In short: the OS is Amazon Linux or Ubuntu. One EC2 instance (or OpsWorks instance?) is running. Once a day, start a second instance, update it with the latest security updates, install my app. Shut down the first instance. Repeat every day...
AWS documentation states:
By default, AWS OpsWorks automatically installs the latest updates during setup... We recommend that you... Create and start new instances to replace your current online instances. Then delete the current instances. The new instances will have the latest set of security patches installed during setup.
How to automate this process?
I know I can start one micro instance to manage this process via the CLI, but I would prefer to use some AWS built-in tool, so that I can get notifications on failure, add some redundancy (if the CLI instance fails), keep everything working on new CLI / AWS API versions, etc.
Am I missing some elegant approach?
Update: Ability to use existing Elastic IP is preferred.
Use EC2 instances behind an ELB.
Upon launch, your nodes should download and install the latest security updates and do whatever other configuration is necessary to get your application running.
As for cycling out your instances, once a day:
All of the above can be trivially automated using various AWS APIs, perhaps even as a Lambda job.
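The replace-then-retire cycle described in this answer, written out as an added example (not code from the answer or from AWS). The client interface and the service name are assumed; in a real Lambda job the client methods would wrap the corresponding boto3 EC2 and load-balancer calls. The safety property worth noting is the ordering: the old instance is only deregistered and terminated after the new one reports healthy, and a new instance that never becomes healthy is discarded while the old one keeps serving.

```python
"""Daily instance rotation behind a load balancer: launch a freshly patched
replacement, wait until it is healthy, then retire the old instance.
Added example; `client` is an assumed interface, not boto3."""
import time

# Constructed user-data: patch on first boot (Amazon Linux / Ubuntu), then start the app.
USER_DATA = """#!/bin/bash
set -euo pipefail
if command -v yum >/dev/null; then yum -y --security update; else apt-get update && apt-get -y upgrade; fi
systemctl restart my-app   # assumed service name
"""

def rotate(client, old_id, timeout_s=600, poll_s=10, clock=time.monotonic, sleep=time.sleep):
    """Replace old_id with a new instance. The old instance is only removed
    after the new one reports healthy; on timeout the new instance is
    terminated and the old one is left serving. Returns the new instance id."""
    new_id = client.run_instance(USER_DATA)
    client.register(new_id)
    deadline = clock() + timeout_s
    while client.instance_health(new_id) != "healthy":
        if clock() > deadline:
            client.deregister(new_id)
            client.terminate(new_id)
            raise TimeoutError(f"{new_id} never became healthy; {old_id} kept in service")
        sleep(poll_s)
    client.deregister(old_id)
    client.terminate(old_id)
    return new_id

class FakeClient:
    """Constructed in-memory stand-in for the assumed AWS client so the example runs offline."""
    def __init__(self, healthy_after_polls):
        self.healthy_after = healthy_after_polls
        self.polls = 0
        self.instances = {"i-old": "running"}   # instance id -> state
        self.registered = {"i-old"}             # ids currently behind the load balancer
        self.n = 0
    def run_instance(self, user_data):
        self.n += 1
        iid = f"i-new{self.n}"
        self.instances[iid] = "running"
        return iid
    def register(self, iid): self.registered.add(iid)
    def deregister(self, iid): self.registered.discard(iid)
    def terminate(self, iid): self.instances[iid] = "terminated"
    def instance_health(self, iid):
        self.polls += 1
        return "healthy" if self.polls > self.healthy_after else "unhealthy"

if __name__ == "__main__":
    c = FakeClient(healthy_after_polls=2)
    print(rotate(c, "i-old", sleep=lambda s: None))   # prints i-new1
```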
When you say "update it with latest security updates", what exactly do you mean? What is your threat profile and risk mitigation against what adversary? I use ufw and ensure that I do `sudo apt update` or `sudo yum update && sudo yum upgrade && reboot` in a cron set to once a month with near zero downtime. It is like 30 seconds for a reboot. It seems like what you are trying to do is not worth the time to implement. So my answer would be:
implement sane security lockdowns in terms of firewall, ports, proper user jails, proper user runtimes for your application, and in general limit what is running on the instance;
set up a crontab with an automatic update script on a periodic basis.
This would not completely mitigate any downtime but ensures it is like 30 seconds a month.