My Amazon EC2 instance system clock drifts. How do I correct system clock drift for my EC2 instance running Ubuntu?

Time drift can occur for a number of reasons that are not specific to AWS or EC2 instances, and it can affect many processes and systems:

  • Cloud-based resources are subject to a variety of factors that can cause this time drift and influence the severity of the issue.
  • A consistent and accurate time reference is crucial for many server tasks and processes. Most system logs include a time stamp that you can use to determine when problems occur and in what order the events take place.
  • If you use the AWS CLI or an AWS SDK to make requests from your instance, these tools sign requests on your behalf. If your instance's date and time are not set correctly, the request can be rejected if the date in the signature does not match the date of the request.
  • Network Time Protocol (NTP) is configured by default on Amazon Linux instances, and the system time is synchronized with a load-balanced pool of public servers on the Internet and set to the UTC time zone. For more information, see Setting the Time for Your Linux Instance.

The Ubuntu images found in the AWS Quick Start menu don't have NTP running by default; see Time Synchronization with NTP.

Perform the following as sudoer/root:

# apt-get update
# apt-get install ntp -y

During installation, the ntp daemon (ntpd) should start. To ensure it is running:

# service ntp status
# ntpq -pcrv

Note: If you run ntpq with no options, it starts in interactive mode and shows its own prompt. Type 'exit' to return to the shell.
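
Added example (not part of the original article): a shell function that reads `ntpq -pn` peer output and reports whether ntpd has selected a system peer (the line tagged `*`) and whether that peer's offset is within a limit. The function name, the 100 ms default limit, and the sample peer lines (documentation-range addresses) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `ntpq -pn` peer output whether ntpd is synchronized.
# On an instance: ntpq -pn | ntp_sync_check 100
# Exit status: 0 = synced within limit, 1 = no system peer, 2 = offset too large.

ntp_sync_check() {
    max_ms="${1:-100}"   # assumed limit in milliseconds; choose one for your workload
    awk -v max="$max_ms" '
        substr($0, 1, 1) == "*" {    # "*" tally code marks the selected system peer
            found = 1
            peer = substr($1, 2)     # strip the tally character from the address
            off = $9 + 0             # ninth column is the offset in milliseconds
            if (off < 0) off = -off
        }
        END {
            if (!found) { print "UNSYNCED: no system peer selected"; exit 1 }
            if (off > max) {
                printf "DRIFT: peer %s offset %.3f ms exceeds %s ms\n", peer, off, max
                exit 2
            }
            printf "OK: peer %s offset %.3f ms\n", peer, off
        }'
}

# Constructed sample output (documentation-range addresses, not real servers).
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*198.51.100.10   203.0.113.5      2 u   33   64  377    1.234   -0.512   0.101
+198.51.100.11   203.0.113.6      2 u   30   64  377    2.100    0.800   0.200'

# Constructed sample: daemon running but no peer reachable (reach 0, no "*" line).
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 198.51.100.10   .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed sample: peer selected but the clock is 2.5 s off.
SAMPLE_DRIFT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*198.51.100.10   203.0.113.5      2 u   12   64  377    1.234 2500.000  40.000'

printf '%s\n' "$SAMPLE_SYNCED" | ntp_sync_check 100
```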

Check the ntp service and ensure it is set to run at boot

When the NTP service is installed, Ubuntu automatically starts the service and sets it to run at boot. However, to see if it is running at startup on Ubuntu 14.x, you can use the standard ls /etc/rc?.d command:

# ls /etc/rc?.d |grep ntp

Then you can update the rc.d script to ensure ntp runs at startup:

# update-rc.d ntp enable

Enable/disable NTP

For Ubuntu 16.x, you can use the systemctl command to check whether ntp is enabled at boot, and then enable or disable it:

# systemctl is-enabled ntp

# systemctl enable ntp

# systemctl disable ntp

An additional option is to install the Ubuntu version of the chkconfig package, sysv-rc-conf, on either Ubuntu 14.x or 16.x:

# apt-get install sysv-rc-conf
# sysv-rc-conf (or # sysv-rc-conf --list)

Time servers

Typically, Ubuntu uses NTP to connect to Ubuntu time servers. To check this in Ubuntu 14.x:

$ grep "^server" /etc/ntp.conf

To check this in Ubuntu 16.x:

$ grep "^pool" /etc/ntp.conf

To use public time servers that are load balanced for NTP traffic from AWS, edit the server entries in the /etc/ntp.conf file to read as follows in Ubuntu 14.x:

server 0.amazon.pool.ntp.org
server 1.amazon.pool.ntp.org
server 2.amazon.pool.ntp.org
server 3.amazon.pool.ntp.org

Ubuntu 16.x server configuration would be as follows:

pool 0.amazon.pool.ntp.org
pool 1.amazon.pool.ntp.org
pool 2.amazon.pool.ntp.org
pool 3.amazon.pool.ntp.org

Note: The n.amazon.pool.ntp.org DNS records are intended to load balance NTP traffic from AWS. However, these are public NTP servers in the pool.ntp.org project, and they are not owned or managed by AWS. There is no guarantee that they are geographically located near your instances, or even within the AWS network. For more information, see http://www.pool.ntp.org/en/.

If you choose to change the /etc/ntp.conf file, be sure to restart the ntp daemon so that the change takes effect:

$ sudo service ntp restart

You can see the specific system time and time config by using the timedatectl command, which has replaced ntpdate as of Ubuntu 16.04[1]: 

$ timedatectl

When ntpd is running, ntpdate does not function properly. In Ubuntu 14.04, ntpdate is installed by default and can be run just before installing and configuring ntp, because ntpd has been known to malfunction if the system time drift is too large.

Firewall/ACL considerations

Firewalls and ACLs can affect time synchronization:

  • Avoid specifically blocking UDP port 123 in your security groups, nACLs, or iptables.
  • The stateful nature of security groups enables NTP to work as long as egress is allowed over UDP Port 123.
  • As long as you don't specifically block it on egress, NTP will work (by default, egress security groups allow this traffic).
  • ACLs are stateless, so you must allow UDP Port 123 for both egress and ingress.
  • Default AWS nACLs allow all for both ingress and egress.


Published: 2017-03-23