AWS Systems Manager
User Guide

About Configuration Compliance

This section describes the kinds of compliance data (compliance types) that you can view by using Configuration Compliance. Configuration Compliance currently supports Patch Manager patching data, State Manager associations, and custom compliance types.

About Patch Compliance

After you configure and execute patching by using Patch Manager, Configuration Compliance automatically reports patch compliance status. You don't need to perform any additional steps to view these statuses. If you want to assign a specific patch compliance status to an instance, you can use the PutComplianceItems API action to explicitly assign a status. You can use this API action from the AWS CLI, AWS Tools for Windows PowerShell, or the SDK. You currently can't assign compliance status by using the Amazon EC2 console.

You can view and drill down into patch compliance details in the Amazon EC2 console on the Compliance Configuration page, or you can use the following API actions:

  • ListComplianceSummaries: Returns a summary count of compliant and non-compliant patch statuses according to the filter you specify.

  • ListResourceComplianceSummaries: Returns a resource-level summary count. The summary includes information about compliant and non-compliant statuses and detailed compliance-item severity counts, according to the filter criteria you specify.

  • DescribePatchGroupState: Returns high-level aggregated patch compliance state for a patch group.

  • DescribeInstancePatchStatesForPatchGroup: Returns the high-level patch state for the instances in the specified patch group.

The results for each patch show one of the following states.

  • Installed: Either the patch was already installed, or Patch Manager installed it when the AWS-RunPatchBaseline document was run on the instance.

  • Installed_Other: The patch is not in the baseline, but it is installed on the instance. An individual might have installed it manually.

  • Missing: The patch is approved in the baseline, but it's not installed on the instance. If you configure the AWS-RunPatchBaseline document task to scan (instead of install), the system reports this status for patches that were located during the scan but have not been installed.

  • Not_Applicable: The patch is approved in the baseline, but the service or feature that uses the patch is not installed on the instance. For example, a patch for a web server service would show Not_Applicable if it was approved in the baseline, but the web service is not installed on the instance.

  • Failed: The patch is approved in the baseline, but it could not be installed. To troubleshoot this situation, review the command output for information that might help you understand the problem.
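The states above are what the DescribeInstancePatchStatesForPatchGroup action rolls up into per-instance counts. The following Python is an added example (not code from the AWS documentation or the Systems Manager SDK) that triages such counts into a patch-group report: Missing and Failed counts mark an instance non-compliant, while Installed, Installed_Other and Not_Applicable do not. The sample response is constructed to mirror the InstancePatchStates shape; the fetch helper assumes a boto3 SSM client and is not exercised offline.

```python
"""Triage per-instance patch counts from DescribeInstancePatchStatesForPatchGroup.

Added example; the sample response below is constructed, not captured from a
real account. Field names follow the InstancePatchStates structure returned by
the API (InstalledCount, InstalledOtherCount, MissingCount, FailedCount,
NotApplicableCount, Operation).
"""

# Constructed sample shaped like the InstancePatchStates list the API returns.
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa000000000001", "PatchGroup": "web", "Operation": "Scan",
     "InstalledCount": 42, "InstalledOtherCount": 3, "MissingCount": 0,
     "FailedCount": 0, "NotApplicableCount": 7},
    {"InstanceId": "i-0aaa000000000002", "PatchGroup": "web", "Operation": "Scan",
     "InstalledCount": 40, "InstalledOtherCount": 0, "MissingCount": 2,
     "FailedCount": 0, "NotApplicableCount": 7},
    {"InstanceId": "i-0aaa000000000003", "PatchGroup": "web", "Operation": "Install",
     "InstalledCount": 41, "InstalledOtherCount": 1, "MissingCount": 0,
     "FailedCount": 1, "NotApplicableCount": 7},
]


def classify_instance(state):
    """Return (verdict, reason) for one instance.

    Missing (approved but not installed) and Failed (approved but install
    failed) make the instance NON_COMPLIANT. Installed, Installed_Other and
    Not_Applicable patches never do, so their counts are reported only.
    """
    reasons = []
    if state.get("MissingCount", 0):
        reasons.append(f"{state['MissingCount']} approved patch(es) missing")
    if state.get("FailedCount", 0):
        reasons.append(f"{state['FailedCount']} patch install(s) failed; "
                       "review the AWS-RunPatchBaseline command output")
    if reasons:
        return "NON_COMPLIANT", "; ".join(reasons)
    return "COMPLIANT", "all approved, applicable patches installed"


def triage_patch_group(states):
    """Group instances by verdict and keep the counts a compliance report needs."""
    report = {"COMPLIANT": [], "NON_COMPLIANT": []}
    for s in states:
        verdict, why = classify_instance(s)
        report[verdict].append({
            "InstanceId": s["InstanceId"],
            "Operation": s.get("Operation"),          # Scan or Install
            "InstalledOther": s.get("InstalledOtherCount", 0),  # outside baseline
            "NotApplicable": s.get("NotApplicableCount", 0),
            "Reason": why,
        })
    return report


def fetch_patch_states(ssm, patch_group):
    """Collect every page of the real API; ssm is a boto3 SSM client (assumed).

    Not run offline; shown so triage_patch_group() can be fed live data.
    """
    states, token = [], None
    while True:
        kwargs = {"PatchGroup": patch_group}
        if token:
            kwargs["NextToken"] = token
        page = ssm.describe_instance_patch_states_for_patch_group(**kwargs)
        states.extend(page.get("InstancePatchStates", []))
        token = page.get("NextToken")
        if not token:
            return states


if __name__ == "__main__":
    for verdict, rows in triage_patch_group(SAMPLE_PATCH_STATES).items():
        for row in rows:
            print(verdict, row["InstanceId"], row["Reason"])
```

Scan results surface Missing patches without changing the instance, which is why a Scan-only baseline task is the usual way to measure drift before an Install window; Installed_Other counts are kept in the report because manually installed packages outside the baseline are worth reviewing even though they do not affect compliance.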

To view an example of how to configure patching and how to view patch compliance details by using the AWS CLI, see Systems Manager Patch Manager Walkthroughs.

About Association Compliance

After you create one or more State Manager associations, Configuration Compliance automatically reports association compliance status. You don't need to perform any additional steps to view these statuses. If you want to assign a specific association compliance status to an instance, you can use the PutComplianceItems API action to explicitly assign a status. You can use this API action from the AWS CLI, AWS Tools for Windows PowerShell, or the SDK. You currently can't assign compliance status by using the Amazon EC2 console.

You can view association compliance details in the Amazon EC2 console on the Compliance Configuration page, or you can use the following API actions to view compliance details:

Note

Currently, Configuration Compliance shows compliance statuses of Compliant or Non-compliant and severity of Unspecified.

  • ListComplianceSummaries: Returns a summary count of compliant and non-compliant association statuses according to the filter you specify.

  • ListResourceComplianceSummaries: Returns a resource-level summary count. The summary includes information about compliant and non-compliant statuses and Unspecified counts, according to the filter criteria you specify.

About Custom Compliance

You can assign compliance metadata to a managed instance. This metadata can then be aggregated with other compliance data for compliance reporting purposes. For example, say that your business runs versions 2.0, 3.0, and 4.0 of software X on your managed instances. The company wants to standardize on version 4.0, meaning that instances running versions 2.0 and 3.0 are non-compliant. You can use the PutComplianceItems API action to explicitly note which managed instances are running older versions of software X. Currently you can only assign compliance metadata by using the AWS CLI, AWS Tools for Windows PowerShell, or the SDKs. The following CLI sample command assigns compliance metadata to a managed instance and specifies the compliance type using the required Custom: prefix.

aws ssm put-compliance-items --resource-id i-1234567890 --resource-type ManagedInstance --compliance-type Custom:SoftwareXCheck --execution-summary ExecutionTime=AnyStringToDenoteTimeOrDate --items Id=Version2.0,Title=SoftwareXVersion,Severity=CRITICAL,Status=NON_COMPLIANT

Compliance managers can then view summaries or create reports about which instances are or aren't compliant. You can assign a maximum of 10 different custom compliance types to an instance.
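The software-X scenario and the CLI command above can be driven from the SDK for a whole fleet. The following Python is an added example, not AWS documentation code: it builds PutComplianceItems requests (the same ResourceId, ResourceType, ComplianceType, ExecutionSummary and Items fields the CLI command sets), enforces the Custom: prefix and the 10-custom-types-per-instance limit, and separates request construction from submission so the logic can be checked without an AWS account. The version inventory is constructed; a live submission assumes a boto3 SSM client.

```python
"""Build and submit PutComplianceItems requests for a custom compliance type.

Added example. INVENTORY is a constructed mapping of instance IDs to the
version of "software X" found on each; submit() assumes a boto3 SSM client.
"""
from datetime import datetime, timezone

CUSTOM_TYPE_LIMIT = 10  # at most 10 different custom compliance types per instance
VALID_SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"}
VALID_STATUSES = {"COMPLIANT", "NON_COMPLIANT"}

# Constructed inventory: which version of software X each managed instance runs.
INVENTORY = {
    "i-0bbb000000000001": "4.0",
    "i-0bbb000000000002": "3.0",
    "i-0bbb000000000003": "2.0",
}


def compliance_type(name):
    """Custom compliance types must use the 'Custom:' prefix the API requires."""
    if not name or ":" in name or name.isspace():
        raise ValueError("custom type name must be non-empty and contain no ':'")
    return f"Custom:{name}"


def version_item(found, required, severity="CRITICAL"):
    """One compliance item: COMPLIANT only when the standard version is installed."""
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    status = "COMPLIANT" if found == required else "NON_COMPLIANT"
    assert status in VALID_STATUSES
    return {
        "Id": f"Version{found}",
        "Title": "SoftwareXVersion",
        "Severity": severity,
        "Status": status,
        # Details is a free-form string map; it lets a report show the drift.
        "Details": {"InstalledVersion": found, "RequiredVersion": required},
    }


def build_request(instance_id, found, required, type_name="SoftwareXCheck",
                  existing_custom_types=()):
    """Assemble keyword arguments for ssm.put_compliance_items().

    existing_custom_types lists Custom:* types already assigned to the instance
    (constructed here); adding an 11th distinct type is rejected up front.
    """
    ctype = compliance_type(type_name)
    if ctype not in existing_custom_types and len(existing_custom_types) >= CUSTOM_TYPE_LIMIT:
        raise ValueError(f"{instance_id} already has {CUSTOM_TYPE_LIMIT} custom compliance types")
    return {
        "ResourceId": instance_id,
        "ResourceType": "ManagedInstance",
        "ComplianceType": ctype,
        # The SDK takes a real timestamp where the CLI example used a free-form string.
        "ExecutionSummary": {"ExecutionTime": datetime.now(timezone.utc),
                             "ExecutionType": "Command"},
        "Items": [version_item(found, required)],
    }


def build_fleet_requests(inventory, required="4.0"):
    """One request per instance; instances not on `required` come out NON_COMPLIANT."""
    return [build_request(iid, ver, required) for iid, ver in inventory.items()]


def submit(ssm, request):
    """Send one request; ssm is a boto3 SSM client (assumed). Returns the API response."""
    return ssm.put_compliance_items(**request)


if __name__ == "__main__":
    for req in build_fleet_requests(INVENTORY):
        item = req["Items"][0]
        print(req["ResourceId"], req["ComplianceType"], item["Id"], item["Status"])
```

Once submitted, the Custom:SoftwareXCheck type shows up alongside patch and association data in ListComplianceSummaries and ListResourceComplianceSummaries, so compliance managers can filter on it the same way they filter on Patch or Association results.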

For an example of how to create a custom compliance type and view compliance data, see Systems Manager Configuration Compliance Manager Walkthrough.