Installing Linux Security Updates
Linux operating system providers supply regular updates, most of which are operating system security patches but can also include updates to installed packages. You should ensure that your instances' operating systems are current with the latest security patches.
By default, AWS OpsWorks Stacks automatically installs the latest updates during setup, after an instance finishes booting. AWS OpsWorks Stacks does not automatically install updates after an instance is online, to avoid interruptions such as restarting application servers. Instead, you manage updates to your online instances yourself, so you can minimize any disruptions.
We recommend that you use one of the following to update your online instances.
Create and start new instances to replace your current online instances, then delete the current instances. The new instances will have the latest set of security patches installed during setup.
On Linux-based instances in Chef 11.10 or older stacks, run the Update Dependencies stack command, which installs the current set of security patches and other updates on the specified instances.
For both of these approaches, AWS OpsWorks Stacks performs the update by running for Amazon Linux and Red Hat Enterprise Linux (RHEL) or apt-get update for Ubuntu.
Each distribution handles updates somewhat differently, so you should examine the information in the associated links to understand exactly how an update will affect your instances:
Amazon Linux – Amazon Linux updates install security patches and might also install feature updates, including package updates. For more information, see Amazon Linux AMI FAQs.
Ubuntu – Ubuntu updates are largely limited to installing security patches, but might also install package updates for a limited number of critical fixes. For more information, see LTS - Ubuntu Wiki.
CentOS – CentOS updates generally maintain binary compatibility with earlier versions. For more information, see CentOS Product Specifications.
RHEL – RHEL updates generally maintain binary compatibility with earlier versions. For more information, see Red Hat Enterprise Linux Life Cycle.
If you want more control over updates, such as specifying particular package versions, you can disable automatic updates by using the CreateInstance, UpdateInstance, CreateLayer, or UpdateLayer actions (or the equivalent AWS SDK methods or AWS CLI commands) to set the InstallUpdatesOnBoot parameter to false. The following example shows how to use the AWS CLI to disable InstallUpdatesOnBoot as the default setting for an existing layer; replace the placeholder with the ID of your layer.
aws opsworks update-layer --layer-id <layer-id> --no-install-updates-on-boot
You must then manage updates yourself. For example, you could employ one of these strategies:
Implement a custom recipe that runs the appropriate shell command to install your preferred updates. Because system updates don't map naturally to a lifecycle event, include the recipe in your custom cookbooks but execute it manually. For package updates, you can also use the yum_package (Amazon Linux) or apt_package (Ubuntu) resources instead of a shell command.
Log in to each instance with SSH and run the appropriate commands manually.
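The following POSIX shell script is an added example for the two strategies above; it is not part of the OpsWorks documentation or the OpsWorks agent. It picks the package-manager command for the instance's distribution, and separates a read-only "what is pending" step from the step that applies updates, so an operator can review what a run would change on an online instance before any application server is restarted. Reading the distribution ID from /etc/os-release, the constructed sample file contents, and the extra apt-get upgrade step (apt-get update alone only refreshes the package index) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the OpsWorks documentation: choose the update commands
# for the instance's distribution and review pending updates before applying.
# Reading /etc/os-release and the sample contents below are assumptions of the
# example; the apt-get upgrade step is added because apt-get update alone only
# refreshes the package index.

# Map an os-release ID value to the command that applies all pending updates.
update_cmd_for() {
  case "$1" in
    amzn|rhel|centos) echo "yum -y update" ;;
    ubuntu|debian)    echo "apt-get update && apt-get -y upgrade" ;;
    *)                return 1 ;;
  esac
}

# Map an os-release ID value to a read-only command that lists pending updates
# without changing the instance (yum check-update; apt-get simulation mode).
pending_cmd_for() {
  case "$1" in
    amzn|rhel|centos) echo "yum check-update" ;;
    ubuntu|debian)    echo "apt-get update && apt-get -s upgrade" ;;
    *)                return 1 ;;
  esac
}

# Extract the ID= value from an os-release style file, stripping any quotes.
# The pattern anchors on "ID=" so ID_LIKE= lines are not matched.
os_id_from_file() {
  sed -n 's/^ID=//p' "$1" | tr -d '"'
}

# Constructed sample os-release content standing in for /etc/os-release.
sample_os_release() {
  cat <<'EOF'
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
EOF
}

# Print the update command for the distribution described by an os-release
# file; fail with a clear message for distributions this script does not know.
plan_update() {
  id=$(os_id_from_file "$1")
  cmd=$(update_cmd_for "$id") || { echo "unsupported distribution: '$id'" >&2; return 1; }
  echo "$cmd"
}

# Demo driver: with no argument it plans against the constructed sample; on an
# instance pass /etc/os-release, and set APPLY=1 to actually run the update.
main() {
  file=${1:-}
  if [ -z "$file" ]; then
    file=$(mktemp)
    sample_os_release > "$file"
    cleanup=$file
  fi
  id=$(os_id_from_file "$file")
  echo "distribution: $id"
  echo "review pending updates with: $(pending_cmd_for "$id")"
  echo "apply with:                  $(plan_update "$file")"
  if [ "${APPLY:-0}" = 1 ]; then
    sh -c "$(plan_update "$file")"
  fi
  [ -n "${cleanup:-}" ] && rm -f "$cleanup"
  return 0
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  main "$@"
fi
```

Run `RUN_DEMO=1 sh update-plan.sh` to see the planned commands for the constructed sample, or `RUN_DEMO=1 sh update-plan.sh /etc/os-release` on an instance. The same functions can be called from a Chef execute resource in a custom recipe, which keeps the distribution logic in one place rather than in per-layer shell strings.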