openvpn-cfn

Automate an Instance Update Strategy

Open ScriptAutomate opened this issue 6 years ago • 0 comments

It would be ideal if there was tooling around EC2-instance-level updating, at least for a minimum of security updates.

Something like the AWS Systems Manager Patch Manager seems like overkill.

It would mean needing to add something like this as a minimum to the configuration:

sudo yum install -y yum-cron

# Edit the following to target only security updates
# (set update_cmd = security and apply_updates = yes):
# /etc/yum/yum-cron.conf

# Enable and start the yum-cron service
sudo systemctl enable --now yum-cron

Otherwise, merely create a cronjob for something like:

  • yum update --security -y

There may also need to be automation in place to handle instance restarts in the event of kernel-level updates.

NOTE: Need to verify that the yum-security package is installed by default on Amazon Linux 2. I believe it is, since the documentation claims that the latest security updates are applied at the launch of a new Amazon Linux 2 instance, so the plugin is likely required to achieve this.

Also, if #1 is resolved, it could even mean using something like an ASG to scale-up and scale-down, allowing for deploying a new instance and destroying the old. It depends on the level of complexity we'd want to add to the deployment.

ScriptAutomate, Jan 09 '20 20:01
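
Added example (not part of the original issue or the openvpn-cfn project): a cron-driven script that runs the `yum update --security -y` command proposed in the issue and reboots only when the most recently installed kernel package differs from the running kernel. The script path, cron schedule, log tag and the `rpm -q --last kernel` check are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: security-update job with reboot-on-new-kernel handling.
# Assumptions (not from the issue): script path, schedule, log tag, and
# using `rpm -q --last kernel` to find the most recently installed kernel.

# Succeeds (exit 0) when a reboot is needed, i.e. the most recently
# installed kernel package is not the kernel that is currently running.
#   $1: running release, as printed by `uname -r`
#   $2: first line of `rpm -q --last kernel` ("kernel-<release>  <date>")
# The body runs in a subshell so its variables do not leak to the caller.
kernel_reboot_needed() (
    running="$1"
    newest="${2%% *}"           # drop the install-date column
    newest="${newest#kernel-}"  # drop the package-name prefix
    [ -n "$newest" ] && [ "$newest" != "$running" ]
)

apply_security_updates() {
    # Same command the issue proposes for the cron job.
    yum update --security -y || return 1

    if kernel_reboot_needed "$(uname -r)" "$(rpm -q --last kernel | head -n 1)"; then
        logger -t security-update "new kernel installed, rebooting in 1 minute"
        shutdown -r +1 "Rebooting to load updated kernel"
    else
        logger -t security-update "no kernel change, reboot not required"
    fi
}

# Acts only when invoked explicitly, for example from /etc/cron.d:
#   0 4 * * * root /usr/local/sbin/security-update.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_security_updates
fi
```

On a VPN server the reboot drops connected clients, so the schedule should fall in a low-usage window.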