合規演練 (AWS CLI) - AWS Systems Manager

合規演練 (AWS CLI)

以下程序逐步引導您使用 AWS Command Line Interface (AWS CLI) 來呼叫 AWS Systems Manager PutComplianceItems API 動作,進而指派自訂的合規中繼資料到資源。您也可以使用此 API 操作,手動將修補程式或關聯合規中繼資料指派到執行個體,如以下演練中所示。如需自訂合規的詳細資訊,請參閱 關於自訂合規

將自訂合規中繼資料指派給受管執行個體 (AWS CLI)

  1. 如果您尚未安裝並設定 AWS Command Line Interface (AWS CLI),請進行相應的操作。

    如需相關資訊,請參閱安裝或升級 AWS 命令列工具

  2. 執行以下命令,將自訂合規中繼資料指派給執行個體。唯一支援的資源類型為 ManagedInstance

    Linux & macOS
    aws ssm put-compliance-items \ --resource-id instance_ID \ --resource-type ManagedInstance \ --compliance-type Custom:user-defined_string \ --execution-summary ExecutionTime=user-defined_time_and/or_date_value \ --items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
    Windows
    aws ssm put-compliance-items ^ --resource-id instance_ID ^ --resource-type ManagedInstance ^ --compliance-type Custom:user-defined_string ^ --execution-summary ExecutionTime=user-defined_time_and/or_date_value ^ --items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
  3. 重複之前的步驟,以指派更多自訂合規中繼資料到一個以上的執行個體。您也可以使用下列命令,手動指派修補程式或關聯合規中繼資料到受管執行個體:

    關聯合規中繼資料

    Linux & macOS
    aws ssm put-compliance-items \ --resource-id instance_ID \ --resource-type ManagedInstance \ --compliance-type Association \ --execution-summary ExecutionTime=user-defined_time_and/or_date_value \ --items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
    Windows
    aws ssm put-compliance-items ^ --resource-id instance_ID ^ --resource-type ManagedInstance ^ --compliance-type Association ^ --execution-summary ExecutionTime=user-defined_time_and/or_date_value ^ --items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT

    修補程式合規中繼資料

    Linux & macOS
    aws ssm put-compliance-items \ --resource-id instance_ID \ --resource-type ManagedInstance \ --compliance-type Patch \ --execution-summary ExecutionTime=user-defined_time_and/or_date_value,ExecutionId=user-defined_ID,ExecutionType=Command \ --items Id=for_example, KB12345,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT,Details="{PatchGroup=name_of_group,PatchSeverity=the_patch_severity, for example, CRITICAL}"
    Windows
    aws ssm put-compliance-items ^ --resource-id instance_ID ^ --resource-type ManagedInstance ^ --compliance-type Patch ^ --execution-summary ExecutionTime=user-defined_time_and/or_date_value,ExecutionId=user-defined_ID,ExecutionType=Command ^ --items Id=for_example, KB12345,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT,Details="{PatchGroup=name_of_group,PatchSeverity=the_patch_severity, for example, CRITICAL}"
  4. 執行以下命令來檢視特定受管執行個體的合規項目清單。使用篩選條件來深入檢視特定的合規資料。

    Linux & macOS
    aws ssm list-compliance-items \ --resource-ids instance_ID \ --resource-types ManagedInstance \ --filters one_or_more_filters
    Windows
    aws ssm list-compliance-items ^ --resource-ids instance_ID ^ --resource-types ManagedInstance ^ --filters one_or_more_filters

    以下範例說明如何搭配篩選條件使用此命令。

    Linux & macOS
    aws ssm list-compliance-items \ --resource-ids i-02573cafcfEXAMPLE \ --resource-type ManagedInstance \ --filters Key=DocumentName,Values=AWS-RunPowerShellScript Key=Status,Values=NON_COMPLIANT,Type=NotEqual Key=Id,Values=cee20ae7-6388-488e-8be1-a88ccEXAMPLE Key=Severity,Values=UNSPECIFIED
    Windows
    aws ssm list-compliance-items ^ --resource-ids i-02573cafcfEXAMPLE ^ --resource-type ManagedInstance ^ --filters Key=DocumentName,Values=AWS-RunPowerShellScript Key=Status,Values=NON_COMPLIANT,Type=NotEqual Key=Id,Values=cee20ae7-6388-488e-8be1-a88ccEXAMPLE Key=Severity,Values=UNSPECIFIED
    Linux & macOS
    aws ssm list-resource-compliance-summaries \ --filters Key=OverallSeverity,Values=UNSPECIFIED
    Windows
    aws ssm list-resource-compliance-summaries ^ --filters Key=OverallSeverity,Values=UNSPECIFIED
    Linux & macOS
    aws ssm list-resource-compliance-summaries \ --filters Key=OverallSeverity,Values=UNSPECIFIED Key=ComplianceType,Values=Association Key=InstanceId,Values=i-02573cafcfEXAMPLE
    Windows
    aws ssm list-resource-compliance-summaries ^ --filters Key=OverallSeverity,Values=UNSPECIFIED Key=ComplianceType,Values=Association Key=InstanceId,Values=i-02573cafcfEXAMPLE
  5. 執行下列命令以檢視合規狀態摘要。使用篩選條件來深入檢視特定的合規資料。

    aws ssm list-resource-compliance-summaries --filters One or more filters.

    以下範例說明如何搭配篩選條件使用此命令。

    Linux & macOS
    aws ssm list-resource-compliance-summaries \ --filters Key=ExecutionType,Values=Command
    Windows
    aws ssm list-resource-compliance-summaries ^ --filters Key=ExecutionType,Values=Command
    Linux & macOS
    aws ssm list-resource-compliance-summaries \ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=OverallSeverity,Values=CRITICAL
    Windows
    aws ssm list-resource-compliance-summaries ^ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=OverallSeverity,Values=CRITICAL
  6. 執行以下命令以檢視合規類型的合規與不合規資源計數摘要。使用篩選條件來深入檢視特定的合規資料。

    aws ssm list-compliance-summaries --filters One or more filters.

    以下範例說明如何搭配篩選條件使用此命令。

    Linux & macOS
    aws ssm list-compliance-summaries \ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=PatchGroup,Values=TestGroup
    Windows
    aws ssm list-compliance-summaries ^ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=PatchGroup,Values=TestGroup
    Linux & macOS
    aws ssm list-compliance-summaries \ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=ExecutionId,Values=4adf0526-6aed-4694-97a5-14522EXAMPLE
    Windows
    aws ssm list-compliance-summaries ^ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=ExecutionId,Values=4adf0526-6aed-4694-97a5-14522EXAMPLE