AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::SSM::PatchBaseline

The AWS::SSM::PatchBaseline resource defines the basic information for an Amazon EC2 Systems Manager patch baseline. A patch baseline defines which patches are approved for installation on your instances. For more information, see CreatePatchBaseline in the Amazon EC2 Systems Manager API Reference.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SSM::PatchBaseline",
  "Properties" : {
    "OperatingSystem" : String,
    "ApprovedPatches" : [ String, ... ],
    "PatchGroups" : [ String, ... ],
    "Description" : String,
    "ApprovedPatchesComplianceLevel" : String,
    "ApprovalRules" : RuleGroup,
    "GlobalFilters" : PatchFilterGroup,
    "Name" : String,
    "RejectedPatches" : [ String, ... ]
  }
}

YAML

Type: "AWS::SSM::PatchBaseline"
Properties:
  OperatingSystem: String
  ApprovedPatches:
    - String
  PatchGroups:
    - String
  Description: String
  ApprovedPatchesComplianceLevel: String
  ApprovalRules: RuleGroup
  GlobalFilters: PatchFilterGroup
  Name: String
  RejectedPatches:
    - String

Properties

OperatingSystem

Defines the operating system that the patch baseline applies to. Supported operating systems include WINDOWS, AMAZON_LINUX, UBUNTU, and REDHAT_ENTERPRISE_LINUX. The default value is WINDOWS.

Required: No

Type: String

Update requires: Replacement

ApprovedPatches

A list of explicitly approved patches for the baseline.

Required: No

Type: List of String

Update requires: No interruption

PatchGroups

The names of the patch groups to register with the patch baseline.

Required: No

Type: List of String

Update requires: No interruption

Description

A description of the patch baseline.

Required: No

Type: String

Update requires: No interruption

ApprovedPatchesComplianceLevel

The compliance level for approved patches. If an approved patch is reported as missing, this value is the severity of the resulting compliance violation. Valid compliance severity levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, and UNSPECIFIED. The default value is UNSPECIFIED.

Required: No

Type: String

Update requires: No interruption

ApprovalRules

A set of rules that are used to include patches in the baseline.

Required: No

Type: SSM PatchBaseline RuleGroup

Update requires: No interruption

GlobalFilters

A set of global filters that are used to exclude patches from the baseline.

Required: No

Type: SSM PatchBaseline PatchFilterGroup

Update requires: No interruption

Name

The name of the patch baseline.

Required: Yes

Type: String

Update requires: No interruption

RejectedPatches

A list of explicitly rejected patches for the baseline.

Required: No

Type: List of String

Update requires: No interruption
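
The following template is an added example, not part of the AWS documentation, showing how the properties above combine into a Windows baseline that auto-approves security updates after a delay while pinning and blocking individual patches. The nested keys (PatchRules, PatchFilterGroup, PatchFilters, ApproveAfterDays, ComplianceLevel) belong to the RuleGroup and PatchFilterGroup property types that this page references but does not spell out; the logical ID, names, patch group, and KB numbers are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example Windows patch baseline (constructed for illustration)
Resources:
  ExampleWindowsBaseline:            # hypothetical logical ID
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: example-windows-security-baseline   # the only required property
      Description: Auto-approve critical and important security updates after 7 days
      OperatingSystem: WINDOWS                  # changing this later replaces the resource
      # Severity reported when an explicitly approved patch is missing.
      ApprovedPatchesComplianceLevel: CRITICAL
      PatchGroups:
        - example-prod-web                      # placeholder patch group name
      # Global filter: only patches for this product are considered.
      GlobalFilters:
        PatchFilters:
          - Key: PRODUCT
            Values:
              - WindowsServer2016
      # Rule: approve matching patches 7 days after release, giving time
      # to test before the patch becomes mandatory for compliance.
      ApprovalRules:
        PatchRules:
          - ApproveAfterDays: 7
            ComplianceLevel: CRITICAL
            PatchFilterGroup:
              PatchFilters:
                - Key: CLASSIFICATION
                  Values:
                    - SecurityUpdates
                    - CriticalUpdates
                - Key: MSRC_SEVERITY
                  Values:
                    - Critical
                    - Important
      # Explicit lists sit alongside the rules above.
      ApprovedPatches:
        - KB0000001                             # placeholder: out-of-band fix to install
      RejectedPatches:
        - KB0000002                             # placeholder: patch known to break a workload
```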
