AWS Systems Manager
User Guide

AWS CLI Commands for Patch Manager

This section includes examples of AWS CLI commands that you can use to perform Patch Manager configuration tasks.

For an illustration of using the AWS CLI to patch a server environment by using a custom patch baseline, see Walkthrough: Patch a Server Environment (AWS CLI).

For more information about using the CLI for AWS Systems Manager tasks, see the AWS Systems Manager section of the AWS CLI Command Reference.

Create a patch baseline

The following command creates a patch baseline that approves all critical and important security updates for Windows Server 2012 R2 five days after they are released.

aws ssm create-patch-baseline \
  --name "Windows-Server-2012R2" \
  --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]" \
  --description "Windows Server 2012 R2, Important and Critical security updates"

The system returns information like the following.

{ "BaselineId":"pb-00dbb759999aa2bc3" }

Create a patch baseline with custom repositories for different OS versions

Applies to Linux instances only. The following command shows how to specify the patch repository to use for a particular version of the Amazon Linux operating system. This sample uses a source repository enabled by default on Amazon Linux 2017.09, but could be adapted to a different source repository that you have configured for an instance.

aws ssm create-patch-baseline --name "Amazon-Linux-Versions" \
  --operating-system AMAZON_LINUX \
  --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=[Security,Bugfix]},{Key=PRODUCT,Values=[AmazonLinux2016.03,AmazonLinux2017.09]}]},ApproveAfterDays=7,EnableNonSecurity=True}]" \
  --sources "Name=My-AL2017.09,Products=AmazonLinux2017.09,Configuration='[amzn-main]\nname=amzn-main-Base\nmirrorlist=http://repo.\$awsregion.\$awsdomain/\$releasever/main/mirror.list\nmirrorlist_expire=300\nmetadata_expire=300\npriority=10\nfailovermethod=priority\nfastestmirror_enabled=0\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga\nenabled=1\nretries=3\ntimeout=5\nreport_instanceid=yes'" \
  --description "Amazon Linux Important and Critical updates for Security and Bugfixes"

Update a patch baseline

The following command adds two patches as rejected and one patch as approved to an existing patch baseline.

aws ssm update-patch-baseline --baseline-id pb-00dbb759999aa2bc3 --rejected-patches "KB2032276" "MS10-048" --approved-patches "KB2124261"

The system returns information like the following.

{
  "BaselineId": "pb-00dbb759999aa2bc3",
  "Name": "Windows-Server-2012R2",
  "RejectedPatches": ["KB2032276", "MS10-048"],
  "GlobalFilters": { "PatchFilters": [] },
  "ApprovalRules": {
    "PatchRules": [
      {
        "PatchFilterGroup": {
          "PatchFilters": [
            { "Values": ["Important", "Critical"], "Key": "MSRC_SEVERITY" },
            { "Values": ["SecurityUpdates"], "Key": "CLASSIFICATION" },
            { "Values": ["WindowsServer2012R2"], "Key": "PRODUCT" }
          ]
        },
        "ApproveAfterDays": 5
      }
    ]
  },
  "ModifiedDate": 1481001494.035,
  "CreatedDate": 1480997823.81,
  "ApprovedPatches": ["KB2124261"],
  "Description": "Windows Server 2012 R2, Important and Critical security updates"
}

Rename a patch baseline

aws ssm update-patch-baseline --baseline-id pb-00dbb759999aa2bc3 --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"

The system returns information like the following.

{
  "BaselineId": "pb-00dbb759999aa2bc3",
  "Name": "Windows-Server-2012-R2-Important-and-Critical-Security-Updates",
  "RejectedPatches": ["KB2032276", "MS10-048"],
  "GlobalFilters": { "PatchFilters": [] },
  "ApprovalRules": {
    "PatchRules": [
      {
        "PatchFilterGroup": {
          "PatchFilters": [
            { "Values": ["Important", "Critical"], "Key": "MSRC_SEVERITY" },
            { "Values": ["SecurityUpdates"], "Key": "CLASSIFICATION" },
            { "Values": ["WindowsServer2012R2"], "Key": "PRODUCT" }
          ]
        },
        "ApproveAfterDays": 5
      }
    ]
  },
  "ModifiedDate": 1481001795.287,
  "CreatedDate": 1480997823.81,
  "ApprovedPatches": ["KB2124261"],
  "Description": "Windows Server 2012 R2, Important and Critical security updates"
}

Delete a patch baseline

aws ssm delete-patch-baseline --baseline-id "pb-0a34d8c0f03c1e529"

The system returns information like the following.

{ "BaselineId":"pb-0a34d8c0f03c1e529" }

List all patch baselines

aws ssm describe-patch-baselines

The system returns information like the following.

{
  "BaselineIdentities": [
    {
      "BaselineName": "AWS-DefaultPatchBaseline",
      "DefaultBaseline": true,
      "BaselineDescription": "Default Patch Baseline Provided by AWS.",
      "BaselineId": "arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339"
    },
    {
      "BaselineName": "Windows-Server-2012R2",
      "DefaultBaseline": false,
      "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
      "BaselineId": "pb-00dbb759999aa2bc3"
    }
  ]
}

Here is another command that lists all patch baselines in a Region.

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[All]"

The system returns information like the following.

{
  "BaselineIdentities": [
    {
      "BaselineName": "AWS-DefaultPatchBaseline",
      "DefaultBaseline": true,
      "BaselineDescription": "Default Patch Baseline Provided by AWS.",
      "BaselineId": "arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339"
    },
    {
      "BaselineName": "Windows-Server-2012R2",
      "DefaultBaseline": false,
      "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
      "BaselineId": "pb-00dbb759999aa2bc3"
    }
  ]
}

List all AWS-provided patch baselines

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[AWS]"

The system returns information like the following.

{
  "BaselineIdentities": [
    {
      "BaselineName": "AWS-DefaultPatchBaseline",
      "DefaultBaseline": true,
      "BaselineDescription": "Default Patch Baseline Provided by AWS.",
      "BaselineId": "arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339"
    }
  ]
}

List my patch baselines

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[Self]"

The system returns information like the following.

{
  "BaselineIdentities": [
    {
      "BaselineName": "Windows-Server-2012R2",
      "DefaultBaseline": false,
      "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
      "BaselineId": "pb-00dbb759999aa2bc3"
    }
  ]
}

Display a patch baseline

aws ssm get-patch-baseline --baseline-id pb-00dbb759999aa2bc3

The system returns information like the following.

{
  "BaselineId": "pb-00dbb759999aa2bc3",
  "Name": "Windows-Server-2012R2",
  "PatchGroups": ["Web Servers"],
  "RejectedPatches": [],
  "GlobalFilters": { "PatchFilters": [] },
  "ApprovalRules": {
    "PatchRules": [
      {
        "PatchFilterGroup": {
          "PatchFilters": [
            { "Values": ["Important", "Critical"], "Key": "MSRC_SEVERITY" },
            { "Values": ["SecurityUpdates"], "Key": "CLASSIFICATION" },
            { "Values": ["WindowsServer2012R2"], "Key": "PRODUCT" }
          ]
        },
        "ApproveAfterDays": 5
      }
    ]
  },
  "ModifiedDate": 1480997823.81,
  "CreatedDate": 1480997823.81,
  "ApprovedPatches": [],
  "Description": "Windows Server 2012 R2, Important and Critical security updates"
}

Get the default patch baseline

aws ssm get-default-patch-baseline --region us-west-1

The system returns information like the following.

{ "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Set the default patch baseline

aws ssm register-default-patch-baseline --region us-west-1 --baseline-id "pb-08b654cf9b9681f04"

The system returns information like the following.

{ "BaselineId":"pb-08b654cf9b9681f04" }

Register a patch group "Web Servers" with a patch baseline

aws ssm register-patch-baseline-for-patch-group --baseline-id "pb-00dbb759999aa2bc3" --patch-group "Web Servers"

The system returns information like the following.

{ "PatchGroup":"Web Servers", "BaselineId":"pb-00dbb759999aa2bc3" }

Register a patch group "Backend" with the AWS-provided patch baseline

aws ssm register-patch-baseline-for-patch-group --region us-west-1 --baseline-id "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" --patch-group "Backend"

The system returns information like the following.

{ "PatchGroup":"Backend", "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Display patch group registrations

aws ssm describe-patch-groups --region us-west-1

The system returns information like the following.

{
  "PatchGroupPatchBaselineMappings": [
    {
      "PatchGroup": "Backend",
      "BaselineIdentity": {
        "BaselineName": "AWS-DefaultPatchBaseline",
        "DefaultBaseline": false,
        "BaselineDescription": "Default Patch Baseline Provided by AWS.",
        "BaselineId": "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"
      }
    },
    {
      "PatchGroup": "Web Servers",
      "BaselineIdentity": {
        "BaselineName": "Windows-Server-2012R2",
        "DefaultBaseline": true,
        "BaselineDescription": "Windows Server 2012 R2, Important and Critical updates",
        "BaselineId": "pb-08b654cf9b9681f04"
      }
    }
  ]
}

Deregister a patch group from a patch baseline

aws ssm deregister-patch-baseline-for-patch-group --region us-west-1 --patch-group "Production" --baseline-id "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"

The system returns information like the following.

{ "PatchGroup":"Production", "BaselineId":"arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" }

Get all patches defined by a patch baseline

aws ssm describe-effective-patches-for-patch-baseline --region us-west-1 --baseline-id "pb-08b654cf9b9681f04"

The system returns information like the following.

{
  "NextToken": "--token string truncated--",
  "EffectivePatches": [
    {
      "PatchStatus": { "ApprovalDate": 1384711200.0, "DeploymentStatus": "APPROVED" },
      "Patch": {
        "ContentUrl": "https://support.microsoft.com/en-us/kb/2876331",
        "ProductFamily": "Windows",
        "Product": "WindowsServer2012R2",
        "Vendor": "Microsoft",
        "Description": "A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.",
        "Classification": "SecurityUpdates",
        "Title": "Security Update for Windows Server 2012 R2 Preview (KB2876331)",
        "ReleaseDate": 1384279200.0,
        "MsrcClassification": "Critical",
        "Language": "All",
        "KbNumber": "KB2876331",
        "MsrcNumber": "MS13-089",
        "Id": "e74ccc76-85f0-4881-a738-59e9fc9a336d"
      }
    },
    {
      "PatchStatus": { "ApprovalDate": 1428858000.0, "DeploymentStatus": "APPROVED" },
      "Patch": {
        "ContentUrl": "https://support.microsoft.com/en-us/kb/2919355",
        "ProductFamily": "Windows",
        "Product": "WindowsServer2012R2",
        "Vendor": "Microsoft",
        "Description": "Windows Server 2012 R2 Update is a cumulative set of security updates, critical updates and updates. You must install Windows Server 2012 R2 Update to ensure that your computer can continue to receive future Windows Updates, including security updates. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.",
        "Classification": "SecurityUpdates",
        "Title": "Windows Server 2012 R2 Update (KB2919355)",
        "ReleaseDate": 1428426000.0,
        "MsrcClassification": "Critical",
        "Language": "All",
        "KbNumber": "KB2919355",
        "MsrcNumber": "MS14-018",
        "Id": "8452bac0-bf53-4fbd-915d-499de08c338b"
      }
    }
---output truncated---

Get all patches for Windows Server 2012 that have an MSRC severity of Critical

aws ssm describe-available-patches --region us-west-1 --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical

The system returns information like the following.

{
  "Patches": [
    {
      "ContentUrl": "https://support.microsoft.com/en-us/kb/2727528",
      "ProductFamily": "Windows",
      "Product": "WindowsServer2012",
      "Vendor": "Microsoft",
      "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Windows Server 2012 (KB2727528)",
      "ReleaseDate": 1352829600.0,
      "MsrcClassification": "Critical",
      "Language": "All",
      "KbNumber": "KB2727528",
      "MsrcNumber": "MS12-072",
      "Id": "1eb507be-2040-4eeb-803d-abc55700b715"
    },
    {
      "ContentUrl": "https://support.microsoft.com/en-us/kb/2729462",
      "ProductFamily": "Windows",
      "Product": "WindowsServer2012",
      "Vendor": "Microsoft",
      "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)",
      "ReleaseDate": 1352829600.0,
      "MsrcClassification": "Critical",
      "Language": "All",
      "KbNumber": "KB2729462",
      "MsrcNumber": "MS12-074",
      "Id": "af873760-c97c-4088-ab7e-5219e120eab4"
    }
---output truncated---

Get all available patches

aws ssm describe-available-patches --region us-west-1

The system returns information like the following.

{
  "NextToken": "--token string truncated--",
  "Patches": [
    {
      "ContentUrl": "https://support.microsoft.com/en-us/kb/2032276",
      "ProductFamily": "Windows",
      "Product": "WindowsServer2008R2",
      "Vendor": "Microsoft",
      "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)",
      "ReleaseDate": 1279040400.0,
      "MsrcClassification": "Important",
      "Language": "All",
      "KbNumber": "KB2032276",
      "MsrcNumber": "MS10-043",
      "Id": "8692029b-a3a2-4a87-a73b-8ea881b4b4d6"
    },
    {
      "ContentUrl": "https://support.microsoft.com/en-us/kb/2124261",
      "ProductFamily": "Windows",
      "Product": "Windows7",
      "Vendor": "Microsoft",
      "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Windows 7 (KB2124261)",
      "ReleaseDate": 1284483600.0,
      "MsrcClassification": "Important",
      "Language": "All",
      "KbNumber": "KB2124261",
      "MsrcNumber": "MS10-065",
      "Id": "12ef1bed-0dd2-4633-b3ac-60888aa8ba33"
    }
---output truncated---

Tag a patch baseline

aws ssm add-tags-to-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081" --tags "Key=Project,Value=Testing"

List the tags for a patch baseline

aws ssm list-tags-for-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081"

Remove a tag from a patch baseline

aws ssm remove-tags-from-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081" --tag-keys "Project"

Get patch summary states per instance

The per-instance summary gives you, for each instance, the number of patches in each of the following states: "NotApplicable", "Missing", "Failed", "InstalledOther" and "Installed".

aws ssm describe-instance-patch-states --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9 i-0a00def7faa94f1c i-0fff3aab684d01b23

The system returns information like the following.

{
  "InstancePatchStates": [
    {
      "OperationStartTime": "2016-12-09T05:00:00Z",
      "FailedCount": 0,
      "InstanceId": "i-08ee91c0b17045407",
      "OwnerInformation": "",
      "NotApplicableCount": 2077,
      "OperationEndTime": "2016-12-09T05:02:37Z",
      "PatchGroup": "Production",
      "InstalledOtherCount": 186,
      "MissingCount": 7,
      "SnapshotId": "b0e65479-79be-4288-9f88-81c96bc3ed5e",
      "Operation": "Scan",
      "InstalledCount": 72
    },
    {
      "OperationStartTime": "2016-12-09T04:59:09Z",
      "FailedCount": 0,
      "InstanceId": "i-09a618aec652973a9",
      "OwnerInformation": "",
      "NotApplicableCount": 1637,
      "OperationEndTime": "2016-12-09T05:03:57Z",
      "PatchGroup": "Production",
      "InstalledOtherCount": 388,
      "MissingCount": 2,
      "SnapshotId": "b0e65479-79be-4288-9f88-81c96bc3ed5e",
      "Operation": "Scan",
      "InstalledCount": 141
    }
---output truncated---

Get patch compliance details for an instance

aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407

The system returns information like the following.

{
  "NextToken": "--token string truncated--",
  "Patches": [
    {
      "KBId": "KB2919355",
      "Severity": "Critical",
      "Classification": "SecurityUpdates",
      "Title": "Windows 8.1 Update for x64-based Systems (KB2919355)",
      "State": "Installed",
      "InstalledTime": "2014-03-18T12:00:00Z"
    },
    {
      "KBId": "KB2977765",
      "Severity": "Important",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2 x64-based Systems (KB2977765)",
      "State": "Installed",
      "InstalledTime": "2014-10-15T12:00:00Z"
    },
    {
      "KBId": "KB2978126",
      "Severity": "Important",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 (KB2978126)",
      "State": "Installed",
      "InstalledTime": "2014-11-18T12:00:00Z"
    },
---output truncated---
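The two compliance commands above (describe-instance-patch-states and describe-instance-patches) are the ones a defender polls to find hosts that are out of policy. The following Python is an added example, not AWS code: it triages the JSON those commands print (constructed samples embedded inline, shaped like the documented output), flags instances with missing or failed patches or with a stale last scan, and lists the Missing patches of a given severity. The 7-day staleness threshold and the KB0000001/KB0000002 entries are assumptions made for the sample.

```python
"""Offline triage of Patch Manager compliance output (added example, not AWS code).
Reads the JSON printed by `aws ssm describe-instance-patch-states` and
`aws ssm describe-instance-patches` and reports what needs attention."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of describe-instance-patch-states output.
STATES_JSON = """{"InstancePatchStates": [
  {"InstanceId": "i-08ee91c0b17045407", "PatchGroup": "Production", "Operation": "Scan",
   "OperationEndTime": "2016-12-09T05:02:37Z", "MissingCount": 7, "FailedCount": 0,
   "InstalledCount": 72, "InstalledOtherCount": 186, "NotApplicableCount": 2077},
  {"InstanceId": "i-09a618aec652973a9", "PatchGroup": "Production", "Operation": "Scan",
   "OperationEndTime": "2016-12-09T05:03:57Z", "MissingCount": 0, "FailedCount": 0,
   "InstalledCount": 141, "InstalledOtherCount": 388, "NotApplicableCount": 1637}]}"""

# Constructed sample in the shape of describe-instance-patches output; the
# KB0000001/KB0000002 entries are placeholders, not real Microsoft KB numbers.
PATCHES_JSON = """{"Patches": [
  {"KBId": "KB2919355", "Severity": "Critical", "Classification": "SecurityUpdates", "State": "Installed"},
  {"KBId": "KB0000001", "Severity": "Critical", "Classification": "SecurityUpdates", "State": "Missing"},
  {"KBId": "KB0000002", "Severity": "Moderate", "Classification": "Updates", "State": "Missing"}]}"""

def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps the CLI prints (e.g. 2016-12-09T05:02:37Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage_instances(states_json, now, max_scan_age_days=7):
    """Map InstanceId -> reasons for every instance with missing or failed patches,
    or whose last Scan/Install finished more than max_scan_age_days ago (a stale
    scan means the compliance counts themselves cannot be trusted)."""
    findings = {}
    for s in json.loads(states_json)["InstancePatchStates"]:
        reasons = []
        if s.get("MissingCount", 0) > 0:
            reasons.append(f"{s['MissingCount']} missing")
        if s.get("FailedCount", 0) > 0:
            reasons.append(f"{s['FailedCount']} failed")
        age = now - parse_time(s["OperationEndTime"])
        if age > timedelta(days=max_scan_age_days):
            reasons.append(f"last {s['Operation']} {age.days} days ago")
        if reasons:
            findings[s["InstanceId"]] = reasons
    return findings

def missing_by_severity(patches_json, severities=("Critical", "Important")):
    """KB IDs reported as Missing whose Severity is in `severities`, sorted."""
    return sorted(p["KBId"] for p in json.loads(patches_json)["Patches"]
                  if p["State"] == "Missing" and p["Severity"] in severities)

if __name__ == "__main__":
    now = parse_time("2016-12-10T00:00:00Z")  # pretend "today" for the sample data
    print(json.dumps(triage_instances(STATES_JSON, now), indent=2))
    print(missing_by_severity(PATCHES_JSON))
```

In practice, pipe `aws ssm describe-instance-patch-states --instance-ids ... --output json` into the script instead of the embedded sample, and page through NextToken for large fleets.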