How do install security updates on an Amazon Linux AMI EC2 instance?

Question

I see the following notices displayed on login:

   __|  __|_  )
   _|  (     /   Amazon Linux AMI
  ___|\___|___|

  See /usr/share/doc/system-release/ for latest release notes.
  There are 30 security update(s) out of 39 total update(s) available

How do I install these updates on my machine?

Answer 1

Please note: This does not work if only security updates are selected, due to the fact that security updates are not properly flagged in centos and amazon linux. This may be a matter of Redhat making security a paid feature which, if I'm being frank, is bullshit. For this to work you must update the yum-cron config file to install all updates. This makes security updates less likely to run reliably which makes everyone less secure.

update_cmd = default

Amazon Linux runs updates when the host boots for the first time. If you plan to have hosts up long-term you may also want to enable automatic security updates. I recommend using yum-cron:

sudo yum install yum-cron

The config file is here: (you probably want to just run security updates)

/etc/yum/yum-cron.conf

You can then enable yum-cron like so:

sudo service yum-cron start

edit from a useful comment below: "If you're creating/destroying instances with an auto-scaling group, etc, the command should be something like "sudo yum update -y" in user data."

Answer 2

The answer above is correct, here are the 4 commands you can copy and paste to run:

# Install the package yum-cron
sudo yum install yum-cron -y
# Change the config file /etc/yum/yum-cron.conf and modify the line apply_updates from no to yes
sudo sed -i "s/apply_updates = no/apply_updates = yes/" /etc/yum/yum-cron.conf
# Enable the yum-cron service to start automatically upon system boot
sudo systemctl enable yum-cron
# Start the yum-cron service now
sudo systemctl start yum-cron

These commands also work on Red Hat 7, CentOS 7

If you are running as the root user you can simply run the commands without sudo:

yum install yum-cron -y
sed -i "s/apply_updates = no/apply_updates = yes/" /etc/yum/yum-cron.conf
systemctl enable yum-cron
systemctl start yum-cron

For more information see https://linuxize.com/post/configure-automatic-updates-with-yum-cron-on-centos-7/ https://www.howtoforge.com/tutorial/how-to-setup-automatic-security-updates-on-centos-7/

Answer 3

As outlined in section Security Updates within Amazon Linux AMI Basics, Amazon Linux AMIs are configured to download and install security updates at launch time, i.e. If you do not need to preserve data or customizations on your running Amazon Linux AMI instances, you can simply relaunch new instances with the latest updated Amazon Linux AMI (see section Product Life Cycle for details).

This currently includes only Critical or Important security updates though, see the AWS team's response to Best practices for Amazon Linux image security updates:

The default on Amazon Linux AMI is to install any Critical or Important security updates on launch. This is a function of cloud-init and be modified in cloud.cfg on the box or by passing in user-data. This is why you see some security updates still available at launch.

Consequently, if you want to install all security updates or indeed need to preserve data or customizations on your running Amazon Linux AMI instances, you can maintain those instances through the Amazon Linux AMI yum repositories, i.e. you need to facilitate the regular Yum update mechanism as outlined for the yum-security plugin:

# yum update --security