Amazon EC2 Systems Manager
User Guide

Systems Manager Patch Manager Walkthroughs

The following walkthroughs show you how to use either the Amazon EC2 console or the AWS CLI to create patch baselines, patch groups, and Maintenance Windows to execute patching.

Before you begin

The following walkthroughs execute patching during a Maintenance Window. You must configure roles and permissions for Maintenance Windows before you begin. For more information, see Controlling Access to Maintenance Windows.

Patch Manager Walkthrough Using the Amazon EC2 Console

The following walkthrough describes how to patch a server environment by using a default patch baseline, patch groups, and a Maintenance Window. To learn more about the processes described in this walkthrough, see Working with Patch Manager.

Before You Begin

Install or update the SSM Agent on your instances. To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update the SSM Agent in Executing Commands from the EC2 Console.

Create a Default Patch Baseline by Using the Amazon EC2 Console

Patch Manager includes a default patch baseline for each operating system supported by Patch Manager. You can use these default patch baselines (you can't customize them), or you can create your own. The following procedure describes how to view the default patch baselines to see if they meet your needs. The procedure also describes how to create your own default patch baseline. To learn more about patch baselines, see Step 1: Verifying Default Patch Baselines, or Creating Your Own.

To create a default patch baseline

  1. Open the Amazon EC2 console, expand Systems Manager Services in the navigation pane, and then choose Patch Baselines.

  2. In the patch baselines list, choose a patch baseline for the operating system you want to patch.

    Note

    If the Welcome to EC2 Systems Manager - Patch Baselines page appears, choose Create Patch Baseline. When the Create patch baseline page appears, choose the back button in your browser to view the list of patch baselines.

  3. With a default baseline selected, choose the Approval Rules tab. If the auto-approval rules are acceptable for your instances, then you can skip to the next procedure.

  4. To create your own default patch baseline, choose Create Patch Baseline.

  5. In the Name field, type a name for your new patch baseline, for example, RHEL-Default.

  6. (Optional) Type a description for this patch baseline.

  7. In the Operating System field, choose an operating system, for example, RedhatEnterpriseLinux.

  8. In the Approval Rules section, use the fields to create one or more auto-approval rules.

    Note

    If an approved patch is reported as missing, Compliance Level is the severity of the compliance violation.

  9. In the Patch Exceptions section, list explicitly approved and rejected patches for the baseline. For approved patches, choose a corresponding compliance severity level.

  10. Choose Create Patch Baseline.

Add Instances to a Patch Group

To help you organize your patching efforts, we recommend that you add instances to patch groups by using Amazon EC2 tags. Patch groups require the tag key Patch Group. You can specify any value, but the tag key must be Patch Group. For more information about patch groups, see Step 2: Organizing Instances into Patch Groups.

To add instances to a patch group

  1. Open the Amazon EC2 console, and then choose Instances in the left navigation.

  2. In the list of instances, choose an instance that you want to configure for patching.

  3. From the Actions menu, choose Instance Settings, Add/Edit Tags.

  4. In the Key field, type Patch Group.

  5. In the Value field, type a value that helps you understand which instances will be patched.

  6. Choose Save.

  7. Repeat this procedure to tag other instances in the same patch group.

Create a Maintenance Window for Patching

To minimize the impact on your server availability, we recommend that you configure a Maintenance Window to execute patching during times that won't interrupt your business operations. For more information about Maintenance Windows, see Systems Manager Maintenance Windows.

To create a Maintenance Window for patching

  1. In the Amazon EC2 console navigation pane, choose Maintenance Window, and then choose Create maintenance window.

  2. In the Name field, type a name that designates this as a Maintenance Window for patching critical and important updates.

  3. In the Specify schedule area, choose the schedule options you want.

  4. In the Duration field, type the number of hours you want the Maintenance Window to be active.

  5. In the Stop initiating tasks field, type the number of hours before the Maintenance Window duration ends that you want the system to stop initiating new tasks.

  6. Choose Create maintenance window.

  7. In the Maintenance Window list, choose the Maintenance Window you just created, and then choose Actions, Register targets.

  8. In the Owner information field, type your name or alias.

  9. In the Select targets by area, choose Specifying tags.

  10. In the Tag Filters section, use the lists to choose a tag key and a tag value.

  11. Choose Register targets. The system creates a Maintenance Window target.

  12. In the Maintenance Window list, choose the Maintenance Window you created with the procedure, and then choose Actions, Register task.

  13. In the Documents section of the Register task page, choose AWS-RunPatchBaseline.

  14. In the Task Priority section, specify a priority. One is the highest priority.

  15. In the Targets section, choose Select, and then choose the Maintenance Window target you created earlier in this procedure.

  16. In the Operation list, choose Scan to scan for missing patches, or choose Install to scan for and install missing patches.

    Note

    The Install operation causes the instance to reboot (if patches are installed). The Scan operation does not cause a reboot.

  17. You don't need to specify anything in the Snapshot Id field. The system automatically generates and provides this parameter.

  18. In the Role field, enter the ARN of a role which has the AmazonSSMMaintenanceWindowRole policy attached to it. For more information, see Controlling Access to Maintenance Windows.

  19. In the Execute on field, choose either Targets or Percent to limit the number of instances where the system can simultaneously perform patching operations.

  20. In the Stop after field, specify the number of allowed errors before the system stops sending the patching task to other instances.

  21. In the Advanced section, choose Write to S3 if you want to write command output and results to an Amazon S3 bucket.

  22. Choose Register task.

After the Maintenance Window task completes, you can view patch compliance details in the Amazon EC2 console on the Managed Instances page. In the filter bar, use the AWS:PatchSummary and AWS:ComplianceItem filters.

(Figure: Patch Manager compliance data)

Note

You can save your query by bookmarking the URL after you specify the filters.

You can also drill down on a specific instance by choosing the instance on the Managed Instances page and then choosing the Patch tab. You can also use the DescribePatchGroupState and DescribeInstancePatchStatesForPatchGroup APIs to view compliance details. For information to help you understand patch compliance data, see About Patch Compliance.

Patch Manager Walkthrough Using the AWS CLI

The following procedure illustrates how a user might patch a server environment by using a custom patch baseline, patch groups, and a Maintenance Window.

Before You Begin

Install or update the SSM Agent on your instances. To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update the SSM Agent in Executing Commands from the EC2 Console.

To configure Patch Manager and patch instances by using the AWS CLI

  1. Download the latest version of the AWS CLI to your local machine.

  2. Open the AWS CLI and run the following command to specify your credentials and a Region. You must either have administrator privileges in Amazon EC2, or you must have been granted the appropriate permission in AWS Identity and Access Management (IAM).

    aws configure

    The system prompts you to specify the following.

    AWS Access Key ID [None]: key_name
    AWS Secret Access Key [None]: key_name
    Default region name [None]: region
    Default output format [None]: ENTER

  3. (Windows) Execute the following command to create a patch baseline named "Production-Baseline" that approves patches for a production environment seven days after they are released.

    aws ssm create-patch-baseline --name "Production-Baseline" --operating-system "WINDOWS" --product "WindowsServer2012R2" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveAfterDays=7}]" --description "Baseline containing all updates approved for production systems"

    (Linux) Execute the following command to create a patch baseline named "Production-Baseline" that approves patches for a production environment seven days after they are released.

    aws ssm create-patch-baseline --name "Production-Baseline" --operating-system "AMAZON_LINUX" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=PRODUCT,Values=[AmazonLinux2016.03,AmazonLinux2016.09,AmazonLinux2017.03,AmazonLinux2017.09]},{Key=SEVERITY,Values=[Critical,Important]},{Key=CLASSIFICATION,Values=[Security]}]},ApproveAfterDays=7}]" --description "Baseline containing all updates approved for production systems"

    The system returns information like the following.

    { "BaselineId":"pb-034cba5a84f030362" }
  4. Execute the following commands to register the "Production-Baseline" patch baseline for three patch groups named "Production," "Database Servers," and "Front-End Patch Group."

    aws ssm register-patch-baseline-for-patch-group --baseline-id pb-034cba5a84f030362 --patch-group "Production"

    The system returns information like the following.

    { "PatchGroup":"Production", "BaselineId":"pb-034cba5a84f030362" }

    aws ssm register-patch-baseline-for-patch-group --baseline-id pb-034cba5a84f030362 --patch-group "Database Servers"

    The system returns information like the following.

    { "PatchGroup":"Database Servers", "BaselineId":"pb-034cba5a84f030362" }
  5. Execute the following commands to create two Maintenance Windows for the production servers. The first window runs every Tuesday at 10 PM. The second window runs every Saturday at 10 PM.

    aws ssm create-maintenance-window --name "Production-Tuesdays" --schedule "cron(0 0 22 ? * TUE *)" --duration 1 --cutoff 0 --no-allow-unassociated-targets

    The system returns information like the following.

    { "WindowId":"mw-0c66948c711a3b5bd" }

    aws ssm create-maintenance-window --name "Production-Saturdays" --schedule "cron(0 0 22 ? * SAT *)" --duration 2 --cutoff 0 --no-allow-unassociated-targets

    The system returns information like the following.

    { "WindowId":"mw-09e2a75baadd84e85" }
  6. Execute the following commands to register the Production servers with the two production Maintenance Windows.

    aws ssm register-target-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=tag:Patch Group,Values=Production" --owner-information "Production servers" --resource-type "INSTANCE"

    The system returns information like the following.

    { "WindowTargetId":"557e7b3a-bc2f-48dd-ae05-e282b5b20760" }

    aws ssm register-target-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=tag:Patch Group,Values=Database Servers" --owner-information "Database servers" --resource-type "INSTANCE"

    The system returns information like the following.

    { "WindowTargetId":"767b6508-f4ac-445e-b6fe-758cc912e55c" }

    aws ssm register-target-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=tag:Patch Group,Values=Production" --owner-information "Production servers" --resource-type "INSTANCE"

    The system returns information like the following.

    { "WindowTargetId":"faa01c41-1d57-496c-ba77-ff9cadba4b7d" }

    aws ssm register-target-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=tag:Patch Group,Values=Database Servers" --owner-information "Database servers" --resource-type "INSTANCE"

    The system returns information like the following.

    { "WindowTargetId":"673b5840-58a4-42ab-8b80-95749677cb2e" }
  7. Execute the following commands to register a patch task that only scans the production servers for missing updates in the first production Maintenance Window.

    aws ssm register-task-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=WindowTargetIds,Values=557e7b3a-bc2f-48dd-ae05-e282b5b20760" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 1 --task-parameters '{"Operation":{"Values":["Scan"]}}'

    The system returns information like the following.

    { "WindowTaskId":"968e3b17-8591-4fb2-932a-b62389d6f635" }

    aws ssm register-task-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=WindowTargetIds,Values=767b6508-f4ac-445e-b6fe-758cc912e55c" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 5 --task-parameters '{"Operation":{"Values":["Scan"]}}'

    The system returns information like the following.

    { "WindowTaskId":"09f2e873-a3a7-443f-ba0a-05cf4de5a1c7" }
  8. Execute the following commands to register a patch task that installs missing updates on the production servers in the second Maintenance Window.

    aws ssm register-task-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=WindowTargetIds,Values=557e7b3a-bc2f-48dd-ae05-e282b5b20760" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 1 --task-parameters '{"Operation":{"Values":["Install"]}}'

    The system returns information like the following.

    { "WindowTaskId":"968e3b17-8591-4fb2-932a-b62389d6f635" }

    aws ssm register-task-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=WindowTargetIds,Values=767b6508-f4ac-445e-b6fe-758cc912e55c" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 5 --task-parameters '{"Operation":{"Values":["Install"]}}'

    The system returns information like the following.

    { "WindowTaskId":"09f2e873-a3a7-443f-ba0a-05cf4de5a1c7" }
  9. Execute the following command to get the high-level patch compliance summary for a patch group. The high-level patch compliance summary gives you the number of instances with patches in the following states for a patch group: "NotApplicable," "Missing," "Failed," "InstalledOther," and "Installed."

    aws ssm describe-patch-group-state --patch-group "Production"

    The system returns information like the following.

    { "InstancesWithNotApplicablePatches":0, "InstancesWithMissingPatches":0, "InstancesWithFailedPatches":1, "InstancesWithInstalledOtherPatches":4, "Instances":4, "InstancesWithInstalledPatches":3 }
  10. Execute the following command to get patch summary states per-instance for a patch group. The per-instance summary gives you a number of patches in the following states per instance for a patch group: "NotApplicable," "Missing," "Failed," "InstalledOther," and "Installed."

    aws ssm describe-instance-patch-states-for-patch-group --patch-group "Production"

    The system returns information like the following.

    { "InstancePatchStates":[ { "OperationStartTime":1481259600.0, "FailedCount":0, "InstanceId":"i-08ee91c0b17045407", "OwnerInformation":"", "NotApplicableCount":2077, "OperationEndTime":1481259757.0, "PatchGroup":"Production", "InstalledOtherCount":186, "MissingCount":7, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":72 }, { "OperationStartTime":1481259602.0, "FailedCount":0, "InstanceId":"i-0fff3aab684d01b23", "OwnerInformation":"", "NotApplicableCount":2692, "OperationEndTime":1481259613.0, "PatchGroup":"Production", "InstalledOtherCount":3, "MissingCount":1, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":1 }, { "OperationStartTime":1481259547.0, "FailedCount":0, "InstanceId":"i-0a00def7faa94f1dc", "OwnerInformation":"", "NotApplicableCount":1859, "OperationEndTime":1481259592.0, "PatchGroup":"Production", "InstalledOtherCount":116, "MissingCount":1, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":110 }, { "OperationStartTime":1481259549.0, "FailedCount":0, "InstanceId":"i-09a618aec652973a9", "OwnerInformation":"", "NotApplicableCount":1637, "OperationEndTime":1481259837.0, "PatchGroup":"Production", "InstalledOtherCount":388, "MissingCount":2, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":141 } ] }
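To act on the output of steps 9 and 10 rather than read it by hand, here is an added Python example (not part of the AWS walkthrough) that parses describe-instance-patch-states-for-patch-group output, rebuilds the per-group summary that describe-patch-group-state reports, and flags instances with missing or failed patches or a stale last scan. The JSON is a constructed sample modelled on the output above; the function names and the 7-day staleness threshold are my own choices.

```python
import json
import time

# Constructed sample in the shape of the describe-instance-patch-states-for-patch-group
# output, trimmed to the fields the checks use. The first two records reuse counts and
# timestamps from the walkthrough output; the third is constructed with one failed patch
# and an old scan so that both of those failure paths are exercised.
INSTANCE_STATES = json.dumps({"InstancePatchStates": [
    {"InstanceId": "i-08ee91c0b17045407", "PatchGroup": "Production", "Operation": "Scan",
     "OperationEndTime": 1481259757.0, "FailedCount": 0, "MissingCount": 7,
     "InstalledCount": 72, "InstalledOtherCount": 186, "NotApplicableCount": 2077},
    {"InstanceId": "i-0fff3aab684d01b23", "PatchGroup": "Production", "Operation": "Scan",
     "OperationEndTime": 1481259613.0, "FailedCount": 0, "MissingCount": 1,
     "InstalledCount": 1, "InstalledOtherCount": 3, "NotApplicableCount": 2692},
    {"InstanceId": "i-0a00def7faa94f1dc", "PatchGroup": "Production", "Operation": "Scan",
     "OperationEndTime": 1480000000.0, "FailedCount": 1, "MissingCount": 0,  # constructed
     "InstalledCount": 110, "InstalledOtherCount": 116, "NotApplicableCount": 1859},
]})

# The five patch states the walkthrough lists for a patch group.
PATCH_STATES = ("NotApplicable", "Missing", "Failed", "InstalledOther", "Installed")
DAY = 86400  # seconds


def summarize_patch_group(raw_json):
    """Rebuild the describe-patch-group-state style summary: for each state, the
    number of instances that have at least one patch in that state."""
    states = json.loads(raw_json)["InstancePatchStates"]
    summary = {"Instances": len(states)}
    for name in PATCH_STATES:
        key = name + "Count"
        summary["InstancesWith%sPatches" % name] = sum(
            1 for st in states if st.get(key, 0) > 0)
    return summary


def noncompliant_instances(raw_json, max_scan_age_days=7, now=None):
    """Map instance ID -> reasons for instances that need attention: missing patches,
    failed installs, or a last Scan/Install older than max_scan_age_days (stale data
    means the compliance picture itself cannot be trusted). `now` is a Unix time."""
    now = time.time() if now is None else now
    findings = {}
    for st in json.loads(raw_json)["InstancePatchStates"]:
        reasons = []
        if st.get("MissingCount", 0) > 0:
            reasons.append("%d missing" % st["MissingCount"])
        if st.get("FailedCount", 0) > 0:
            reasons.append("%d failed" % st["FailedCount"])
        age_days = int((now - st["OperationEndTime"]) // DAY)
        if age_days > max_scan_age_days:
            reasons.append("last %s %d days ago" % (st["Operation"], age_days))
        if reasons:
            findings[st["InstanceId"]] = reasons
    return findings


if __name__ == "__main__":
    print(json.dumps(summarize_patch_group(INSTANCE_STATES), indent=2))
    for instance, reasons in noncompliant_instances(INSTANCE_STATES).items():
        print(instance, "; ".join(reasons))
```

Pipe the real command output into `summarize_patch_group` and `noncompliant_instances` to get the same report for a live patch group.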

Additional Patch Manager CLI Commands

This section includes additional examples of CLI commands that you can use to perform Patch Manager configuration tasks.

Create a patch baseline

The following command creates a patch baseline that approves all critical and important security updates for Windows Server 2012 R2 five days after they are released.

aws ssm create-patch-baseline --name "Windows-Server-2012R2" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]" --description "Windows Server 2012 R2, Important and Critical security updates"

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3" }

Update a patch baseline

The following command adds two patches as rejected and one patch as approved to an existing patch baseline.

aws ssm update-patch-baseline --baseline-id pb-00dbb759999aa2bc3 --rejected-patches "KB2032276" "MS10-048" --approved-patches "KB2124261"

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3", "Name":"Windows-Server-2012R2", "RejectedPatches":[ "KB2032276", "MS10-048" ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1481001494.035, "CreatedDate":1480997823.81, "ApprovedPatches":[ "KB2124261" ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }

Rename a patch baseline

aws ssm update-patch-baseline --baseline-id pb-00dbb759999aa2bc3 --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3", "Name":"Windows-Server-2012-R2-Important-and-Critical-Security-Updates", "RejectedPatches":[ "KB2032276", "MS10-048" ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1481001795.287, "CreatedDate":1480997823.81, "ApprovedPatches":[ "KB2124261" ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }

Delete a patch baseline

aws ssm delete-patch-baseline --baseline-id "pb-0a34d8c0f03c1e529"

The system returns information like the following.

{ "BaselineId":"pb-0a34d8c0f03c1e529" }

List all patch baselines

aws ssm describe-patch-baselines

The system returns information like the following.

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339" }, { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-00dbb759999aa2bc3" } ] }

Here is another command that lists all patch baselines in a Region.

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[All]"

The system returns information like the following.

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339" }, { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-00dbb759999aa2bc3" } ] }

List all AWS provided patch baselines

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[AWS]"

The system returns information like the following.

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339" } ] }

List my patch baselines

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[Self]"

The system returns information like the following.

{ "BaselineIdentities":[ { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-00dbb759999aa2bc3" } ] }

Display a patch baseline

aws ssm get-patch-baseline --baseline-id pb-00dbb759999aa2bc3

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3", "Name":"Windows-Server-2012R2", "PatchGroups":[ "Web Servers" ], "RejectedPatches":[ ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1480997823.81, "CreatedDate":1480997823.81, "ApprovedPatches":[ ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }

Get the default patch baseline

aws ssm get-default-patch-baseline --region us-west-1

The system returns information like the following.

{ "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Set the default patch baseline

aws ssm register-default-patch-baseline --region us-west-1 --baseline-id "pb-08b654cf9b9681f04"

The system returns information like the following.

{ "BaselineId":"pb-08b654cf9b9681f04" }

Register a patch group "Web Servers" with a patch baseline

aws ssm register-patch-baseline-for-patch-group --baseline-id "pb-00dbb759999aa2bc3" --patch-group "Web Servers"

The system returns information like the following.

{ "PatchGroup":"Web Servers", "BaselineId":"pb-00dbb759999aa2bc3" }

Register a patch group "Backend" with the AWS-provided patch baseline

aws ssm register-patch-baseline-for-patch-group --region us-west-1 --baseline-id "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" --patch-group "Backend"

The system returns information like the following.

{ "PatchGroup":"Backend", "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Display patch group registrations

aws ssm describe-patch-groups --region us-west-1

The system returns information like the following.

{ "PatchGroupPatchBaselineMappings":[ { "PatchGroup":"Backend", "BaselineIdentity":{ "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":false, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" } }, { "PatchGroup":"Web Servers", "BaselineIdentity":{ "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":true, "BaselineDescription":"Windows Server 2012 R2, Important and Critical updates", "BaselineId":"pb-08b654cf9b9681f04" } } ] }

Deregister a patch group from a patch baseline

aws ssm deregister-patch-baseline-for-patch-group --region us-west-1 --patch-group "Production" --baseline-id "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"

The system returns information like the following.

{ "PatchGroup":"Production", "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Get all patches defined by a patch baseline

aws ssm describe-effective-patches-for-patch-baseline --region us-west-1 --baseline-id "pb-08b654cf9b9681f04"

The system returns information like the following.

{ "NextToken":"--token string truncated--", "EffectivePatches":[ { "PatchStatus":{ "ApprovalDate":1384711200.0, "DeploymentStatus":"APPROVED" }, "Patch":{ "ContentUrl":"https://support.microsoft.com/en-us/kb/2876331", "ProductFamily":"Windows", "Product":"WindowsServer2012R2", "Vendor":"Microsoft", "Description":"A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2012 R2 Preview (KB2876331)", "ReleaseDate":1384279200.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2876331", "MsrcNumber":"MS13-089", "Id":"e74ccc76-85f0-4881-a738-59e9fc9a336d" } }, { "PatchStatus":{ "ApprovalDate":1428858000.0, "DeploymentStatus":"APPROVED" }, "Patch":{ "ContentUrl":"https://support.microsoft.com/en-us/kb/2919355", "ProductFamily":"Windows", "Product":"WindowsServer2012R2", "Vendor":"Microsoft", "Description":"Windows Server 2012 R2 Update is a cumulative set of security updates, critical updates and updates. You must install Windows Server 2012 R2 Update to ensure that your computer can continue to receive future Windows Updates, including security updates. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.", "Classification":"SecurityUpdates", "Title":"Windows Server 2012 R2 Update (KB2919355)", "ReleaseDate":1428426000.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2919355", "MsrcNumber":"MS14-018", "Id":"8452bac0-bf53-4fbd-915d-499de08c338b" } } ---output truncated---
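As an added example (not AWS code) of checking what an approval rule actually yields, the following Python reads describe-effective-patches-for-patch-baseline output, verifies that each auto-approved patch's ApprovalDate sits exactly ApproveAfterDays after its ReleaseDate, and lists the Critical patches that are already released but not yet approved at a given time, which is the exposure window the approval delay creates. The JSON is a constructed sample built from the two records above plus one constructed record; the function names are my own, and the DeploymentStatus values are assumed to follow the API's APPROVED / PENDING_APPROVAL vocabulary.

```python
import json

DAY = 86400  # seconds

# Constructed sample in the shape of the describe-effective-patches-for-patch-baseline
# output, trimmed to the fields the checks use. The first two records reuse the dates
# from the output above (a 5-day gap, matching ApproveAfterDays=5); the third is a
# constructed placeholder whose approval date is only 3 days after release.
EFFECTIVE_PATCHES = json.dumps({"EffectivePatches": [
    {"PatchStatus": {"ApprovalDate": 1384711200.0, "DeploymentStatus": "APPROVED"},
     "Patch": {"KbNumber": "KB2876331", "MsrcNumber": "MS13-089",
               "MsrcClassification": "Critical", "ReleaseDate": 1384279200.0}},
    {"PatchStatus": {"ApprovalDate": 1428858000.0, "DeploymentStatus": "APPROVED"},
     "Patch": {"KbNumber": "KB2919355", "MsrcNumber": "MS14-018",
               "MsrcClassification": "Critical", "ReleaseDate": 1428426000.0}},
    {"PatchStatus": {"ApprovalDate": 1400000000.0 + 3 * DAY, "DeploymentStatus": "APPROVED"},
     "Patch": {"KbNumber": "KB0000000", "MsrcNumber": "MS00-000",  # constructed placeholder
               "MsrcClassification": "Important", "ReleaseDate": 1400000000.0}},
]})


def approval_delay_violations(raw_json, approve_after_days):
    """Return (KbNumber, actual_delay_days) for APPROVED patches whose approval date
    is not exactly approve_after_days after the vendor release date, i.e. patches the
    baseline's auto-approval rule does not account for."""
    violations = []
    for entry in json.loads(raw_json)["EffectivePatches"]:
        status, patch = entry["PatchStatus"], entry["Patch"]
        if status["DeploymentStatus"] != "APPROVED":
            continue
        delay_days = (status["ApprovalDate"] - patch["ReleaseDate"]) / DAY
        if delay_days != approve_after_days:
            violations.append((patch["KbNumber"], delay_days))
    return violations


def exposure_window(raw_json, as_of, severities=("Critical",)):
    """KBs of the given MSRC severities that are released but not yet approved at
    Unix time `as_of`: the patches an Install run at that moment would skip."""
    pending = []
    for entry in json.loads(raw_json)["EffectivePatches"]:
        patch, status = entry["Patch"], entry["PatchStatus"]
        released = patch["ReleaseDate"] <= as_of
        approved = (status["DeploymentStatus"] == "APPROVED"
                    and status["ApprovalDate"] <= as_of)
        if released and not approved and patch["MsrcClassification"] in severities:
            pending.append(patch["KbNumber"])
    return pending


if __name__ == "__main__":
    print("delay violations:", approval_delay_violations(EFFECTIVE_PATCHES, 5))
    # Two days after KB2876331's release the 5-day rule has not approved it yet.
    print("not yet approved:", exposure_window(EFFECTIVE_PATCHES, 1384279200.0 + 2 * DAY))
```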

Get all patches for Windows Server 2012 that have an MSRC severity of Critical

aws ssm describe-available-patches --region us-west-1 --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical

The system returns information like the following.

{ "Patches":[ { "ContentUrl":"https://support.microsoft.com/en-us/kb/2727528", "ProductFamily":"Windows", "Product":"WindowsServer2012", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2012 (KB2727528)", "ReleaseDate":1352829600.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2727528", "MsrcNumber":"MS12-072", "Id":"1eb507be-2040-4eeb-803d-abc55700b715" }, { "ContentUrl":"https://support.microsoft.com/en-us/kb/2729462", "ProductFamily":"Windows", "Product":"WindowsServer2012", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)", "ReleaseDate":1352829600.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2729462", "MsrcNumber":"MS12-074", "Id":"af873760-c97c-4088-ab7e-5219e120eab4" } ---output truncated---

Get all available patches

aws ssm describe-available-patches --region us-west-1

The system returns information like the following.

{ "NextToken":"--token string truncated--", "Patches":[ { "ContentUrl":"https://support.microsoft.com/en-us/kb/2032276", "ProductFamily":"Windows", "Product":"WindowsServer2008R2", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)", "ReleaseDate":1279040400.0, "MsrcClassification":"Important", "Language":"All", "KbNumber":"KB2032276", "MsrcNumber":"MS10-043", "Id":"8692029b-a3a2-4a87-a73b-8ea881b4b4d6" }, { "ContentUrl":"https://support.microsoft.com/en-us/kb/2124261", "ProductFamily":"Windows", "Product":"Windows7", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows 7 (KB2124261)", "ReleaseDate":1284483600.0, "MsrcClassification":"Important", "Language":"All", "KbNumber":"KB2124261", "MsrcNumber":"MS10-065", "Id":"12ef1bed-0dd2-4633-b3ac-60888aa8ba33" } ---output truncated---

Tag a patch baseline

aws ssm add-tags-to-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081" --tags "Key=Project,Value=Testing"

List the tags for a patch baseline

aws ssm list-tags-for-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081"

Remove a tag from a patch baseline

aws ssm remove-tags-from-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081" --tag-keys "Project"

Get patch summary states per-instance

The per-instance summary gives you a number of patches in the following states per instance: "NotApplicable", "Missing", "Failed", "InstalledOther" and "Installed".

aws ssm describe-instance-patch-states --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9 i-0a00def7faa94f1c i-0fff3aab684d01b23

The system returns information like the following.

{ "InstancePatchStates":[ { "OperationStartTime":"2016-12-09T05:00:00Z", "FailedCount":0, "InstanceId":"i-08ee91c0b17045407", "OwnerInformation":"", "NotApplicableCount":2077, "OperationEndTime":"2016-12-09T05:02:37Z", "PatchGroup":"Production", "InstalledOtherCount":186, "MissingCount":7, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":72 }, { "OperationStartTime":"2016-12-09T04:59:09Z", "FailedCount":0, "InstanceId":"i-09a618aec652973a9", "OwnerInformation":"", "NotApplicableCount":1637, "OperationEndTime":"2016-12-09T05:03:57Z", "PatchGroup":"Production", "InstalledOtherCount":388, "MissingCount":2, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":141 } ---output truncated---

Get patch compliance details for an instance

aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407

The system returns information like the following.

{ "NextToken":"--token string truncated--", "Patches":[ { "KBId":"KB2919355", "Severity":"Critical", "Classification":"SecurityUpdates", "Title":"Windows 8.1 Update for x64-based Systems (KB2919355)", "State":"Installed", "InstalledTime":"2014-03-18T12:00:00Z" }, { "KBId":"KB2977765", "Severity":"Important", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2 x64-based Systems (KB2977765)", "State":"Installed", "InstalledTime":"2014-10-15T12:00:00Z" }, { "KBId":"KB2978126", "Severity":"Important", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 (KB2978126)", "State":"Installed", "InstalledTime":"2014-11-18T12:00:00Z" }, ---output truncated---