diff --git a/lib/web/join_tokens_test.go b/lib/web/join_tokens_test.go
index 680b956749f51..5aa37c919a21f 100644
--- a/lib/web/join_tokens_test.go
+++ b/lib/web/join_tokens_test.go
@@ -931,12 +931,12 @@ func TestJoinScript(t *testing.T) {
 			require.NoError(t, err)
 
 			require.Contains(t, script, ""+
-				"    PACKAGE_LIST=${TELEPORT_PACKAGE_NAME}\n"+
+				"    PACKAGE_LIST=${TELEPORT_PACKAGE_PIN_VERSION}\n"+
 				"    # (warning): This expression is constant. Did you forget the $ on a variable?\n"+
 				"    # Disabling the warning above because expression is templated.\n"+
 				"    # shellcheck disable=SC2050\n"+
 				"    if [[ \"true\" == \"true\" ]]; then\n"+
-				"        PACKAGE_LIST=\"${PACKAGE_LIST} ${TELEPORT_PACKAGE_NAME}-updater\"\n"+
+				"        PACKAGE_LIST+=\" ${TELEPORT_UPDATER_PIN_VERSION}\"\n"+
 				"    fi\n",
 			)
 		})
@@ -945,12 +945,12 @@ func TestJoinScript(t *testing.T) {
 			require.NoError(t, err)
 
 			require.Contains(t, script, ""+
-				"    PACKAGE_LIST=${TELEPORT_PACKAGE_NAME}\n"+
+				"    PACKAGE_LIST=${TELEPORT_PACKAGE_PIN_VERSION}\n"+
 				"    # (warning): This expression is constant. Did you forget the $ on a variable?\n"+
 				"    # Disabling the warning above because expression is templated.\n"+
 				"    # shellcheck disable=SC2050\n"+
 				"    if [[ \"false\" == \"true\" ]]; then\n"+
-				"        PACKAGE_LIST=\"${PACKAGE_LIST} ${TELEPORT_PACKAGE_NAME}-updater\"\n"+
+				"        PACKAGE_LIST+=\" ${TELEPORT_UPDATER_PIN_VERSION}\"\n"+
 				"    fi\n",
 			)
 		})
diff --git a/lib/web/scripts/node-join/install.sh b/lib/web/scripts/node-join/install.sh
index b435791245f40..7bcf0d8c79497 100755
--- a/lib/web/scripts/node-join/install.sh
+++ b/lib/web/scripts/node-join/install.sh
@@ -661,7 +661,7 @@ if [[ "${OSTYPE}" == "linux-gnu"* ]]; then
             fi
             if [[ ${DISTRO_TYPE} =~ "debian" ]]; then
                 TELEPORT_FORMAT="deb"
-            elif [[ ${DISTRO_TYPE} =~ "centos"* ]] || [[ ${DISTRO_TYPE} =~ "rhel" ]] || [[ ${DISTRO_TYPE} =~ "fedora"* ]]; then
+            elif [[ "$DISTRO_TYPE" =~ "amzn"* ]] || [[ ${DISTRO_TYPE} =~ "centos"* ]] || [[ ${DISTRO_TYPE} =~ "rhel" ]] || [[ ${DISTRO_TYPE} =~ "fedora"* ]]; then
                 TELEPORT_FORMAT="rpm"
             else
                 log "Couldn't match a distro type using /etc/os-release, falling back to tarball installer"
@@ -851,18 +851,11 @@ install_from_repo() {
         REPO_CHANNEL=stable/v"${TELEPORT_VERSION//.*/}"
     fi
 
-    PACKAGE_LIST=${TELEPORT_PACKAGE_NAME}
-    # (warning): This expression is constant. Did you forget the $ on a variable?
-    # Disabling the warning above because expression is templated.
-    # shellcheck disable=SC2050
-    if [[ "{{.installUpdater}}" == "true" ]]; then
-        PACKAGE_LIST="${PACKAGE_LIST} ${TELEPORT_PACKAGE_NAME}-updater"
-    fi
-
     # Populate $ID, $VERSION_ID, $VERSION_CODENAME and other env vars identifying the OS.
     # shellcheck disable=SC1091
     . /etc/os-release
 
+    PACKAGE_LIST=$(package_list)
     if [ "$ID" == "debian" ] || [ "$ID" == "ubuntu" ]; then
         # old versions of ubuntu require that keys get added by `apt-key add`, without
         # adding the key apt shows a key signing error when installing teleport.
@@ -892,7 +885,7 @@ install_from_repo() {
         # Remove metadata cache to prevent cache from other channel (eg, prior version)
         # See: https://github.com/gravitational/teleport/issues/22581
         yum --disablerepo="*" --enablerepo="teleport" clean metadata
-        
+
         yum install -y ${PACKAGE_LIST}
     else
         echo "Unsupported distro: $ID"
@@ -900,6 +893,32 @@ install_from_repo() {
     fi
 }
 
+# package_list returns the list of packages to install.
+# The list of packages can be fed into yum or apt because they already have the expected format when pinning versions.
+package_list() {
+    TELEPORT_PACKAGE_PIN_VERSION=${TELEPORT_PACKAGE_NAME}
+    TELEPORT_UPDATER_PIN_VERSION="${TELEPORT_PACKAGE_NAME}-updater"
+
+    if [[ "${TELEPORT_FORMAT}" == "deb" ]]; then
+        TELEPORT_PACKAGE_PIN_VERSION+="=${TELEPORT_VERSION}"
+        TELEPORT_UPDATER_PIN_VERSION+="=${TELEPORT_VERSION}"
+
+    elif [[ "${TELEPORT_FORMAT}" == "rpm" ]]; then
+        TELEPORT_YUM_VERSION="${TELEPORT_VERSION//-/_}"
+        TELEPORT_PACKAGE_PIN_VERSION+="-${TELEPORT_YUM_VERSION}"
+        TELEPORT_UPDATER_PIN_VERSION+="-${TELEPORT_YUM_VERSION}"
+    fi
+
+    PACKAGE_LIST=${TELEPORT_PACKAGE_PIN_VERSION}
+    # (warning): This expression is constant. Did you forget the $ on a variable?
+    # Disabling the warning above because expression is templated.
+    # shellcheck disable=SC2050
+    if [[ "{{.installUpdater}}" == "true" ]]; then
+        PACKAGE_LIST+=" ${TELEPORT_UPDATER_PIN_VERSION}"
+    fi
+    echo ${PACKAGE_LIST}
+}
+
 is_repo_available() {
     if [[ "${OSTYPE}" != "linux-gnu" ]]; then
         return 1