Identifying out-of-compliance managed nodes - AWS Systems Manager

Identifying out-of-compliance managed nodes

Out-of-compliance managed nodes are identified when either of two AWS Systems Manager documents (SSM documents) is run. These SSM documents reference the appropriate patch baseline for each managed node in Patch Manager, a capability of AWS Systems Manager, evaluate the patch state of the managed node, and then make the compliance results available to you.

There are two SSM documents that are used to identify or update out-of-compliance managed nodes: AWS-RunPatchBaseline and AWS-RunPatchBaselineAssociation. Each one is used by different processes, and their compliance results are available through different channels. The following table outlines the differences between these documents.

Note

Patch compliance data from Patch Manager can be sent to AWS Security Hub. Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status. It also monitors the patching status of your fleet. For more information, see Integrating Patch Manager with AWS Security Hub.

Differences between AWS-RunPatchBaseline and AWS-RunPatchBaselineAssociation

Processes that use the document

  AWS-RunPatchBaseline:

  Patch on demand – You can scan or patch managed nodes on demand using the Patch now option. For information, see Patching managed nodes on demand (console).

  Patch Manager patching configuration – You can create a patching configuration that includes a maintenance window to scan managed nodes for patch compliance on a schedule. For information, see Creating a patching configuration (console).

  Run a command – You can manually run AWS-RunPatchBaseline in an operation in Run Command, a capability of AWS Systems Manager. For information, see Running commands from the console.

  Maintenance window – You can create a maintenance window that uses the SSM document AWS-RunPatchBaseline in a Run Command task type. For information, see Walkthrough: Creating a maintenance window for patching (console).

  AWS-RunPatchBaselineAssociation:

  Systems Manager Quick Setup – You can configure Quick Setup, a capability of AWS Systems Manager, to use Patch Manager to scan your managed instances for patch compliance each day. For information, see Quick Setup Host Management in the topic AWS Systems Manager Quick Setup.

  Systems Manager Explorer – When you turn on Explorer, a capability of AWS Systems Manager, it regularly scans your managed instances for patch compliance and reports the results in the Explorer dashboard.

Format of the patch scan result data

  AWS-RunPatchBaseline: After AWS-RunPatchBaseline runs, Patch Manager sends an AWS:PatchSummary object to Inventory, a capability of AWS Systems Manager.

  AWS-RunPatchBaselineAssociation: After AWS-RunPatchBaselineAssociation runs, Patch Manager sends an AWS:ComplianceItem object to Systems Manager Inventory.

Viewing patch compliance reports in the console

  AWS-RunPatchBaseline: You can view patch compliance information for processes that use AWS-RunPatchBaseline in Systems Manager Configuration Compliance and Managed nodes. For more information, see Viewing patch compliance results (console).

  AWS-RunPatchBaselineAssociation: If you use Quick Setup to scan your managed instances for patch compliance, you can see the compliance report in Systems Manager State Manager, which is accessible using a View results button in Quick Setup. If you use Explorer to scan your managed instances for patch compliance, you can see the compliance report in both Explorer and Systems Manager OpsCenter.

AWS CLI commands for viewing patch compliance results

  AWS-RunPatchBaseline: For processes that use AWS-RunPatchBaseline, you can use the following AWS CLI commands to view summary information about patches on a managed node.

  AWS-RunPatchBaselineAssociation: For processes that use AWS-RunPatchBaselineAssociation, you can use the following AWS CLI command to view summary information about patches on an instance.

Patching operations

  AWS-RunPatchBaseline: For processes that use AWS-RunPatchBaseline, you specify whether you want the operation to run a Scan operation only, or a Scan and install operation. If your goal is to identify out-of-compliance managed nodes and not remediate them, run only a Scan operation.

  AWS-RunPatchBaselineAssociation: Quick Setup and Explorer processes, which use AWS-RunPatchBaselineAssociation, run only a Scan operation.

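The two result formats in the table above differ in shape, so a fleet-wide "which nodes are out of compliance?" check has to read each one on its own terms. The following Python script is an added example, not part of the AWS documentation or of the SSM documents themselves. It parses constructed samples of the two shapes: InstancePatchState records (the AWS:PatchSummary data behind `aws ssm describe-instance-patch-states`, produced after AWS-RunPatchBaseline runs) and ComplianceItem records (the AWS:ComplianceItem data behind `aws ssm list-compliance-items`, produced after AWS-RunPatchBaselineAssociation runs), and returns the node IDs that need attention. The instance IDs, baseline ID, patch IDs and counts are constructed for this example; the rule that Missing, Failed, InstalledRejected and InstalledPendingReboot counts mark a node non-compliant is this example's reading of the compliance states and should be checked against the Understanding patch compliance state values topic.

```python
"""Identify out-of-compliance managed nodes from Patch Manager scan results.

Added example (not AWS documentation code). The two JSON samples below are
constructed to match the structures returned by the SSM API; the values in
them are fictitious.
"""
import json
from collections import defaultdict

# Constructed sample of what
#   aws ssm describe-instance-patch-states --instance-ids <id> [<id> ...]
# returns for three nodes after an AWS-RunPatchBaseline Scan or Install run.
PATCH_STATES_JSON = """{
  "InstancePatchStates": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "PatchGroup": "web", "BaselineId": "pb-0123456789abcdef0",
     "Operation": "Scan", "InstalledCount": 120, "MissingCount": 0, "FailedCount": 0,
     "InstalledRejectedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa2", "PatchGroup": "web", "BaselineId": "pb-0123456789abcdef0",
     "Operation": "Scan", "InstalledCount": 115, "MissingCount": 5, "FailedCount": 0,
     "InstalledRejectedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "PatchGroup": "db", "BaselineId": "pb-0123456789abcdef0",
     "Operation": "Install", "InstalledCount": 118, "MissingCount": 0, "FailedCount": 1,
     "InstalledRejectedCount": 0, "InstalledPendingRebootCount": 2}
  ]
}"""

# Constructed sample of what
#   aws ssm list-compliance-items --resource-ids <id> --resource-types ManagedInstance
# returns after AWS-RunPatchBaselineAssociation runs (one item per patch).
COMPLIANCE_ITEMS_JSON = """{
  "ComplianceItems": [
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance", "ResourceId": "i-0bbbbbbbbbbbbbbb1",
     "Id": "KB5000001", "Title": "Sample security update 1", "Status": "COMPLIANT",
     "Severity": "CRITICAL", "Details": {"PatchState": "Installed"}},
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance", "ResourceId": "i-0bbbbbbbbbbbbbbb2",
     "Id": "KB5000002", "Title": "Sample security update 2", "Status": "NON_COMPLIANT",
     "Severity": "CRITICAL", "Details": {"PatchState": "Missing"}},
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance", "ResourceId": "i-0bbbbbbbbbbbbbbb2",
     "Id": "KB5000003", "Title": "Sample security update 3", "Status": "NON_COMPLIANT",
     "Severity": "HIGH", "Details": {"PatchState": "InstalledPendingReboot"}},
    {"ComplianceType": "Association", "ResourceType": "ManagedInstance", "ResourceId": "i-0bbbbbbbbbbbbbbb2",
     "Id": "assoc-example", "Title": "Not a patch item", "Status": "NON_COMPLIANT",
     "Severity": "LOW", "Details": {}}
  ]
}"""

# Counters in an InstancePatchState record that, in this example's rule, mean at least
# one patch on the node is not compliant. Assumption of this example; confirm against
# the "Understanding patch compliance state values" topic.
NONCOMPLIANT_COUNTERS = (
    "MissingCount",
    "FailedCount",
    "InstalledRejectedCount",
    "InstalledPendingRebootCount",
)


def noncompliant_from_patch_states(raw_json):
    """Return {instance_id: {counter: count}} for nodes whose summary shows non-zero
    non-compliant counters (AWS-RunPatchBaseline result format)."""
    result = {}
    for state in json.loads(raw_json)["InstancePatchStates"]:
        bad = {k: state.get(k, 0) for k in NONCOMPLIANT_COUNTERS if state.get(k, 0) > 0}
        if bad:
            result[state["InstanceId"]] = bad
    return result


def noncompliant_from_compliance_items(raw_json):
    """Return {resource_id: [patch ids]} for NON_COMPLIANT items of ComplianceType
    "Patch" (AWS-RunPatchBaselineAssociation result format). Items of other
    compliance types, such as Association, are ignored on purpose."""
    result = defaultdict(list)
    for item in json.loads(raw_json)["ComplianceItems"]:
        if item.get("ComplianceType") != "Patch":
            continue
        if item.get("Status") == "NON_COMPLIANT":
            result[item["ResourceId"]].append(item["Id"])
    return dict(result)


def out_of_compliance_nodes(patch_states_json, compliance_items_json):
    """Union of node IDs flagged by either result format, sorted for stable reporting."""
    ids = set(noncompliant_from_patch_states(patch_states_json))
    ids |= set(noncompliant_from_compliance_items(compliance_items_json))
    return sorted(ids)


if __name__ == "__main__":
    # Typical use: feed the saved output of the two CLI commands to the functions above.
    for node, counters in noncompliant_from_patch_states(PATCH_STATES_JSON).items():
        print(f"{node}: {counters}")
    for node, patches in noncompliant_from_compliance_items(COMPLIANCE_ITEMS_JSON).items():
        print(f"{node}: {len(patches)} non-compliant patch item(s)")
    print("Out of compliance:", out_of_compliance_nodes(PATCH_STATES_JSON, COMPLIANCE_ITEMS_JSON))
```

The two parsers are kept separate because the formats answer different questions: a PatchSummary record gives per-node counters from the last run, while ComplianceItem records are one line per patch, so the second parser also tells you which patches are behind the NON_COMPLIANT status. Filtering on ComplianceType "Patch" matters because list-compliance-items also returns Association compliance and other custom types, which are not patch findings.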
More info

About the AWS-RunPatchBaseline SSM document

About the AWS-RunPatchBaselineAssociation SSM document

For information about the various patch compliance states you might see reported, see Understanding patch compliance state values.

For information about remediating managed nodes that are out of patch compliance, see Patching out-of-compliance managed nodes.