Posted On: Jun 29, 2020
Kernel Live Patching enables customers to patch security vulnerabilities and bugs in the Linux kernel without reboots or disruptions to running applications. As a result, Amazon Linux 2 customers benefit from improved service availability and a better security posture. This feature is now generally available to all Amazon Linux 2 customers, free of charge.
Many AWS customers introduce security updates by rolling out patched machine images (AMI) or by in-place patching instances followed by rolling restarts. This process is usually time consuming and may result in disruptions to running applications. Kernel Live Patching in Amazon Linux provides a way to reduce disruption and accelerate a rollout by applying a fix in the running kernel, without the need for an immediate reboot.
Amazon now releases live patches for the Amazon Linux 2 kernel to address critical and important security vulnerabilities as well as critical bugs. The existing Amazon Linux 2 repositories serve kernel live patches for users to install. Customers install a ‘yum’ plugin to enable Kernel Live Patching. Once enabled, customers use the existing ‘yum update’ workflows to apply available kernel live patches. Patches take effect without having to boot into a new kernel.
Now, customers can also use AWS Systems Manager (SSM) Patch Manager to automate the process of patching Amazon Linux 2 instances with critical updates. Using Patch Manager, customers can scan Amazon Linux instances to generate a patch compliance report that identifies missing patches, or they can scan and automatically install all missing kernel patches without requiring an immediate reboot.
Visit Amazon Linux 2 Kernel Live Patching documentation for details and the Amazon Linux Security Center for a list of available kernel live patches. To learn how to enable and use Kernel Live Patching using AWS SSM, visit the Systems Manager documentation.