KernelCare is the Advanced Technology Partner at AWS for Live Patching

At KernelCare, we strive to make our IT products well engineered, beautifully designed, and simple to use. That’s why we couldn’t be more proud to be named as the exclusive advanced technology partner for Linux Kernel Live Patching. It truly is a testament to our mission.

Why did AWS select KernelCare?

Becoming an Advanced partner means showing our deep technical skills and expertise to design, deploy, and operate applications and infrastructure on AWS.

It also means that our product follows architectural design best practices, delivering reliable, secure, efficient, and cost-effective systems in the cloud.

We passed the Technical Baseline Review for our applications, infrastructure, and operational processes. The review focused on compliance to a set of standards that help produce successful outcomes for AWS customers.

The Technical Baseline Review process is:

1. AWS Business Support (or better) for all AWS production accounts
2. Compliance with Identity and Access Management (IAM) best practices
3. Compliance with logging and auditing best practices
4. Documented and tested backup & recovery strategy
5. Additional requirements based on workload type

Did you know that there are more than 20 Linux vulnerabilities each month?

To help secure your environment, KernelCare automatically installs Linux kernel patches to live (or staging) servers without performance impact or downtime.

KernelCare takes minutes to install, nanoseconds to update, does it without reboots, and provides patch roll-back capability.

Imagine this scenario:

1. You log into your AWS account.
2. Run up an instance of Amazon Linux 2.
3. Install your apps, your databases, your data.
4. Deploy and advertise your services.
5. Wait for one of the 20 or so Linux kernel vulnerabilities that appear each month on average (if you look at the past 3 years as a guide).

That last step is what spoils everything, because installing kernel updates means rebooting your nicely-ticking-over EC2 instance. It’s OK if you’ve a handful of them; you just install the update and reboot to apply it. For a few dozen or more servers, doing this is a nightmare. Security patches are, by definition, urgent.

Kernel vulnerabilities are routinely published with explicit details of how to exercise the exploit. That means that when a vulnerability is discovered, anyone who wants to know about it, will know about it. It’s like leaving home remembering you left a window unlocked. It doesn’t mean anyone will use it to get in. It just means they can if they want, once they figure out which house and which window.

So imagine you’re on the way to the airport and won’t be back for some time. That’s how it feels to be a system administrator constrained by maintenance schedules. Think of KernelCare as a home security robot, checking windows and closing them without you having to worry about it. KernelCare is ‘install and forget’ software. The KernelCare software agent (a small program that runs on every system) handles the installation of the patch quickly, and no processes are killed.

A recent example of KernelCare protecting Amazon Linux 2 kernels from critical vulnerabilities was in CVE–2019–8912. This is a use-after-free vulnerability affecting kernels running on Amazon Linux 2, among others. MITRE created an entry for the vulnerability on February 18, 2019. NVD published it on February 20. By Friday, February 22, KernelCare patches were out, protecting over 100 of our customers’ AL2 installs from this vulnerability. (The details are in this blog post.)

KernelCare runs on more than a quarter of a million servers and is trusted by Dell,1&1, Liquidweb, Nexcess, True and thousands of other companies across the globe.

Read this white paper to learn more about KernelCare, and you can try it yourself using the one-line install procedure.