AnsiblePilot — Master Ansible Automation


About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible on Amazon Linux 2023 Automation Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate Amazon Linux 2023 (AL2023) on AWS with Ansible: dnf, systemd, SELinux, CloudWatch agent, SSM, EC2 Image Builder, and dynamic inventory.

Amazon Linux 2023 (AL2023) is AWS's RHEL-derived OS for EC2, ECS, EKS, and Lambda runtimes. It provides 5 years of support from GA (March 2023, support to March 2028). AL2023 ships kernel 6.1 LTS, Python 3.9 as the system interpreter (with additional 3.11 and 3.12 packages), dnf, SELinux, systemd 252, and tight integrations with AWS Systems Manager (SSM) and the CloudWatch Agent. This guide is the master Ansible reference for AL2023 on AWS.

Amazon Linux 2023 release facts

| Item | Value |
|---|---|
| GA | 2023-03-15 |
| Support end | 2028-03-15 |
| Default kernel | 6.1 LTS |
| Default Python | 3.9 |
| Package manager | dnf |

See also: Ansible AWS: Complete Guide to Cloud Automation (2026)

Ansible-core compatibility

Use ansible-core 2.18 LTS. AL2023's system Python 3.9 works as the managed-node interpreter.

Dynamic inventory from EC2

# inventory/aws_ec2.yml
plugin: amazon.aws.aws_ec2
regions:
  - us-east-1
filters:
  tag:OS: AL2023
keyed_groups:
  # Builds tag_<Key>_<Value> groups, e.g. tag_OS_AL2023, which the plays below target
  - key: tags
    prefix: tag
  # Builds role_<Role> groups for per-role plays
  - key: tags.Role
    prefix: role

Render the resulting group tree with:

ansible-inventory -i inventory/aws_ec2.yml --graph

See also: How to install Ansible in Amazon Linux 2023 — Ansible install

Baseline playbook

- name: Amazon Linux 2023 baseline
  hosts: tag_OS_AL2023
  become: true
  tasks:
    - name: Update packages
      ansible.builtin.dnf: { name: "*", state: latest, update_cache: true }

    - name: Install baseline tools
      ansible.builtin.dnf:
        name:
          - vim-enhanced
          - chrony
          - amazon-cloudwatch-agent
          - amazon-ssm-agent
          - jq
          - awscli-2
          - cockpit
          - podman
        state: present

    - name: Enable agents
      ansible.builtin.service:
        name: "{{ item }}"
        enabled: true
        state: started
      loop: [chronyd, amazon-ssm-agent, amazon-cloudwatch-agent]

    - name: SELinux enforcing
      ansible.posix.selinux: { policy: targeted, state: enforcing }

CloudWatch Agent configuration

- name: Configure CloudWatch Agent
  hosts: tag_OS_AL2023
  become: true
  tasks:
    - name: Drop CW agent config
      ansible.builtin.copy:
        dest: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
        mode: "0644"
        content: |
          {
            "metrics": {
              "metrics_collected": {
                "mem": { "measurement": ["mem_used_percent"] },
                "disk": { "measurement": ["used_percent"], "resources": ["/"] }
              }
            },
            "logs": {
              "logs_collected": {
                "files": { "collect_list": [
                  { "file_path": "/var/log/messages", "log_group_name": "al2023/syslog" }
                ]}
              }
            }
          }

    - name: Reload CW agent
      ansible.builtin.command: >
        /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl
        -a fetch-config -m ec2 -s
        -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json

See also: Ansible on AlmaLinux 10 Automation Complete Guide

SSM-based connection (no SSH)

Use AWS SSM as the Ansible transport for private VPCs. The bucket named in ansible_aws_ssm_bucket_name is where the connection plugin stages files it copies to and from the instance, so restrict its access the same way you restrict the SSM session path:

[al2023:vars]
ansible_connection=community.aws.aws_ssm
ansible_aws_ssm_bucket_name=ansible-ssm-state
ansible_aws_ssm_region=us-east-1
ansible_python_interpreter=/usr/bin/python3

Patching with Patch Manager + Ansible

- name: Apply security patches
  hosts: tag_OS_AL2023
  become: true
  serial: 25%
  tasks:
    - name: Apply security updates
      ansible.builtin.dnf:
        name: "*"
        state: latest
        security: true
        update_cache: true

    - name: Find the newest installed kernel
      ansible.builtin.command: rpm -q --last kernel
      register: installed_kernel
      changed_when: false

    # ansible_facts['kernel'] is the running kernel (gathered before the update);
    # the first line of rpm -q --last is the most recently installed kernel package.
    - name: Reboot if the running kernel is not the newest installed
      ansible.builtin.reboot:
      when: ansible_facts['kernel'] not in installed_kernel.stdout_lines[0]
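The reboot decision behind the patching play above, as an added standalone Python check (not code from the original post): it parses `rpm -q --last kernel` output, picks the highest installed kernel, and compares it with `uname -r`, assuming, as on AL2023, that `uname -r` matches the kernel package's version-release.arch. The rpm output below is constructed sample data.

```python
import re
import subprocess

# Constructed sample of `rpm -q --last kernel` output on an AL2023 host
# (newest install first); used so the check runs without a real instance.
RPM_LAST_SAMPLE = """\
kernel-6.1.79-99.167.amzn2023.x86_64          Wed 06 Mar 2024 09:12:00 AM UTC
kernel-6.1.77-99.164.amzn2023.x86_64          Mon 12 Feb 2024 10:00:00 AM UTC
"""

KERNEL_LINE = re.compile(r"^kernel-(\S+)")


def installed_kernels(rpm_last_output: str) -> list[str]:
    """Extract 'version-release.arch' for every installed kernel package."""
    return [m.group(1) for line in rpm_last_output.splitlines()
            if (m := KERNEL_LINE.match(line.strip()))]


def version_key(vra: str) -> tuple:
    """Sort key for a kernel string such as '6.1.79-99.167.amzn2023.x86_64'.

    The arch suffix is dropped; each dot/dash separated segment compares
    numerically when it is a number and as text otherwise (e.g. amzn2023).
    """
    body = vra.rsplit(".", 1)[0]
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", body))


def reboot_required(running_kernel: str, rpm_last_output: str) -> bool:
    """True when an installed kernel is newer than the running one.

    running_kernel is the value of `uname -r` (ansible_facts['kernel']).
    With no kernel package listed there is nothing to compare, so no reboot.
    """
    kernels = installed_kernels(rpm_last_output)
    if not kernels:
        return False
    newest = max(kernels, key=version_key)
    return version_key(newest) > version_key(running_kernel)


if __name__ == "__main__":
    # On a real host: compare the live kernel with what dnf just installed.
    running = subprocess.run(["uname", "-r"], capture_output=True,
                             text=True, check=True).stdout.strip()
    rpm_out = subprocess.run(["rpm", "-q", "--last", "kernel"],
                             capture_output=True, text=True, check=True).stdout
    print("reboot required:", reboot_required(running, rpm_out))
```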

Best practices

• Bake AMIs with EC2 Image Builder + Ansible, then drift-detect with the same playbooks.
• Tag instances with OS=AL2023 and Role=... to drive dynamic inventory and patch groups.
• Prefer SSM transport in private VPCs; reserve SSH for jump-host paths.
• Use IAM Instance Profiles instead of static AWS credentials in playbooks.

Conclusion

Amazon Linux 2023 + Ansible is a tight cloud-native combination. Pair amazon.aws and community.aws collections, dynamic inventory, and SSM transport to manage thousands of AL2023 EC2 instances without exposing SSH.
