AWS Systems Manager
User Guide

Create a Default Patch Baseline

Patch Manager includes a predefined default patch baseline for each operating system it supports. You can use these AWS-provided baselines as they are (they can't be modified), or you can create your own baseline and register it as the default for that operating system. The following procedures describe how to review the predefined baselines to see whether their approval rules meet your needs, and how to create a custom baseline and set it as the default. To learn more about patch baselines, see Default and Custom Patch Baselines.

Depending on the service you are using, AWS Systems Manager or Amazon EC2 Systems Manager, use one of the following procedures:

To create a default patch baseline (AWS Systems Manager)

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose Patch Manager.

    -or-

    If the AWS Systems Manager home page opens first, choose the menu icon ( ) to open the navigation pane, and then choose Patch Manager.

  3. In the patch baselines list, choose the name of a patch baseline for the operating system you want to patch.

  4. Choose the Approval rules tab.

    If the auto-approval rules are acceptable for your instances, then you can skip to the next procedure, Create a Patch Group.

    -or-

    To create your own default patch baseline, in the navigation pane, choose Patch Manager, and then choose Create patch baseline.

  5. In the Name field, enter a name for your new patch baseline, for example, RHEL-Default.

  6. (Optional) Enter a description for this patch baseline.

  7. In the Operating system list, choose an operating system, for example, Red Hat Enterprise Linux.

  8. In the Approval rules section, use the fields to create one or more auto-approval rules.

    • Product: The version of the operating system the approval rule applies to, such as RedhatEnterpriseLinux7.4. The default selection is All.

    • Classification: The type of patches the approval rule applies to, such as Security. The default selection is All.

    • Severity: The severity value of patches the rule is to apply to, such as Critical. The default selection is All.

    • Auto approval delay: The number of days to wait after a patch is released before a patch is automatically approved. You can enter any integer from zero (0) to 100.

    • (Optional) Compliance level: The severity level you want to assign to patches approved by the baseline, such as High.

      Note

      If an approved patch is reported as missing, the option you choose in Compliance level, such as Critical or Medium, determines the severity of the compliance violation.

    • (Linux only) Include non-security updates: Select the check box to install non-security patches made available in the source repository, in addition to the security-related patches.

      Note

      For SUSE Linux Enterprise Server, it isn't necessary to select the check box because patches for security and non-security issues are installed by default on SLES instances. For more information, see the content for SLES in How Security Patches Are Selected.

    For more information about working with approval rules in a custom patch baseline, see Custom Baselines.

  9. If you want to explicitly approve any patches in addition to those meeting your approval rules, do the following in the Patch exceptions section:

    • In the Approved patches box, enter a comma-separated list of the patches you want to approve.

      Note

      For information about accepted formats for lists of approved patches and rejected patches, see About Package Name Formats for Approved and Rejected Patch Lists.

    • (Optional) In the Approved patches compliance level list, assign a compliance level to the patches in the list.

    • If any approved patches you specify aren't related to security, select the Approved patches include non-security updates box for these patches to be installed as well. Applies to Linux instances only.

  10. If you want to explicitly reject any patches that otherwise meet your approval rules, do the following in the Patch exceptions section:

    • In the Rejected patches box, enter a comma-separated list of the patches you want to reject.

      Note

      For information about accepted formats for lists of approved patches and rejected patches, see About Package Name Formats for Approved and Rejected Patch Lists.

    • In the Rejected patches action list, select the action for Patch Manager to take on patches included in the Rejected patches list.

      • Allow as dependency: A package in the Rejected patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline and its status is reported as InstalledOther. This is the default action if no option is specified.

      • Block: Packages in the Rejected patches list, and packages that include them as dependencies, are not installed under any circumstances. If a package was installed before it was added to the Rejected patches list, it is considered non-compliant with the patch baseline and its status is reported as InstalledRejected.

  11. (Optional) For Linux instances only: If you want to specify alternative patch repositories for different versions of an operating system, such as AmazonLinux2016.03 and AmazonLinux2017.09, do the following for each product in the Patch sources section:

    • In Name, enter a name to help you identify the source configuration.

    • In Product, select the version of the operating system the patch source repository is for, such as RedhatEnterpriseLinux7.4.

    • In Configuration, enter the value of the yum repository configuration to use. For example:

      [main]
      cachedir=/var/cache/yum/$basearch/$releasever
      keepcache=0
      debuglevel=2

      These options belong to the yum [main] section; the repository itself is defined in one or more [repo-id] sections (baseurl or mirrorlist, enabled, gpgcheck, gpgkey) that follow them. Keep gpgcheck=1 so that packages pulled from the alternative repository are still signature-verified before installation.

      Choose Add another source to specify a source repository for each additional operating system version, up to a maximum of 20.

      For more information about alternative source patch repositories, see How to Specify an Alternative Patch Source Repository (Linux).

  12. Choose Create patch baseline.

  13. In the list of patch baselines, choose the baseline you want to set as the default.

  14. Choose Actions, and then choose Set default patch baseline.

  15. Verify details in the Set default patch baseline confirmation dialog, and then choose Set default.
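The same baseline built from the command line, as an added example that is not part of the AWS guide: it walks the procedure above with the AWS CLI instead of the console, from listing the predefined baselines through creating the custom one and registering it as the default. The CLI options and API field names are the real ones; the baseline name, description, approved and rejected package names, repository name and mirror URL are placeholders chosen for illustration, and credentials and region are assumed to come from the environment.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS guide): CLI equivalent of the console procedure.
# Assumptions: AWS credentials/region are set in the environment; baseline name,
# package names, repo name and mirror URL below are illustrative placeholders.
set -eu

OS="REDHAT_ENTERPRISE_LINUX"   # --operating-system value for "Red Hat Enterprise Linux"

# Steps 3-4: list the AWS-provided (non-editable) baselines for this OS and see
# which one is currently the default, before deciding whether a custom one is needed.
show_aws_baselines() {
  aws ssm describe-patch-baselines \
    --filters "Key=OWNER,Values=AWS" "Key=OPERATING_SYSTEM,Values=$OS" \
    --query 'BaselineIdentities[].[BaselineId,BaselineName,DefaultBaseline]' \
    --output table
}

# Step 8: one auto-approval rule. Security patches rated Critical or Important for
# RHEL 7.4 are approved 7 days after release. ComplianceLevel HIGH means a missing
# approved patch is reported as a HIGH-severity compliance violation.
# EnableNonSecurity=false keeps this rule to security patches only.
approval_rules() {
  cat <<'EOF'
{"PatchRules":[{
  "PatchFilterGroup":{"PatchFilters":[
    {"Key":"PRODUCT","Values":["RedhatEnterpriseLinux7.4"]},
    {"Key":"CLASSIFICATION","Values":["Security"]},
    {"Key":"SEVERITY","Values":["Critical","Important"]}]},
  "ComplianceLevel":"HIGH","ApproveAfterDays":7,"EnableNonSecurity":false}]}
EOF
}

# Step 11: an alternative yum repository for one product. Configuration is a complete
# yum config with "\n" line breaks embedded in the JSON string. gpgcheck stays on so
# packages from the mirror are signature-verified; the baseurl is a placeholder and
# gpgkey points at the stock RHEL release key location.
patch_sources() {
  cat <<'EOF'
[{"Name":"rhel74-internal-mirror","Products":["RedhatEnterpriseLinux7.4"],
  "Configuration":"[main]\ncachedir=/var/cache/yum/$basearch/$releasever\nkeepcache=0\ndebuglevel=2\n[rhel74-internal]\nname=RHEL 7.4 internal mirror (placeholder)\nbaseurl=https://repo.example.internal/rhel/7.4/$basearch\nenabled=1\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n"}]
EOF
}

# Steps 5-12: create the baseline. Rejected patches use BLOCK instead of the default
# ALLOW_AS_DEPENDENCY, so a rejected package is never installed, not even as a
# dependency, and is reported InstalledRejected if it was already present.
create_baseline() {
  aws ssm create-patch-baseline \
    --name "RHEL-Default" \
    --description "Custom default baseline for RHEL 7.4 (example)" \
    --operating-system "$OS" \
    --approval-rules "$(approval_rules)" \
    --approved-patches "openssl" "openssl-libs" \
    --approved-patches-compliance-level MEDIUM \
    --approved-patches-enable-non-security \
    --rejected-patches "kernel*" \
    --rejected-patches-action BLOCK \
    --sources "$(patch_sources)" \
    --query BaselineId --output text
}

# Steps 13-15: register the new baseline as the account default for this OS, then
# read the default back to confirm the registration took effect.
register_default() {
  id="$1"
  aws ssm register-default-patch-baseline --baseline-id "$id" >/dev/null
  now="$(aws ssm get-default-patch-baseline --operating-system "$OS" \
          --query BaselineId --output text)"
  [ "$now" = "$id" ] || { echo "default is $now, expected $id" >&2; return 1; }
  echo "default $OS baseline is now $id"
}

# Nothing touches AWS unless explicitly requested:  ./baseline.sh --apply
if [ "${1:-}" = "--apply" ]; then
  show_aws_baselines
  id="$(create_baseline)"
  register_default "$id"
fi
```

Creating the baseline and making it the default are two separate API calls; a custom baseline that is never passed to register-default-patch-baseline is only used by patch groups that explicitly reference it. The second console procedure below (Amazon EC2 Systems Manager) ends in the same two calls.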

To create a default patch baseline (Amazon EC2 Systems Manager)

  1. Open the Amazon EC2 console, expand Systems Manager Services in the navigation pane, and then choose Patch Baselines.

  2. In the patch baselines list, choose a patch baseline for the operating system you want to patch.

    Note

    If the Welcome to EC2 Systems Manager - Patch Baselines page appears, choose Create Patch Baseline. When the Create patch baseline page appears, choose the back button in your browser to view the list of patch baselines.

  3. With a default baseline selected, choose the Approval Rules tab. If the auto-approval rules are acceptable for your instances, then you can skip to the next procedure, Create a Patch Group.

  4. To create your own default patch baseline, choose Create Patch Baseline.

  5. In the Name field, enter a name for your new patch baseline, for example, RHEL-Default.

  6. (Optional) Enter a description for this patch baseline.

  7. In the Operating System field, choose an operating system, for example, RedhatEnterpriseLinux.

  8. In the Approval Rules section, use the fields to create one or more auto-approval rules.

    Note

    If an approved patch is reported as missing, the option you choose in Compliance level, such as Critical or Medium, determines the severity of the compliance violation.

  9. (Optional) In the Patch Exceptions section, enter comma-separated lists of patches you want to explicitly approve and reject for the baseline. For approved patches, choose a corresponding compliance severity level.

    Note

    For information about accepted formats for lists of approved patches and rejected patches, see About Package Name Formats for Approved and Rejected Patch Lists.

  10. Choose Create Patch Baseline, and then choose Close.

  11. In the list of patch baselines, choose the baseline you want to set as the default.

  12. Choose Actions, and then choose Set Default Patch Baseline.

  13. Verify details in the Set Default Patch Baseline confirmation dialog, and then choose Set Default Patch Baseline.