Amazon Linux 2 end-of-life: migration checklist (AL2 → AL2023)

Amazon Linux 2 reaches end of life 2026-06-30. After that: no security patches, no new AMIs, no extras updates. Anything still pinned to AL2 in a launch template, EKS node group, ECS task, Beanstalk env, or container base image runs unpatched. [AWS source]

Scan your stack free — find every AL2 reference →

What changes on AL2023

The checklist

  1. Inventory. Find every AL2 AMI, launch template, EKS node group, ECS task definition, Beanstalk platform, and container base image. (free scan or the al2023-gate CLI.)
  2. Rebuild the base AMI on AL2023 (Packer/EC2 Image Builder), then bake your app layers on top.
  3. Package manager. Move yum usage to dnf and drop amazon-linux-extras — install packages directly, version-namespaced, or via SPAL. (extras fix · missing-package fix)
  4. Time sync. Replace ntpd with chronyd. (ntpd fix)
  5. Firewall. Move iptables rules to nftables.
  6. Python. AL2023 ships no Python 2 — port python2 scripts/shebangs to python3. (python2 fix)
  7. Test boot, app start, networking, and time sync on a canary instance.
  8. Roll out with a staged canary (5 → 25 → 50 → 100%) and a tested rollback to the previous AMI.

Do it faster

The free scanner and the MIT al2023-gate CLI find and patch most of this. Want it done for you? A hash-anchored audit ($299, 30-day money-back) scores every finding by blast-radius and hands back a roll-forward plan; the Migration Pack opens the PR. See the full Amazon Linux 2 migration guide.