Amazon EC2 Systems Manager
User Guide

Systems Manager Patch Manager Walkthrough

The following walkthroughs show you how to use either the Amazon EC2 console or the AWS CLI to create patch baselines, patch groups, and Maintenance Windows to execute patching.

Configure Your Instances

The walkthroughs are designed to illustrate how to use Patch Manager. If you want to perform the steps in the walkthroughs on your instances, then you must configure your instances with an AWS Identity and Access Management (IAM) role for Systems Manager, assign Amazon EC2 tags to your instances, and verify that the latest version of the SSM Agent is installed on your instances.

  • Assign an IAM role: You can use the Amazon EC2 Role for Systems Manager with the AmazonEC2RoleforSSM managed policy. You can associate the IAM role when you create a new instance, or you can attach it to an existing instance. For more information, see Working with IAM Roles in the Amazon EC2 User Guide.

  • Assign EC2 tags: The walkthroughs use patch groups, which are Amazon EC2 tags. Assign tags to your instances. The key for a patch group tag must be Patch Group. Note that the key is case sensitive. The value can be anything you want to specify, but the key must be Patch Group. For more information about Amazon EC2 tags, see Tagging Your Amazon EC2 Resources in the Amazon EC2 User Guide.

  • Update the SSM Agent: For more information, see Updating the EC2Config Service Using Systems Manager Run Command.

Grant Your User Account Access to the Systems Manager API

Your user account must be configured to communicate with the Systems Manager API. Use the following procedure to attach a managed IAM policy to your user account that grants you full access to Systems Manager API actions.

To create the IAM policy for your user account

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies. (If this is your first time using IAM, choose Get Started, and then choose Create Policy.)

  3. In the Filter field, type AmazonSSMFullAccess and press Enter.

  4. Select the check box next to AmazonSSMFullAccess and then choose Policy Actions, Attach.

  5. On the Attach Policy page, choose your user account and then choose Attach Policy.

Configure PassRole Permissions for a Maintenance Window

The walkthroughs perform the patch operation by using a Maintenance Window task. Systems Manager must assume your role so that it has permission to perform the actions you specify for your Maintenance Window. Use the following procedure to attach the iam:PassRole policy to your existing IAM user account, or create a new IAM account and attach this policy to it. If you create a new account, you must also attach the AmazonSSMFullAccess policy so the account can communicate with the Systems Manager API. If you need to create a new user account, see Creating an IAM User in Your AWS Account in the IAM User Guide.

To attach the iam:PassRole policy to your user account

  1. In the IAM console navigation pane, choose Users and then double-click your user account.

  2. In the Managed Policies section, verify that either the AmazonSSMFullAccess policy is listed or there is a comparable policy that gives you permission to the Systems Manager API.

  3. In the Inline Policies section, choose Create User Policy. If you don't see this button, choose the down arrow beside Inline Policies, and then choose click here.

  4. On the Set Permissions page, choose Policy Generator, and then choose Select.

  5. Verify that Effect is set to Allow.

  6. From AWS Services choose AWS Identity and Access Management.

  7. From Actions choose PassRole.

  8. In the Amazon Resource Name (ARN) field, paste the role ARN you created in the previous procedure.

  9. Choose Add Statement, and then choose Next Step.

  10. On the Review Policy page, choose Apply Policy.

Patch Manager Walkthrough Using the EC2 Console

The following procedures illustrate how to patch a server environment by using the AWS-DefaultPatchBaseline, patch groups, and a Maintenance Window.

To verify the AWS-DefaultPatchBaseline

  1. Open the Amazon EC2 console, expand Systems Manager Services in the navigation pane, and then choose Patch Baselines.

  2. In the patch baselines list, choose AWS-DefaultPatchBaseline.

    Note

    If the Welcome to EC2 Systems Manager - Patch Baselines page appears, choose Create Patch Baseline. When the Create patch baseline page appears, choose the back button in your browser to view the patch baselines list.

  3. With the AWS-DefaultPatchBaseline selected, choose the Approval Rules tab. Verify that auto-approving all critical and security updates with a severity of Critical or Important seven days after they are released by Microsoft is acceptable for your instances.

To create a Maintenance Window for patching

  1. In the Amazon EC2 console navigation pane, choose Maintenance Windows, and then choose Create maintenance window.

  2. In the Name field, type a name that designates this as a maintenance window for patching critical and important updates.

  3. In the Specify schedule area, choose the schedule options you want.

  4. In the Duration field, type the number of hours you want the Maintenance Window to be active.

  5. In the Stop initiating tasks field, type the number of hours before the Maintenance Window duration ends that you want the system to stop initiating new tasks.

  6. Choose Create maintenance window.

  7. In the Maintenance Window list, choose the Maintenance Window you just created, and then choose Actions, Register targets.

  8. In the Owner information field, type your name or alias.

  9. In the Select targets by area, choose Specifying tags.

  10. In the Tag Filters section, in the Tag Name list, choose Patch Group.

    Note

    If you don't see this tag name in the list, then you might not have tagged your instances with the EC2 tags required for Patch Manager.

  11. In the Tag Value list, choose the value you want, and then choose Register targets. The system creates a Maintenance Window target.

  12. In the Maintenance Window list, choose the Maintenance Window you created with the procedure, and then choose Actions, Register task.

  13. In the Documents section of the Register task page, choose AWS-ApplyPatchBaseline.

  14. In the Task Priority section, specify a priority. One is the highest priority.

  15. In the Targets section, choose Select, and then choose the Maintenance Window target you created earlier in this procedure.

  16. In the Operation list, choose Scan to scan for missing patches, or choose Install to scan for and install missing patches.

    Note

    Installing missing patches will reboot the instance. Scanning does not cause a reboot.

  17. You don't need to specify anything in the Snapshot Id field. The system automatically generates and provides this parameter.

  18. In the Role field, enter the ARN of a role that has the AmazonSSMMaintenanceWindowRole policy attached to it. For more information, see Configuring Access to Maintenance Windows.

  19. In the Execute on field, choose either Targets or Percent to limit the number of instances where the system can simultaneously perform patching operations.

  20. In the Stop after field, specify the number of allowed errors before the system stops sending the patching task to other instances.

  21. In the Advanced section, choose Write to S3 if you want to write command output and results to an Amazon S3 bucket.

  22. Choose Register task.

After the Maintenance Window task completes, you can view patch compliance details in the Amazon EC2 console on the Managed Instances page. In the filter bar, use the AWS: PatchSummary and AWS: PatchCompliance filters.

Figure: Patch Manager compliance data

Note

You can save your query by bookmarking the URL after you specify the filters.

You can also drill down on a specific instance by choosing the instance on the Managed Instances page, and then choosing the Patch tab. You can also use the DescribePatchGroupState and DescribeInstancePatchStatesForPatchGroup APIs to view compliance details. For more information, see the Amazon EC2 Systems Manager API Reference.

Patch Manager Walkthrough Using the AWS CLI

The following procedure illustrates how a user might patch a server environment by using a custom patch baseline, patch groups, and a Maintenance Window.

To configure Patch Manager and patch instances by using the AWS CLI

  1. Download the AWS CLI to your local machine.

  2. Open the AWS CLI and execute the following command to create a patch baseline named "Production-Baseline" that approves patches for a production environment seven days after they are released by Microsoft.

    aws ssm create-patch-baseline --name "Production-Baseline" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important,Moderate]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveAfterDays=7}]" --description "Baseline containing all updates approved for production systems"

    The system returns information like the following.

    { "BaselineId":"pb-034cba5a84f030362" }

  3. Execute the following command once per patch group to register the "Production-Baseline" patch baseline for three patch groups named "Production," "Database Servers," and "Front-End Patch Group." The first two registrations are shown.

    aws ssm register-patch-baseline-for-patch-group --baseline-id pb-034cba5a84f030362 --patch-group "Production"

    The system returns information like the following.

    { "PatchGroup":"Production", "BaselineId":"pb-034cba5a84f030362" }

    aws ssm register-patch-baseline-for-patch-group --baseline-id pb-034cba5a84f030362 --patch-group "Database Servers"

    The system returns information like the following.

    { "PatchGroup":"Database Servers", "BaselineId":"pb-034cba5a84f030362" }

  4. Execute the following commands to create two Maintenance Windows for the production servers. The first window runs every Tuesday at 10 PM. The second window runs every Saturday at 10 PM.

    aws ssm create-maintenance-window --name "Production-Tuesdays" --schedule "cron(0 0 22 ? * TUE *)" --duration 1 --cutoff 0 --no-allow-unassociated-targets

    The system returns information like the following.

    { "WindowId":"mw-0c66948c711a3b5bd" }

    aws ssm create-maintenance-window --name "Production-Saturdays" --schedule "cron(0 0 22 ? * SAT *)" --duration 2 --cutoff 0 --no-allow-unassociated-targets

    The system returns information like the following.

    { "WindowId":"mw-09e2a75baadd84e85" }

  5. Execute the following commands to register the Production servers with the two production Maintenance Windows.

    aws ssm register-target-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=tag:Patch Group,Values=Production" --owner-information "Production servers" --resource-type "INSTANCE"

    The system returns information like the following.

    { "WindowTargetId":"557e7b3a-bc2f-48dd-ae05-e282b5b20760" }

    aws ssm register-target-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=tag:Patch Group,Values=Database Servers" --owner-information "Database servers" --resource-type "INSTANCE"

    The system returns information like the following.

    { "WindowTargetId":"767b6508-f4ac-445e-b6fe-758cc912e55c" }

    aws ssm register-target-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=tag:Patch Group,Values=Production" --owner-information "Production servers" --resource-type "INSTANCE"

    The system returns information like the following.

    { "WindowTargetId":"faa01c41-1d57-496c-ba77-ff9cadba4b7d" }

    aws ssm register-target-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=tag:Patch Group,Values=Database Servers" --owner-information "Database servers" --resource-type "INSTANCE"

    The system returns information like the following.

    { "WindowTargetId":"673b5840-58a4-42ab-8b80-95749677cb2e" }

  6. Execute the following commands to register a patch task that only scans the production servers for missing updates in the first production Maintenance Window.

    aws ssm register-task-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=WindowTargetIds,Values=557e7b3a-bc2f-48dd-ae05-e282b5b20760" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 1 --task-parameters '{"Operation":{"Values":["Scan"]}}'

    The system returns information like the following.

    { "WindowTaskId":"968e3b17-8591-4fb2-932a-b62389d6f635" }

    aws ssm register-task-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=WindowTargetIds,Values=767b6508-f4ac-445e-b6fe-758cc912e55c" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 5 --task-parameters '{"Operation":{"Values":["Scan"]}}'

    The system returns information like the following.

    { "WindowTaskId":"09f2e873-a3a7-443f-ba0a-05cf4de5a1c7" }

  7. Execute the following commands to register a patch task that installs missing updates on the production servers in the second Maintenance Window.

    aws ssm register-task-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=WindowTargetIds,Values=557e7b3a-bc2f-48dd-ae05-e282b5b20760" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 1 --task-parameters '{"Operation":{"Values":["Install"]}}'

    The system returns information like the following.

    { "WindowTaskId":"968e3b17-8591-4fb2-932a-b62389d6f635" }

    aws ssm register-task-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=WindowTargetIds,Values=767b6508-f4ac-445e-b6fe-758cc912e55c" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 5 --task-parameters '{"Operation":{"Values":["Install"]}}'

    The system returns information like the following.

    { "WindowTaskId":"09f2e873-a3a7-443f-ba0a-05cf4de5a1c7" }

  8. Execute the following command to get the high-level patch compliance summary for a patch group. The high-level patch compliance summary gives you the number of instances with patches in the following states for a patch group: "NotApplicable," "Missing," "Failed," "InstalledOther," and "Installed."

    aws ssm describe-patch-group-state --patch-group "Production"

    The system returns information like the following.

    { "InstancesWithNotApplicablePatches":0, "InstancesWithMissingPatches":0, "InstancesWithFailedPatches":1, "InstancesWithInstalledOtherPatches":4, "Instances":4, "InstancesWithInstalledPatches":3 }

  9. Execute the following command to get patch summary states per instance for a patch group. The per-instance summary gives you the number of patches in each of the following states for every instance in the patch group: "NotApplicable," "Missing," "Failed," "InstalledOther," and "Installed."

    aws ssm describe-instance-patch-states-for-patch-group --patch-group "Production"

    The system returns information like the following.

    { "InstancePatchStates":[ { "OperationStartTime":1481259600.0, "FailedCount":0, "InstanceId":"i-08ee91c0b17045407", "OwnerInformation":"", "NotApplicableCount":2077, "OperationEndTime":1481259757.0, "PatchGroup":"Production", "InstalledOtherCount":186, "MissingCount":7, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":72 }, { "OperationStartTime":1481259602.0, "FailedCount":0, "InstanceId":"i-0fff3aab684d01b23", "OwnerInformation":"", "NotApplicableCount":2692, "OperationEndTime":1481259613.0, "PatchGroup":"Production", "InstalledOtherCount":3, "MissingCount":1, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":1 }, { "OperationStartTime":1481259547.0, "FailedCount":0, "InstanceId":"i-0a00def7faa94f1dc", "OwnerInformation":"", "NotApplicableCount":1859, "OperationEndTime":1481259592.0, "PatchGroup":"Production", "InstalledOtherCount":116, "MissingCount":1, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":110 }, { "OperationStartTime":1481259549.0, "FailedCount":0, "InstanceId":"i-09a618aec652973a9", "OwnerInformation":"", "NotApplicableCount":1637, "OperationEndTime":1481259837.0, "PatchGroup":"Production", "InstalledOtherCount":388, "MissingCount":2, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":141 } ] }
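
The group-level counters in step 8 are derived from the per-instance states in step 9: an instance is counted under a state as soon as it has at least one patch in that state. The following script is an added example, not part of the AWS documentation; it rebuilds the describe-patch-group-state summary from a constructed describe-instance-patch-states-for-patch-group response (adapted from the sample above, with one failed install added) and lists the instances that need follow-up.

```python
"""Aggregate per-instance patch states into the patch-group summary.

Added example, not from the AWS documentation. In practice the input
would be the JSON printed by
  aws ssm describe-instance-patch-states-for-patch-group --patch-group Production
Here it is constructed inline so the script runs offline.
"""
import json

# Constructed sample shaped like the step 9 output; the last instance has a
# failed Install so that the failed-patches counter is exercised.
SAMPLE_RESPONSE = json.dumps({
    "InstancePatchStates": [
        {"InstanceId": "i-08ee91c0b17045407", "PatchGroup": "Production",
         "Operation": "Scan", "FailedCount": 0, "MissingCount": 7,
         "InstalledCount": 72, "InstalledOtherCount": 186,
         "NotApplicableCount": 2077},
        {"InstanceId": "i-0fff3aab684d01b23", "PatchGroup": "Production",
         "Operation": "Scan", "FailedCount": 0, "MissingCount": 1,
         "InstalledCount": 1, "InstalledOtherCount": 3,
         "NotApplicableCount": 2692},
        {"InstanceId": "i-0a00def7faa94f1dc", "PatchGroup": "Production",
         "Operation": "Scan", "FailedCount": 0, "MissingCount": 0,
         "InstalledCount": 110, "InstalledOtherCount": 116,
         "NotApplicableCount": 1859},
        {"InstanceId": "i-09a618aec652973a9", "PatchGroup": "Production",
         "Operation": "Install", "FailedCount": 2, "MissingCount": 0,
         "InstalledCount": 141, "InstalledOtherCount": 388,
         "NotApplicableCount": 1637},
    ]
})

# Per-instance counter -> group-level key, named as describe-patch-group-state names them.
STATE_KEYS = {
    "MissingCount": "InstancesWithMissingPatches",
    "FailedCount": "InstancesWithFailedPatches",
    "InstalledCount": "InstancesWithInstalledPatches",
    "InstalledOtherCount": "InstancesWithInstalledOtherPatches",
    "NotApplicableCount": "InstancesWithNotApplicablePatches",
}


def summarize_patch_group(response_json):
    """Return the group summary: one count per state, plus total instances.

    An instance is counted under a state when it has at least one patch
    in that state, so the counters can each reach the instance total.
    """
    states = json.loads(response_json)["InstancePatchStates"]
    summary = {key: 0 for key in STATE_KEYS.values()}
    summary["Instances"] = len(states)
    for state in states:
        for counter, group_key in STATE_KEYS.items():
            if state.get(counter, 0) > 0:
                summary[group_key] += 1
    return summary


def noncompliant_instances(response_json):
    """Instances with missing or failed patches, worst first.

    Failed installs sort ahead of merely missing patches because a failed
    Install leaves the host unpatched and usually needs manual follow-up.
    """
    states = json.loads(response_json)["InstancePatchStates"]
    flagged = [
        (s["InstanceId"], s["FailedCount"], s["MissingCount"], s["Operation"])
        for s in states
        if s["FailedCount"] > 0 or s["MissingCount"] > 0
    ]
    flagged.sort(key=lambda row: (row[1], row[2]), reverse=True)
    return flagged


if __name__ == "__main__":
    print(json.dumps(summarize_patch_group(SAMPLE_RESPONSE), indent=2))
    for instance_id, failed, missing, op in noncompliant_instances(SAMPLE_RESPONSE):
        print(f"{instance_id}: {failed} failed, {missing} missing (last operation: {op})")
```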

Additional Patch Manager CLI Commands

This section includes additional examples of CLI commands that you can use to perform Patch Manager configuration tasks.

Create a patch baseline

The following command creates a patch baseline that approves all critical and important security updates for Windows Server 2012 R2 five days after they are released.

aws ssm create-patch-baseline --name "Windows-Server-2012R2" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]" --description "Windows Server 2012 R2, Important and Critical security updates"

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3" }

Update a patch baseline

The following command adds two patches as rejected and one patch as approved to an existing patch baseline.

aws ssm update-patch-baseline --baseline-id pb-00dbb759999aa2bc3 --rejected-patches "KB2032276" "MS10-048" --approved-patches "KB2124261"

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3", "Name":"Windows-Server-2012R2", "RejectedPatches":[ "KB2032276", "MS10-048" ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1481001494.035, "CreatedDate":1480997823.81, "ApprovedPatches":[ "KB2124261" ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }
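
To see how the approval rules, ApprovedPatches and RejectedPatches of the baseline above combine, here is an added example that is not part of the AWS documentation. It models the evaluation with these assumed semantics: every filter in a PatchFilterGroup must match (any listed value satisfies a filter), a matching rule approves the patch ApproveAfterDays after its vendor ReleaseDate, a patch on RejectedPatches is never approved, and a patch on ApprovedPatches is approved without a waiting period. The patch records are constructed in the shape of describe-available-patches output (KB9999999/MS99-001 is a placeholder); the ApprovalDate values that describe-effective-patches-for-patch-baseline returns later on this page are exactly five days after each ReleaseDate, which is the rule applied here.

```python
"""Evaluate which patches the Windows-Server-2012R2 baseline approves, and when.

Added example, not from the AWS documentation; see the lead-in for the
assumed semantics. Timestamps are epoch seconds, as the CLI prints them.
"""
from datetime import datetime, timezone

# The baseline as returned by update-patch-baseline above, minus timestamps.
BASELINE = {
    "ApprovalRules": {"PatchRules": [{
        "PatchFilterGroup": {"PatchFilters": [
            {"Key": "MSRC_SEVERITY", "Values": ["Important", "Critical"]},
            {"Key": "CLASSIFICATION", "Values": ["SecurityUpdates"]},
            {"Key": "PRODUCT", "Values": ["WindowsServer2012R2"]},
        ]},
        "ApproveAfterDays": 5,
    }]},
    "ApprovedPatches": ["KB2124261"],
    "RejectedPatches": ["KB2032276", "MS10-048"],
}

# Filter key -> field of a patch record, as describe-available-patches names them.
FILTER_FIELDS = {
    "MSRC_SEVERITY": "MsrcClassification",
    "CLASSIFICATION": "Classification",
    "PRODUCT": "Product",
}

# Constructed patch records. KB9999999 / MS99-001 is a placeholder, not a real patch.
PATCHES = [
    {"KbNumber": "KB2876331", "MsrcNumber": "MS13-089", "Product": "WindowsServer2012R2",
     "Classification": "SecurityUpdates", "MsrcClassification": "Critical",
     "ReleaseDate": 1384279200.0},   # 2013-11-12T18:00:00Z
    {"KbNumber": "KB2124261", "MsrcNumber": "MS10-065", "Product": "Windows7",
     "Classification": "SecurityUpdates", "MsrcClassification": "Important",
     "ReleaseDate": 1284483600.0},   # wrong product, but explicitly approved
    {"KbNumber": "KB2032276", "MsrcNumber": "MS10-043", "Product": "WindowsServer2012R2",
     "Classification": "SecurityUpdates", "MsrcClassification": "Critical",
     "ReleaseDate": 1279040400.0},   # would match the rule, but is rejected
    {"KbNumber": "KB9999999", "MsrcNumber": "MS99-001", "Product": "WindowsServer2012R2",
     "Classification": "Updates", "MsrcClassification": "Critical",
     "ReleaseDate": 1384279200.0},   # classification not in the rule
]

DAY = 86400


def rule_matches(rule, patch):
    """True when every filter in the rule's PatchFilterGroup matches the patch."""
    for flt in rule["PatchFilterGroup"]["PatchFilters"]:
        field = FILTER_FIELDS[flt["Key"]]
        if patch.get(field) not in flt["Values"]:
            return False
    return True


def evaluate_patch(baseline, patch, now_epoch):
    """Return (status, approval_date_iso) for one patch at time now_epoch.

    status is 'REJECTED', 'APPROVED', 'PENDING_APPROVAL' or 'NOT_APPLICABLE'
    (no rule matches and the patch is not explicitly approved).
    """
    ids = {patch["KbNumber"], patch["MsrcNumber"]}
    if ids & set(baseline["RejectedPatches"]):
        return "REJECTED", None          # rejection overrides everything
    if ids & set(baseline["ApprovedPatches"]):
        return "APPROVED", None          # explicit approval, no waiting period
    candidates = [
        patch["ReleaseDate"] + rule["ApproveAfterDays"] * DAY
        for rule in baseline["ApprovalRules"]["PatchRules"]
        if rule_matches(rule, patch)
    ]
    if not candidates:
        return "NOT_APPLICABLE", None
    approval_epoch = min(candidates)     # the earliest matching rule wins
    approval_iso = datetime.fromtimestamp(approval_epoch, tz=timezone.utc).isoformat()
    status = "APPROVED" if now_epoch >= approval_epoch else "PENDING_APPROVAL"
    return status, approval_iso


def effective_patches(baseline, patches, now_epoch):
    """Map KB number -> status for every patch, a simplified
    describe-effective-patches-for-patch-baseline."""
    return {p["KbNumber"]: evaluate_patch(baseline, p, now_epoch)[0] for p in patches}


if __name__ == "__main__":
    now = 1481259600.0   # 2016-12-09, the scan time in the walkthrough output
    for kb, status in effective_patches(BASELINE, PATCHES, now).items():
        print(kb, status)
```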

Rename a patch baseline

aws ssm update-patch-baseline --baseline-id pb-00dbb759999aa2bc3 --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3", "Name":"Windows-Server-2012-R2-Important-and-Critical-Security-Updates", "RejectedPatches":[ "KB2032276", "MS10-048" ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1481001795.287, "CreatedDate":1480997823.81, "ApprovedPatches":[ "KB2124261" ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }

Delete a patch baseline

aws ssm delete-patch-baseline --baseline-id "pb-0a34d8c0f03c1e529"

The system returns information like the following.

{ "BaselineId":"pb-0a34d8c0f03c1e529" }

List all patch baselines

aws ssm describe-patch-baselines

The system returns information like the following.

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339" }, { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-00dbb759999aa2bc3" } ] }

Here is another command that lists all patch baselines in a Region.

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[All]"

The system returns information like the following.

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339" }, { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-00dbb759999aa2bc3" } ] }

List all AWS provided patch baselines

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[AWS]"

The system returns information like the following.

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339" } ] }

List my patch baselines

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[Self]"

The system returns information like the following.

{ "BaselineIdentities":[ { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-00dbb759999aa2bc3" } ] }

Display a patch baseline

aws ssm get-patch-baseline --baseline-id pb-00dbb759999aa2bc3

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3", "Name":"Windows-Server-2012R2", "PatchGroups":[ "Web Servers" ], "RejectedPatches":[ ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1480997823.81, "CreatedDate":1480997823.81, "ApprovedPatches":[ ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }

Get the default patch baseline

aws ssm get-default-patch-baseline --region us-west-1

The system returns information like the following.

{ "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Set the default patch baseline

aws ssm register-default-patch-baseline --region us-west-1 --baseline-id "pb-08b654cf9b9681f04"

The system returns information like the following.

{ "BaselineId":"pb-08b654cf9b9681f04" }

Register a patch group "Web Servers" with a patch baseline

aws ssm register-patch-baseline-for-patch-group --baseline-id "pb-00dbb759999aa2bc3" --patch-group "Web Servers"

The system returns information like the following.

{ "PatchGroup":"Web Servers", "BaselineId":"pb-00dbb759999aa2bc3" }

Register a patch group "Backend" with the AWS-provided patch baseline

aws ssm register-patch-baseline-for-patch-group --region us-west-1 --baseline-id "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" --patch-group "Backend"

The system returns information like the following.

{ "PatchGroup":"Backend", "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Display patch group registrations

aws ssm describe-patch-groups --region us-west-1

The system returns information like the following.

{ "PatchGroupPatchBaselineMappings":[ { "PatchGroup":"Backend", "BaselineIdentity":{ "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":false, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" } }, { "PatchGroup":"Web Servers", "BaselineIdentity":{ "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":true, "BaselineDescription":"Windows Server 2012 R2, Important and Critical updates", "BaselineId":"pb-08b654cf9b9681f04" } } ] }

Deregister a patch group from a patch baseline

aws ssm deregister-patch-baseline-for-patch-group --region us-west-1 --patch-group "Production" --baseline-id "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"

The system returns information like the following.

{ "PatchGroup":"Production", "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Get all patches defined by a patch baseline

aws ssm describe-effective-patches-for-patch-baseline --region us-west-1 --baseline-id "pb-08b654cf9b9681f04"

The system returns information like the following.

{ "NextToken":"--token string truncated--", "EffectivePatches":[ { "PatchStatus":{ "ApprovalDate":1384711200.0, "DeploymentStatus":"APPROVED" }, "Patch":{ "ContentUrl":"https://support.microsoft.com/en-us/kb/2876331", "ProductFamily":"Windows", "Product":"WindowsServer2012R2", "Vendor":"Microsoft", "Description":"A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2012 R2 Preview (KB2876331)", "ReleaseDate":1384279200.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2876331", "MsrcNumber":"MS13-089", "Id":"e74ccc76-85f0-4881-a738-59e9fc9a336d" } }, { "PatchStatus":{ "ApprovalDate":1428858000.0, "DeploymentStatus":"APPROVED" }, "Patch":{ "ContentUrl":"https://support.microsoft.com/en-us/kb/2919355", "ProductFamily":"Windows", "Product":"WindowsServer2012R2", "Vendor":"Microsoft", "Description":"Windows Server 2012 R2 Update is a cumulative set of security updates, critical updates and updates. You must install Windows Server 2012 R2 Update to ensure that your computer can continue to receive future Windows Updates, including security updates. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.", "Classification":"SecurityUpdates", "Title":"Windows Server 2012 R2 Update (KB2919355)", "ReleaseDate":1428426000.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2919355", "MsrcNumber":"MS14-018", "Id":"8452bac0-bf53-4fbd-915d-499de08c338b" } } ---output truncated---

Get all patches for Windows Server 2012 that have an MSRC severity of Critical

aws ssm describe-available-patches --region us-west-1 --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical

The system returns information like the following.

{ "Patches":[ { "ContentUrl":"https://support.microsoft.com/en-us/kb/2727528", "ProductFamily":"Windows", "Product":"WindowsServer2012", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2012 (KB2727528)", "ReleaseDate":1352829600.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2727528", "MsrcNumber":"MS12-072", "Id":"1eb507be-2040-4eeb-803d-abc55700b715" }, { "ContentUrl":"https://support.microsoft.com/en-us/kb/2729462", "ProductFamily":"Windows", "Product":"WindowsServer2012", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)", "ReleaseDate":1352829600.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2729462", "MsrcNumber":"MS12-074", "Id":"af873760-c97c-4088-ab7e-5219e120eab4" } ---output truncated---

Get all available patches

aws ssm describe-available-patches --region us-west-1

The system returns information like the following.

{ "NextToken":"--token string truncated--", "Patches":[ { "ContentUrl":"https://support.microsoft.com/en-us/kb/2032276", "ProductFamily":"Windows", "Product":"WindowsServer2008R2", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)", "ReleaseDate":1279040400.0, "MsrcClassification":"Important", "Language":"All", "KbNumber":"KB2032276", "MsrcNumber":"MS10-043", "Id":"8692029b-a3a2-4a87-a73b-8ea881b4b4d6" }, { "ContentUrl":"https://support.microsoft.com/en-us/kb/2124261", "ProductFamily":"Windows", "Product":"Windows7", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows 7 (KB2124261)", "ReleaseDate":1284483600.0, "MsrcClassification":"Important", "Language":"All", "KbNumber":"KB2124261", "MsrcNumber":"MS10-065", "Id":"12ef1bed-0dd2-4633-b3ac-60888aa8ba33" } ---output truncated---

Tag a patch baseline

aws ssm add-tags-to-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081" --tags "Key=Project,Value=Testing"

List the tags for a patch baseline

aws ssm list-tags-for-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081"

Remove a tag from a patch baseline

aws ssm remove-tags-from-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081" --tag-keys "Project"

Get patch summary states per-instance

The per-instance summary gives you the number of patches in each of the following states for every instance: "NotApplicable", "Missing", "Failed", "InstalledOther" and "Installed".

aws ssm describe-instance-patch-states --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9 i-0a00def7faa94f1c i-0fff3aab684d01b23

The system returns information like the following.

{ "InstancePatchStates":[ { "OperationStartTime":"2016-12-09T05:00:00Z", "FailedCount":0, "InstanceId":"i-08ee91c0b17045407", "OwnerInformation":"", "NotApplicableCount":2077, "OperationEndTime":"2016-12-09T05:02:37Z", "PatchGroup":"Production", "InstalledOtherCount":186, "MissingCount":7, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":72 }, { "OperationStartTime":"2016-12-09T04:59:09Z", "FailedCount":0, "InstanceId":"i-09a618aec652973a9", "OwnerInformation":"", "NotApplicableCount":1637, "OperationEndTime":"2016-12-09T05:03:57Z", "PatchGroup":"Production", "InstalledOtherCount":388, "MissingCount":2, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":141 } ---output truncated---

Get patch compliance details for an instance

aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407

The system returns information like the following.

{ "NextToken":"--token string truncated--", "Patches":[ { "KBId":"KB2919355", "Severity":"Critical", "Classification":"SecurityUpdates", "Title":"Windows 8.1 Update for x64-based Systems (KB2919355)", "State":"Installed", "InstalledTime":"2014-03-18T12:00:00Z" }, { "KBId":"KB2977765", "Severity":"Important", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2 x64-based Systems (KB2977765)", "State":"Installed", "InstalledTime":"2014-10-15T12:00:00Z" }, { "KBId":"KB2978126", "Severity":"Important", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 (KB2978126)", "State":"Installed", "InstalledTime":"2014-11-18T12:00:00Z" }, ---output truncated---