Identifying noncompliant managed nodes

Out-of-compliance managed nodes are identified when either of two AWS Systems Manager documents (SSM documents) are run. These SSM documents reference the appropriate patch baseline for each managed node in Patch Manager, a capability of AWS Systems Manager. They then evaluate the patch state of the managed node and then make compliance results available to you.

There are two SSM documents that are used to identify or update noncompliant managed nodes: AWS-RunPatchBaseline and AWS-RunPatchBaselineAssociation. Each one is used by different processes, and their compliance results are available through different channels. The following table outlines the differences between these documents.

Note

Patch compliance data from Patch Manager can be sent to AWS Security Hub. Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status. It also monitors the patching status of your fleet. For more information, see Integrating Patch Manager with AWS Security Hub.

	`AWS-RunPatchBaseline`	`AWS-RunPatchBaselineAssociation`
Processes that use the document	Patch on demand - You can scan or patch managed nodes on demand using the Patch now option. For information, see Patching managed nodes on demand. Systems Manager Quick Setup patch policies – You can create a patching configuration in Quick Setup, a capability of AWS Systems Manager, that can scan for or install missing patches on separate schedules for an entire organization, a subset of organizational units, or a single AWS account. For information, see Configure patching for instances in an organization using Quick Setup. Run a command – You can manually run `AWS-RunPatchBaseline` in an operation in Run Command, a capability of AWS Systems Manager. For information, see Running commands from the console. Maintenance window – You can create a maintenance window that uses the SSM document `AWS-RunPatchBaseline` in a Run Command task type. For information, see Tutorial: Create a maintenance window for patching using the console.	Systems Manager Quick Setup Host Management – You can enable a Host Management configuration option in Quick Setup to scan your managed instances for patch compliance each day. For information, see Set up Amazon EC2 host management using Quick Setup. Systems Manager Explorer – When you allow Explorer, a capability of AWS Systems Manager, it regularly scans your managed instances for patch compliance and reports results in the Explorer dashboard.
Format of the patch scan result data	After `AWS-RunPatchBaseline` runs, Patch Manager sends an `AWS:PatchSummary` object to Inventory, a capability of AWS Systems Manager.	After `AWS-RunPatchBaselineAssociation` runs, Patch Manager sends an `AWS:ComplianceItem` object to Systems Manager Inventory.
Viewing patch compliance reports in the console	You can view patch compliance information for processes that use `AWS-RunPatchBaseline` in Systems Manager Configuration Compliance and Working with managed nodes. For more information, see Viewing patch compliance results.	If you use Quick Setup to scan your managed instances for patch compliance, you can see the compliance report in Systems Manager Fleet Manager. In the Fleet Manager console, choose the node ID of your managed node. In the General menu, choose Configuration compliance. If you use Explorer to scan your managed instances for patch compliance, you can see the compliance report in both Explorer and Systems Manager OpsCenter.
AWS CLI commands for viewing patch compliance results	For processes that use `AWS-RunPatchBaseline`, you can use the following AWS CLI commands to view summary information about patches on a managed node. describe-instance-patch-states describe-instance-patch-states-for-patch-group describe-patch-group-state	For processes that use `AWS-RunPatchBaselineAssociation`, you can use the following AWS CLI command to view summary information about patches on an instance. list-compliance-items
Patching operations	For processes that use `AWS-RunPatchBaseline`, you specify whether you want the operation to run a `Scan` operation only, or a `Scan and install` operation. If your goal is to identify noncompliant managed nodes and not remediate them, run only a `Scan` operation.	Quick Setup and Explorer processes, which use `AWS-RunPatchBaselineAssociation`, run only a `Scan` operation.
More info	SSM Command document for patching: AWS-RunPatchBaseline	SSM Command document for patching: AWS-RunPatchBaselineAssociation

For information about the various patch compliance states you might see reported, see Patch compliance state values

For information about remediating managed nodes that are out of patch compliance, see Patching noncompliant managed nodes.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Remediating noncompliant managed nodes

Patch compliance state values