Table Of Contents

Feedback

User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . ssm ]

update-patch-baseline

Description

Modifies an existing patch baseline. Fields not specified in the request are left unchanged.

Note

For information about valid key and value pairs in PatchFilters for each supported operating system type, see PatchFilter .

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

Synopsis

  update-patch-baseline
--baseline-id <value>
[--name <value>]
[--global-filters <value>]
[--approval-rules <value>]
[--approved-patches <value>]
[--approved-patches-compliance-level <value>]
[--approved-patches-enable-non-security | --no-approved-patches-enable-non-security]
[--rejected-patches <value>]
[--description <value>]
[--sources <value>]
[--replace | --no-replace]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--baseline-id (string)

The ID of the patch baseline to update.

--name (string)

The name of the patch baseline.

--global-filters (structure)

A set of global filters used to exclude patches from the baseline.

JSON Syntax:

{
  "PatchFilters": [
    {
      "Key": "PRODUCT"|"CLASSIFICATION"|"MSRC_SEVERITY"|"PATCH_ID"|"SECTION"|"PRIORITY"|"SEVERITY",
      "Values": ["string", ...]
    }
    ...
  ]
}

--approval-rules (structure)

A set of rules used to include patches in the baseline.

JSON Syntax:

{
  "PatchRules": [
    {
      "PatchFilterGroup": {
        "PatchFilters": [
          {
            "Key": "PRODUCT"|"CLASSIFICATION"|"MSRC_SEVERITY"|"PATCH_ID"|"SECTION"|"PRIORITY"|"SEVERITY",
            "Values": ["string", ...]
          }
          ...
        ]
      },
      "ComplianceLevel": "CRITICAL"|"HIGH"|"MEDIUM"|"LOW"|"INFORMATIONAL"|"UNSPECIFIED",
      "ApproveAfterDays": integer,
      "EnableNonSecurity": true|false
    }
    ...
  ]
}

--approved-patches (list)

A list of explicitly approved patches for the baseline.

For information about accepted formats for lists of approved patches and rejected patches, see Package Name Formats for Approved and Rejected Patch Lists in the AWS Systems Manager User Guide .

Syntax:

"string" "string" ...

--approved-patches-compliance-level (string)

Assigns a new compliance severity level to an existing patch baseline.

Possible values:

  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
  • INFORMATIONAL
  • UNSPECIFIED

--approved-patches-enable-non-security | --no-approved-patches-enable-non-security (boolean)

Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is 'false'. Applies to Linux instances only.

--rejected-patches (list)

A list of explicitly rejected patches for the baseline.

For information about accepted formats for lists of approved patches and rejected patches, see Package Name Formats for Approved and Rejected Patch Lists in the AWS Systems Manager User Guide .

Syntax:

"string" "string" ...

--description (string)

A description of the patch baseline.

--sources (list)

Information about the patches to use to update the instances, including target operating systems and source repositories. Applies to Linux instances only.

Shorthand Syntax:

Name=string,Products=string,string,Configuration=string ...

JSON Syntax:

[
  {
    "Name": "string",
    "Products": ["string", ...],
    "Configuration": "string"
  }
  ...
]

--replace | --no-replace (boolean)

If True, then all fields that are required by the CreatePatchBaseline action are also required for this API request. Optional fields that are not specified are set to null.

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.

Examples

To update a patch baseline

This example adds two patches as rejected and one patch as approved to a patch baseline.

Command:

aws ssm update-patch-baseline --baseline-id "pb-045f10b4f382baeda" --rejected-patches "KB2032276" "MS10-048" --approved-patches "KB2124261"

Output:

{
  "BaselineId": "pb-045f10b4f382baeda",
  "Name": "Production-Baseline",
  "RejectedPatches": [
      "KB2032276",
      "MS10-048"
  ],
  "GlobalFilters": {
      "PatchFilters": []
  },
  "ApprovalRules": {
      "PatchRules": [
          {
              "PatchFilterGroup": {
                  "PatchFilters": [
                      {
                          "Values": [
                              "Critical",
                              "Important",
                              "Moderate"
                          ],
                          "Key": "MSRC_SEVERITY"
                      },
                      {
                          "Values": [
                              "SecurityUpdates",
                              "Updates",
                              "UpdateRollups",
                              "CriticalUpdates"
                          ],
                          "Key": "CLASSIFICATION"
                      }
                  ]
              },
              "ApproveAfterDays": 7
          }
      ]
  },
  "ModifiedDate": 1487872602.453,
  "CreatedDate": 1487870482.16,
  "ApprovedPatches": [
      "KB2124261"
  ],
  "Description": "Baseline containing all updates approved for production systems"
}

To rename a patch baseline

This example renames a patch baseline.

Command:

aws ssm update-patch-baseline --baseline-id "pb-00dbb759999aa2bc3" --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"

Output

BaselineId -> (string)

The ID of the deleted patch baseline.

Name -> (string)

The name of the patch baseline.

OperatingSystem -> (string)

The operating system rule used by the updated patch baseline.

GlobalFilters -> (structure)

A set of global filters used to exclude patches from the baseline.

PatchFilters -> (list)

The set of patch filters that make up the group.

(structure)

Defines a patch filter.

A patch filter consists of key/value pairs, but not all keys are valid for all operating system types. For example, the key PRODUCT is valid for all supported operating system types. The key MSRC_SEVERITY , however, is valid only for Windows operating systems, and the key SECTION is valid only for Ubuntu operating systems.

Refer to the following sections for information about which keys may be used with each major operating system, and which values are valid for each key.

Windows Operating Systems

The supported keys for Windows operating systems are PRODUCT , CLASSIFICATION , and MSRC_SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • Windows7
  • Windows8
  • Windows8.1
  • Windows8Embedded
  • Windows10
  • Windows10LTSB
  • WindowsServer2008
  • WindowsServer2008R2
  • WindowsServer2012
  • WindowsServer2012R2
  • WindowsServer2016
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • CriticalUpdates
  • DefinitionUpdates
  • Drivers
  • FeaturePacks
  • SecurityUpdates
  • ServicePacks
  • Tools
  • UpdateRollups
  • Updates
  • Upgrades

Supported key: MSRC_SEVERITY

Supported values:

  • Critical
  • Important
  • Moderate
  • Low
  • Unspecified
Ubuntu Operating Systems

The supported keys for Ubuntu operating systems are PRODUCT , PRIORITY , and SECTION . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • Ubuntu14.04
  • Ubuntu16.04
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: PRIORITY

Supported values:

  • Required
  • Important
  • Standard
  • Optional
  • Extra
Supported key: SECTION

Only the length of the key value is validated. Minimum length is 1. Maximum length is 64.

Amazon Linux Operating Systems

The supported keys for Amazon Linux operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • AmazonLinux2012.03
  • AmazonLinux2012.09
  • AmazonLinux2013.03
  • AmazonLinux2013.09
  • AmazonLinux2014.03
  • AmazonLinux2014.09
  • AmazonLinux2015.03
  • AmazonLinux2015.09
  • AmazonLinux2016.03
  • AmazonLinux2016.09
  • AmazonLinux2017.03
  • AmazonLinux2017.09
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Bugfix
  • Enhancement
  • Recommended
  • Newpackage

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Medium
  • Low
Amazon Linux 2 Operating Systems

The supported keys for Amazon Linux 2 operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • AmazonLinux2
  • AmazonLinux2.0
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Bugfix
  • Enhancement
  • Recommended
  • Newpackage

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Medium
  • Low
RedHat Enterprise Linux (RHEL) Operating Systems

The supported keys for RedHat Enterprise Linux operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • RedhatEnterpriseLinux6.5
  • RedhatEnterpriseLinux6.6
  • RedhatEnterpriseLinux6.7
  • RedhatEnterpriseLinux6.8
  • RedhatEnterpriseLinux6.9
  • RedhatEnterpriseLinux7.0
  • RedhatEnterpriseLinux7.1
  • RedhatEnterpriseLinux7.2
  • RedhatEnterpriseLinux7.3
  • RedhatEnterpriseLinux7.4
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Bugfix
  • Enhancement
  • Recommended
  • Newpackage

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Medium
  • Low
SUSE Linux Enterprise Server (SLES) Operating Systems

The supported keys for SLES operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • Suse12.0
  • Suse12.1
  • Suse12.2
  • Suse12.3
  • Suse12.4
  • Suse12.5
  • Suse12.6
  • Suse12.7
  • Suse12.8
  • Suse12.9
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Recommended
  • Optional
  • Feature
  • Document
  • Yast

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Moderate
  • Low
CentOS Operating Systems

The supported keys for CentOS operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • CentOS6.5
  • CentOS6.6
  • CentOS6.7
  • CentOS6.8
  • CentOS6.9
  • CentOS7.0
  • CentOS7.1
  • CentOS7.2
  • CentOS7.3
  • CentOS7.4
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Bugfix
  • Enhancement
  • Recommended
  • Newpackage

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Medium
  • Low

Key -> (string)

The key for the filter.

See PatchFilter for lists of valid keys for each operating system type.

Values -> (list)

The value for the filter key.

See PatchFilter for lists of valid values for each key based on operating system type.

(string)

ApprovalRules -> (structure)

A set of rules used to include patches in the baseline.

PatchRules -> (list)

The rules that make up the rule group.

(structure)

Defines an approval rule for a patch baseline.

PatchFilterGroup -> (structure)

The patch filter group that defines the criteria for the rule.

PatchFilters -> (list)

The set of patch filters that make up the group.

(structure)

Defines a patch filter.

A patch filter consists of key/value pairs, but not all keys are valid for all operating system types. For example, the key PRODUCT is valid for all supported operating system types. The key MSRC_SEVERITY , however, is valid only for Windows operating systems, and the key SECTION is valid only for Ubuntu operating systems.

Refer to the following sections for information about which keys may be used with each major operating system, and which values are valid for each key.

Windows Operating Systems

The supported keys for Windows operating systems are PRODUCT , CLASSIFICATION , and MSRC_SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • Windows7
  • Windows8
  • Windows8.1
  • Windows8Embedded
  • Windows10
  • Windows10LTSB
  • WindowsServer2008
  • WindowsServer2008R2
  • WindowsServer2012
  • WindowsServer2012R2
  • WindowsServer2016
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • CriticalUpdates
  • DefinitionUpdates
  • Drivers
  • FeaturePacks
  • SecurityUpdates
  • ServicePacks
  • Tools
  • UpdateRollups
  • Updates
  • Upgrades

Supported key: MSRC_SEVERITY

Supported values:

  • Critical
  • Important
  • Moderate
  • Low
  • Unspecified
Ubuntu Operating Systems

The supported keys for Ubuntu operating systems are PRODUCT , PRIORITY , and SECTION . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • Ubuntu14.04
  • Ubuntu16.04
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: PRIORITY

Supported values:

  • Required
  • Important
  • Standard
  • Optional
  • Extra
Supported key: SECTION

Only the length of the key value is validated. Minimum length is 1. Maximum length is 64.

Amazon Linux Operating Systems

The supported keys for Amazon Linux operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • AmazonLinux2012.03
  • AmazonLinux2012.09
  • AmazonLinux2013.03
  • AmazonLinux2013.09
  • AmazonLinux2014.03
  • AmazonLinux2014.09
  • AmazonLinux2015.03
  • AmazonLinux2015.09
  • AmazonLinux2016.03
  • AmazonLinux2016.09
  • AmazonLinux2017.03
  • AmazonLinux2017.09
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Bugfix
  • Enhancement
  • Recommended
  • Newpackage

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Medium
  • Low
Amazon Linux 2 Operating Systems

The supported keys for Amazon Linux 2 operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • AmazonLinux2
  • AmazonLinux2.0
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Bugfix
  • Enhancement
  • Recommended
  • Newpackage

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Medium
  • Low
RedHat Enterprise Linux (RHEL) Operating Systems

The supported keys for RedHat Enterprise Linux operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • RedhatEnterpriseLinux6.5
  • RedhatEnterpriseLinux6.6
  • RedhatEnterpriseLinux6.7
  • RedhatEnterpriseLinux6.8
  • RedhatEnterpriseLinux6.9
  • RedhatEnterpriseLinux7.0
  • RedhatEnterpriseLinux7.1
  • RedhatEnterpriseLinux7.2
  • RedhatEnterpriseLinux7.3
  • RedhatEnterpriseLinux7.4
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Bugfix
  • Enhancement
  • Recommended
  • Newpackage

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Medium
  • Low
SUSE Linux Enterprise Server (SLES) Operating Systems

The supported keys for SLES operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • Suse12.0
  • Suse12.1
  • Suse12.2
  • Suse12.3
  • Suse12.4
  • Suse12.5
  • Suse12.6
  • Suse12.7
  • Suse12.8
  • Suse12.9
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Recommended
  • Optional
  • Feature
  • Document
  • Yast

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Moderate
  • Low
CentOS Operating Systems

The supported keys for CentOS operating systems are PRODUCT , CLASSIFICATION , and SEVERITY . See the following lists for valid values for each of these keys.

Supported key: PRODUCT

Supported values:

  • CentOS6.5
  • CentOS6.6
  • CentOS6.7
  • CentOS6.8
  • CentOS6.9
  • CentOS7.0
  • CentOS7.1
  • CentOS7.2
  • CentOS7.3
  • CentOS7.4
  • * Use a wildcard character () to target all supported operating system versions.*

Supported key: CLASSIFICATION

Supported values:

  • Security
  • Bugfix
  • Enhancement
  • Recommended
  • Newpackage

Supported key: SEVERITY

Supported values:

  • Critical
  • Important
  • Medium
  • Low

Key -> (string)

The key for the filter.

See PatchFilter for lists of valid keys for each operating system type.

Values -> (list)

The value for the filter key.

See PatchFilter for lists of valid values for each key based on operating system type.

(string)

ComplianceLevel -> (string)

A compliance severity level for all approved patches in a patch baseline. Valid compliance severity levels include the following: Unspecified, Critical, High, Medium, Low, and Informational.

ApproveAfterDays -> (integer)

The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of 7 means that patches are approved seven days after they are released.

EnableNonSecurity -> (boolean)

For instances identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is 'false'. Applies to Linux instances only.

ApprovedPatches -> (list)

A list of explicitly approved patches for the baseline.

(string)

ApprovedPatchesComplianceLevel -> (string)

The compliance severity level assigned to the patch baseline after the update completed.

ApprovedPatchesEnableNonSecurity -> (boolean)

Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is 'false'. Applies to Linux instances only.

RejectedPatches -> (list)

A list of explicitly rejected patches for the baseline.

(string)

CreatedDate -> (timestamp)

The date when the patch baseline was created.

ModifiedDate -> (timestamp)

The date when the patch baseline was last modified.

Description -> (string)

A description of the Patch Baseline.

Sources -> (list)

Information about the patches to use to update the instances, including target operating systems and source repositories. Applies to Linux instances only.

(structure)

Information about the patches to use to update the instances, including target operating systems and source repository. Applies to Linux instances only.

Name -> (string)

The name specified to identify the patch source.

Products -> (list)

The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09", "RedhatEnterpriseLinux7.2" or "Suse12.7". For lists of supported product values, see PatchFilter .

(string)

Configuration -> (string)

The value of the yum repo configuration. For example:

cachedir=/var/cache/yum/$basesearch

$releasever

keepcache=0

debuglevel=2