使用 Patch Manager (Amazon CLI) - Amazon Systems Manager
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 Patch Manager (Amazon CLI)

此部分包括您可用于为 Patch Manager (Amazon Systems Manager 的一个功能)执行配置任务的 Amazon Command Line Interface (Amazon CLI) 命令的示例。

有关通过 Amazon CLI 使用自定义补丁基准对服务器环境进行修补的说明,请参阅教程:修补服务器环境(Amazon CLI)

有关使用 Amazon CLI 完成 Amazon Systems Manager 任务的更多信息,请参阅Amazon CLI 命令参考的 Amazon Systems Manager 部分

Amazon CLI 命令用于补丁基准

创建补丁基准

以下命令将创建一个补丁基准,该补丁基准将在 Windows Server 2012 R2 的关键和重要安全更新发布 5 天后批准所有这些更新。还为已批准和已拒绝的补丁列表指定了补丁。此外,补丁基准已标记来指示它适用于生产环境。

Linux & macOS
aws ssm create-patch-baseline \ --name "Windows-Server-2012R2" \ --tags "Key=Environment,Value=Production" \ --description "Windows Server 2012 R2, Important and Critical security updates" \ --approved-patches "KB2032276,MS10-048" \ --rejected-patches "KB2124261" \ --rejected-patches-action "ALLOW_AS_DEPENDENCY" \ --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]"
Windows Server
aws ssm create-patch-baseline ^ --name "Windows-Server-2012R2" ^ --tags "Key=Environment,Value=Production" ^ --description "Windows Server 2012 R2, Important and Critical security updates" ^ --approved-patches "KB2032276,MS10-048" ^ --rejected-patches "KB2124261" ^ --rejected-patches-action "ALLOW_AS_DEPENDENCY" ^ --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]"

系统将返回类似于以下内容的信息。

{
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

创建对不同操作系统版本使用自定义存储库的补丁基准

仅适用于 Linux 托管式节点。以下命令显示如何指定要用于特定版本的 Amazon Linux 操作系统的补丁存储库。此示例使用 Amazon Linux 2017.09 上默认启用的源存储库,但可以调整为您为托管式节点配置的不同源存储库。

注意

为了更好地说明这一更为复杂的命令,我们将 --cli-input-json 选项与存储在外部 JSON 文件中的其他选项结合使用。

  1. 创建一个名称类似于 my-patch-repository.json 的 JSON 文件并将以下内容添加到其中。

    { "Description": "My patch repository for Amazon Linux 2017.09", "Name": "Amazon-Linux-2017.09", "OperatingSystem": "AMAZON_LINUX", "ApprovalRules": { "PatchRules": [ { "ApproveAfterDays": 7, "EnableNonSecurity": true, "PatchFilterGroup": { "PatchFilters": [ { "Key": "SEVERITY", "Values": [ "Important", "Critical" ] }, { "Key": "CLASSIFICATION", "Values": [ "Security", "Bugfix" ] }, { "Key": "PRODUCT", "Values": [ "AmazonLinux2017.09" ] } ] } } ] }, "Sources": [ { "Name": "My-AL2017.09", "Products": [ "AmazonLinux2017.09" ], "Configuration": "[amzn-main] \nname=amzn-main-Base\nmirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list //nmirrorlist_expire=300//nmetadata_expire=300 \npriority=10 \nfailovermethod=priority \nfastestmirror_enabled=0 \ngpgcheck=1 \ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga \nenabled=1 \nretries=3 \ntimeout=5\nreport_instanceid=yes" } ] }
  2. 在保存文件的目录中,键入以下命令。

    aws ssm create-patch-baseline --cli-input-json file://my-patch-repository.json

    系统将返回类似于以下内容的信息。

    {
        "BaselineId": "pb-0c10e65780EXAMPLE"
    }

更新补丁基准

以下命令将两个带已拒绝状态的补丁和一个带已批准状态的补丁添加到现有补丁基准。

注意

有关已批准的补丁和已拒绝的补丁列表的已接受格式的信息,请参阅 关于已批准补丁和已拒绝补丁列表的软件包名称格式

Linux & macOS
aws ssm update-patch-baseline \ --baseline-id pb-0c10e65780EXAMPLE \ --rejected-patches "KB2032276" "MS10-048" \ --approved-patches "KB2124261"
Windows Server
aws ssm update-patch-baseline ^ --baseline-id pb-0c10e65780EXAMPLE ^ --rejected-patches "KB2032276" "MS10-048" ^ --approved-patches "KB2124261"

系统将返回类似于以下内容的信息。

{
   "BaselineId":"pb-0c10e65780EXAMPLE",
   "Name":"Windows-Server-2012R2",
   "RejectedPatches":[
      "KB2032276",
      "MS10-048"
   ],
   "GlobalFilters":{
      "PatchFilters":[

      ]
   },
   "ApprovalRules":{
      "PatchRules":[
         {
            "PatchFilterGroup":{
               "PatchFilters":[
                  {
                     "Values":[
                        "Important",
                        "Critical"
                     ],
                     "Key":"MSRC_SEVERITY"
                  },
                  {
                     "Values":[
                        "SecurityUpdates"
                     ],
                     "Key":"CLASSIFICATION"
                  },
                  {
                     "Values":[
                        "WindowsServer2012R2"
                     ],
                     "Key":"PRODUCT"
                  }
               ]
            },
            "ApproveAfterDays":5
         }
      ]
   },
   "ModifiedDate":1481001494.035,
   "CreatedDate":1480997823.81,
   "ApprovedPatches":[
      "KB2124261"
   ],
   "Description":"Windows Server 2012 R2, Important and Critical security updates"
}

重命名补丁基准

Linux & macOS
aws ssm update-patch-baseline \ --baseline-id pb-0c10e65780EXAMPLE \ --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"
Windows Server
aws ssm update-patch-baseline ^ --baseline-id pb-0c10e65780EXAMPLE ^ --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"

系统将返回类似于以下内容的信息。

{
   "BaselineId":"pb-0c10e65780EXAMPLE",
   "Name":"Windows-Server-2012-R2-Important-and-Critical-Security-Updates",
   "RejectedPatches":[
      "KB2032276",
      "MS10-048"
   ],
   "GlobalFilters":{
      "PatchFilters":[

      ]
   },
   "ApprovalRules":{
      "PatchRules":[
         {
            "PatchFilterGroup":{
               "PatchFilters":[
                  {
                     "Values":[
                        "Important",
                        "Critical"
                     ],
                     "Key":"MSRC_SEVERITY"
                  },
                  {
                     "Values":[
                        "SecurityUpdates"
                     ],
                     "Key":"CLASSIFICATION"
                  },
                  {
                     "Values":[
                        "WindowsServer2012R2"
                     ],
                     "Key":"PRODUCT"
                  }
               ]
            },
            "ApproveAfterDays":5
         }
      ]
   },
   "ModifiedDate":1481001795.287,
   "CreatedDate":1480997823.81,
   "ApprovedPatches":[
      "KB2124261"
   ],
   "Description":"Windows Server 2012 R2, Important and Critical security updates"
}

删除补丁基准

aws ssm delete-patch-baseline --baseline-id "pb-0c10e65780EXAMPLE"

系统将返回类似于以下内容的信息。

{
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

列出所有补丁基准

aws ssm describe-patch-baselines

系统将返回类似于以下内容的信息。

{
   "BaselineIdentities":[
      {
         "BaselineName":"AWS-DefaultPatchBaseline",
         "DefaultBaseline":true,
         "BaselineDescription":"Default Patch Baseline Provided by Amazon.",
         "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
      },
      {
         "BaselineName":"Windows-Server-2012R2",
         "DefaultBaseline":false,
         "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates",
         "BaselineId":"pb-0c10e65780EXAMPLE"
      }
   ]
}

以下是另一个命令,该命令将列出 Amazon Web Services 区域 中的所有补丁基准。

Linux & macOS
aws ssm describe-patch-baselines \ --region us-east-2 \ --filters "Key=OWNER,Values=[All]"
Windows Server
aws ssm describe-patch-baselines ^ --region us-east-2 ^ --filters "Key=OWNER,Values=[All]"

系统将返回类似于以下内容的信息。

{
   "BaselineIdentities":[
      {
         "BaselineName":"AWS-DefaultPatchBaseline",
         "DefaultBaseline":true,
         "BaselineDescription":"Default Patch Baseline Provided by Amazon.",
         "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
      },
      {
         "BaselineName":"Windows-Server-2012R2",
         "DefaultBaseline":false,
         "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates",
         "BaselineId":"pb-0c10e65780EXAMPLE"
      }
   ]
}

列出所有 Amazon 提供的补丁基准

Linux & macOS
aws ssm describe-patch-baselines \ --region us-east-2 \ --filters "Key=OWNER,Values=[AWS]"
Windows Server
aws ssm describe-patch-baselines ^ --region us-east-2 ^ --filters "Key=OWNER,Values=[AWS]"

系统将返回类似于以下内容的信息。

{
   "BaselineIdentities":[
      {
         "BaselineName":"AWS-DefaultPatchBaseline",
         "DefaultBaseline":true,
         "BaselineDescription":"Default Patch Baseline Provided by Amazon.",
         "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
      }
   ]
}

列出我的补丁基准

Linux & macOS
aws ssm describe-patch-baselines \ --region us-east-2 \ --filters "Key=OWNER,Values=[Self]"
Windows Server
aws ssm describe-patch-baselines ^ --region us-east-2 ^ --filters "Key=OWNER,Values=[Self]"

系统将返回类似于以下内容的信息。

{
   "BaselineIdentities":[
      {
         "BaselineName":"Windows-Server-2012R2",
         "DefaultBaseline":false,
         "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates",
         "BaselineId":"pb-0c10e65780EXAMPLE"
      }
   ]
}

显示补丁基准

aws ssm get-patch-baseline --baseline-id pb-0c10e65780EXAMPLE
注意

对于自定义补丁基准,您可以指定补丁基准 ID 或完整的 Amazon Resource Name (ARN)。对于 Amazon 提供的补丁基准,必须指定完整 ARN。例如,arn:aws:ssm:us-east-2:075727635805:patchbaseline/pb-0c10e65780EXAMPLE

系统将返回类似于以下内容的信息。

{
   "BaselineId":"pb-0c10e65780EXAMPLE",
   "Name":"Windows-Server-2012R2",
   "PatchGroups":[
      "Web Servers"
   ],
   "RejectedPatches":[

   ],
   "GlobalFilters":{
      "PatchFilters":[

      ]
   },
   "ApprovalRules":{
      "PatchRules":[
         {
            "PatchFilterGroup":{
               "PatchFilters":[
                  {
                     "Values":[
                        "Important",
                        "Critical"
                     ],
                     "Key":"MSRC_SEVERITY"
                  },
                  {
                     "Values":[
                        "SecurityUpdates"
                     ],
                     "Key":"CLASSIFICATION"
                  },
                  {
                     "Values":[
                        "WindowsServer2012R2"
                     ],
                     "Key":"PRODUCT"
                  }
               ]
            },
            "ApproveAfterDays":5
         }
      ]
   },
   "ModifiedDate":1480997823.81,
   "CreatedDate":1480997823.81,
   "ApprovedPatches":[

   ],
   "Description":"Windows Server 2012 R2, Important and Critical security updates"
}

获取默认补丁基准

aws ssm get-default-patch-baseline --region us-east-2

系统将返回类似于以下内容的信息。

{
   "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}

将自定义补丁基准设置为默认基准

Linux & macOS
aws ssm register-default-patch-baseline \ --region us-east-2 \ --baseline-id "pb-0c10e65780EXAMPLE"
Windows Server
aws ssm register-default-patch-baseline ^ --region us-east-2 ^ --baseline-id "pb-0c10e65780EXAMPLE"

系统将返回类似于以下内容的信息。

{
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

将 Amazon 补丁基准重置为默认基准

Linux & macOS
aws ssm register-default-patch-baseline \ --region us-east-2 \ --baseline-id "arn:aws:ssm:us-east-2:123456789012:patchbaseline/pb-0c10e65780EXAMPLE"
Windows Server
aws ssm register-default-patch-baseline ^ --region us-east-2 ^ --baseline-id "arn:aws:ssm:us-east-2:123456789012:patchbaseline/pb-0c10e65780EXAMPLE"

系统将返回类似于以下内容的信息。

{
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

标记补丁基准

Linux & macOS
aws ssm add-tags-to-resource \ --resource-type "PatchBaseline" \ --resource-id "pb-0c10e65780EXAMPLE" \ --tags "Key=Project,Value=Testing"
Windows Server
aws ssm add-tags-to-resource ^ --resource-type "PatchBaseline" ^ --resource-id "pb-0c10e65780EXAMPLE" ^ --tags "Key=Project,Value=Testing"

列出补丁基准的标签

Linux & macOS
aws ssm list-tags-for-resource \ --resource-type "PatchBaseline" \ --resource-id "pb-0c10e65780EXAMPLE"
Windows Server
aws ssm list-tags-for-resource ^ --resource-type "PatchBaseline" ^ --resource-id "pb-0c10e65780EXAMPLE"

从补丁基准删除标签

Linux & macOS
aws ssm remove-tags-from-resource \ --resource-type "PatchBaseline" \ --resource-id "pb-0c10e65780EXAMPLE" \ --tag-keys "Project"
Windows Server
aws ssm remove-tags-from-resource ^ --resource-type "PatchBaseline" ^ --resource-id "pb-0c10e65780EXAMPLE" ^ --tag-keys "Project"

用于补丁组的 Amazon CLI 命令

创建补丁组

为帮助您组织修补工作,我们建议您使用标签将托管式节点添加到补丁组。补丁组需要使用标签键 Patch GroupPatchGroup。如果在 EC2 实例元数据中允许使用标签,则必须使用 PatchGroup(不带空格)。您可以指定任何标签值,但标签键必须为 Patch GroupPatchGroup。有关补丁组的更多信息,请参阅 关于补丁组

使用标签对托管式节点进行分组后,请将补丁组值添加到补丁基准。通过将补丁组注册到补丁基准,您可以确保在修补操作期间安装正确的补丁。

任务 1:请使用标签将 EC2 实例添加到补丁组

注意

使用 Amazon Elastic Compute Cloud (Amazon EC2) 控制台和 Amazon CLI,则可以应用 Key = Patch GroupKey = PatchGroup 标签到尚未配置为与 Systems Manager 一起使用的实例。如果在应用 Patch GroupKey = PatchGroup 标签之后,未列出您希望在 Patch Manager 中看到的 EC2 实例,请参阅 排除托管式节点可用性的问题 以获取故障排除技巧。

运行以下命令将 PatchGroup 标签添加到 EC2 实例。

aws ec2 create-tags --resources "i-1234567890abcdef0" --tags "Key=PatchGroup,Value=GroupValue"

任务 2:使用标签将托管式节点添加到补丁组

运行以下命令以将 PatchGroup 标签添加到托管式节点。

Linux & macOS
aws ssm add-tags-to-resource \ --resource-type "ManagedInstance" \ --resource-id "mi-0123456789abcdefg" \ --tags "Key=PatchGroup,Value=GroupValue"
Windows Server
aws ssm add-tags-to-resource ^ --resource-type "ManagedInstance" ^ --resource-id "mi-0123456789abcdefg" ^ --tags "Key=PatchGroup,Value=GroupValue"

任务 3:将补丁组添加到补丁基准

运行以下命令将 PatchGroup 标签值关联到指定的补丁基准。

Linux & macOS
aws ssm register-patch-baseline-for-patch-group \ --baseline-id "pb-0c10e65780EXAMPLE" \ --patch-group "Development"
Windows Server
aws ssm register-patch-baseline-for-patch-group ^ --baseline-id "pb-0c10e65780EXAMPLE" ^ --patch-group "Development"

系统将返回类似于以下内容的信息。

{
  "PatchGroup": "Development",
  "BaselineId": "pb-0c10e65780EXAMPLE"
}

将补丁组“Web 服务器”注册到补丁基准

Linux & macOS
aws ssm register-patch-baseline-for-patch-group \ --baseline-id "pb-0c10e65780EXAMPLE" \ --patch-group "Web Servers"
Windows Server
aws ssm register-patch-baseline-for-patch-group ^ --baseline-id "pb-0c10e65780EXAMPLE" ^ --patch-group "Web Servers"

系统将返回类似于以下内容的信息。

{
   "PatchGroup":"Web Servers",
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

将补丁组“后端”注册到 Amazon 提供的补丁基准

Linux & macOS
aws ssm register-patch-baseline-for-patch-group \ --region us-east-2 \ --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE" \ --patch-group "Backend"
Windows Server
aws ssm register-patch-baseline-for-patch-group ^ --region us-east-2 ^ --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE" ^ --patch-group "Backend"

系统将返回类似于以下内容的信息。

{
   "PatchGroup":"Backend",
   "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}

显示补丁组注册

aws ssm describe-patch-groups --region us-east-2

系统将返回类似于以下内容的信息。

{
   "PatchGroupPatchBaselineMappings":[
      {
         "PatchGroup":"Backend",
         "BaselineIdentity":{
            "BaselineName":"AWS-DefaultPatchBaseline",
            "DefaultBaseline":false,
            "BaselineDescription":"Default Patch Baseline Provided by Amazon.",
            "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
         }
      },
      {
         "PatchGroup":"Web Servers",
         "BaselineIdentity":{
            "BaselineName":"Windows-Server-2012R2",
            "DefaultBaseline":true,
            "BaselineDescription":"Windows Server 2012 R2, Important and Critical updates",
            "BaselineId":"pb-0c10e65780EXAMPLE"
         }
      }
   ]
}

从补丁基准取消注册补丁组

Linux & macOS
aws ssm deregister-patch-baseline-for-patch-group \ --region us-east-2 \ --patch-group "Production" \ --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
Windows Server
aws ssm deregister-patch-baseline-for-patch-group ^ --region us-east-2 ^ --patch-group "Production" ^ --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"

系统将返回类似于以下内容的信息。

{
   "PatchGroup":"Production",
   "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}

Amazon CLI 命令用于查看补丁摘要和详细信息

获取补丁基准定义的所有补丁

注意

此命令仅受 Windows Server 补丁基准的支持。

Linux & macOS
aws ssm describe-effective-patches-for-patch-baseline \ --region us-east-2 \ --baseline-id "pb-0c10e65780EXAMPLE"
Windows Server
aws ssm describe-effective-patches-for-patch-baseline ^ --region us-east-2 ^ --baseline-id "pb-0c10e65780EXAMPLE"

系统将返回类似于以下内容的信息。

{
   "NextToken":"--token string truncated--",
   "EffectivePatches":[
      {
         "PatchStatus":{
            "ApprovalDate":1384711200.0,
            "DeploymentStatus":"APPROVED"
         },
         "Patch":{
            "ContentUrl":"https://support.microsoft.com/en-us/kb/2876331",
            "ProductFamily":"Windows",
            "Product":"WindowsServer2012R2",
            "Vendor":"Microsoft",
            "Description":"A security issue has been identified in a Microsoft software 
               product that could affect your system. You can help protect your system 
               by installing this update from Microsoft. For a complete listing of the 
               issues that are included in this update, see the associated Microsoft 
               Knowledge Base article. After you install this update, you may have to 
               restart your system.",
            "Classification":"SecurityUpdates",
            "Title":"Security Update for Windows Server 2012 R2 Preview (KB2876331)",
            "ReleaseDate":1384279200.0,
            "MsrcClassification":"Critical",
            "Language":"All",
            "KbNumber":"KB2876331",
            "MsrcNumber":"MS13-089",
            "Id":"e74ccc76-85f0-4881-a738-59e9fc9a336d"
         }
      },
      {
         "PatchStatus":{
            "ApprovalDate":1428858000.0,
            "DeploymentStatus":"APPROVED"
         },
         "Patch":{
            "ContentUrl":"https://support.microsoft.com/en-us/kb/2919355",
            "ProductFamily":"Windows",
            "Product":"WindowsServer2012R2",
            "Vendor":"Microsoft",
            "Description":"Windows Server 2012 R2 Update is a cumulative 
               set of security updates, critical updates and updates. You 
               must install Windows Server 2012 R2 Update to ensure that 
               your computer can continue to receive future Windows Updates, 
               including security updates. For a complete listing of the 
               issues that are included in this update, see the associated 
               Microsoft Knowledge Base article for more information. After 
               you install this item, you may have to restart your computer.",
            "Classification":"SecurityUpdates",
            "Title":"Windows Server 2012 R2 Update (KB2919355)",
            "ReleaseDate":1428426000.0,
            "MsrcClassification":"Critical",
            "Language":"All",
            "KbNumber":"KB2919355",
            "MsrcNumber":"MS14-018",
            "Id":"8452bac0-bf53-4fbd-915d-499de08c338b"
         }
      }
     ---output truncated---

获取 Amazonux2018.03 的所有分类为 SECURITY 、严重性为 Critical 的补丁

Linux & macOS
aws ssm describe-available-patches \ --region us-east-2 \ --filters Key=PRODUCT,Values=AmazonLinux2018.03 Key=SEVERITY,Values=Critical
Windows Server
aws ssm describe-available-patches ^ --region us-east-2 ^ --filters Key=PRODUCT,Values=AmazonLinux2018.03 Key=SEVERITY,Values=Critical

系统将返回类似于以下内容的信息。

{
    "Patches": [
        {
            "AdvisoryIds": ["ALAS-2011-1"],
            "BugzillaIds": [ "1234567" ],
            "Classification": "SECURITY",
            "CVEIds": [ "CVE-2011-3192"],
            "Name": "zziplib",
            "Epoch": "0",
            "Version": "2.71",
            "Release": "1.3.amzn1",
            "Arch": "i686",
            "Product": "AmazonLinux2018.03",
            "ReleaseDate": 1590519815,
            "Severity": "CRITICAL"
        }
    ]
}     
---output truncated---

获取 Windows Server 2012 的所有补丁,其 MSRC 严重性为 Critical

Linux & macOS
aws ssm describe-available-patches \ --region us-east-2 \ --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical
Windows Server
aws ssm describe-available-patches ^ --region us-east-2 ^ --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical

系统将返回类似于以下内容的信息。

{
   "Patches":[
      {
         "ContentUrl":"https://support.microsoft.com/en-us/kb/2727528",
         "ProductFamily":"Windows",
         "Product":"WindowsServer2012",
         "Vendor":"Microsoft",
         "Description":"A security issue has been identified that could 
           allow an unauthenticated remote attacker to compromise your 
           system and gain control over it. You can help protect your 
           system by installing this update from Microsoft. After you 
           install this update, you may have to restart your system.",
         "Classification":"SecurityUpdates",
         "Title":"Security Update for Windows Server 2012 (KB2727528)",
         "ReleaseDate":1352829600.0,
         "MsrcClassification":"Critical",
         "Language":"All",
         "KbNumber":"KB2727528",
         "MsrcNumber":"MS12-072",
         "Id":"1eb507be-2040-4eeb-803d-abc55700b715"
      },
      {
         "ContentUrl":"https://support.microsoft.com/en-us/kb/2729462",
         "ProductFamily":"Windows",
         "Product":"WindowsServer2012",
         "Vendor":"Microsoft",
         "Description":"A security issue has been identified that could 
           allow an unauthenticated remote attacker to compromise your 
           system and gain control over it. You can help protect your 
           system by installing this update from Microsoft. After you 
           install this update, you may have to restart your system.",
         "Classification":"SecurityUpdates",
         "Title":"Security Update for Microsoft .NET Framework 3.5 on 
           Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)",
         "ReleaseDate":1352829600.0,
         "MsrcClassification":"Critical",
         "Language":"All",
         "KbNumber":"KB2729462",
         "MsrcNumber":"MS12-074",
         "Id":"af873760-c97c-4088-ab7e-5219e120eab4"
      }
     
---output truncated---

获取所有可用补丁

aws ssm describe-available-patches --region us-east-2

系统将返回类似于以下内容的信息。

{
   "NextToken":"--token string truncated--",
   "Patches":[
      {
         "ContentUrl":"https://support.microsoft.com/en-us/kb/2032276",
         "ProductFamily":"Windows",
         "Product":"WindowsServer2008R2",
         "Vendor":"Microsoft",
         "Description":"A security issue has been identified that could allow an 
           unauthenticated remote attacker to compromise your system and gain 
           control over it. You can help protect your system by installing this 
           update from Microsoft. After you install this update, you may have to
           restart your system.",
         "Classification":"SecurityUpdates",
         "Title":"Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)",
         "ReleaseDate":1279040400.0,
         "MsrcClassification":"Important",
         "Language":"All",
         "KbNumber":"KB2032276",
         "MsrcNumber":"MS10-043",
         "Id":"8692029b-a3a2-4a87-a73b-8ea881b4b4d6"
      },
      {
         "ContentUrl":"https://support.microsoft.com/en-us/kb/2124261",
         "ProductFamily":"Windows",
         "Product":"Windows7",
         "Vendor":"Microsoft",
         "Description":"A security issue has been identified that could allow 
           an unauthenticated remote attacker to compromise your system and gain 
           control over it. You can help protect your system by installing this 
           update from Microsoft. After you install this update, you may have 
           to restart your system.",
         "Classification":"SecurityUpdates",
         "Title":"Security Update for Windows 7 (KB2124261)",
         "ReleaseDate":1284483600.0,
         "MsrcClassification":"Important",
         "Language":"All",
         "KbNumber":"KB2124261",
         "MsrcNumber":"MS10-065",
         "Id":"12ef1bed-0dd2-4633-b3ac-60888aa8ba33"
      }
      ---output truncated---

获取每个托管式节点的补丁摘要状态

每个托管式节点的摘要可为您提供每个节点中具有以下状态的补丁数量:“NotApplicable”(不适用)、“Missing”(缺少)、“Failed”(失败)、“InstalledOther”(已安装其他)和“Installed”(已安装)。

Linux & macOS
aws ssm describe-instance-patch-states \ --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9
Windows Server
aws ssm describe-instance-patch-states ^ --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9

系统将返回类似于以下内容的信息。

{
   "InstancePatchStates":[
      {
            "InstanceId": "i-08ee91c0b17045407",
            "PatchGroup": "",
            "BaselineId": "pb-0c10e65780EXAMPLE",
            "SnapshotId": "6d03d6c5-f79d-41d0-8d0e-00a9aEXAMPLE",
            "InstalledCount": 50,
            "InstalledOtherCount": 353,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 0,
            "FailedCount": 0,
            "UnreportedNotApplicableCount": -1,
            "NotApplicableCount": 671,
            "OperationStartTime": "2020-01-24T12:37:56-08:00",
            "OperationEndTime": "2020-01-24T12:37:59-08:00",
            "Operation": "Scan",
            "RebootOption": "NoReboot"
        },
        {
            "InstanceId": "i-09a618aec652973a9",
            "PatchGroup": "",
            "BaselineId": "pb-0c10e65780EXAMPLE",
            "SnapshotId": "c7e0441b-1eae-411b-8aa7-973e6EXAMPLE",
            "InstalledCount": 36,
            "InstalledOtherCount": 396,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 3,
            "FailedCount": 0,
            "UnreportedNotApplicableCount": -1,
            "NotApplicableCount": 420,
            "OperationStartTime": "2020-01-24T12:37:34-08:00",
            "OperationEndTime": "2020-01-24T12:37:37-08:00",
            "Operation": "Scan",
            "RebootOption": "NoReboot"
        }
     ---output truncated---

获取托管式节点的补丁合规性详细信息

aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407

系统将返回类似于以下内容的信息。

{
   "NextToken":"--token string truncated--",
   "Patches":[
      {
            "Title": "bind-libs.x86_64:32:9.8.2-0.68.rc1.60.amzn1",
            "KBId": "bind-libs.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:24-07:00"
        },
        {
            "Title": "bind-utils.x86_64:32:9.8.2-0.68.rc1.60.amzn1",
            "KBId": "bind-utils.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:32-07:00"
        },
        {
            "Title": "dhclient.x86_64:12:4.1.1-53.P1.28.amzn1",
            "KBId": "dhclient.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:31-07:00"
        },
    ---output truncated---

查看修补合规性结果 (Amazon CLI)

查看单个托管式节点的补丁合规性结果

在 Amazon Command Line Interface (Amazon CLI) 中运行以下命令,查看单个托管式节点的补丁合规性结果。

aws ssm describe-instance-patch-states --instance-id instance-id

i-02573cafcfEXAMPLEmi-0282f7c436EXAMPLE 格式,将 instance-id 替换为要查看其结果的托管式节点的 ID。

系统将返回类似于以下内容的信息。

{
    "InstancePatchStates": [
        {
            "InstanceId": "i-02573cafcfEXAMPLE",
            "PatchGroup": "mypatchgroup",
            "BaselineId": "pb-0c10e65780EXAMPLE",            
            "SnapshotId": "a3f5ff34-9bc4-4d2c-a665-4d1c1EXAMPLE",
            "CriticalNonCompliantCount": 2,
            "SecurityNonCompliantCount": 2,
            "OtherNonCompliantCount": 1,
            "InstalledCount": 123,
            "InstalledOtherCount": 334,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 1,
            "FailedCount": 2,
            "UnreportedNotApplicableCount": 11,
            "NotApplicableCount": 2063,
            "OperationStartTime": "2021-05-03T11:00:56-07:00",
            "OperationEndTime": "2021-05-03T11:01:09-07:00",
            "Operation": "Scan",
            "LastNoRebootInstallOperationTime": "2020-06-14T12:17:41-07:00",
            "RebootOption": "RebootIfNeeded"
        }
    ]
}

查看某个区域中所有 EC2 实例的补丁计数摘要

describe-instance-patch-states 支持一次只检索一个托管实例的结果。但是,使用自定义脚本与 describe-instance-patch-states 命令,您可以生成更精细的报告。

例如,如果在本地计算机上安装 jq 筛选工具,您可以运行以下命令来识别哪些 EC2 实例在特定 Amazon Web Services 区域 中的状态为 InstalledPendingReboot

aws ssm describe-instance-patch-states \ --instance-ids $(aws ec2 describe-instances --region region | jq '.Reservations[].Instances[] | .InstanceId' | tr '\n|"' ' ') \ --output text --query 'InstancePatchStates[*].{Instance:InstanceId, InstalledPendingRebootCount:InstalledPendingRebootCount}'

region 表示 Amazon Systems Manager 支持的 Amazon Web Services 区域 的标识符,例如 us-east-2 对应美国东部(俄亥俄)区域。有关支持的 region 值的列表,请参阅《Amazon Web Services 一般参考》 中的 Systems Manager service endpointsRegion 列。

例如:

aws ssm describe-instance-patch-states \ --instance-ids $(aws ec2 describe-instances --region us-east-2 | jq '.Reservations[].Instances[] | .InstanceId' | tr '\n|"' ' ') \ --output text --query 'InstancePatchStates[*].{Instance:InstanceId, InstalledPendingRebootCount:InstalledPendingRebootCount}'

系统将返回类似于以下内容的信息。

1       i-02573cafcfEXAMPLE
0       i-0471e04240EXAMPLE
3       i-07782c72faEXAMPLE
6       i-083b678d37EXAMPLE
0       i-03a530a2d4EXAMPLE
1       i-01f68df0d0EXAMPLE
0       i-0a39c0f214EXAMPLE
7       i-0903a5101eEXAMPLE
7       i-03823c2fedEXAMPLE

除了 InstalledPendingRebootCount,您可以搜索的计数类型列表包括以下内容:

  • CriticalNonCompliantCount

  • SecurityNonCompliantCount

  • OtherNonCompliantCount

  • UnreportedNotApplicableCount

  • InstalledPendingRebootCount

  • FailedCount

  • NotApplicableCount

  • InstalledRejectedCount

  • InstalledOtherCount

  • MissingCount

  • InstalledCount

用于扫描和修补托管式节点的 Amazon CLI 命令

运行以下命令来扫描补丁合规性或安装补丁后,可以使用 Amazon CLI 命令用于查看补丁摘要和详细信息 部分里的命令来查看有关补丁状态和合规性的信息。

扫描托管式节点以检查是否符合补丁合规性要求 (Amazon CLI)

扫描指定托管式节点以检查是否符合补丁合规性要求

运行以下命令。

Linux & macOS
aws ssm send-command \ --document-name 'AWS-RunPatchBaseline' \ --targets Key=InstanceIds,Values='i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE' \ --parameters 'Operation=Scan' \ --timeout-seconds 600
Windows Server
aws ssm send-command ^ --document-name "AWS-RunPatchBaseline" ^ --targets Key=InstanceIds,Values="i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE" ^ --parameters "Operation=Scan" ^ --timeout-seconds 600

系统将返回类似于以下内容的信息。

{
    "Command": {
        "CommandId": "a04ed06c-8545-40f4-87c2-a0babEXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621974475.267,
        "Parameters": {
            "Operation": [
                "Scan"
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "InstanceIds",
                "Values": [
                    "i-02573cafcfEXAMPLE,
                     i-0471e04240EXAMPLE"
                ]
            }
        ],
        "RequestedDateTime": 1621952275.267,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,

    ---output truncated---

    }
}

按补丁组标签扫描托管式节点以检查是否符合补丁合规性要求

运行以下命令。

Linux & macOS
aws ssm send-command \ --document-name 'AWS-RunPatchBaseline' \ --targets Key='tag:PatchGroup',Values='Web servers' \ --parameters 'Operation=Scan' \ --timeout-seconds 600
Windows Server
aws ssm send-command ^ --document-name "AWS-RunPatchBaseline" ^ --targets Key="tag:PatchGroup",Values="Web servers" ^ --parameters "Operation=Scan" ^ --timeout-seconds 600

系统将返回类似于以下内容的信息。

{
    "Command": {
        "CommandId": "87a448ee-8adc-44e0-b4d1-6b429EXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621974983.128,
        "Parameters": {
            "Operation": [
                "Scan"
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "tag:PatchGroup",
                "Values": [
                    "Web servers"
                ]
            }
        ],
        "RequestedDateTime": 1621952783.128,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,

    ---output truncated---

    }
}

在托管式节点上安装补丁 (Amazon CLI)

在指定托管式节点上安装补丁

运行以下命令。

注意

目标托管式节点按需重启以完成补丁安装。有关更多信息,请参阅关于 AWS-RunPatchBaseline SSM 文档

Linux & macOS
aws ssm send-command \ --document-name 'AWS-RunPatchBaseline' \ --targets Key=InstanceIds,Values='i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE' \ --parameters 'Operation=Install' \ --timeout-seconds 600
Windows Server
aws ssm send-command ^ --document-name "AWS-RunPatchBaseline" ^ --targets Key=InstanceIds,Values="i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE" ^ --parameters "Operation=Install" ^ --timeout-seconds 600

系统将返回类似于以下内容的信息。

{
    "Command": {
        "CommandId": "5f403234-38c4-439f-a570-93623EXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621975301.791,
        "Parameters": {
            "Operation": [
                "Install"
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "InstanceIds",
                "Values": [
                    "i-02573cafcfEXAMPLE,
                     i-0471e04240EXAMPLE"
                ]
            }
        ],
        "RequestedDateTime": 1621953101.791,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,

    ---output truncated---

    }
}

在指定补丁组中的托管式节点上安装补丁

运行以下命令。

Linux & macOS
aws ssm send-command \ --document-name 'AWS-RunPatchBaseline' \ --targets Key='tag:PatchGroup',Values='Web servers' \ -parameters 'Operation=Install' \ --timeout-seconds 600
Windows Server
aws ssm send-command ^ --document-name "AWS-RunPatchBaseline" ^ --targets Key="tag:PatchGroup",Values="Web servers" ^ --parameters "Operation=Install" ^ --timeout-seconds 600

系统将返回类似于以下内容的信息。

{
    "Command": {
        "CommandId": "fa44b086-7d36-4ad5-ac8d-627ecEXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621975407.865,
        "Parameters": {
            "Operation": [
                "Install"
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "tag:PatchGroup",
                "Values": [
                    "Web servers"
                ]
            }
        ],
        "RequestedDateTime": 1621953207.865,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,

    ---output truncated---

    }
}