2:

sudo yum check-update

Amazon Linux 2023:

sudo dnf check-update

In the command's output, review the list for security-related updates or updates for critical system packages, such as kernel, OpenSSL, or other core libraries.

Note: Amazon Linux 2023 uses versioned repositories. By default, each Amazon Linux 2023 Amazon Machine Image (AMI) is locked to a specific repository version, so dnf check-update only reports updates that belong to that version. If there's a later release of Amazon Linux 2023, then run the dnf check-update command for information about the later release; the commands that follow list the available release versions and perform the upgrade.

To receive the latest patches and updates for Amazon Linux 2023, upgrade to a later version.

To view your current release version for Amazon Linux 2023, run the following command:

sudo dnf list installed | grep system-release

To view all available release versions, run the following command:

sudo dnf --showduplicates list system-release --releasever=latest

To check for available updates with a specific release version, run the following command:

sudo dnf --releasever=release_version_number check-update

Note: Replace release_version_number with the release version that you want to check for updates.

To check for available updates with the latest release version, run the following command:

sudo dnf --releasever=latest check-update

To upgrade to a specific release version, run the following command:

sudo dnf upgrade --releasever=release_version_number

Note: Replace release_version_number with the release version that you want to upgrade to.

To upgrade to the latest release version, run the following command:

sudo dnf upgrade --releasever=latest
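To turn the release-version commands above into one check, the following POSIX shell script (an added example, not part of the AWS article) extracts the running AL2023 release from /etc/system-release, picks the newest release from the dnf system-release listing, and reports whether an upgrade to a later versioned repository is pending. It assumes that /etc/system-release reads "Amazon Linux release 2023.x.y (Amazon Linux)" and that dnf list prints its usual three-column layout (name.arch, version-release, repository); the two sample outputs embedded in the script are constructed, not captured from a real instance, so it runs offline.

```shell
#!/bin/sh
# Added example: is this AL2023 instance on the newest versioned repository release?
# Assumes /etc/system-release looks like "Amazon Linux release 2023.3.20240312 (Amazon Linux)"
# and that `dnf --showduplicates list system-release --releasever=latest` prints the usual
# dnf three-column layout: name.arch  version-release  repository.

# Constructed sample outputs (not captured from a real instance) so the script runs offline.
SAMPLE_SYSTEM_RELEASE='Amazon Linux release 2023.3.20240312 (Amazon Linux)'
SAMPLE_DNF_LIST='Installed Packages
system-release.noarch   2023.3.20240312-1.amzn2023   @System
Available Packages
system-release.noarch   2023.3.20240312-1.amzn2023   amazonlinux
system-release.noarch   2023.4.20240401-1.amzn2023   amazonlinux
system-release.noarch   2023.4.20240416-1.amzn2023   amazonlinux'

# version_ge A B: exit 0 when dotted numeric version A >= B (numeric per field, so
# 2023.10.1 sorts after 2023.9.9 unlike a plain string comparison).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# current_release CONTENTS_OF_/etc/system-release -> "2023.3.20240312"
current_release() {
    printf '%s\n' "$1" | sed -n 's/^Amazon Linux release \([0-9][0-9.]*\).*/\1/p'
}

# latest_release DNF_LIST_OUTPUT -> highest system-release version in the listing, with
# the RPM release suffix ("-1.amzn2023") stripped so only the dotted version remains.
latest_release() {
    best=
    for v in $(printf '%s\n' "$1" | awk '$1 ~ /^system-release/ { sub(/-.*$/, "", $2); print $2 }'); do
        if [ -z "$best" ] || ! version_ge "$best" "$v"; then
            best=$v
        fi
    done
    printf '%s\n' "$best"
}

# release_status SYSTEM_RELEASE DNF_LIST -> "up-to-date" or "upgrade-pending"
release_status() {
    cur=$(current_release "$1")
    latest=$(latest_release "$2")
    if version_ge "$cur" "$latest"; then
        printf 'up-to-date\n'
    else
        printf 'upgrade-pending\n'
    fi
}

# Offline run on the constructed samples:
# prints "2023.3.20240312 -> 2023.4.20240416: upgrade-pending"
printf '%s -> %s: %s\n' \
    "$(current_release "$SAMPLE_SYSTEM_RELEASE")" \
    "$(latest_release "$SAMPLE_DNF_LIST")" \
    "$(release_status "$SAMPLE_SYSTEM_RELEASE" "$SAMPLE_DNF_LIST")"

# On a live AL2023 instance, feed the real outputs instead:
#   release_status "$(cat /etc/system-release)" \
#       "$(sudo dnf --showduplicates list system-release --releasever=latest)"
```

Run it as a cron job or a Systems Manager command and alert on "upgrade-pending"; because the AMI's repository lock hides newer releases from a plain dnf check-update, an instance can report no pending updates while a later release with security fixes already exists.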

List security updates

Amazon Linux 2

To list all available security updates, run the following command:

sudo yum updateinfo list --security

For a list of the currently installed security updates, run the following command:

sudo yum updateinfo list --security installed

Amazon Linux 2023

Run the following command to list all available security updates from a specific release version:

sudo dnf updateinfo list --security --releasever=release_version_number

Note: Replace release_version_number with the release version that you want for security updates.

Run the following command to list all available security updates from the latest release version:

sudo dnf updateinfo list --security --releasever=latest

Apply security updates

Amazon Linux 2

To install only security-related updates, run the following command:

sudo yum update --security

Amazon Linux 2023

To install only the security updates from a specific release version, run the following command:

sudo dnf update --security --releasever=release_version_number

Note: Replace release_version_number with the release version that you want to use for security updates.

To install only the security updates from the latest release version, run the following command:

sudo dnf update --security --releasever=latest

Find and patch Amazon EC2 Linux instances for CVEs

Amazon publishes security advisories for the Common Vulnerabilities and Exposures (CVEs) that affect Amazon Linux 2 and Amazon Linux 2023 in the Amazon Linux Security Center.

To find and patch your instance based on a security advisory, complete the following steps:

  1. Open the Amazon Linux Security Center and find the CVE entry for Amazon Linux 2 or Amazon Linux 2023.
  2. Check whether the Amazon Linux version that you use is affected.
  3. Open the advisory (ALAS) that the CVE entry links to. The advisory lists the CVEs it covers, the affected packages, the resolution, and the new packages with their versions.
  4. Note the advisory identifier. To check whether the patch is already installed, run the following command:
     sudo yum updateinfo list --security installed | grep 'ALAS2-2024-2607'
     Note: Replace ALAS2-2024-2607 with the Security Advisory identifier that you want to check. On Amazon Linux 2023, run the same command with dnf and an ALAS2023 identifier. If the output shows the Security Advisory entry, then the fixed package versions are installed. That doesn't mean that they're in use yet: a kernel update takes effect only after a reboot, and a patched library is used by a process only after that process restarts.
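The grep in step 4 matches substrings, so a query for a shorter or mistyped identifier can match a different advisory, and a match says nothing about whether the patched kernel is actually running. The following POSIX shell script (an added example, not part of the AWS article) classifies a list of advisories as installed, pending, or unknown by exact match on the first field of the updateinfo output, and flags an installed kernel advisory whose kernel differs from uname -r. It assumes that each updateinfo line has the form ADVISORY SEVERITY/TYPE PACKAGE-NEVRA; the sample outputs, the running-kernel string, and every advisory identifier other than ALAS2-2024-2607 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify ALAS advisories as installed / pending / unknown from the
# `updateinfo list --security` output, and flag installed kernel fixes that are not
# yet running. Assumes each updateinfo line is "ADVISORY SEVERITY/TYPE PACKAGE-NEVRA", e.g.
#   ALAS2-2024-2607 important/Sec. kernel-5.10.218-208.862.amzn2.x86_64

# Constructed sample outputs (not captured from a real instance); the advisory ids other
# than ALAS2-2024-2607 and all package versions are made up for the demonstration.
SAMPLE_INSTALLED='ALAS2-2024-2607 important/Sec. kernel-5.10.218-208.862.amzn2.x86_64
ALAS2-2024-2607 important/Sec. kernel-devel-5.10.218-208.862.amzn2.x86_64
ALAS2-2024-2590 medium/Sec.    openssl-1.0.2k-24.amzn2.0.13.x86_64'
SAMPLE_AVAILABLE='ALAS2-2024-2650 critical/Sec.  kernel-5.10.220-209.869.amzn2.x86_64
ALAS2-2024-2655 important/Sec. curl-8.3.0-1.amzn2.0.6.x86_64'
SAMPLE_RUNNING_KERNEL='5.10.217-205.860.amzn2.x86_64'   # what `uname -r` would print

# has_advisory ID OUTPUT: exit 0 if some line's first field is exactly ID. A bare
# `grep ALAS2-2024-260` would also match ALAS2-2024-2607; an exact field match does not.
has_advisory() {
    printf '%s\n' "$2" | awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# advisory_state ID INSTALLED AVAILABLE -> installed | pending | unknown
advisory_state() {
    if has_advisory "$1" "$2"; then
        echo installed
    elif has_advisory "$1" "$3"; then
        echo pending
    else
        echo unknown
    fi
}

# advisory_kernel ID INSTALLED -> version-release.arch of the kernel package the advisory
# ships (empty if it ships none). kernel-devel, kernel-headers etc. are skipped.
advisory_kernel() {
    printf '%s\n' "$2" | awk -v id="$1" \
        '$1 == id && $3 ~ /^kernel-[0-9]/ { sub(/^kernel-/, "", $3); print $3; exit }'
}

# kernel_reboot_needed ID INSTALLED RUNNING: exit 0 when the advisory's kernel package is
# installed but RUNNING (the `uname -r` string) is still a different kernel.
kernel_reboot_needed() {
    want=$(advisory_kernel "$1" "$2")
    [ -n "$want" ] && [ "$want" != "$3" ]
}

# patch_report "ID ID ..." INSTALLED AVAILABLE RUNNING -> one "ID: state" line per advisory
patch_report() {
    for id in $1; do
        state=$(advisory_state "$id" "$2" "$3")
        if [ "$state" = installed ] && kernel_reboot_needed "$id" "$2" "$4"; then
            state='installed (reboot required: patched kernel not running)'
        fi
        printf '%s: %s\n' "$id" "$state"
    done
}

# Offline run on the constructed samples.
patch_report 'ALAS2-2024-2607 ALAS2-2024-2590 ALAS2-2024-2650 ALAS2-2024-9999' \
    "$SAMPLE_INSTALLED" "$SAMPLE_AVAILABLE" "$SAMPLE_RUNNING_KERNEL"

# On a live Amazon Linux 2 instance, feed the real outputs instead:
#   patch_report 'ALAS2-2024-2607' \
#       "$(sudo yum updateinfo list --security installed)" \
#       "$(sudo yum updateinfo list --security)" "$(uname -r)"
# On Amazon Linux 2023 use dnf and the ALAS2023 advisory identifiers.
```

The report distinguishes three cases that the single grep collapses: the fix is installed and active, the fix is installed but the instance still runs the old kernel (only a reboot closes the exposure), and the fix is only available and still has to be applied with yum update --security or dnf update --security.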

View Amazon EKS and Elastic Beanstalk version or repository locks

Amazon Elastic Kubernetes Service (Amazon EKS) and AWS Elastic Beanstalk AMIs lock critical packages or entire repositories to the specific versions that the platform was tested with. This prevents a routine update from pulling in a package version that breaks compatibility with the rest of the environment. Review the locks before you patch: a version-locked package isn't updated by the update commands above, even when a security advisory covers it, so a locked package with a pending advisory needs an AMI or platform version upgrade rather than a package update.

Amazon Linux 2

To view the version-locked packages for Amazon EKS, run the following command:

sudo yum versionlock list

For more information about version-locked EKS AMIs, see Version-locked packages on the GitHub website.

To view the version-locked packages for Elastic Beanstalk, run the following command:

sudo /opt/elasticbeanstalk/bin/pkg-repo status

For more information about the Elastic Beanstalk repository lock, see Platform script tools for your Elastic Beanstalk environments.

Amazon Linux 2023

Amazon Linux 2023 AMIs are locked to a specific repository version. For more information about how to manage repositories and updates on Amazon Linux 2023, see Manage package and operating system updates in AL2023.

Migrate to later version to get software support

In some cases, you must migrate to a later version of Amazon Linux to get support for the latest software versions, or to continue to receive security updates after an earlier version reaches the end of its support period.

The following are examples of use cases that require upgrades to later versions for support:

Important: Before you upgrade to a later release version or a different version of Amazon EC2 Linux, test your applications and services for compatibility.

Related information

Amazon Linux 2 FAQs

Amazon Linux 2023 FAQs

Deterministic upgrades through versioned repositories on AL2023

AWS OFFICIAL
Updated a month ago