Have you run into issues because your EC2 instance's clock is wrong? It's a nightmare when time is not synced properly: transaction data can be inserted in the wrong chronological order, or services can fail due to data inconsistency.
To avoid those problems and keep your machine clock in sync, you need to configure time synchronization properly using NTP. Cloud Infra has already pre-configured the NTP service in our Golden AMI. We also configured it to use the internal Amazon Time Sync Service, so your instance does not require access to the Internet and you don't have to configure your security group rules or network ACLs to allow egress to public NTP servers.
Let's see how to get your machine configured.
Any Ubuntu 16 or Ubuntu 20 golden AMI that is owned by AWS account 745412875337 and was released after Nov 11, 2020 already has NTP syncing with Amazon Time Sync Service. Other golden AMIs have NTP configured to use public servers; please read the section below on how to configure them properly.
Use an AMI filter in your tool (Terraform, Ansible, or AWS CLI). You can filter the list of AMIs by AMI prefix and account ID; don't forget to set the most_recent option to true to get the latest AMI. You can also view the list of golden AMIs in this document.
Note: We strongly recommend that engineers start using the Ubuntu 20 AMI if they are still using the old, unsupported Ubuntu 16 version.
Check the creation date of the AMI that you're using. If it's older than Nov 11, 2020, you should update your application AMI and use the latest Golden AMI.
Be aware that some teams may have hard-coded the AMI ID in their pipeline configuration, so the application might be baked on top of an old, outdated AMI that isn't configured to use Amazon Time Sync Service. Another way to check is to connect to the EC2 instance using SSM and check whether the content of /etc/ntp.conf contains 169.254.169.123 (the Amazon Time Sync IP).
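The /etc/ntp.conf check described above can be scripted. The following is an added example, not part of the original announcement: it counts only active server, pool and peer lines, so a commented-out Amazon Time Sync entry is not mistaken for a working one. The function names, the verdict labels and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the active time sources in an ntp.conf file.
AMAZON_TIME_SYNC_IP="169.254.169.123"   # Amazon Time Sync IP named in the post

# Prints amazon-only | mixed | public-only | none for the given file.
# Only active server/pool/peer directives count; commented-out lines are
# ignored, which a plain text search for the IP would get wrong.
classify_ntp_conf() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk -v ip="$AMAZON_TIME_SYNC_IP" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "server" || $1 == "pool" || $1 == "peer" {
            if ($2 == ip) amazon = 1; else other = 1
        }
        END {
            if (amazon && !other) print "amazon-only"
            else if (amazon)      print "mixed"
            else if (other)       print "public-only"
            else                  print "none"
        }
    ' "$1"
}

# Human-readable verdict, using the remediation the post describes.
report_ntp_conf() {
    case "$(classify_ntp_conf "$1")" in
        amazon-only) echo "OK: syncing with Amazon Time Sync only" ;;
        mixed)       echo "WARN: Amazon Time Sync plus other sources" ;;
        public-only) echo "FAIL: public NTP only; update the AMI or allow UDP 123 egress" ;;
        none)        echo "FAIL: no active time source configured" ;;
        *)           echo "FAIL: cannot read $1" ;;
    esac
}

# Constructed sample configs (not taken from a real instance).
demo_dir="$(mktemp -d)"
printf '%s\n' 'driftfile /var/lib/ntp/ntp.drift' \
    'server 169.254.169.123 prefer iburst' > "$demo_dir/new.conf"
printf '%s\n' '#server 169.254.169.123 prefer iburst' \
    'pool 0.ubuntu.pool.ntp.org iburst' > "$demo_dir/old.conf"
report_ntp_conf "$demo_dir/new.conf"
report_ntp_conf "$demo_dir/old.conf"
rm -rf "$demo_dir"
```

On an instance reached through SSM, call report_ntp_conf /etc/ntp.conf after loading the functions.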
We strongly recommend that you use the latest Golden AMI instead of a workaround. If you must, you can still use a previous AMI, but you need to allow UDP egress to the Internet (0.0.0.0/0) on port 123.
Older golden AMIs have NTP configured with public NTP servers; the downside is that you need to allow UDP traffic to the Internet on port 123.
That's all about NTP. Now it's time to upgrade your application AMI and stop worrying about out-of-sync clocks on your EC2 instances.
This announcement is also posted on our Confluence Blog, where we post other PSAs and decommission notices: [psa] Improve Reliability Time Synchronization in your EC2 Instance