In this article, we'll cover the key updates in Amazon Linux 2023, discuss how these features contribute to a secure architecture, and explore how Mondoo can help maintain best security practices when managing your AWS infrastructure.
Amazon Linux 2023: Notable Changes and Updates
Amazon Linux 2023 presents a reimagined version of Amazon Linux with enhanced security and performance features. Major changes include new upstream definitions, default-enabled security features, a predictable release cadence, and "version locking" for package repositories.
New upstream definitions
Amazon Linux 2023 has shifted to a new upstream source. While Amazon Linux 2 was based on Red Hat Enterprise Linux (RHEL) 7, each major release of Amazon Linux 2023 will use a combination of Fedora Linux and CentOS Stream. Amazon will then replace specific packages from other upstream sources as needed. The initial release of Amazon Linux 2023 incorporates parts of Fedora 34, 35, 36, and CentOS 9 Stream. Amazon sources kernels directly from kernel.org's LTS releases, independent of the Fedora release they're based on.
SELinux enforced by default
Long-time Linux systems administrators might have experienced a slight cringe upon reading "SELinux enforcing by default." In the past, a crucial first troubleshooting step when addressing Linux issues involved asking, "Did someone accidentally enable SELinux?"
However, Amazon has emphasized that Amazon Linux 2023 will have SELinux enabled and enforced by default. They further explain, "SELinux is a security module providing access control policies. It is widely used in the industry to secure Linux servers and protect against malicious activity."
While this is accurate, understanding its implications for daily use requires more context. SELinux offers various modes of operation and policy types it can enforce. The crucial question is: which specific SELinux components are enforced by default?
Upon investigating, we discovered that Amazon Linux 2023 installs two SELinux policy packages by default:
selinux-policy
selinux-policy-targeted
Both originate from the shared repository found here: https://github.com/fedora-selinux/selinux-policy/tree/rawhide/policy
But what is the targeted policy bundle?
First, let's define an SELinux domain. In simple terms, a domain is an object that represents a set of permissions, with every process being assigned a domain.
Citing the documentation: "When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged-in users run in the unconfined_t domain, and system processes started by init run in the initrc_t domain; both of these domains are unconfined."
Processes running in an unconfined domain can allocate writable memory and execute it.
Conversely, almost all processes listening on the network run in confined domains, as do those that execute as root on a user's behalf, like passwd. For example, the sshd process runs in the sshd_t domain, and the httpd process runs in the httpd_t domain.
As a result, if an attacker breaches a process confined by a domain, their system access should remain limited. For instance, even with a loosely configured httpd, SELinux will still prevent attackers from accessing files belonging to Samba.
When Amazon states that Amazon Linux enforces SELinux by default, they mean that the targeted policy is enabled and enforced by default.
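A quick way to see the targeted policy's confined/unconfined split on a running host is to list every process with its SELinux context and flag the ones in an unconfined domain. The script below is an added example, not from the original article; it parses a constructed sample in the format of `ps -eo label,pid,comm` and assumes the unconfined domains are unconfined_t and initrc_t (quoted above) plus unconfined_service_t, which the targeted policy uses for daemons it does not confine.

```shell
#!/bin/sh
# Audit which processes run in unconfined SELinux domains.
# Input lines: "<context> <pid> <comm>", as produced by
#   ps -eo label=,pid=,comm=
# Anything not in the listed unconfined domains is treated as confined.

# Extract the type (third field of user:role:type:level) from a context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context's type is one of the unconfined domains.
is_unconfined() {
    case "$(selinux_type "$1")" in
        unconfined_t|initrc_t|unconfined_service_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "context pid comm" lines on stdin; print the unconfined ones
# as "pid<TAB>comm<TAB>domain".
report_unconfined() {
    while read -r ctx pid comm; do
        [ -z "$ctx" ] && continue
        if is_unconfined "$ctx"; then
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$(selinux_type "$ctx")"
        fi
    done
}

# Constructed sample process list (not captured from a real host).
SAMPLE='system_u:system_r:init_t:s0 1 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 sshd
system_u:system_r:httpd_t:s0 915 httpd
system_u:system_r:unconfined_service_t:s0 1001 custom-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1200 bash'

# Number of sample processes running unconfined.
count_unconfined() {
    printf '%s\n' "$SAMPLE" | report_unconfined | wc -l | tr -d ' '
}

# On a live Amazon Linux 2023 host, run instead:
#   ps -eo label=,pid=,comm= | report_unconfined
```

Processes that show up here, such as the sample's custom-agent, are the ones SELinux will not contain if they are compromised, which makes the list a useful input for deciding which services still need a confined domain.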
Consistent release cadence
In the past, Amazon Linux did not maintain a regular release schedule. The initial Amazon Linux launched in September 2010 and offered a ten-year support cycle that concluded in December 2020. Its successor, Amazon Linux 2, was introduced in December 2017 and will be supported until June 2025. This inconsistent release pattern made it challenging for administrators to plan EC2 infrastructure upgrades.
However, this changes with Amazon Linux 2023. Emulating Ubuntu's approach, Amazon has adopted a biennial release cycle for LTS distributions. Each LTS release will benefit from two years of standard support and a subsequent three-year maintenance period.
Amazon intends to issue quarterly updates encompassing security enhancements, bug fixes, new features, and packages throughout the standard support window. Furthermore, Amazon commits to releasing security patches and crucial bug fixes during the maintenance phase.
To illustrate this in practice, Amazon provides the following chart:
By embracing a more consistent lifecycle for Amazon Linux, Amazon has streamlined the process for cloud administrators to plan long-term upgrade and maintenance cycles.
Version locking explained
Version locking is a feature that requires some background to explain.
Contemporary Linux distributions support a wide range of software and use cases, as well as various programming languages. The same Linux version can be used for machine learning tools, graphical rendering farms, bitcoin mining, hosting online gaming sessions, or even automating home lighting systems. Additionally, the same Linux distribution can operate on small embedded systems, cloud environments, laptops, or large servers.
However, it isn't practical to install machine learning tools on a small embedded system that controls a garage door opener. To ensure systems only contain necessary features without unnecessary extras taking up disk space, modern Linux distributions rely on package repositories. A package repository is a collection of software installers on the internet designed for a specific Linux distribution. Most modern Linux installations come with a minimal software set.
Administrators use automation tools to search and install new software on their systems from the repository. The packages in vendor-provided repositories are approved by the vendor, and support for the packages is included in the LTS support agreement.
In Amazon Linux 2, a rolling-update model was used to handle feature and security upgrades to the packages in their repository. Essentially, Amazon maintained a single, canonical repository of approved packages for Amazon Linux 2 and updated the packages as needed.
For instance, launching an older Amazon Linux AMI version, such as 2017.09 or earlier, and running yum update -y will upgrade packages to the latest available versions. In practice, this means that EC2 instances created from the same base image at different times may have different package sets, depending on when they were last updated.
Managing dozens, hundreds, or thousands of instances becomes challenging with rolling package updates. How can one determine which OpenSSL version is installed on all the different EC2 instances?
Version locking is the solution! Starting with Amazon Linux 2023, each release will be locked to a corresponding package repository. As a result, system administrators can be sure that running dnf upgrade on instances created from the same Amazon Linux AMI will produce the same package set, even if the upgrades occur months or years apart.
Amazon will release security updates for every supported Amazon Linux 2022 version but will reserve feature upgrades for the next quarterly release. This ensures a predictable outcome when running dnf upgrade on any Amazon Linux 2022.0 system, regardless of when the command is executed.
Additionally, upgrading a long-lived instance from Amazon Linux 2023.0 to Amazon Linux 2023.1 is as simple as pointing it at the Amazon Linux 2023.1 package repository using the dnf package manager and executing a few commands.
For administrators who prefer the older, rolling model of system updates, they can choose the "latest" version, which will always point to the most recent Amazon Linux 2023 repositories.
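The two fleet questions raised above (which release is each instance locked to, and has any package drifted across instances) can be answered from a simple inventory. The script below is an added example, not from the article; the inventory, instance IDs, release strings and package versions are constructed placeholders, and the dnf commands in the comments are the standard Amazon Linux 2023 ones for inspecting and changing the locked release.

```shell
#!/bin/sh
# Fleet check for Amazon Linux 2023 version locking.
# Inventory lines: "<instance-id> <releasever> <package> <version-release>".
# On a real host, releasever comes from /etc/dnf/vars/releasever and the
# package lines from:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'

# Constructed inventory (placeholder values, not real release IDs).
INVENTORY='i-0aaa 2023.0.20230301 openssl 3.0.8-1.amzn2023
i-0aaa 2023.0.20230301 curl 8.0.1-1.amzn2023
i-0bbb 2023.0.20230301 openssl 3.0.8-1.amzn2023
i-0bbb 2023.0.20230301 curl 8.0.1-1.amzn2023
i-0ccc 2023.1.20230601 openssl 3.0.8-2.amzn2023
i-0ccc 2023.1.20230601 curl 8.0.1-1.amzn2023'

# Instances whose locked release differs from the expected one ($1).
instances_off_release() {
    printf '%s\n' "$INVENTORY" | awk -v want="$1" '
        $2 != want { seen[$1] = 1 }
        END { for (i in seen) print i }' | sort
}

# Packages installed at more than one distinct version across the fleet.
# With version locking, a non-empty result means some instances are on
# a different release or have not run dnf upgrade yet.
drifted_packages() {
    printf '%s\n' "$INVENTORY" | awk '
        { key = $3 SUBSEP $4
          if (!(key in seen)) { seen[key] = 1; n[$3]++ } }
        END { for (p in n) if (n[p] > 1) print p }' | sort
}

# Moving an instance to a newer locked release, or to the rolling model:
#   cat /etc/dnf/vars/releasever          # current lock
#   dnf check-release-update              # newer releases available?
#   dnf --releasever=2023.1.YYYYMMDD upgrade   # YYYYMMDD: placeholder
#   dnf --releasever=latest upgrade       # follow the newest repos
```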
Mondoo compatibility with Amazon Linux 2023
Mondoo is fully capable of scanning Amazon Linux 2023 instances for vulnerabilities and security misconfigurations, regardless of whether they're running on traditional x86 architecture, ARM-based Graviton architecture, or even in a local development environment or container on your laptop. Thanks to Mondoo's integration of the advisory and vulnerability feeds for Amazon Linux 2023, you can use Mondoo to check your systems for vulnerabilities immediately.
Furthermore, once the Center for Internet Security releases their Amazon Linux 2023 benchmark, Mondoo will incorporate this essential compliance policy by default. Mondoo serves as a crucial tool for many customers who are already planning their upgrades to the latest Amazon Linux release.
In conclusion
Amazon Linux 2023 marks a significant transformation in Amazon's approach to delivering their Linux platform, setting a robust course for the future. Featuring new upstream definitions, default SELinux targeting, version locking, and a predictable release cadence, users who depend on Amazon Linux for their infrastructure have much to anticipate. Mondoo is eager to assist in transitioning to a more secure and efficient future.