- Newest
- Most votes
- Most comments
Hello! Images with the latest updates are usually released at least once a month, sometimes more. For example, you can visit this link https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#Images:visibility=public-images;v=3;description=Amazon%20Linux%202%20Kernel%205.10 and it will show you all the current images (called AMIs) of Amazon Linux 2 for the us-east-1 region.
Regarding the packages that you download from yum, they are patched continuously with both security and feature enhancements. You can view more details about patching in this link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#package-repository .
Amazon Linux is configured to download and install critical or important security updates at launch time. However, you can also apply all updates (not just security updates) at launch with just a configuration setting, which is explained on the previous link.
Finally, if you want to read the security bulletins that AWS publishes for Amazon Linux you can view them here https://alas.aws.amazon.com/alas2.html
In our environment we would want to manually patch, not just security but everything(yum update) how often would you suggest?
you can change the value of the repo_upgrade cloud-config variable as explained in https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#package-repository . you can also add any compatible repos on the instance, same as with any other Linux distributions. Amazon Linux 2 even supports the Extras library. Please note that for stability reasons, Amazon Linux 2 might not have the latest versions of packages. The new Amazon Linux 2022 (available in public preview) targets the Fedora Linux distribution and it would provide the latest versions of packages available.
I believe AWS Systems Manager Patch Manager (with Patch baselines) can help you test and choose the best strategy easily . Take a look at this https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/ .
Relevant content
- asked 2 years ago
- Accepted Answerasked a year ago
- asked 5 years ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 months ago
Note that AL2023 changes this behavior in favor of determinism. We have found that making updates and launches deterministic it enables customers to better qualify OS updates. This means that all new OS updates can easily flow through your CI/CD system to ensure that everything continues to work together.
In fact, a few of us in the Amazon Linux team have started using the saying "If you have a pager, you use deterministic updates".
See https://docs.aws.amazon.com/linux/al2023/ug/deterministic-upgrades.html for more information.