When that friendly but slightly intimidating message about a newer Amazon Linux release pops up, you face the sysadmin’s fundamental dilemma: speed and simplicity (in-place update) versus absolute certainty (migration).

Zero-Downtime or Zero-Risk? Your EC2 Update Strategy

I run my services on a mix of AWS managed services and EC2. For EC2, breaking a running stack to apply a patch is a massive failure, so here are the two strategies I use to handle EC2 updates.

Option 1: The Zero-Risk Strategy (Migration)

This is the gold standard for any major OS version change, and the safest strategy for any update if your uptime requirements are near 100%. The premise is simple: We build a perfect new server, test it, and then swap the traffic.

1. Prep & Backup

Before you touch anything on the old server, create a complete recovery point.

  • Create an AMI: In the EC2 Console, select your instance → Actions → Image and templates → Create Image. This is your instant, guaranteed rollback.
  • Backup Data: Use scp or aws s3 sync to copy your application, data and config files to a separate location.

2. Build & Configure The New Instance

Launch a new EC2 instance using the latest Amazon Linux 2023 AMI.

  • Match Settings: Use the same Instance Type, VPC, and Security Group as the old server.
  • Install Packages: SSH into the new instance and install your stack:
    sudo dnf update -y
    sudo dnf install nginx certbot python3-certbot-nginx -y # and your specific packages
    
  • Configure & Migrate: Copy your Nginx configuration files, Certbot files, and application code/data from the old server to the new one. Ensure file permissions are correct.

3. Testing

This step ensures the new server is flawless before the public sees it.

  • Local Host File Trick: Temporarily edit your local machine’s hosts file to point your domain names to the new instance’s Public IP. Or set up new certs in ACM / certbot and routes in AWS Route 53 if preferred.
  • Test Everything: Browse both your sites. Check all features, forms, and database interactions. Once satisfied, remove the entries from your hosts file.

4. Cutover (The Switch)

When you are 100% confident, update your DNS records to point the domain names to the new instance’s Public IP (or Elastic IP). Wait for the DNS TTL to expire. Traffic is now safely serving from the updated server.

It is also worth creating another AMI of the new instance at this point (or at intermediate steps during the build) so that the migrated server itself has a recovery point.

Option 2: The High-Speed Strategy (In-Place Upgrade)

If your upgrade is a minor version bump within the same OS (like AL2023.6 to AL2023.9), an in-place upgrade is faster. This is how I handle routine patching, but you must follow the safety protocol.

1. First Step (Mandatory)

Just like the migration, your AMI backup is non-negotiable.

Action: Create an AMI (Amazon Machine Image) now. Do not skip this.

2. 🔎 Risk Assessment: What Could Break

Since Nginx relies on OpenSSL and the kernel, these are your potential failure points. Breaking changes are rare in minor AL2023 updates, but they do happen via dependency bumps.

Component | Primary Risk | Mitigation
OpenSSL 3.x Update | Nginx may fail to start if it uses deprecated SSL/TLS directives. | Check the config before rebooting: sudo nginx -t
Kernel Update | System fails to boot after restart. | The AMI backup is your safeguard.

Now we update.

3. The Targeted Update

AL2023 uses versioned repositories. We need to specifically target the latest version (e.g., 2023.9.20251117) to pull all patches.

SSH in and run these commands sequentially:

# 1. Preview the changes (see which packages will be touched)
sudo dnf check-update --releasever=2023.9.20251117

# 2. Execute the upgrade command
sudo dnf upgrade --releasever=2023.9.20251117 -y

4. Final Checks And Verification

The new packages are installed, but the old kernel and services may still be running.

  • Verify Nginx Config: Run this immediately after the upgrade:
    sudo nginx -t
    
  • Reboot: If the kernel was updated, you must reboot.
    sudo reboot
    
  • Final Check: Once back up, ensure Nginx is running and your sites are online:
    sudo systemctl status nginx
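
The whole in-place protocol above (AMI first, targeted upgrade, nginx -t, reboot only when the kernel actually changed) as a single script. This is an added example, not code from the original post; the instance id and AMI name are placeholders, and the release-version check and kernel comparison are helper functions written for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the in-place upgrade safety
# protocol as one script. The instance id and AMI name are placeholders;
# nothing runs unless the script is invoked with "run".
set -eu

# Accept only a versioned AL2023 release string (YYYY.N.YYYYMMDD), never "latest".
valid_releasever() {
  case "$1" in
    2023.[0-9]*.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# A reboot is needed only if the running kernel (uname -r) differs from the
# newest installed kernel package (rpm -q --last kernel | head -n1).
kernel_reboot_needed() {
  running="$1"
  newest="${2#kernel-}"          # strip the package-name prefix
  [ "$running" != "$newest" ]
}

# Step 1: the mandatory AMI backup, taken before anything is touched.
# --no-reboot keeps the service up; drop it if you want a fully consistent snapshot.
create_backup_ami() {
  aws ec2 create-image --instance-id "$1" --no-reboot \
    --name "pre-upgrade-$(date +%Y%m%d-%H%M)" --query ImageId --output text
}

# Steps 2-4: preview, upgrade, check the Nginx config, reboot only if required.
in_place_upgrade() {
  releasever="$1"; instance_id="$2"
  valid_releasever "$releasever" || { echo "refusing: bad releasever '$releasever'" >&2; return 2; }
  ami_id="$(create_backup_ami "$instance_id")"
  [ -n "$ami_id" ] || { echo "refusing: no AMI backup recorded" >&2; return 2; }
  aws ec2 wait image-available --image-ids "$ami_id"
  echo "rollback point: $ami_id"
  sudo dnf check-update --releasever="$releasever" || true   # exit 100 = updates pending
  sudo dnf upgrade --releasever="$releasever" -y
  sudo nginx -t                                               # fail here, not after a reboot
  if kernel_reboot_needed "$(uname -r)" "$(rpm -q --last kernel | head -n1 | cut -d' ' -f1)"; then
    echo "kernel updated; rebooting"; sudo reboot
  else
    systemctl is-active nginx
  fi
}

# Usage: sh upgrade.sh run 2023.9.20251117 i-PLACEHOLDER
if [ "${1:-}" = "run" ]; then in_place_upgrade "$2" "$3"; fi
```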
    

Closing thoughts

For major OS version changes (e.g., AL2 to AL2023), Migrate.

For minor patches within AL2023, the In-Place Upgrade is quick and efficient—as long as you have that fresh AMI backup.

Quintes van Aswegen

24+ years experience in solving business problems and maximising opportunities through technology in a variety of industries, public and private sector internationally. I founded architectFWD™ to provide knowledge and trusted advice in the areas of strategy, technology, cloud and digital to enable organisations to become Digital Leaders.