AL2 on Amazon EC2
Note
AL2 is no longer the current version of Amazon Linux. AL2023 is the successor to AL2. For more information, see Comparing AL2 and AL2023 and the list of Package changes in AL2023 in the AL2023 User Guide.
Topics
- Launch Amazon EC2 instance with AL2 AMI
- Find the latest AL2 AMI using Systems Manager
- Connect to an Amazon EC2 instance
- AL2 AMI boot mode
- Package repository
- Using cloud-init on AL2
- Configure AL2 instances
- User provided kernels
- AL2 AMI release notifications
- Configure the AL2 MATE desktop connection
- AL2 Tutorials
Launch Amazon EC2 instance with AL2 AMI
You can launch an Amazon EC2 instance with the AL2 AMI. For more information, see Step 1: Launch an instance.
Find the latest AL2 AMI using Systems Manager
Amazon EC2 provides Amazon Systems Manager public parameters for public AMIs maintained by Amazon that you can
use when launching instances. For example, the EC2-provided parameter
/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
is
available in all Regions and always points to the latest version of the AL2 AMI in
a given Region.
To find the latest AL2023 AMI using Amazon Systems Manager, see Get started with AL2023.
The Amazon EC2 AMI public parameters are available from the following path:
/aws/service/ami-amazon-linux-latest
You can view a list of all Amazon Linux AMIs in the current Amazon Region by running the following Amazon CLI command.
aws ssm get-parameters-by-path --path /aws/service/ami-amazon-linux-latest --query "Parameters[].Name"
To launch an instance using a public parameter
The following example uses the EC2-provided public parameter to launch an
m5.xlarge
instance using the latest AL2 AMI.
To specify the parameter in the command, use the following syntax:
resolve:ssm:
, where
public-parameter
resolve:ssm
is the standard prefix and public-parameter
is
the path and name of the public parameter.
In this example, the --count
and --security-group
parameters
are not included. For --count
, the default is 1. If you have a default VPC
and a default security group, they are used.
aws ec2 run-instances
--image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
--instance-type m5.xlarge
--key-name MyKeyPair
For more information, see Using public parameters in the Amazon Systems Manager User Guide
and Query for the latest Amazon Linux AMI IDs Using Amazon Systems Manager Parameter Store
Connect to an Amazon EC2 instance
There are several ways to connect to your Amazon Linux instance, including SSH, Amazon Systems Manager Session Manager, and EC2 Instance Connect. For more information, see Connect to your Linux instance in the Amazon EC2 User Guide.
SSH users and sudo
Amazon Linux does not allow remote root
secure shell (SSH) by default. Also,
password authentication is disabled to prevent brute force attacks. To enable SSH logins to
an Amazon Linux instance, you must provide your key pair to the instance at launch. You must also
set the security group used to launch your instance to allow SSH access. By default, the
only account that can log in remotely using SSH is ec2-user
. This account also
has sudo privileges. If you enable remote root
login, be
aware that it is less secure than relying on key pairs and a secondary user.
AL2 AMI boot mode
AL2 AMIs don't have a boot mode parameter set. Instances launched from AL2 AMIs follow the default boot mode value of the instance type. For more information, see Boot modes in the Amazon EC2 User Guide.
Package repository
This information applies to AL2 and AL1. For information about AL2023, see Managing packages and operating system updates in the AL2023 User Guide.
AL2 and AL1 are designed to be used with online package repositories hosted in each Amazon EC2 Amazon Region. The repositories are available in all Regions and are accessed using yum update tools. Hosting repositories in each Region enables us to deploy updates quickly and without any data transfer charges.
Important
The last version of AL1 reached EOL on December 31, 2023 and will not receive any security updates or bug fixes starting January 1, 2024. For more information, see
Amazon Linux AMI end-of-life
If you don't need to preserve data or customizations for your instances, you can launch new instances using the current AL2 AMI. If you do need to preserve data or customizations for your instances, you can maintain those instances through the Amazon Linux package repositories. These repositories contain all the updated packages. You can choose to apply these updates to your running instances. Earlier versions of the AMI and update packages continue to be available for use, even as new versions are released.
Note
To update and install packages without internet access on an Amazon EC2 instance, see
How can I update yum or install packages without internet access on
my Amazon EC2 instances running AL1, AL2, or AL2023?
To install packages, use the following command:
[ec2-user ~]$
sudo yum install
package
If you find that Amazon Linux doesn't contain an application that you need, you can install the application directly on your Amazon Linux instance. Amazon Linux uses RPMs and yum for package management, and that is likely the most direct way to install new applications. You should check to see if an application is available in our central Amazon Linux repository first, because many applications are available there. From there, you can add these applications to your Amazon Linux instance.
To upload your applications onto a running Amazon Linux instance, use scp or sftp and then configure the application by logging in to your instance. Your applications can also be uploaded during the instance launch by using the PACKAGE_SETUP action from the built-in cloud-init package. For more information, see Using cloud-init on AL2.
Security updates
Security updates are provided using the package repositories.
Both security updates and updated AMI security alerts are published in the Amazon Linux Security Center
AL1 and AL2 are configured to download and install critical or important security updates at launch time. Kernel updates are not included in this configuration.
In AL2023, this configuration has changed compared to AL1 and AL2. For more information about security updates for AL2023, see Security updates and features in the AL2023 User Guide.
We recommend that you make the necessary updates for your use case after launch. For
example, you might want to apply all updates (not just security updates) at launch, or
evaluate each update and apply only the ones applicable to your system. This is
controlled using the following cloud-init setting:
repo_upgrade
. The following snippet of cloud-init configuration
shows how you can change the settings in the user data text you pass to your
instance initialization:
#cloud-config
repo_upgrade: security
The possible values for repo_upgrade
are as follows:
critical
-
Apply outstanding critical security updates.
important
-
Apply outstanding critical and important security updates.
medium
-
Apply outstanding critical, important, and medium security updates.
low
-
Apply all outstanding security updates, including low-severity security updates.
security
-
Apply outstanding critical or important updates that Amazon marks as security updates.
bugfix
-
Apply updates that Amazon marks as bug fixes. Bug fixes are a larger set of updates, which include security updates and fixes for various other minor bugs.
all
-
Apply all applicable available updates, regardless of their classification.
none
-
Don't apply any updates to the instance on start up.
Note
Amazon Linux does not mark any updates as bugfix
. To apply non-security related updates from Amazon Linux use repo_upgrade: all
.
The default setting for repo_upgrade
is security. That is, if you don't
specify a different value in your user data, by default, Amazon Linux performs the
security upgrades at launch for any packages installed at that time. Amazon Linux also
notifies you of any updates to the installed packages by listing the number of available
updates upon login using the /etc/motd
file. To install these
updates, you need to run sudo yum upgrade on the instance.
Repository configuration
For AL1 and AL2, AMIs are a snapshot of the packages available at the time the AMI was created, with the exception of security updates. Any packages not on the original AMI, but installed at runtime, will be the latest version available. To get the latest packages available for AL2, run yum update -y.
Troubleshooting tip
If you get a cannot allocate memory
error running yum update on nano instance types, such as t3.nano
, you might need to allocate swap space to enable the update.
For AL2023, the repository configuration has changed compared to AL1 and AL2. For more information about the AL2023 repository, see Managing packages and operating system updates.
Versions up to AL2023 were configured to deliver a continuous flow of updates to roll from one minor version of Amazon Linux to the next version, also called rolling releases. As a best practice, we recommend you update your AMI to the latest available AMI rather than launching old AMIs and applying updates.
In-place upgrades are not supported between major Amazon Linux versions, such as from AL1 to AL2 or from AL2 to AL2023. For more information, see Amazon Linux availability.