How can I update yum or install packages without internet access on my EC2 instances running Amazon Linux 1 or Amazon Linux 2?

Last updated: 2020-10-17

I'm running Amazon Linux 1 or Amazon Linux 2 on my Amazon Elastic Compute Cloud (Amazon EC2) instance. How can I update yum or install packages if my instance doesn't have internet access?

Short description

Amazon Linux repositories are hosted in Amazon Simple Storage Service (Amazon S3) buckets. To update and install packages on your instance without an internet connection, create an S3 VPC endpoint with a policy that allows access to the repository buckets. Associate the VPC endpoint with the route table of your instance's subnet.

Note: To enable third-party repositories, such as EPEL, your EC2 instance must have internet access through one of the following

Resolution

1.    Open the Amazon EC2 console, and then select your instance.

2.    On the Description tab, note the VPC ID and Subnet ID.

3.    Open the Amazon VPC console, choose Subnets, and then select your Subnet ID.

4.    Choose the Route Table tab, and then note the Route Table ID.

5.    Choose Endpoints, and then choose Create Endpoint.

6.    Create the endpoint using the following information:

For Service name, select com.amazonaws.[region].s3. Choose the Region where your resources are located. For example, com.amazonaws.us-east-1.s3. For a full list of Region codes, see Available Regions.

For VPC, select the VPC ID for your instance.

For Configure route tables, select the Route Table ID for your instance.

7.    Choose either Full Access or Custom for Policy.

If you choose Full Access, your endpoint policy allows full access to Amazon S3.

If you choose Custom, you must allow the API call s3:GetObject on the Amazon Linux repository buckets:

Amazon Linux 1

The repositories are hosted in the bucket arn:aws:s3:::amazonlinux.region.amazonaws.com. The following is an example policy allowing the s3:GetObject API call.

{
    "Statement": [
        {
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::amazonlinux.us-east-1.amazonaws.com/*"
            ]
        }
    ]
}

Amazon Linux 2

The S3 buckets arn:aws:s3:::packages.region.amazonaws.com and arn:aws:s3:::repo.region.amazonaws.com host the repositories. The following is an example policy allowing the s3:GetObject API call.

{
    "Statement": [
        {
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::packages.us-east-1.amazonaws.com/*",
                "arn:aws:s3:::repo.us-east-1.amazonaws.com/*"
            ]
        }
    ]
}

Note: Replace the Region in the Resource ARN with your instance's Region. For more information, see Using endpoint policies for Amazon S3.

8.    Choose Create endpoint.

After creating the S3 VPC endpoint, you can install and update packages in your Amazon Linux instance.
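The console steps above can also be scripted. The following shell script is an added example and is not part of this article or of any AWS tool: it builds the Custom endpoint policy for the Amazon Linux 1 or Amazon Linux 2 repository buckets named above (the least-privilege choice, since Full Access would let the instance read from and write to any S3 bucket), creates the gateway endpoint with the AWS CLI, and checks that the route table received the endpoint's prefix-list route. It assumes the AWS CLI is installed and configured with permission to create VPC endpoints and describe route tables; the function names, VPC ID, route table ID and Region shown in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS article or any AWS project).
# Assumes: AWS CLI configured with ec2:CreateVpcEndpoint and
# ec2:DescribeRouteTables permissions. All IDs below are placeholders.

# Emit the endpoint policy for a Region and an Amazon Linux major version (1 or 2).
# Bucket names are the ones given in the article; only s3:GetObject is allowed.
build_endpoint_policy() {
  region="$1"
  al_version="$2"
  case "$al_version" in
    1) resources="\"arn:aws:s3:::amazonlinux.${region}.amazonaws.com/*\"" ;;
    2) resources=$(printf '"arn:aws:s3:::packages.%s.amazonaws.com/*",\n                "arn:aws:s3:::repo.%s.amazonaws.com/*"' "$region" "$region") ;;
    *) echo "unsupported Amazon Linux version: $al_version" >&2; return 1 ;;
  esac
  cat <<EOF
{
    "Statement": [
        {
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                ${resources}
            ]
        }
    ]
}
EOF
}

# Create the S3 gateway endpoint in the instance's VPC, attach it to the
# subnet's route table, and apply the least-privilege policy.
# Usage: create_s3_endpoint us-east-1 vpc-PLACEHOLDER rtb-PLACEHOLDER 2
create_s3_endpoint() {
  region="$1"; vpc_id="$2"; route_table_id="$3"; al_version="$4"
  policy_file=$(mktemp) || return 1
  if ! build_endpoint_policy "$region" "$al_version" > "$policy_file"; then
    rm -f "$policy_file"
    return 1
  fi
  aws ec2 create-vpc-endpoint \
    --region "$region" \
    --vpc-endpoint-type Gateway \
    --vpc-id "$vpc_id" \
    --service-name "com.amazonaws.${region}.s3" \
    --route-table-ids "$route_table_id" \
    --policy-document "file://${policy_file}"
  rc=$?
  rm -f "$policy_file"
  return $rc
}

# Verify the route table now carries the endpoint route: a gateway endpoint
# installs a route whose destination is an S3 prefix list (pl-...) and whose
# target is the endpoint (vpce-...). Prints the matching routes.
verify_endpoint_route() {
  region="$1"; route_table_id="$2"
  aws ec2 describe-route-tables \
    --region "$region" \
    --route-table-ids "$route_table_id" \
    --query 'RouteTables[].Routes[?starts_with(DestinationPrefixListId, `pl-`)].[DestinationPrefixListId,GatewayId]' \
    --output text
}
```

Once the endpoint route is in place, running yum update on the instance should succeed with no internet gateway or NAT in the route table; if it still fails, confirm the Region in the policy's Resource ARNs matches the instance's Region and that the route table you attached is the one associated with the instance's subnet.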