Amazon Elastic Compute Cloud
User Guide for Linux Instances

Amazon Linux

Amazon Linux is provided by Amazon Web Services (AWS). It is designed to provide a stable, secure, and high-performance execution environment for applications running on Amazon EC2. It also includes packages that enable easy integration with AWS, including launch configuration tools and many popular AWS libraries and tools. AWS provides ongoing security and maintenance updates to all instances running Amazon Linux.


The Amazon Linux AMI repository structure is configured to deliver a continuous flow of updates that allow you to roll from one version of the Amazon Linux AMI to the next. To lock existing instances to their current version, see Repository Configuration.

To launch an Amazon Linux instance, use an Amazon Linux AMI. AWS provides Amazon Linux AMIs to Amazon EC2 users at no additional cost.

Finding the Amazon Linux AMI

For a list of the latest Amazon Linux AMIs, see Amazon Linux AMIs.

Launching and Connecting to an Amazon Linux Instance

After locating your desired AMI, note the AMI ID. You can use the AMI ID to launch and then connect to your instance.

Amazon Linux does not allow remote root SSH by default. Also, password authentication is disabled to prevent brute-force password attacks. To enable SSH logins to an Amazon Linux instance, you must provide your key pair to the instance at launch. You must also set the security group used to launch your instance to allow SSH access. By default, the only account that can log in remotely using SSH is ec2-user; this account also has sudo privileges. If you want to enable remote root log in, please be aware that it is less secure than relying on key pairs and a secondary user.

For information about launching and using your Amazon Linux instance, see Launch Your Instance. For information about connecting to your Amazon Linux instance, see Connecting to Your Linux Instance.

Identifying Amazon Linux AMI Images

Each image contains a unique /etc/image-id that identifies the AMI. This file contains information about the image.

The following is an example of the /etc/image-id file:

[ec2-user ~]$ cat /etc/image-id image_name="amzn-ami-hvm" image_version="2017.03" image_arch="x86_64" image_file="amzn-ami-hvm-2017.03.0.20170401-x86_64.ext4.gpt" image_stamp="26a3-ed31" image_date="20170402053945" recipe_name="amzn ami" recipe_id="47cfa924-413c-d460-f4f2-2af7-feb6-9e37-7c9f1d2b"

The image_name, image_version, and image_arch items come from the build recipe that Amazon used to construct the image. The image_stamp is simply a unique random hex value generated during image creation. The image_date item is in YYYYMMDDhhmmss format, and is the UTC time of image creation. The recipe_name and recipe_id refer to the name and ID of the build recipe Amazon used to construct the image, which identifies the current running version of Amazon Linux. This file will not change as you install updates from the yum repository.

Amazon Linux contains an /etc/system-release file that specifies the current release that is installed. This file is updated through yum and is part of the system-release RPM.

The following is an example of an /etc/system-release file:

[ec2-user ~]$ cat /etc/system-release Amazon Linux AMI release 2017.03

Amazon Linux also contains a machine readable version of the /etc/system-release file found in /etc/system-release-cpe and follows the CPE specification from MITRE (CPE).

Included AWS Command Line Tools

The following popular command line tools for AWS integration and usage have been included in Amazon Linux or in the default repositories:

  • aws-amitools-ec2

  • aws-apitools-as

  • aws-apitools-cfn

  • aws-apitools-ec2

  • aws-apitools-elb

  • aws-apitools-iam

  • aws-apitools-mon

  • aws-apitools-rds

  • aws-cfn-bootstrap

  • aws-cli

  • aws-scripts-ses

The minimal versions of Amazon Linux (amzn-ami-minimal-*) do not contain the above packages; however, they are available in the default yum repositories, and you can install them with the following command:

[ec2-user ~]$ sudo yum install -y package_name

For instances launched using IAM roles, a simple script has been included to prepare AWS_CREDENTIAL_FILE, JAVA_HOME, AWS_PATH, PATH, and product-specific environment variables after a credential file has been installed to simplify the configuration of these tools.

Also, to allow the installation of multiple versions of the API and AMI tools, we have placed symbolic links to the desired versions of these tools in /opt/aws, as described here:


Symbolic links to /bin directories in each of the installed tools directories.


Products are installed in directories of the form name-version and a symbolic link name that is attached to the most recently installed version.


Used by /etc/profile.d/ to set product-specific environment variables, such as EC2_HOME.


The cloud-init package is an open source application built by Canonical that is used to bootstrap Linux images in a cloud computing environment, such as Amazon EC2. Amazon Linux contains a customized version of cloud-init. It enables you to specify actions that should happen to your instance at boot time. You can pass desired actions to cloud-init through the user data fields when launching an instance. This means you can use common AMIs for many use cases and configure them dynamically at startup. Amazon Linux also uses cloud-init to perform initial configuration of the ec2-user account.

For more information about cloud-init, see

Amazon Linux uses the cloud-init actions found in /etc/cloud/cloud.cfg.d and /etc/cloud/cloud.cfg. You can create your own cloud-init action files in /etc/cloud/cloud.cfg.d. All files in this directory are read by cloud-init. They are read in lexical order, and later files overwrite values in earlier files.

The cloud-init package performs these (and other) common configuration tasks for instances at boot:

  • Set the default locale

  • Set the hostname

  • Parse and handle user data

  • Generate host private SSH keys

  • Add a user's public SSH keys to .ssh/authorized_keys for easy login and administration

  • Prepare the yum repositories for package management

  • Handle package actions defined in user data

  • Execute user scripts found in user data

  • Mount instance store volumes if applicable

    • By default, the ephemeral0 instance store volume is mounted at /media/ephemeral0 if it is present and contains a valid file system; otherwise, it is not mounted.

    • By default, any swap volumes associated with the instance are mounted (only for m1.small and c1.medium instance types).

    • You can override the default instance store volume mount with the following cloud-init directive:

      #cloud-config mounts: - [ ephemeral0 ]

      For more control over mounts, see Mounts in the cloud-init documentation.

    • Instance store volumes that support TRIM are not formatted when an instance launches, so you must partition and format them before you can mount them. For more information, see Instance Store Volume TRIM Support. You can use the cloud-init disk_setup module to partition and format your instance store volumes at boot. For more information, see Disk Setup in the cloud-init documentation.

Supported User-Data Formats

The cloud-init package supports user-data handling of a variety of formats:

  • Gzip

    • If user-data is gzip compressed, cloud-init decompresses the data and handles it appropriately.

  • MIME multipart

    • Using a MIME multipart file, you can specify more than one type of data. For example, you could specify both a user-data script and a cloud-config type. Each part of the multipart file can be handled by cloud-init if it is one of the supported formats.

  • Base64 decoding

    • If user-data is base64-encoded, cloud-init determines if it can understand the decoded data as one of the supported types. If it understands the decoded data, it decodes the data and handles it appropriately. If not, it returns the base64 data intact.

  • User-Data script

    • Begins with #! or Content-Type: text/x-shellscript.

    • The script is executed by /etc/init.d/cloud-init-user-scripts during the first boot cycle. This occurs late in the boot process (after the initial configuration actions are performed).

  • Include file

    • Begins with #include or Content-Type: text/x-include-url.

    • This content is an include file. The file contains a list of URLs, one per line. Each of the URLs is read, and their content passed through this same set of rules. The content read from the URL can be gzipped, MIME-multi-part, or plain text.

  • Cloud Config Data

    • Begins with #cloud-config or Content-Type: text/cloud-config.

    • This content is cloud-config data. See the examples for a commented example of supported configuration formats.

  • Cloud Boothook

    • Begins with #cloud-boothook or Content-Type: text/cloud-boothook.

    • This content is boothook data. It is stored in a file under /var/lib/cloud and then executed immediately.

    • This is the earliest "hook" available. Note that there is no mechanism provided for running it only one time. The boothook must take care of this itself. It is provided with the instance ID in the environment variable INSTANCE_ID. Use this variable to provide a once-per-instance set of boothook data.

Repository Configuration

Beginning with the 2011.09 release of Amazon Linux, Amazon Linux AMIs are treated as snapshots in time, with a repository and update structure that always gives you the latest packages when you run yum update -y.

The repository structure is configured to deliver a continuous flow of updates that allow you to roll from one version of Amazon Linux to the next. For example, if you launch an instance from an older version of the Amazon Linux AMI (such as 2016.09 or earlier) and run yum update -y, you end up with the latest packages.

You can disable rolling updates for Amazon Linux by enabling the lock-on-launch feature. The lock-on-launch feature locks your newly launched instance to receive updates only from the specified release of the AMI. For example, you can launch a 2016.09 AMI and have it receive only the updates that were released prior to the 2017.03 AMI, until you are ready to migrate to the 2017.03 AMI. To enable lock-on-launch in new instances, launch it with the following user data passed to cloud-init, using either the Amazon EC2 console or the ec2-run-instances command with the -f flag.


If you lock your AMI to a version of the repositories that is not latest, you will not receive any further updates. The only way to receive a continuous flow of updates for the Amazon Linux AMI is to be using the latest AMI, or to be consistently updating your old AMI with the repositories pointed to latest.

#cloud-config repo_releasever: 2016.09

To lock existing instances to their current AMI release version

  1. Edit /etc/yum.conf.

  2. Comment out releasever=latest.

  3. Run yum clean all to clear the cache.

Adding Packages

Amazon Linux is designed to be used with online package repositories hosted in each Amazon EC2 region. These repositories provide ongoing updates to packages in the Amazon Linux AMI, as well as access to hundreds of additional common open source server applications. The repositories are available in all regions and are accessed using yum update tools, as well as on the Amazon Linux AMI packages site. Hosting repositories in each region enables us to deploy updates quickly and without any data transfer charges. The packages can be installed by issuing yum commands, such as the following example:

[ec2-user ~]$ sudo yum install httpd

Access to the Extra Packages for Enterprise Linux (EPEL) repository is configured, but it is not enabled by default. EPEL provides third-party packages in addition to those that are in the Amazon Linux repositories. The third-party packages are not supported by AWS.

If you find that Amazon Linux does not contain an application you need, you can simply install the application directly on your Amazon Linux instance. Amazon Linux uses RPMs and yum for package management, and that is likely the simplest way to install new applications. You should always check to see if an application is available in our central Amazon Linux repository first, because many applications are available there. These applications can easily be added to your Amazon Linux instance.

To upload your applications onto a running Amazon Linux instance, use scp or sftp and then configure the application by logging on to your instance. Your applications can also be uploaded during the instance launch by using the PACKAGE_SETUP action from the built-in cloud-init package. For more information, see cloud-init.


If your instance is running in a virtual private cloud (VPC), you must attach an Internet Gateway to the VPC in order to contact the yum repository. For more information, see Internet Gateways in the Amazon VPC User Guide.

Accessing Source Packages for Reference

You can view the source of packages you have installed on your instance for reference purposes by using tools provided in Amazon Linux. Source packages are available for all of the packages included in Amazon Linux and the online package repository. Simply determine the package name for the source package you want to install and use the get_reference_source command to view source within your running instance. For example:

[ec2-user ~]$ get_reference_source -p bash

The following is a sample response:

Requested package: bash
Found package from local RPM database: bash-4.2.46-20.36.amzn1.x86_64
Corresponding source RPM to found package : bash-4.2.46-20.36.amzn1.src.rpm

Are these parameters correct? Please type 'yes' to continue: yes
Source RPM downloaded to: /usr/src/srpm/debug/bash-4.2.46-20.36.amzn1.src.rpm

The source RPM is placed in the /usr/src/srpm/debug directory of your instance. From there, it can be unpacked, and, for reference, you can view the source tree using standard RPM tools. After you finish debugging, the package is available for use.


If your instance is running in a virtual private cloud (VPC), you must attach an Internet Gateway to the VPC in order to contact the yum repository. For more information, see Internet Gateways in the Amazon VPC User Guide.

Developing Applications

A full set of Linux development tools is provided in the yum repository for Amazon Linux. To develop applications on Amazon Linux, select the development tools you need with yum. Alternatively, many applications developed on CentOS and other similar distributions should run on Amazon Linux.

Instance Store Access

The instance store drive ephemeral0 is mounted in /media/ephemeral0 only on Amazon instance store-backed AMIs. This is different than many other images that mount the instance store drive under /mnt.

Product Life Cycle

The Amazon Linux AMI is updated regularly with security and feature enhancements. If you do not need to preserve data or customizations on your Amazon Linux instances, you can simply relaunch new instances with the latest Amazon Linux AMI. If you need to preserve data or customizations for your Amazon Linux instances, you can maintain those instances through the Amazon Linux yum repositories. The yum repositories contain all the updated packages. You can choose to apply these updates to your running instances.

Older versions of the AMI and update packages will continue to be available for use, even as new versions are released. In some cases, if you're seeking support for an older version of Amazon Linux; through AWS Support, we might ask you to move to newer versions as part of the support process.

Security Updates

Security updates are provided via the Amazon Linux AMI yum repositories as well as via updated Amazon Linux AMIs. Security alerts are published in the Amazon Linux AMI Security Center. For more information on AWS security policies or to report a security problem, go to the AWS Security Center.

Amazon Linux AMIs are configured to download and install security updates at launch time. This is controlled via a cloud-init setting called repo_upgrade. The following snippet of cloud-init configuration shows how you can change the settings in the user data text you pass to your instance initialization:

#cloud-config repo_upgrade: security

The possible values for the repo_upgrade setting are as follows:


Apply outstanding updates that Amazon marks as security updates.


Apply updates that Amazon marks as bug fixes. Bug fixes are a larger set of updates, which include security updates and fixes for various other minor bugs.


Apply all applicable available updates, regardless of their classification.


Do not apply any updates to the instance on startup.

The default setting for repo_upgrade is security. That is, if you don't specify a different value in your user data, by default, the Amazon Linux AMI performs the security upgrades at launch for any packages installed at that time. The Amazon Linux AMI also notifies you of any updates to the installed packages by listing the number of available updates upon login using the /etc/motd file. To install these updates, you need to run sudo yum upgrade on the instance.


If your instance is running in a virtual private cloud (VPC), you must attach an Internet Gateway to the VPC in order to contact the yum repository. For more information, see Internet Gateways in the Amazon VPC User Guide.


Support for installation and use of the base Amazon Linux AMI is included through subscriptions to AWS Support. For more information, see AWS Support.

We encourage you to post any questions you have about Amazon Linux to the Amazon EC2 forum.