
Amazon Linux Patching

0

What are your patching strategies for Amazon Linux? Do you patch critical/important security updates only, or run a full yum update to update everything? How often do you patch?

asked 3 years ago, 2.5K views
3 Answers
1

Hello! Images with the latest updates are usually released at least once a month, sometimes more. For example, you can visit this link https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#Images:visibility=public-images;v=3;description=Amazon%20Linux%202%20Kernel%205.10 and it will show you all the current images (called AMIs) of Amazon Linux 2 for the us-east-1 region.

Regarding the packages that you download from yum, they are patched continuously with both security and feature enhancements. You can view more details about patching in this link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#package-repository .

Amazon Linux is configured to download and install critical or important security updates at launch time. However, you can also apply all updates (not just security updates) at launch with just a configuration setting, which is explained on the previous link.

Finally, if you want to read the security bulletins that AWS publishes for Amazon Linux you can view them here https://alas.aws.amazon.com/alas2.html

AWS
SUPPORT ENGINEER
answered 3 years ago
  • Note that AL2023 changes this behavior in favor of determinism. We have found that making updates and launches deterministic enables customers to better qualify OS updates. This means that all new OS updates can easily flow through your CI/CD system to ensure that everything continues to work together.

    In fact, a few of us in the Amazon Linux team have started using the saying "If you have a pager, you use deterministic updates".

    See https://docs.aws.amazon.com/linux/al2023/ug/deterministic-upgrades.html for more information.
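The deterministic-upgrade workflow the comment above describes, as an added shell example that is not part of the thread or of AWS's own tooling: a pinned AL2023 release label is read from a file (the path `./al2023-release.pin` is an assumption), validated so that "latest" can never slip in, and turned into a `dnf --releasever=<release> upgrade` command. `dnf check-release-update` and `--releasever` are the commands the linked AL2023 documentation describes; the validation and wrapper script are the example's own.

```shell
#!/bin/sh
# Added example, not from the re:Post thread or the AL2023 docs: drive an
# AL2023 deterministic upgrade from a pinned release string, so the release
# that passed CI is the one applied on instances with a pager attached.
set -eu

# Accept only an explicit AL2023 release label of the form 2023.<minor>.<YYYYMMDD>
# (for example 2023.3.20240219). "latest" is rejected on purpose: it is exactly
# the non-deterministic case this workflow exists to avoid.
is_al2023_release() {
  printf '%s\n' "$1" | grep -Eq '^2023\.[0-9]+\.[0-9]{8}$'
}

# Build the dnf command that upgrades to the pinned release and nothing newer.
# Returned as a string rather than executed, so a dry run (and a test) can
# inspect it before anything touches the instance.
upgrade_command() {
  rel="$1"
  if ! is_al2023_release "$rel"; then
    echo "refusing non-deterministic release '$rel'" >&2
    return 1
  fi
  printf 'dnf -y --releasever=%s upgrade\n' "$rel"
}

# Hypothetical pin file checked into the same repository as the CI pipeline;
# its first line is the release label that CI qualified.
PIN_FILE="${PIN_FILE:-./al2023-release.pin}"

main() {
  rel="$(sed -n '1p' "$PIN_FILE")"
  cmd="$(upgrade_command "$rel")"
  if command -v dnf >/dev/null 2>&1; then
    # Lists newer releases than the one installed; kept for the audit log only,
    # the upgrade below still goes to the pinned release and no further.
    dnf check-release-update || true
    sh -c "$cmd"
  else
    echo "dry run (dnf not present): $cmd"
  fi
}

# Run only when invoked as "sh al2023-pinned-upgrade.sh run", so the functions
# can also be sourced and tested without performing an upgrade.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Bumping the pin file is then the change that flows through CI: the pipeline builds and tests an AMI or container against the new label, and production instances only ever upgrade to a label that has already passed.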

0

In our environment we would want to patch manually, not just security but everything (yum update). How often would you suggest?

answered 3 years ago
  • You can change the value of the repo_upgrade cloud-config variable as explained in https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#package-repository . You can also add any compatible repos on the instance, same as with any other Linux distribution. Amazon Linux 2 even supports the Extras library. Please note that for stability reasons, Amazon Linux 2 might not have the latest versions of packages. The new Amazon Linux 2022 (available in public preview) targets the Fedora Linux distribution and would provide the latest versions of packages available.
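The repo_upgrade setting mentioned in the first answer and in the comment above, as an added shell example that is not part of the thread or of AWS's own tooling: one function emits EC2 user data that sets repo_upgrade for Amazon Linux 2 and rejects anything that is not one of the documented values, and a second audits an existing cloud-config for the value it will effectively apply (an absent key means the AL2 default, security). The four values are the ones the linked documentation lists; the script, its file names and the sample inputs are the example's own.

```shell
#!/bin/sh
# Added example, not from the re:Post thread or the AL2 docs: generate EC2
# user data that sets cloud-init's repo_upgrade for Amazon Linux 2, and audit
# an existing user-data file for the value it effectively uses.
set -eu

# Emit a cloud-config that sets repo_upgrade. Only the values documented for
# AL2 are accepted; a typo would otherwise be ignored by cloud-init and the
# instance would silently fall back to the default.
userdata_for() {
  mode="$1"
  case "$mode" in
    security) ;;   # default: critical/important security updates at launch
    bugfix) ;;     # security updates plus bug fixes
    all) ;;        # everything: the launch-time equivalent of "yum update"
    none) ;;       # nothing at launch; patch later via Patch Manager or CI
    *) echo "invalid repo_upgrade value: $mode" >&2; return 1 ;;
  esac
  printf '#cloud-config\nrepo_upgrade: %s\n' "$mode"
}

# Report the repo_upgrade value a cloud-config read from stdin would apply.
# A missing key means the AL2 default, security. Quoted YAML values
# (repo_upgrade: "all") are not unquoted here; keep the key unquoted.
effective_repo_upgrade() {
  val="$(sed -n 's/^repo_upgrade:[[:space:]]*//p' | head -n 1)"
  printf '%s\n' "${val:-security}"
}

# Usage: sh gen-userdata.sh all > user-data.txt
# then:  aws ec2 run-instances ... --user-data file://user-data.txt
# Audit: cat user-data.txt | sh -c '. ./gen-userdata.sh; effective_repo_upgrade'
if [ "${1:-}" != "" ]; then
  userdata_for "$1"
fi
```

Setting repo_upgrade to none and patching on a schedule from Patch Manager or CI is the choice that makes launches reproducible; all is the closest match to the manual "yum update everything" the question asks about, at the cost of a freshly launched instance differing from the one launched yesterday.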

0

I believe AWS Systems Manager Patch Manager (with patch baselines) can help you test and choose the best strategy easily. Take a look at this https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/ .

answered 3 years ago
