I run some Ubuntu Server instances on EC2, and I always install the latest apt security updates. It only just occurred to me that AMIs have a fixed AKI (kernel ID), i.e. that Amazon only has a certain set of allowed kernels it will boot into. So do EC2 instances always boot into the same kernel, even after installing the latest kernel updates? Does this mean that every time there's a new kernel update, I need to look for the latest AKI from the Ubuntu EC2 team, and then run ec2-modify-instance-attribute --kernel NEWAKI on all my instances (and re-register my AMIs with the NEWAKI), or else I'd be booting into an old/insecure kernel?
Your concern is factually wrong because Amazon will actually let you run any kernel you like now. It used to be the way you describe, but you can now compile and run a kernel from inside your VM.
That being said, that's not usually the way it's done. Many images still use the Amazon-supplied AMIs. Some images, like the Ubuntu ones, use vendor-provided images.
You don't have to worry too much about security issues in kernels. Most security issues don't happen there. Far more important is compatibility / stability with your hardware platform.
If there are newer vendor supplied kernels and you are doing maintenance anyway, throwing one up using the command you supplied is a good idea. If you are using Amazon kernels, I would just leave it that way and not worry about it. Only if you have a special specific need would I bother with making it use a custom kernel from inside your AMI.
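A check for the question's underlying worry, added here and not part of either post: after a reboot, compare the kernel actually running (uname -r) with the newest kernel installed under /boot, so a stale boot kernel (an old AKI still in use, or a failed update) shows up instead of being assumed away. It assumes the Ubuntu naming /boot/vmlinuz-<version> and GNU sort -V; the helper names are my own.

```shell
#!/bin/sh
# Added example: detect whether the instance booted the newest installed kernel.
# Not from the question, the answer, or any Ubuntu/Amazon tooling.

# Compare two kernel version strings (e.g. 3.2.0-23-virtual) and print
# "current" (equal), "stale" (running is older than newest) or "newer".
# Version ordering is delegated to GNU sort -V (assumed available).
kernel_status() {
    running="$1"
    newest="$2"
    if [ "$running" = "$newest" ]; then
        echo current
    elif [ "$(printf '%s\n%s\n' "$running" "$newest" | sort -V | head -n1)" = "$running" ]; then
        echo stale
    else
        echo newer
    fi
}

# Newest kernel present on disk, taken from the /boot/vmlinuz-<version>
# files that the Ubuntu kernel packages install (assumed layout).
newest_installed_kernel() {
    ls /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | sort -V | tail -n1
}

# Report the running kernel against the newest installed one; exit status is
# non-zero when the box is running something older than what apt installed,
# which is exactly the case the question is worried about.
check_running_kernel() {
    running="$(uname -r)"
    newest="$(newest_installed_kernel)"
    status="$(kernel_status "$running" "$newest")"
    echo "running=$running newest_installed=$newest status=$status"
    [ "$status" != stale ]
}
```

Run check_running_kernel after each reboot (or from a cron job that alerts on a non-zero exit); a "stale" result on a PV instance means the registered AKI or boot configuration, not the apt upgrade, decides the kernel you are on.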