Systems Manager was built to solve for this - look into Patch Manager and Compliance features. You'll need to make sure the ssm-agent is installed and running and that your instances have an IAM role allowing for SSM actions. An alternate approach is to re-roll your AMIs frequently, but that's a bit different and has its own complexities. Answer from natrapsmai on reddit.com
AWS re:Post
repost.aws › knowledge-center › ec2-linux-update-security-patches
Update EC2 Linux with the latest updates | AWS re:Post
3 weeks ago - To check whether the patch is already installed, run the following command: sudo dnf updateinfo list --security installed --releasever=latest | grep 'advisory-ID'. Note: Replace advisory-ID with the advisory ID.
Discussions

How do you keep your EC2's updated? (Amazon Linux 2)
🌐 r/aws
5
1
February 17, 2023
How do install security updates on an Amazon Linux AMI EC2 instance? - Stack Overflow
If you're creating/destroying instances with an auto-scaling group, etc., the command should be something like "sudo yum update --security -y" in user data. ... Amazon Linux 2 has switched to systemd, so the command is now systemctl enable yum-cron ... More on stackoverflow.com
🌐 stackoverflow.com
Amazon Linux 2 - Yum Update -Y hangs?
Does your instance have a route out? That is, do you have a working internet connection out? More on reddit.com
🌐 r/aws
7
4
July 9, 2018
For those using Amazon Linux in production, how do you deal with updates?
(We tried to post this a few days ago, but it seems like it may have gotten stuck in some sort of moderation or spam filter, because this is a newly created account.)

Greetings from the Amazon Linux AMI team. As you rightly point out, the Amazon Linux AMI has been built and maintained as a rolling release. We encourage users to think of the Amazon Linux AMI as a single river of packages, of which the AMI images themselves are just snapshots in time. We try to make those snapshots – the actual AMIs – predictable by doing releases in March and September of each year.

Providing a rolling release ensures that our Amazon Linux AMIs and our customer instances based on those AMIs support the latest features of EC2 and AWS as they are launched. In this way, the Amazon Linux AMI also serves as a reference point for other Linux AMI producers (both 3rd party and downstream of the Amazon Linux AMI) so that they can support these features as well. We do all of this while doing our absolute best to not introduce breaking changes as part of our update process. The upshot is that our customers are more likely to be running with the latest security, performance, and feature enhancements, which mitigates a broad range of problems they could encounter. The trade-off is that our customers do have to undertake the effort to integrate a new version on a more frequent basis than they may have in the past.

That being said, we often respond to high-severity security events by releasing AMIs outside of our regular schedule, and we do provide backported security patches. Most recently (on January 29, 2015), we released the 2014.09.2 Amazon Linux AMI so that customers would be able to launch AMIs that had the patches for “Ghost”, as discussed in https://alas.aws.amazon.com/ALAS-2015-473.html. While we did not initially produce older packages for Heartbleed, we have since made a habit of doing so for high-visibility security issues, including Shellshock, Poodle, and Ghost.

Shellshock -- https://alas.aws.amazon.com/ALAS-2014-419.html
Poodle -- https://alas.aws.amazon.com/ALAS-2014-426.html (which includes Heartbleed patches)
Ghost -- https://alas.aws.amazon.com/ALAS-2015-473.html

Finally, while we are always open to suggestions around the Amazon Linux AMI, we also have a great ecosystem of partners producing AMIs for EC2. Part of the value of that ecosystem is that you can usually find a solution that matches your preferences. While we love it when Amazon Linux AMI fits the bill, we are excited to see adoption of our partner AMIs grow as well. We encourage you to use whichever AMI best meets your needs, whether that is the Amazon Linux AMI or a partner AMI. More on reddit.com
🌐 r/aws
22
5
February 18, 2015
Amazon Web Services
aws.amazon.com › compute › amazon linux 2 › faqs
Amazon Linux 2 FAQs
2 weeks ago - Kernel Live Patching in Amazon ... Linux Kernel are delivered to the existing package repositories for Amazon Linux 2, and can be applied using regular yum commands such as 'yum update --security' when the feature has been activated....
AWS
docs.aws.amazon.com › amazon linux › user guide › updating al2023
Updating AL2023 - Amazon Linux 2023
May 22, 2026 - Checking for, getting notified of, and managing package and OS updates in AL2023.
GitHub
github.com › awsdocs › amazon-ec2-user-guide › blob › master › doc_source › install-updates.md
amazon-ec2-user-guide/doc_source/install-updates.md at master · awsdocs/amazon-ec2-user-guide
To update a single package on an Amazon Linux instance · Use this procedure to update a single package (and its dependencies) and not the entire system. Run the yum update command with the name of the package to update.
Author   awsdocs
Reddit
reddit.com › r/aws › how do you keep your ec2's updated? (amazon linux 2)
r/aws on Reddit: How do you keep your EC2's updated? (Amazon Linux 2)
February 17, 2023 -

Hi all, I wonder how you keep your production EC2s updated with minimal downtime.

This is what I get on my EC2:

[ec2-user@ec2~]$ yum updateinfo
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Security: kernel-5.10.165-143.735.amzn2.x86_64 is an installed security update
Security: kernel-5.10.130-118.517.amzn2.x86_64 is the currently running version
updateinfo summary done

We used to get lots of information from our Ubuntu EC2s, and I was wondering how we can get the same output with Amazon Linux 2:

Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.13.0-1031-aws x86_64) 
88 updates can be applied immediately.
15 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
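As an added example (not part of the post or any reply), here is a small POSIX shell helper that parses the yum updateinfo output quoted above and reports whether the instance is still running an older kernel than the installed security update, the gap visible in the poster's own output. The sample text is constructed from the post's lines, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Reddit thread: summarise `yum updateinfo` output
# from Amazon Linux 2 into one status line and flag a pending kernel reboot.
# SAMPLE_UPDATEINFO is constructed from the lines quoted in the post; on a
# real host use:  yum updateinfo 2>/dev/null | al2_update_status

SAMPLE_UPDATEINFO='Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Security: kernel-5.10.165-143.735.amzn2.x86_64 is an installed security update
Security: kernel-5.10.130-118.517.amzn2.x86_64 is the currently running version
updateinfo summary done'

# al2_update_status: reads updateinfo text on stdin and prints one line:
#   "reboot-pending <installed> <running>"  a newer kernel is installed but not booted
#   "kernel-current <running>"              the running kernel is the installed one
#   "unknown"                               no kernel lines were found in the input
# The two "Security: kernel-... is ..." lines are the ones AL2 prints as quoted above;
# the "Loaded plugins" and "summary done" lines are ignored.
al2_update_status() {
    awk '
        /is an installed security update/  { installed = $2 }
        /is the currently running version/ { running = $2 }
        END {
            if (installed != "" && installed != running)
                print "reboot-pending " installed " " running
            else if (running != "")
                print "kernel-current " running
            else
                print "unknown"
        }'
}

# al2_kernel_is_current: exit 0 when the running kernel is the latest installed,
# exit 1 otherwise, so a cron job or SSM run command can gate a reboot on it.
al2_kernel_is_current() {
    case "$(al2_update_status)" in
        kernel-current*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Stand-alone run over the constructed sample: prints the reboot-pending line.
printf '%s\n' "$SAMPLE_UPDATEINFO" | al2_update_status
```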

AWS
docs.aws.amazon.com › amazon linux 2 › release notes › amazon linux 2 release notes › amazon linux 2 release notes for 2020 and earlier › amazon linux 2 release notes
Amazon Linux 2 release notes - Amazon Linux 2
Each topic contains all the ... Amazon Linux 2. The following is the Extras command to list the available topics. ... The following is the Extras command to install a topic. ... In the following example, the Extras command installs the rust1 topic. ... The extras channel provides an AWS curated list of rapidly evolving technologies. These technologies might be updated more frequently ...
Medium
gmusumeci.medium.com › how-to-update-an-ec2-machine-with-amazon-linux-2-dd490c3f8ef8
How To Update an EC2 Machine with Amazon Linux 2 | by Guillermo Musumeci | Medium
March 28, 2022 - Note: Kernel Live Patching is not supported in Amazon Linux 2 instances with 64-bit ARM. We will SSH into the EC2 instance using ec2-user@[machine-name] and then we will start updating Amazon Linux packages:
nixCraft
cyberciti.biz › nixcraft › howto › amazon cloud computing › amazon linux ami update installed packages for security
Amazon Linux AMI update installed packages for security - nixCraft
September 7, 2022 - Open up a terminal application or log in using ssh. Run the yum command to upgrade all installed packages on an Amazon Linux cloud server:
$ sudo yum update
To apply only security-related updates to the machine, run:
$ sudo yum --security update
Top answer
1 of 2
1

You can use the amazon-linux-extras repository to upgrade the kernel.

First, run this command to get all available kernel versions:

sudo amazon-linux-extras | grep kernel

You will see a response similar to this:

  _  kernel-5.4               available    [ =stable ]
 55  kernel-5.10=latest       enabled      [ =stable ]
 62  kernel-5.15              available    [ =stable ]

The kernel version marked as enabled is the one installed on your machine.

To upgrade to the newer version (for example kernel-5.15), just run this command:

sudo amazon-linux-extras install kernel-5.15 -y

Now, you need to reboot the server with sudo reboot.

After rebooting, run the command uname -r to make sure that the newer version is successfully installed.

For more information, please refer to this link.

2 of 2
1

Kernel live patches are available for Amazon Linux 2 with kernel version 4.14.165-131.185 or later. To check your kernel version, run the following command.

[root@actsupport ~]#  yum list kernel

If you already have a supported kernel version, skip this step. If you do not have a supported kernel version, run the following commands to update the kernel to the latest version and to reboot the instance.

[root@actsupport ~]#  sudo yum install -y kernel
[root@actsupport ~]#  reboot

Install the yum plugin for Kernel Live Patching.

[root@actsupport ~]#  yum install -y yum-plugin-kernel-livepatch

Enable the yum plugin for Kernel Live Patching.

[root@actsupport ~]#  yum kernel-livepatch enable -y

This command also installs the latest version of the kernel live patch RPM from the configured repositories.

To confirm that the yum plugin for kernel live patching has installed successfully, run the following command.

[root@actsupport ~]#  rpm -qa | grep kernel-livepatch

When you enable Kernel Live Patching, an empty kernel live patch RPM is automatically applied. If Kernel Live Patching was successfully enabled, this command returns a list that includes the initial empty kernel live patch RPM.

Update and start the kpatch service. This service loads all of the kernel live patches upon initialization or at boot.

[root@actsupport ~]#  yum update kpatch-runtime
[root@actsupport ~]#  systemctl enable kpatch.service

Configure the Amazon Linux 2 Kernel Live Patching repository, which contains the kernel live patches.

[root@actsupport ~]#  amazon-linux-extras enable livepatch
Top answer
1 of 3
70

As outlined in section Security Updates within Amazon Linux AMI Basics, Amazon Linux AMIs are configured to download and install security updates at launch time, i.e., if you do not need to preserve data or customizations on your running Amazon Linux AMI instances, you can simply relaunch new instances with the latest updated Amazon Linux AMI (see section Product Life Cycle for details).

This currently includes only Critical or Important security updates though, see the AWS team's response to Best practices for Amazon Linux image security updates:

The default on Amazon Linux AMI is to install any Critical or Important security updates on launch. This is a function of cloud-init and can be modified in cloud.cfg on the box or by passing in user-data. This is why you see some security updates still available at launch.

Consequently, if you want to install all security updates or indeed need to preserve data or customizations on your running Amazon Linux AMI instances, you can maintain those instances through the Amazon Linux AMI yum repositories, i.e. you need to facilitate the regular Yum update mechanism as outlined for the yum-security plugin:

# yum update --security
2 of 3
29

Please note: This does not work if only security updates are selected, due to the fact that security updates are not properly flagged in CentOS and Amazon Linux. This may be a matter of Red Hat making security a paid feature which, if I'm being frank, is bullshit. For this to work you must update the yum-cron config file to install all updates. This makes security updates less likely to run reliably, which makes everyone less secure.

update_cmd = default

Amazon Linux runs updates when the host boots for the first time. If you plan to have hosts up long-term you may also want to enable automatic security updates. I recommend using yum-cron:

sudo yum install yum-cron

The config file is here: (you probably want to just run security updates)

/etc/yum/yum-cron.conf

You can then enable yum-cron like so:

sudo service yum-cron start

edit from a useful comment below: "If you're creating/destroying instances with an auto-scaling group, etc, the command should be something like "sudo yum update -y" in user data."

Amazon Web Services
docs.aws.amazon.com › aws command line interface › user guide for version 2 › getting started with the aws cli › installing or updating to the latest version of the aws cli
Installing or updating to the latest version of the AWS CLI - AWS Command Line Interface
If you previously installed AWS ... version 2. ... For installation and update instructions, expand the section for your operating system. You must be able to extract or "unzip" the downloaded package. If your operating system doesn't have the built-in unzip command, use an equivalent. The AWS CLI uses glibc, groff, and less. These are included by default in most major distributions of Linux...
AWS
docs.aws.amazon.com › amazon linux › user guide › updating al2023 › manage package and operating system updates in al2023
Manage package and operating system updates in AL2023 - Amazon Linux 2023
To provide you with Amazon Linux specific information about these different packages, the DNF supportinfo plugin provides metadata about a package. In the following example, the dnf supportinfo command returns metadata for the glibc package. $ sudo dnf supportinfo --pkg glibc Last metadata expiration check: 0:07:56 ago on Wed Mar 1 23:21:49 2023. Name : glibc Version : 2...
GitHub
gist.github.com › roommen › 18cd78d07b0fbc962de4e79c1d468f92
OpenSSH Update Script - Amazon Linux 2 · GitHub
... @krlinus You likely need to restart your SSH service for the changes to take effect. Try running sudo systemctl restart sshd on your server and then you can try your sftp command again.
ManageEngine
manageengine.com › patch-management › amazon-linux-patching.html
Amazon Linux Security Patch Updates | Manual and automated Linux patching.
Open a Terminal window on your Amazon Linux system. Update the package list by running the following command: sudo dnf makecache
GitHub
github.com › awsdocs › amazon-ec2-user-guide › blob › master › doc_source › amazon-linux-ami-basics.md
amazon-ec2-user-guide/doc_source/amazon-linux-ami-basics.md at master · awsdocs/amazon-ec2-user-guide
June 16, 2022 - With Amazon Linux 2, you can use the Extras Library to install application and software updates on your instances. These software updates are known as topics. You can install a specific version of a topic or omit the version information to use the most recent version. To list the available topics, use the following command:
Author   awsdocs
AWS re:Post
repost.aws › knowledge-center › amazon-linux-2-kernel-upgrade
Upgrade Amazon Linux 2 kernel version | AWS re:Post
August 13, 2024 - Note: To upgrade the Amazon Linux 2 kernel from 5.10.x to Amazon Linux Extra 5.15.x, follow the same steps that are detailed in this article. Replace 5.10 with 5.15 in the example commands used in this article.
AWS
docs.aws.amazon.com › amazon linux › user guide › al2 kernel › kernel live patching on al2
Kernel Live Patching on AL2 - Amazon Linux 2
The Amazon Linux Security Center might not list kernel live patches that address bugs. You can also discover the available kernel live patches for advisories and CVEs using the command line. Use the following command. ... The following shows example output. Loaded plugins: extras_suggestions, kernel-livepatch, langpacks, priorities, update...