Server Security: Applying Security Updates to Your EC2 Instance

Enhance the server security of a Red Hat Enterprise Linux EC2 instance by monitoring and applying system updates.

This is the first part of our Server Security on AWS series. In this series, we will explore some ways to enhance the security of a Red Hat Enterprise Linux EC2 instance. We may also touch on Amazon Linux where appropriate. This will by no means be an exhaustive list of the things you can do to harden and enhance the security posture of your cluster of EC2 instances, but it should be sufficient to get you moving in the right direction.

In this article, we will look at installing security updates and how, by default, Amazon Linux and Red Hat Enterprise Linux differ.

Server Security: monitoring system notices

When you launch an Amazon Linux instance for the first time, you will see the message of the day (MOTD). Amazon Linux will install both the critical and important security updates at launch time by default.

       __|  __|_  )
       _|  (     /   Amazon Linux AMI

If (right after the release notes link) your MOTD message indicates that you have additional security updates to install, they tend to be of a lower severity, but you should still install them as soon as you can.

# yum update --security

Right now there are no security updates I need to install myself. If there were, they would be generated by the 70-available-updates script:

# cat /etc/update-motd.d/70-available-updates | head -5
# Possible summaries include:
# No packages needed for security; %d packages available
# %d package(s) needed[ (+%d related)] for security, out of %d available
# There are [[%d security update(s)[ out of ]%d total update(s)]] available

On Red Hat Enterprise Linux, you have to install the security updates yourself. RHEL does not install any critical or important security updates automatically. Using yum update, I’m shown a handful of packages that I should update in my newly launched instance:

# yum update --security | egrep -e '^(I|U).*\)$'
Install   1 Package  (+1 Dependent package)
Upgrade  23 Packages (+4 Dependent packages)

Server Security: applying updates

Running yum update --security lets you apply all the available security updates and ignore any other non-security updates. This is to ensure that you do not introduce additional – and unnecessary – changes to your EC2 instance, especially if stability is a priority.

To keep up with the security updates you may have to apply on Amazon Linux, you can watch the security bulletins as they are published at the Amazon Linux AMI Security Centre.

If you have a specific RHEL CVE (Common Vulnerabilities and Exposures) ID you would like to explore, you can query it using Red Hat’s CVE Database.

This was just a quick start to whet your appetite for more. In our next article, we will explore using firewall-cmd to configure firewall rules in your Red Hat Enterprise Linux 7 EC2 instance. You might also like to take Cloud Academy’s Introduction to Security Best Practices and Linux Security courses.

Any thoughts? Why not share them in the comments below.

Cloud Academy