Configuring a Newly Created Amazon Lightsail Instance That Runs Amazon Linux

Figure showing icons of a Lightsail instance, a screwdriver and a spanner.

Last updated: October 5, 2019

Amazon Lightsail offers a simple way to host Virtual Private Servers (VPS) for a low, predictable price. In a few mouse clicks, you can create a Lightsail instance with pre-installed software, for example the WordPress Content Management System (CMS), the Nginx web server or a Microsoft SQL Server Express database.

If you do not want to run an image (blueprint) with pre-installed software, you can create an OS-only instance (Linux/Unix or Windows).

This blog post describes the OS-level configuration tasks that you may want to do on a newly created Lightsail instance that runs the Amazon Machine Image (AMI) Amazon Linux 2018.03.0. Each configuration task is presented as a separate procedure (how-to). The procedures also apply to Amazon EC2 instances that run the Amazon Linux AMI. All commands in this post require root privileges: on Amazon Linux, run them from a root shell (sudo -i) or prefix each one with sudo.

How to Update RPM Packages

When you create a Lightsail instance running the Amazon Linux 2018.03.0 AMI, cloud-init initializes the instance and installs the security updates of severity important and critical, excluding the kernel.
After the initialization is complete, you may want to update all packages, or install only the security updates including the kernel. To do so, follow these steps:

  1. Update RPM packages.
    • To update all packages, execute the following command:
      yum update -y
    • To install only security updates (including the kernel):
      yum update -y --security
  2. Check whether a system reboot is required.
    needs-restarting -r
    • needs-restarting comes from the yum-utils package. With -r it only reports whether a reboot is required: it exits with status 1 if core packages such as the kernel or glibc have been updated since the last boot, and with status 0 otherwise, so a script can key the reboot on the exit status.
    Then, if a system reboot is required, reboot the instance.

How to Disable IPv6

Internet Protocol version 6 (IPv6) is enabled by default at the OS level on newly initialized Lightsail instances running the Amazon Linux 2018.03.0 AMI. At the time of the last update of this post, the Amazon Lightsail service itself had no IPv6 support, so you may want to disable IPv6 at the OS level as well by following the steps in this procedure. Note that sysctl -w only changes the running kernel and is lost at the next reboot. To make the change persistent, the parameters are written to /etc/sysctl.conf, which sysctl -p loads immediately and which the system applies again at every boot.

  1. Add the kernel parameters to /etc/sysctl.conf.
    echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
    echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf
  2. Load the new kernel parameters into the running kernel.
    sysctl -p
  3. Stop and disable the IPv6 packet filter.
    service ip6tables stop
    chkconfig ip6tables off
  4. Verify that no IPv6 address is left on any interface.
    ip -6 addr
    • The command should print nothing. A service that is configured to bind only an IPv6 address (for example ::1) can no longer start once IPv6 is disabled, so check service configurations before you reboot.
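The procedure above appends to /etc/sysctl.conf, which leaves a duplicate (and possibly contradictory) line every time it is run again. The following script is an added example, not code from the original post: it persists a sysctl key by replacing an existing uncommented line or appending a new one, so that running it twice still yields exactly one line, and then loads the file. The function names persist_sysctl, sysctl_conf_value and disable_ipv6 are this example's own; the keys are the two from the procedure. It assumes GNU sed (as shipped with Amazon Linux) and needs root to apply.

```shell
#!/bin/sh
# Added example (not from the original post): persist sysctl settings
# without duplicating lines, then load them. Function names are this
# example's own. Assumes GNU sed; disable_ipv6 needs root.

# persist_sysctl FILE KEY VALUE
#   Replace an existing "KEY = ..." line in FILE (commented lines are left
#   alone) or append one, so that repeated runs leave a single line.
persist_sysctl() {
    file=$1 key=$2 value=$3
    # "." is a regex metacharacter; escape it so the key matches literally
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# sysctl_conf_value FILE KEY: print the value recorded in FILE for KEY
# (last uncommented occurrence wins, as it does for sysctl -p); empty if none.
sysctl_conf_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# disable_ipv6 [FILE]: steps 1 and 2 of the procedure above, idempotently.
# Needs root; FILE defaults to /etc/sysctl.conf.
disable_ipv6() {
    conf=${1:-/etc/sysctl.conf}
    persist_sysctl "$conf" net.ipv6.conf.all.disable_ipv6 1
    persist_sysctl "$conf" net.ipv6.conf.default.disable_ipv6 1
    sysctl -p "$conf"
}

# Only touch the real system when explicitly asked: sh disable-ipv6.sh apply
if [ "${1:-}" = apply ]; then
    disable_ipv6
fi
```

Run it as sh disable-ipv6.sh apply; without the argument it only defines the functions, which is what lets you source it and try persist_sysctl on a copy of /etc/sysctl.conf first.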

How to Enable SELinux

Security Enhanced Linux (SELinux) is disabled by default on Amazon Lightsail instances running the Amazon Linux 2018.03.0 AMI (you can check this with the sestatus command). SELinux provides an additional layer of system security, so you may want to enable it by following these steps:

  1. Install the required RPM packages.
    yum install -y policycoreutils selinux-policy-targeted policycoreutils-python
  2. In the GRUB configuration, activate SELinux in the kernel boot parameters.
    sed --in-place=_bak --follow-symlinks \
    's/selinux=0/security=selinux selinux=1 enforcing=1/g' /etc/grub.conf
    • /etc/grub.conf is a symlink to /boot/grub/grub.conf. The --follow-symlinks option makes sed edit the target file; without it, sed would replace the symlink with a regular file and leave the real configuration untouched. The --in-place=_bak option keeps the original as grub.conf_bak.
    • If you prefer to see what SELinux would block before it blocks anything, use enforcing=0 instead of enforcing=1. The system then boots in permissive mode and only logs policy denials; once the logs are clean, switch to enforcing with setenforce 1 and change the boot parameter to enforcing=1.
  3. Force the system to label the entire filesystem with SELinux contexts at the next boot.
    touch /.autorelabel
  4. Reboot the instance.
    • SELinux relabeling can take a long time, but in most cases the instance is up again within 5 minutes.
  5. After the reboot, verify that SELinux is enabled and in the mode you chose.
    sestatus
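The sed command in step 2 silently does nothing if the kernel line does not contain selinux=0, and nothing checks the result before the reboot. The script below is an added example, not code from the original post: it applies the same substitution from a function that refuses to run when there is nothing to change, verifies the result, restores the backup if the rewrite did not take, and lets you choose permissive or enforcing. The function names and the mode argument are this example's own; the sample grub.conf it builds for a dry run is a constructed file shaped like the Amazon Linux one, not copied from a real instance. It assumes GNU sed.

```shell
#!/bin/sh
# Added example (not from the original post): edit the GRUB kernel line from
# a script and verify the edit instead of trusting sed blindly. Function
# names are this example's own. Assumes GNU sed and the Amazon Linux layout
# (/etc/grub.conf -> /boot/grub/grub.conf, "selinux=0" on the kernel line).

# set_selinux_boot_params FILE MODE
#   MODE is "enforcing" or "permissive". Rewrites "selinux=0" on the kernel
#   line(s) of FILE, keeps a backup as FILE_bak, and returns non-zero if
#   FILE had no "selinux=0" to replace or the rewrite did not take effect.
set_selinux_boot_params() {
    file=$1
    case $2 in
        enforcing)  enf=1 ;;
        permissive) enf=0 ;;
        *) echo "mode must be enforcing or permissive, not '$2'" >&2; return 2 ;;
    esac
    if ! grep -q '^[[:space:]]*kernel .*selinux=0' "$file"; then
        echo "$file: no kernel line carries selinux=0, nothing changed" >&2
        return 1
    fi
    sed --in-place=_bak --follow-symlinks \
        "s/selinux=0/security=selinux selinux=1 enforcing=$enf/g" "$file"
    # Verify: no selinux=0 left, and the kernel line now carries our params.
    if grep -q 'selinux=0' "$file" ||
       ! grep -q "^[[:space:]]*kernel .*selinux=1 enforcing=$enf" "$file"; then
        echo "$file: rewrite failed, restoring backup" >&2
        cp "${file}_bak" "$file"
        return 1
    fi
}

# sample_grub_conf: write a constructed grub.conf (not from a real instance)
# into a temporary directory and print its path, for a dry run.
sample_grub_conf() {
    dir=$(mktemp -d)
    cat > "$dir/grub.conf" <<'EOF'
default=0
timeout=1
title Amazon Linux 2018.03 (sample kernel)
root (hd0,0)
kernel /boot/vmlinuz-sample root=LABEL=/ console=tty1 console=ttyS0 selinux=0
initrd /boot/initramfs-sample.img
EOF
    echo "$dir/grub.conf"
}

# Only touch the real system when explicitly asked:
#   sh enable-selinux.sh apply permissive   (or: apply enforcing)
if [ "${1:-}" = apply ]; then
    set_selinux_boot_params /etc/grub.conf "${2:-enforcing}" && touch /.autorelabel
fi
```

Try it first on the sample: f=$(sample_grub_conf); set_selinux_boot_params "$f" permissive; cat "$f". Running the function a second time on the same file returns 1, which is the behaviour you want from an idempotent hardening step.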

How to Configure the IP Packet Filter

A Lightsail instance running the Amazon Linux 2018.03.0 AMI has by default the network ports TCP 22 and 80 open to the public. You can change these settings in the Amazon Lightsail console, in the Networking tab of your instance.

You may want to implement an additional layer of security by configuring Internet Protocol version 4 (IPv4) packet filter rules at the OS level. At the time of the last update of this post, the Amazon Lightsail service had no Internet Protocol version 6 (IPv6) support, so you would not need to configure IPv6 packet filter rules.

For example, to allow SSH access to your Lightsail instance only from the peered Virtual Private Cloud (VPC) and your home IP, perform the following steps. The shell variables DEFAULT_VPC_CIDR and HOME_IP must be set beforehand to the CIDR block of the peered VPC (172.31.0.0/16 for an unmodified default VPC) and to your public IPv4 address. Keep the SSH session in which you enter the rules open, and confirm from a second session that you can still log in before you close it: a typo in the allowed sources locks you out of the instance.

  1. Add the IPv4 packet filter rules for SSH access.
    iptables -A INPUT  -i eth0 -p tcp -s $DEFAULT_VPC_CIDR,$HOME_IP/32  --dport 22 \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT  -i eth0 -p tcp --dport 22 -j DROP
    iptables -A OUTPUT -o eth0 -p tcp -d $DEFAULT_VPC_CIDR,$HOME_IP/32  --sport 22 \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j DROP
    • On newly created Lightsail instances that run Amazon Linux, the default policy of the built-in chains is ACCEPT. With these rules you therefore only drop SSH traffic that does not originate from the peered VPC or your home IP, while all other traffic is still accepted. iptables -A appends, so the ACCEPT rule is evaluated before the DROP rule that follows it, and a comma-separated -s or -d list is expanded by iptables into one rule per address.
  2. Save the configuration so that it is restored at boot.
    service iptables save
    • The rules are written to /etc/sysconfig/iptables and loaded by the iptables service at boot, so that service must be enabled (check with chkconfig --list iptables).

How to Add Swap Space

Lightsail instances use SSD-based block storage, and many sources advise against placing swap partitions or swap files on SSD drives because swap writes shorten their lifespan.

If your Lightsail instance does not have enough system memory, you should upgrade your instance plan. Even so, you may want to enable swap space on your Lightsail instance as a safety measure that prevents data loss when your applications unpredictably consume all available memory. This procedure describes how to do it on a Linux-based Lightsail instance.

  1. Create a new swap file of 2048 MB.
    dd if=/dev/zero of=/swapfile bs=1M count=2048
  2. Restrict access to the file, then set up and enable swap space on the system.
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    • The file must not be readable by other users: whatever was paged out, including secrets held in memory by your applications, can be read back from it. swapon warns about swap files with insecure permissions.
  3. Verify swap availability and usage.
    swapon -s
  4. Make swap space persistent across system reboots.
    cp -p /etc/fstab /etc/fstab_bak
    echo '/swapfile   none        swap    defaults        0   0' >> /etc/fstab
    • Run this step only once; a duplicate fstab entry produces an error from swapon at every boot.
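The following script is an added example, not code from the original post: it performs the whole procedure as one idempotent step, creates the file with mode 0600 from the start (via umask, so it is never world-readable even briefly), skips steps that were already done, and only appends the fstab entry if none exists. The function names are this example's own; the paths and the 2048 MB size default to those used above. Creating and enabling the swap file needs root; the fstab helper can be tried on a copy.

```shell
#!/bin/sh
# Added example (not from the original post): create a swap file
# idempotently. Function names are this example's own; defaults match the
# procedure above (/swapfile, 2048 MB, /etc/fstab). Needs root to apply.

# add_fstab_swap_entry FSTAB SWAPFILE
#   Append the swap line only if FSTAB has no entry for SWAPFILE yet, keeping
#   a backup as FSTAB_bak the first time. Re-running is harmless.
add_fstab_swap_entry() {
    fstab=$1 swapfile=$2
    if grep -q "^[[:space:]]*${swapfile}[[:space:]]" "$fstab"; then
        return 0
    fi
    cp -p "$fstab" "${fstab}_bak" || return 1
    printf '%s\tnone\tswap\tdefaults\t0\t0\n' "$swapfile" >> "$fstab"
}

# count_fstab_swap_entries FSTAB: number of uncommented lines whose third
# field (the filesystem type) is "swap".
count_fstab_swap_entries() {
    grep -c '^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]][[:space:]]*[^[:space:]][^[:space:]]*[[:space:]][[:space:]]*swap[[:space:]]' "$1" || true
}

# create_swapfile SWAPFILE SIZE_MB [FSTAB]: dd, mkswap, swapon, fstab.
create_swapfile() {
    swapfile=$1 size_mb=$2 fstab=${3:-/etc/fstab}
    if [ ! -e "$swapfile" ]; then
        # umask 077 makes dd create the file as 0600, so it is never readable
        # by other users, not even between dd and chmod.
        ( umask 077; dd if=/dev/zero of="$swapfile" bs=1M count="$size_mb" ) || return 1
        mkswap "$swapfile" || return 1
    fi
    chmod 600 "$swapfile" || return 1
    # swapon -s lists active swap areas; skip swapon if ours is already active
    swapon -s | grep -q "^${swapfile}[[:space:]]" || swapon "$swapfile" || return 1
    add_fstab_swap_entry "$fstab" "$swapfile"
}

# Only touch the system when explicitly asked: sh add-swap.sh apply [FILE] [MB]
if [ "${1:-}" = apply ]; then
    create_swapfile "${2:-/swapfile}" "${3:-2048}"
fi
```

After sh add-swap.sh apply, swapon -s should list /swapfile and count_fstab_swap_entries /etc/fstab should print 1; running the script again changes nothing.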

How to Disable Unused System Services

You may want to stop and disable system services that you do not plan to use on your Lightsail instance running the Amazon Linux 2018.03.0 AMI. Before you do, list the services that start at boot (chkconfig --list) and the sockets that are currently listening (netstat -tulpn), so that you disable only what nothing else depends on.

  • You may want to stop and disable the sendmail daemon. Note that local programs such as cron hand their mail to sendmail; with the daemon stopped, that mail is queued but not delivered.
    service sendmail stop
    chkconfig sendmail off
  • You may want to stop and disable the system services related to the Network File System (NFS) and Remote Procedure Call (RPC).
    service nfslock stop
    chkconfig nfslock off
    service rpcbind stop
    chkconfig rpcbind off

How to Configure SSM Agent

AWS Systems Manager Agent (SSM Agent) is pre-installed, by default, on Amazon Linux AMIs dated 2017.09 and later. If you want to manage your Lightsail instance remotely using the Systems Manager service, you have to perform additional configuration steps. For further details, see Configuring SSM Agent on an Amazon Lightsail Instance.

How to Limit the Network Bandwidth

To avoid unpredictable charges that can happen if you exceed the monthly data transfer allowance, you may want to limit the outbound network bandwidth of your Linux-based Lightsail instance. For further details, see Limiting the Network Bandwidth of a Linux-Based Amazon Lightsail or EC2 Instance.