Amazon Linux 2023 FAQs

General

Amazon Linux 2023 (AL2023) is a general-purpose rpm-based Linux distribution and a successor to Amazon Linux 2. AL2023 simplifies planning for operating system upgrades. Amazon Linux 2023 integrates with AWS services and is designed to be deployed at scale in the cloud. By default, AL2023 AMIs and container images lock to a specific version of the package repository, ensuring deterministic behavior and simplifying integrating OS updates into continuous integration and deployment environments.

You can use the Amazon Linux 2023 GitHub page or work with your account team to report a bug or issue.

The release schedule for Amazon Linux is available here: https://docs.thinkwithwp.com/linux/al2023/ug/release-cadence.html.

Major versions of Amazon Linux will include new features and security and performance improvements across the stack, including the kernel, toolchain, glibc, openssl and all other system libraries and utilities. Major releases of Amazon Linux will be based in part on the current version of the upstream Fedora Linux distribution, though Amazon may choose to add or replace specific packages from other non-Fedora upstreams (e.g. Linux kernel is sourced from kernel.org’s Long Term Support choices and is maintained specifically for Amazon’s Linux products). You should expect major release updates for packages in the repository that are sometimes not backwards compatible. We will provide a full list of changes between major releases. Quarterly minor releases will include security updates, bug fixes, and new features and packages. Examples of changes in the minor releases include latest language runtimes, like PHP and other popular software packages such as Ansible and Docker. During the maintenance phase, a release receives only security updates and critical bug fixes that will be published as soon as they are available.

Updates are provided via a combination of new AMI (Amazon Machine Image) releases and corresponding new repositories. By default, a new AMI and the repository to which it points are coupled, but you can point your running Amazon EC2 instances to newer repository versions over time in order to consume updates on running instances. You can also update by launching new instances of the latest AMIs.

Every time we release a new version (major version, minor version or a security release), we will also release a new Linux Amazon Machine Image (AMI).

AL2023 locks to a specific version of your repository (this can be any major or minor version). The AL2023 AMI exposed through our SSM parameters will always be the latest and have the most up to date packages and updates, including critical and important security updates. If you launch an EC2 instance using the AL2023 AMI via the launch wizard, you will always have the latest updates. However, if you launch an instance from an older AMI, no updates will automatically be applied and any additional packages that are installed as part of your provisioning will map to the repository version from which the older AMI was built. This enables you to ensure there is consistency of package versions and updates across your environment, especially if you are launching multiple instances from the same AMI. You can apply updates based on the schedule that works for you. You can also apply a specific set of updates on launch, as these too can be locked to a specific repository version. Please refer to the documentation for more details.

When we publish a new version of the AL2023 repositories, all previous versions will still be available. By default, the plugin for managing repository versions will lock to the same version that was used to build the AMI. If you need to control package updates, you can discover available repository versions to update to by running “dnf check-release-update”, and select a version by running the listed command, “dnf —releasever=version update”. At that point, “dnf install” or “dnf upgrade“ will only choose packages from the selected repository version. If you do not need to control package updates, you can select the “latest” version, which will always point to the most recent version of the AL2023 repositories. If you currently use Amazon Linux 2, this restores the legacy behavior for package updates that you and existing patch workflows might expect.

Not in a default configuration. By default, the plugin for managing repository versions will lock to the same version that was used to build the AMI, and no security updates will be applied. You can always change the default configuration to automatically receive package updates. You can also specify to receive only security updates. Please refer to the documentation for more details.

AWS provides an Amazon Machine Image (AMI) for Amazon Linux 2023 that you can use to launch an instance from the Amazon EC2 console, AWS SDK, and CLI. Refer to Amazon Linux 2023 documentation for more details.

No, there is no additional charge for running Amazon Linux 2023. Standard Amazon EC2 and AWS charges apply for running Amazon EC2 instances and other services.

AL2023 images can be used outside of AWS, however, these images are not covered by AWS Support Plans when used outside of AWS.

AL2023 is a great option if you are looking for a general-purpose Linux operating system to use on AWS. AL2023 is optimized for Amazon EC2, well integrated with latest AWS features, and offers an integrated experience with many of AWS-specific tools (AWS Systems Manager and AWS CLI). If you currently use Amazon Linux AMI (AL1) or Amazon Linux 2 (AL2), you should consider trying out AL2023 as it combines the benefits of both. Besides offering frequent updates and long-term support, Amazon Linux 2023 provides a predictable release cadence, flexibility and control over new software updates, and eliminates the operational overhead that comes with creating custom policies to meet standard compliance requirements.

No, AL2023 does not have extras. For higher-level software packages like language runtimes, we will use the quarterly release where we will add major/minor updates to packages as separate namespaced packages in addition to the default package provided in the repository. For example, default Python version in Amazon Linux 2023 may be 3.8, but we will add Python 3.9 (python39) as a separate namespaced package whenever it is made available. These additional packages will closely follow their upstream release cadence and support model and their support policies can be accessed by the package manager for compliance and security use cases. Default packages will continue to be supported throughout the life of AL2023.

Feedback on Amazon Linux 2023 can be provided through your designated AWS representative, Amazon Linux Discussion Forums or Amazon Linux 2023 GitHub page

Updates policy

Major releases will include new features security and performance improvements across the stack, including the kernel, toolchain, glibc, openssl and all other system libraries and utilities. Major releases of AL2023 will be based in part on the current version of the upstream Fedora Linux distribution, though Amazon may choose to add or replace specific packages from other non-Fedora upstreams (e.g. Linux kernel is sourced from kernel.org’s Long Term Support choices and is maintained specifically for Amazon’s Linux products). You should expect major release updates for packages in the repository that are sometimes not backwards compatible. We will provide a full list of changes between major releases and you will be able to perform in-place upgrade on a package level.

Quarterly minor releases (1.1, 1.2) will include security updates, bug fixes, and new features and packages. Examples of minor releases include latest language runtimes, like PHP and other popular software packages such as Ansible and Docker. Minor releases do not bring changes that break application compatibility. For example, the default versions of language runtimes will stay stable while the newer version of language runtimes are provided into the repository as new packages.

Updates are provided via a combination of new AMI (Amazon Machine Image) releases and corresponding new repositories. By default, a new AMI and the repository to which it points are coupled, but you can point your running Amazon EC2 instances to newer repository versions over time in order to consume updates on running instances. You can also update by launching new instances of the latest AMIs.

When we publish a new version of the AL2023 repositories, all previous versions will still be available. By default, the plugin for managing repository versions will lock to the same version that was used to build the AMI. If you need to control package updates, you can discover available repository versions to update to by running “dnf check-release-update”, and select a version by running the listed command, “dnf —releasever=version update”. At that point, “dnf install” or “dnf upgrade“ will only choose packages from the selected repository version. If you do not need to control package updates, you can select the “latest” version, which will always point to the most recent version of the AL2023 repositories. This restores the legacy behavior for package updates that you and existing patch workflows might expect.

AL2023 locks to a specific version of your repository. The AL2023 AMI shown in the EC2 launch wizard will always be the latest and have the most up to date packages and updates, including critical and important security updates. If you launch an EC2 instance using the AL2023 AMI via the launch wizard, you will always have the latest updates (same as the current experience with AL2). However, if you launch an instance from an older AMI, no updates will automatically be applied and any additional packages that are installed as part of your provisioning will map to the repository version from which the older AMI was built. This enables you to ensure there is consistency of package versions and updates across your environment, especially if you are launching multiple instances from the same AMI. You can apply updates based on the schedule that works for you.

Security

Yes. SELinux is a security module providing access control policies. It is widely used in the industry to lock down Linux servers and to protect against malicious activity. Major applications within AL2023 come with pre-configured SELinux policies to help you meet your compliance needs.

AL2023 will have SELinux in permissive mode by default. You can change SELinux settings to enforced mode via command line by executing ‘setenforce’ or by running this command on launch from cloud-init userdata. When the instance is rebooted, it will remember and use the SELinux setting that was specified the first time unless you change it. Please refer to the AL2023 documentation for more details.

Please see the Amazon Linux 2023 Release Notes for full details. Examples of changes coming between Release Candidate and GA include the Hibernation Agent, and AMIs being registered to launch with IMDSv2 only (i.e. disabling IMDSv1) by default.

Amazon Linux, like most Linux distributions, routinely backports security fixes to stable package versions vended in its repositories. When these packages are updated with a backport, the Amazon Linux security bulletin for the particular issue will list the specific package version(s) in which the issue is fixed for Amazon Linux. Security scanners that rely on versioning from a project’s authors sometimes won’t pick up that a given CVE fix has been applied in an older version. Customers can refer to Amazon Linux Security Center (ALAS) for updates regarding security issues and fixes.

AL2023 FIPS FAQ

The Federal Information Processing Standard (FIPS) Publication 140-3, contains standards and guidelines for data protection and encryption for federal computer systems. It was developed by the National Institute of Standards and Technology (NIST), Canadian Centre for Cyber Security (CCCS), and industry working groups to validate the effectiveness of cryptographic modules. FIPS 140-3 aligns with the ISO/IEC 19790 standard and introduces new enhancements to the security requirements relative to the now retired FIPS 140-2 standard.

To enable FIPS mode on AL2023, download the required packages on your Amazon EC2 instance and connect to it to turn on FIPS mode. For detailed instructions, see our Enable FIPS Mode.

Amazon Linux 2023 cryptographic modules (OpenSSL, NSS, Libgcrypt, Kernel, GnuTLS) have been submitted for FIPS 140-3 validation. Please visit Cryptographic Module Validation Program (CMVP) website for AL2023 cryptographic modules FIPS status.

Customers may be able to use AL2023 cryptographic modules while the modules are in MIP list. AWS recommends that customers consult their compliance team to ascertain if using AL2023 cryptographic modules for their FIPS-required workloads is acceptable and to obtain approvals when required. 

Cryptographic Module Name Associated Packages Validation Status
Amazon Linux 2023 OpenSSL Cryptographic Module OpenSSL 3.0.8 Modules In Process List
Amazon Linux 2023 NSS Cryptographic Module NSS 3.88 Modules In Process List
Amazon Linux 2023 Libgcrypt Cryptographic Module Libgcrypt 1.10.2 Modules In Process List
Amazon Linux 2023 Kernel Crypto API Cryptographic Module Kernel 6.1.41 FIPS Validation
Amazon Linux 2023 GnuTLS Cryptographic Module GnuTLS 3.8.0 Modules In Process List

AL2023 OpenSSL, NSS, Libgcyprt, Kernel and GnuTLS were tested on Intel, AMD and Graviton. The details will be listed on the final certificates.

Long Term Support

AL2023 provides updates for its packages and will maintain compatibility within a major version for customer applications built on AL2023. Core packages, such as glibc, openssl, openssh, and the dnf package manager, receive support for the lifetime of the major AL2023 release. Packages that are not part of the core packages will receive support defined by their upstream sources. You can view the specific support status and dates of individual packages by running the ‘dnf supportinfo packagename’ command. The full list of core packages will be finalized during preview. If you would like to see more packages included as core packages, please tell us, and we will evaluate as we are collecting feedback. Feedback on Amazon Linux 2023 can be provided through your designated AWS representative, Amazon Linux Discussion Forum or Amazon Linux 2023 GitHub page