Using ntpd with AWS Amazon Time Sync Service

Amazon has introduced the Amazon Time Sync Service that is accessible within your VPC by default. It’s a highly accurate time server accessible via NTP. Here’s how to configure ntpd to use the new AWS time service.

The NTP protocol and the ntpd service let you ensure your server clock is accurate. This can be important as “If you use the AWS CLI or an AWS SDK to make requests from your instance, these tools sign requests on your behalf. If your instance’s date and time are not set correctly, the date in the signature may not match the date of the request, and AWS rejects the request.” It also makes correlating logs between servers much easier if you’re tracking down problems.

Here’s what AWS says about this service:

Built on Amazon’s proven network infrastructure, the service utilizes a fleet of redundant satellite-connected and atomic reference clocks in AWS regions to deliver current time readings of the Coordinated Universal Time (UTC) global standard. The service is designed to be highly available with a continuously monitored time infrastructure and provides a low variance reference time source. Leap seconds are known to cause application errors, and can be a concern for developers and system administrators. The Amazon Time Sync Service automatically smooths out (smears) leap seconds that are periodically added to UTC, so that customers do not have to worry about application errors due to their addition. In the future, we will also provide mechanisms for accessing non-leap smeared time. EC2 instances running in Amazon Virtual Private Cloud (VPC) can access this service at a universally reachable IP address.

I was already running NTPD and couldn’t be bothered changing to chrony like the AWS documentation suggests. Instead I just added this line to my /etc/ntpd.conf:

server 169.254.169.123 prefer iburst

I also made sure none of the existing servers had “prefer” on them. Here’s the relevant part of my configuration file. Note that the existing “amazon.pool” entries aren’t AWS hosted; they seem to be CNAMEs that change between a set of servers each time they’re used:

server 169.254.169.123 prefer iburst
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

2.amazon.pool.ntp.org for example mapped to tock.no-such-agency.net on my first ping, then mis.wci.com on my second.
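The easy mistake with the configuration above is leaving a second “prefer” on one of the pool servers, or forgetting “iburst” on the Amazon line so the initial sync is slow. The following script is an added example (not from the original post, and not an AWS or ntpd tool): it reads an ntpd configuration file, checks that 169.254.169.123 is present with both “prefer” and “iburst”, and checks that no other server line also carries “prefer”. The two sample configurations it writes are constructed for the demonstration; the file name it checks is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example, not code from the original post: a checker for the ntpd
# configuration pattern above. It verifies that 169.254.169.123 (Amazon Time
# Sync) is configured with "prefer" and "iburst", and that no other server
# line also carries "prefer". Usage: sh check_ntp.sh /etc/ntp.conf
# (with no argument it runs against two constructed sample configs).

AWS_TIME_SYNC="169.254.169.123"

# Emit the active "server" lines of an ntpd config, with comments stripped.
ntp_server_lines() {
    sed 's/#.*$//' "$1" | awk '$1 == "server" { print }'
}

# Count the server lines carrying a given option word (e.g. "prefer").
count_server_option() {
    ntp_server_lines "$1" | awk -v opt="$2" \
        '{ for (i = 3; i <= NF; i++) if ($i == opt) c++ } END { print c + 0 }'
}

# Return 0 when exactly one server line has "prefer" and it is the Amazon
# Time Sync address with "iburst"; otherwise print the reason and return 1.
check_ntp_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    aws_line=$(ntp_server_lines "$conf" | awk -v ip="$AWS_TIME_SYNC" '$2 == ip')
    [ -n "$aws_line" ] || { echo "no server line for $AWS_TIME_SYNC"; return 1; }

    case " $aws_line " in
        *" prefer "*) ;;
        *) echo "$AWS_TIME_SYNC is not marked prefer"; return 1 ;;
    esac
    case " $aws_line " in
        *" iburst "*) ;;
        *) echo "$AWS_TIME_SYNC lacks iburst (slow initial sync)"; return 1 ;;
    esac

    prefers=$(count_server_option "$conf" prefer)
    [ "$prefers" -eq 1 ] || { echo "expected 1 prefer line, found $prefers"; return 1; }
    echo "ok: $AWS_TIME_SYNC is the single preferred server"
    return 0
}

# Constructed sample configs (not taken from any real host).
write_good_conf() {
    cat > "$1" <<'EOF'
# constructed sample: AWS Time Sync preferred, public pool as fallback
server 169.254.169.123 prefer iburst
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
EOF
}

write_bad_conf() {
    cat > "$1" <<'EOF'
# constructed sample: a leftover "prefer" on a pool server
server 169.254.169.123 prefer iburst
server 0.amazon.pool.ntp.org prefer iburst
EOF
}

# Stand-alone run: check the file given as $1, or the two samples.
if [ -n "${1:-}" ]; then
    check_ntp_conf "$1"
else
    tmp=$(mktemp)
    write_good_conf "$tmp"; check_ntp_conf "$tmp"
    write_bad_conf "$tmp";  check_ntp_conf "$tmp" || echo "(bad sample rejected, as expected)"
    rm -f "$tmp"
fi
```

After restarting ntpd with a configuration that passes this check, `ntpq -p` lists the peers; the line marked with `*` is the server ntpd actually selected, which should be 169.254.169.123 once a few polls have completed.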
