1

For STIG reasons I need to disable IPv6 on my Amazon Linux 2023 Instance. I have tried adding the following lines to /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.ens5.disable_ipv6=1

As well as adding the following line to /etc/default/grub

GRUB_CMDLINE_LINUX="ipv6.disable=1"

However, upon startup it looks like I do have an IPv6 address and if I do a manual application of net.ipv6.conf.all.disable_ipv6=1 it goes away.

$ ip -6 addr
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 state UP qlen 1000
    inet6 fe80::4:6fff:feea:27c7/64 scope link
       valid_lft forever preferred_lft forever
$ sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
$ ip -6 addr
$

I have looked a little into /proc/sys/net:

$ cat /proc/sys/net/ipv6/conf/*/disable_ipv6
1
1
0
1

and it is interesting that even though /proc/sys/net/ipv6/conf/all/disable_ipv6 contains 1, /proc/sys/net/ipv6/conf/ens5/disable_ipv6 is still 0.

Is there a better way of disabling IPv6? (Note: I have tried grubby --update-kernel=ALL --args="ipv6.disable=1" and it bricks my instance [I think it kills IPv4 as well].) Or is there something else I need for the setting to stick after a reboot?

shepster

2 Answers

0

I had the same problem. I have added the below in /etc/rc.local

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.ens5.disable_ipv6=1

Ramratan Gupta

0

The best solution is

grubby --update-kernel=ALL --args="ipv6.disable=1"

At the time I asked my question this would kill all networking and make the AWS instance unreachable. This was an AWS bug. It has been resolved since Amazon Linux 2023 version 2023.5.20240916. Now the grubby command works properly and disables IPv6.

shepster
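A read-only check for the state discussed in the question and both answers, added here as an example and not code from either poster: it reports whether `ipv6.disable=1` is on the kernel command line and flags every interface whose `disable_ipv6` value is not 1, which is the `all`=1 but `ens5`=0 mismatch shown in the question. The function names, the sample command line and the `lo` entry in the sample tree are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Usage on a real host: audit_ipv6
# Optional args: [sysctl conf dir] [kernel cmdline file] (used by the demo below).
audit_ipv6() {
    a_conf="${1:-/proc/sys/net/ipv6/conf}"
    a_cmdline="${2:-/proc/cmdline}"
    a_boot=no; a_rc=0
    # Boot-time switch set through GRUB_CMDLINE_LINUX or grubby.
    if grep -qwF 'ipv6.disable=1' "$a_cmdline" 2>/dev/null; then a_boot=yes; fi
    echo "INFO kernel command line has ipv6.disable=1: $a_boot"
    if [ ! -d "$a_conf" ]; then
        echo "INFO no IPv6 sysctl tree at $a_conf"
        if [ "$a_boot" = yes ]; then return 0; fi
        return 2    # nothing to inspect and no boot switch: undetermined
    fi
    # Runtime switches: every interface entry must read 1, not only "all".
    for a_f in "$a_conf"/*/disable_ipv6; do
        [ -r "$a_f" ] || continue
        a_if=$(basename "$(dirname "$a_f")")
        a_val=$(cat "$a_f")
        if [ "$a_val" = 1 ]; then
            echo "PASS $a_if disable_ipv6=$a_val"
        else
            echo "FAIL $a_if disable_ipv6=$a_val"
            a_rc=1
        fi
    done
    return "$a_rc"
}

# Constructed sample mirroring the question's output (1, 1, 0, 1);
# "lo" as the fourth entry and the command line are assumptions.
make_sample() {
    s_dir=$(mktemp -d) || return 1
    for s_pair in all=1 default=1 ens5=0 lo=1; do
        mkdir -p "$s_dir/conf/${s_pair%%=*}"
        echo "${s_pair#*=}" > "$s_dir/conf/${s_pair%%=*}/disable_ipv6"
    done
    echo 'BOOT_IMAGE=/vmlinuz ro console=ttyS0' > "$s_dir/cmdline"
    echo "$s_dir"
}

# Demo on the constructed sample, so nothing on the host is read or changed.
sample=$(make_sample) && {
    audit_ipv6 "$sample/conf" "$sample/cmdline" || echo "audit exit status: $?"
    rm -rf "$sample"
}
```

Running it once right after boot and again after any manual `sysctl -w` shows whether the setting survives a restart or only holds after being applied by hand.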