AWS Systems Manager
用户指南
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 Amazon AWS 入门

Patch Manager 的 AWS CLI 命令

此部分包括您可用于执行 Patch Manager 配置任务的 CLI 命令示例。

有关通过 AWS CLI 使用自定义补丁基准对服务器环境进行修补的说明,请参阅 演练:修补服务器环境 (AWS CLI)

有关使用 CLI 执行 AWS Systems Manager 任务的更多信息,请参阅 AWS Systems Manager section of the AWS CLI Command Reference

创建补丁基准

以下命令将创建一个补丁基准,该补丁基准将在发布 Windows Server 2012 R2 的关键和重要安全更新后 5 天内批准所有这些更新。

aws ssm create-patch-baseline --name "Windows-Server-2012R2" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]" --description "Windows Server 2012 R2, Important and Critical security updates"

系统将返回类似于以下内容的信息。

{ "BaselineId":"pb-0c10e65780EXAMPLE"" }

创建对不同操作系统版本使用自定义存储库的补丁基准

仅适用于 Linux 实例。以下命令显示如何指定要用于特定版本的 Amazon Linux 操作系统的补丁存储库。此示例使用 Amazon Linux 2017.09 上默认启用的源存储库,但可以调整为您为实例配置的不同源存储库。

注意

为了更好地演示此更为复杂的命令,我们使用 -cli-input-json 选项与存储在外部 JSON 文件中的其他选项。

  1. 创建一个名称类似于 my-patch-repository.json 的 JSON 文件并将以下内容添加到其中:

    { "Description": "My patch repository for Amazon Linux 2017.09", "Name": "Amazon-Linux-2017.09", "OperatingSystem": "AMAZON_LINUX", "ApprovalRules": { "PatchRules": [ { "ApproveAfterDays": 7, "EnableNonSecurity": true, "PatchFilterGroup": { "PatchFilters": [ { "Key": "SEVERITY", "Values": [ "Important", "Critical" ] }, { "Key": "CLASSIFICATION", "Values": [ "Security", "Bugfix" ] }, { "Key": "PRODUCT", "Values": [ "AmazonLinux2017.09" ] } ] } } ] }, "Sources": [ { "Name": "My-AL2017.09", "Products": [ "AmazonLinux2017.09" ], "Configuration": "[amzn-main] \nname=amzn-main-Base\nmirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list //nmirrorlist_expire=300//nmetadata_expire=300 \npriority=10 \nfailovermethod=priority \nfastestmirror_enabled=0 \ngpgcheck=1 \ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga \nenabled=1 \nretries=3 \ntimeout=5\nreport_instanceid=yes" } ] }
  2. 在保存文件的目录中,键入以下命令:

    aws ssm create-patch-baseline --cli-input-json file://my-patch-repository.json

    系统将返回类似于以下内容的信息:

    { "BaselineId": "pb-12343b962ba63wxya" }

更新补丁基准

以下命令将两个带已拒绝状态的补丁和一个带已批准状态的补丁添加到现有补丁基准。

注意

有关批准的修补程序和拒绝的修补程序列表的接受格式的信息,请参阅 已批准补丁和已拒绝补丁列表的程序包名称格式

aws ssm update-patch-baseline --baseline-id pb-0c10e65780EXAMPLE" --rejected-patches "KB2032276" "MS10-048" --approved-patches "KB2124261"

系统将返回类似于以下内容的信息。

{ "BaselineId":"pb-0c10e65780EXAMPLE"", "Name":"Windows-Server-2012R2", "RejectedPatches":[ "KB2032276", "MS10-048" ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1481001494.035, "CreatedDate":1480997823.81, "ApprovedPatches":[ "KB2124261" ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }

重命名补丁基准

aws ssm update-patch-baseline --baseline-id pb-0c10e65780EXAMPLE" --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"

系统将返回类似于以下内容的信息。

{ "BaselineId":"pb-0c10e65780EXAMPLE"", "Name":"Windows-Server-2012-R2-Important-and-Critical-Security-Updates", "RejectedPatches":[ "KB2032276", "MS10-048" ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1481001795.287, "CreatedDate":1480997823.81, "ApprovedPatches":[ "KB2124261" ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }

删除补丁基准

aws ssm delete-patch-baseline --baseline-id "pb-0c10e65780EXAMPLE""

系统将返回类似于以下内容的信息。

{ "BaselineId":"pb-0c10e65780EXAMPLE"" }

列出所有补丁基准

aws ssm describe-patch-baselines

系统将返回类似于以下内容的信息。

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"" }, { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-0c10e65780EXAMPLE"" } ] }

以下是另一个命令,该命令将列出区域中的所有补丁基准。

aws ssm describe-patch-baselines --region us-east-2 --filters "Key=OWNER,Values=[All]"

系统将返回类似于以下内容的信息。

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"" }, { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-0c10e65780EXAMPLE"" } ] }

列出所有 AWS 提供的补丁基准

aws ssm describe-patch-baselines --region us-east-2 --filters "Key=OWNER,Values=[AWS]"

系统将返回类似于以下内容的信息。

{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"" } ] }

列出我的补丁基准

aws ssm describe-patch-baselines --region us-east-2 --filters "Key=OWNER,Values=[Self]"

系统将返回类似于以下内容的信息。

{ "BaselineIdentities":[ { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-0c10e65780EXAMPLE"" } ] }

显示补丁基准

aws ssm get-patch-baseline --baseline-id pb-0c10e65780EXAMPLE"

系统将返回类似于以下内容的信息。

{ "BaselineId":"pb-0c10e65780EXAMPLE"", "Name":"Windows-Server-2012R2", "PatchGroups":[ "Web Servers" ], "RejectedPatches":[ ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1480997823.81, "CreatedDate":1480997823.81, "ApprovedPatches":[ ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }

获取默认补丁基准

aws ssm get-default-patch-baseline --region us-east-2

系统将返回类似于以下内容的信息。

{ "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"" }

设置默认补丁基准

aws ssm register-default-patch-baseline --region us-east-2 --baseline-id "pb-0c10e65780EXAMPLE""
{ "BaselineId":"pb-0c10e65780EXAMPLE"" }

将补丁组“Web 服务器”注册到补丁基准

aws ssm register-patch-baseline-for-patch-group --baseline-id "pb-0c10e65780EXAMPLE"" --patch-group "Web Servers"

系统将返回类似于以下内容的信息。

{ "PatchGroup":"Web Servers", "BaselineId":"pb-0c10e65780EXAMPLE"" }

将补丁组“后端”注册到 AWS 提供的补丁基准

aws ssm register-patch-baseline-for-patch-group --region us-east-2 --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"" --patch-group "Backend"

系统将返回类似于以下内容的信息。

{ "PatchGroup":"Backend", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"" }

显示补丁组注册

aws ssm describe-patch-groups --region us-east-2

系统将返回类似于以下内容的信息。

{ "PatchGroupPatchBaselineMappings":[ { "PatchGroup":"Backend", "BaselineIdentity":{ "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":false, "BaselineDescription":"Default Patch Baseline Provided by AWS.", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"" } }, { "PatchGroup":"Web Servers", "BaselineIdentity":{ "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":true, "BaselineDescription":"Windows Server 2012 R2, Important and Critical updates", "BaselineId":"pb-0c10e65780EXAMPLE"" } } ] }

从补丁基准取消注册补丁组

aws ssm deregister-patch-baseline-for-patch-group --region us-east-2 --patch-group "Production" --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE""

系统将返回类似于以下内容的信息。

{ "PatchGroup":"Production", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"" }

获取补丁基准定义的所有补丁

aws ssm describe-effective-patches-for-patch-baseline --region us-east-2 --baseline-id "pb-0c10e65780EXAMPLE""

系统将返回类似于以下内容的信息。

{ "NextToken":"--token string truncated--", "EffectivePatches":[ { "PatchStatus":{ "ApprovalDate":1384711200.0, "DeploymentStatus":"APPROVED" }, "Patch":{ "ContentUrl":"https://support.microsoft.com/en-us/kb/2876331", "ProductFamily":"Windows", "Product":"WindowsServer2012R2", "Vendor":"Microsoft", "Description":"A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2012 R2 Preview (KB2876331)", "ReleaseDate":1384279200.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2876331", "MsrcNumber":"MS13-089", "Id":"e74ccc76-85f0-4881-a738-59e9fc9a336d" } }, { "PatchStatus":{ "ApprovalDate":1428858000.0, "DeploymentStatus":"APPROVED" }, "Patch":{ "ContentUrl":"https://support.microsoft.com/en-us/kb/2919355", "ProductFamily":"Windows", "Product":"WindowsServer2012R2", "Vendor":"Microsoft", "Description":"Windows Server 2012 R2 Update is a cumulative set of security updates, critical updates and updates. You must install Windows Server 2012 R2 Update to ensure that your computer can continue to receive future Windows Updates, including security updates. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.", "Classification":"SecurityUpdates", "Title":"Windows Server 2012 R2 Update (KB2919355)", "ReleaseDate":1428426000.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2919355", "MsrcNumber":"MS14-018", "Id":"8452bac0-bf53-4fbd-915d-499de08c338b" } } ---output truncated---

获取所有 MSRC 严重性为“关键”的适用于 Windows Server 2012 的补丁

aws ssm describe-available-patches --region us-east-2 --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical

系统将返回类似于以下内容的信息。

{ "Patches":[ { "ContentUrl":"https://support.microsoft.com/en-us/kb/2727528", "ProductFamily":"Windows", "Product":"WindowsServer2012", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2012 (KB2727528)", "ReleaseDate":1352829600.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2727528", "MsrcNumber":"MS12-072", "Id":"1eb507be-2040-4eeb-803d-abc55700b715" }, { "ContentUrl":"https://support.microsoft.com/en-us/kb/2729462", "ProductFamily":"Windows", "Product":"WindowsServer2012", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)", "ReleaseDate":1352829600.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2729462", "MsrcNumber":"MS12-074", "Id":"af873760-c97c-4088-ab7e-5219e120eab4" } ---output truncated---

获取所有可用补丁

aws ssm describe-available-patches --region us-east-2

系统将返回类似于以下内容的信息。

{ "NextToken":"--token string truncated--", "Patches":[ { "ContentUrl":"https://support.microsoft.com/en-us/kb/2032276", "ProductFamily":"Windows", "Product":"WindowsServer2008R2", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)", "ReleaseDate":1279040400.0, "MsrcClassification":"Important", "Language":"All", "KbNumber":"KB2032276", "MsrcNumber":"MS10-043", "Id":"8692029b-a3a2-4a87-a73b-8ea881b4b4d6" }, { "ContentUrl":"https://support.microsoft.com/en-us/kb/2124261", "ProductFamily":"Windows", "Product":"Windows7", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows 7 (KB2124261)", "ReleaseDate":1284483600.0, "MsrcClassification":"Important", "Language":"All", "KbNumber":"KB2124261", "MsrcNumber":"MS10-065", "Id":"12ef1bed-0dd2-4633-b3ac-60888aa8ba33" } ---output truncated---

标记补丁基准

aws ssm add-tags-to-resource --resource-type "PatchBaseline" --resource-id "pb-0c10e65780EXAMPLE"" --tags "Key=Project,Value=Testing"

列出补丁基准的标签

aws ssm list-tags-for-resource --resource-type "PatchBaseline" --resource-id "pb-0c10e65780EXAMPLE""

从补丁基准删除标签

aws ssm remove-tags-from-resource --resource-type "PatchBaseline" --resource-id "pb-0c10e65780EXAMPLE"" --tag-keys "Project"

获取每个实例的修补摘要状态

每个实例的摘要将为您提供每个实例中具有以下状态的大量补丁:“NotApplicable”、“Missing”、“Failed”、“InstalledOther”和“Installed”。

aws ssm describe-instance-patch-states --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9 i-0a00def7faa94f1c i-0fff3aab684d01b23

系统将返回类似于以下内容的信息。

{ "InstancePatchStates":[ { "OperationStartTime":"2016-12-09T05:00:00Z", "FailedCount":0, "InstanceId":"i-08ee91c0b17045407", "OwnerInformation":"", "NotApplicableCount":2077, "OperationEndTime":"2016-12-09T05:02:37Z", "PatchGroup":"Production", "InstalledOtherCount":186, "MissingCount":7, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":72 }, { "OperationStartTime":"2016-12-09T04:59:09Z", "FailedCount":0, "InstanceId":"i-09a618aec652973a9", "OwnerInformation":"", "NotApplicableCount":1637, "OperationEndTime":"2016-12-09T05:03:57Z", "PatchGroup":"Production", "InstalledOtherCount":388, "MissingCount":2, "SnapshotId":"b0e65479-79be-4288-9f88-81c96bc3ed5e", "Operation":"Scan", "InstalledCount":141 } ---output truncated---

获取实例的补丁合规性详细信息

aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407

系统将返回类似于以下内容的信息。

{ "NextToken":"--token string truncated--", "Patches":[ { "KBId":"KB2919355", "Severity":"Critical", "Classification":"SecurityUpdates", "Title":"Windows 8.1 Update for x64-based Systems (KB2919355)", "State":"Installed", "InstalledTime":"2014-03-18T12:00:00Z" }, { "KBId":"KB2977765", "Severity":"Important", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2 x64-based Systems (KB2977765)", "State":"Installed", "InstalledTime":"2014-10-15T12:00:00Z" }, { "KBId":"KB2978126", "Severity":"Important", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 (KB2978126)", "State":"Installed", "InstalledTime":"2014-11-18T12:00:00Z" }, ---output truncated---