Amazon EC2 Systems Manager
User Guide
The AWS services or features described in the AWS documentation may vary by region or location. See Getting Started with Amazon AWS for the specific differences in the China regions.

Systems Manager Patch Manager Walkthroughs

The following walkthroughs show you how to create a patch baseline, a patch group, and a Maintenance Window that performs patching, using either the Amazon EC2 console or the AWS CLI.

Before You Begin

These walkthroughs perform patching during a Maintenance Window. You must configure roles and permissions for Maintenance Windows before you begin. For more information, see Controlling Access to Maintenance Windows.

Patch Manager Walkthrough Using the Amazon EC2 Console

The following walkthrough shows how to patch a server environment using a default patch baseline, a patch group, and a Maintenance Window. To learn more about the processes described in this walkthrough, see Working with Patch Manager.

Before You Begin

Install or update the SSM Agent on your instances. To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update the SSM Agent in Executing Commands from the EC2 Console.

Create a Default Patch Baseline Using the Amazon EC2 Console

Patch Manager includes a default patch baseline for each operating system it supports. You can use these default patch baselines (which you cannot customize), or you can create your own. The following procedure describes how to view the default patch baselines to check whether they meet your needs. It also describes how to create your own default patch baseline. To learn more about patch baselines, see Step 1: Verify Default Patch Baselines or Create a Patch Baseline.

To create a default patch baseline

  1. Open the Amazon EC2 console, expand Systems Manager Services in the navigation pane, and then choose Patch Baselines.

  2. In the patch baselines list, choose the patch baseline for the operating system you want to patch.

    Note

    If the Welcome to EC2 Systems Manager - Patch Baselines page appears, choose Create Patch Baseline. When the Create patch baseline page appears, choose the back button in your browser to view the list of patch baselines.

  3. With the default baseline selected, choose the Approval Rules tab. If the auto-approval rules are acceptable for your instances, you can skip to the steps below.

  4. To create your own default patch baseline, choose Create Patch Baseline.

  5. In the Name field, type a name for the new patch baseline, for example RHEL-Default.

  6. (Optional) Type a description for this patch baseline.

  7. In the Operating System field, choose an operating system, for example RedhatEnterpriseLinux.

  8. In the Approval Rules section, use the fields to create one or more auto-approval rules.

    Note

    Compliance Level is the severity of the compliance violation that is reported if an approved patch is found to be missing.

  9. In the Patch Exceptions section, list the patches that the baseline explicitly approves and rejects. For approved patches, choose the corresponding compliance severity level.

  10. Choose Create Patch Baseline.

Add Instances to a Patch Group

To help you organize your patching efforts, we recommend that you add instances to patch groups by using Amazon EC2 tags. Patch groups require the tag key Patch Group. You can specify any value, but the tag key must be Patch Group. For more information about patch groups, see Step 2: Organize Instances into Patch Groups.

To add instances to a patch group

  1. Open the Amazon EC2 console, and then choose Instances in the left navigation pane.

  2. In the instance list, choose an instance that you want to configure for patching.

  3. On the Actions menu, choose Instance Settings, Add/Edit Tags.

  4. In the Key field, type Patch Group.

  5. In the Value field, type a value that helps you identify which instances are to be patched.

  6. Choose Save.

  7. Repeat this procedure to tag the other instances in the same patch group.

Create a Maintenance Window for Patching

To minimize the impact on your server availability, we recommend that you configure a Maintenance Window to perform patching during times that do not interrupt your business operations. For more information about Maintenance Windows, see Systems Manager Maintenance Windows.

To create a Maintenance Window for patching

  1. In the Amazon EC2 console navigation pane, choose Maintenance Windows, and then choose Create maintenance window.

  2. In the Name field, type a name that designates this as a Maintenance Window for patching critical and important updates.

  3. In the Specify schedule area, choose the schedule options you want.

  4. In the Duration field, type the number of hours the Maintenance Window should be active.

  5. In the Stop initiating tasks field, type the number of hours before the end of the Maintenance Window at which the system should stop starting new tasks.

  6. Choose Create maintenance window.

  7. In the Maintenance Window list, choose the Maintenance Window you just created, and then choose Actions, Register targets.

  8. In the Owner information field, type your name or alias.

  9. In the Select targets by area, choose Specifying tags.

  10. In the Tag Filters section, use the lists to choose a tag key and a tag value.

  11. Choose Register targets. The system creates a Maintenance Window target.

  12. In the Maintenance Window list, choose the Maintenance Window you created with this procedure, and then choose Actions, Register task.

  13. On the Register task page, in the Documents section, choose AWS-RunPatchBaseline.

  14. In the Task Priority section, specify a priority. 1 is the highest priority.

  15. In the Targets section, choose Select, and then choose the Maintenance Window target you created earlier in this procedure.

  16. In the Operation list, choose Scan to scan for missing patches, or choose Install to scan for and install missing patches.

    Note

    The Install operation causes instances to reboot (if patches are installed). The Scan operation does not cause a reboot.

  17. You do not need to specify a value in the Snapshot Id field. The system automatically generates and supplies this parameter.

  18. In the Role field, enter the ARN of a role that has the AmazonSSMMaintenanceWindowRole policy attached. For more information, see Controlling Access to Maintenance Windows.

  19. In the Execute on field, choose Targets or Percent to limit the number of instances on which the system can run the patching operation at the same time.

  20. In the Stop after field, specify the number of errors allowed before the system stops sending the patching task to further instances.

  21. If you want to write command output and results to an Amazon S3 bucket, in the Advanced section, choose Write to S3.

  22. Choose Register task.

After the Maintenance Window task completes, you can view patch compliance details in the Amazon EC2 console on the Managed Instances page. In the filter bar, use the AWS:PatchSummary and AWS:ComplianceItem filters.

Figure: Patch Manager compliance data

Note

After you specify filters, you can save your query by bookmarking the URL.

You can also drill down into a specific instance by choosing the instance on the Managed Instances page and then choosing the Patch tab. You can also use the DescribePatchGroupState and DescribeInstancePatchStatesForPatchGroup APIs to view compliance details. For information to help you understand patch compliance data, see About Patch Compliance.

Patch Manager Walkthrough Using the AWS CLI

The following procedure describes how to patch a server environment using a custom patch baseline, patch groups, and Maintenance Windows.

Before You Begin

Install or update the SSM Agent on your instances. To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update the SSM Agent in Executing Commands from the EC2 Console.

To configure Patch Manager and patch instances using the AWS CLI

  1. Download the latest version of the AWS CLI to your local machine.

  2. Open the AWS CLI and run the following command to specify your credentials and a region. You must either have administrator permissions in Amazon EC2 or have been granted the appropriate permissions in AWS Identity and Access Management (IAM).

    aws configure

    The system prompts you to specify the following.

    AWS Access Key ID [None]: key_name
    AWS Secret Access Key [None]: key_name
    Default region name [None]: region
    Default output format [None]: ENTER
  3. (Windows) Execute the following command to create a patch baseline named Production-Baseline that approves patches for a production environment 7 days after they are released.

    aws ssm create-patch-baseline --name "Production-Baseline" --operating-system "WINDOWS" --product "WindowsServer2012R2" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveAfterDays=7}]" --description "Baseline containing all updates approved for production systems"

    (Linux) Execute the following command to create a patch baseline named Production-Baseline that approves patches for a production environment 7 days after they are released.

    aws ssm create-patch-baseline --name "Production-Baseline" --operating-system "AMAZON_LINUX" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=PRODUCT,Values=[AmazonLinux2016.03,AmazonLinux2016.09,AmazonLinux2017.03,AmazonLinux2017.09]},{Key=SEVERITY,Values=[Critical,Important]},{Key=CLASSIFICATION,Values=[Security]}]},ApproveAfterDays=7}]" --description "Baseline containing all updates approved for production systems"

    The system returns information like the following.

    {
      "BaselineId": "pb-034cba5a84f030362"
    }
  4. Execute the following commands to register the Production-Baseline patch baseline for three patch groups named Production, Database Servers, and Front-End Patch Group.

    aws ssm register-patch-baseline-for-patch-group --baseline-id pb-034cba5a84f030362 --patch-group "Production"

    The system returns information like the following.

    {
      "PatchGroup": "Production",
      "BaselineId": "pb-034cba5a84f030362"
    }

    aws ssm register-patch-baseline-for-patch-group --baseline-id pb-034cba5a84f030362 --patch-group "Database Servers"

    The system returns information like the following.

    {
      "PatchGroup": "Database Servers",
      "BaselineId": "pb-034cba5a84f030362"
    }
  5. Execute the following commands to create two Maintenance Windows for the production servers. The first window runs every Tuesday at 10 PM. The second window runs every Saturday at 10 PM.

    aws ssm create-maintenance-window --name "Production-Tuesdays" --schedule "cron(0 0 22 ? * TUE *)" --duration 1 --cutoff 0 --no-allow-unassociated-targets

    The system returns information like the following.

    {
      "WindowId": "mw-0c66948c711a3b5bd"
    }

    aws ssm create-maintenance-window --name "Production-Saturdays" --schedule "cron(0 0 22 ? * SAT *)" --duration 2 --cutoff 0 --no-allow-unassociated-targets

    The system returns information like the following.

    {
      "WindowId": "mw-09e2a75baadd84e85"
    }
  6. Execute the following commands to register the production servers with the two production Maintenance Windows.

    aws ssm register-target-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=tag:Patch Group,Values=Production" --owner-information "Production servers" --resource-type "INSTANCE"

    The system returns information like the following.

    {
      "WindowTargetId": "557e7b3a-bc2f-48dd-ae05-e282b5b20760"
    }

    aws ssm register-target-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=tag:Patch Group,Values=Database Servers" --owner-information "Database servers" --resource-type "INSTANCE"

    The system returns information like the following.

    {
      "WindowTargetId": "767b6508-f4ac-445e-b6fe-758cc912e55c"
    }

    aws ssm register-target-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=tag:Patch Group,Values=Production" --owner-information "Production servers" --resource-type "INSTANCE"

    The system returns information like the following.

    {
      "WindowTargetId": "faa01c41-1d57-496c-ba77-ff9cadba4b7d"
    }

    aws ssm register-target-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=tag:Patch Group,Values=Database Servers" --owner-information "Database servers" --resource-type "INSTANCE"

    The system returns information like the following.

    {
      "WindowTargetId": "673b5840-58a4-42ab-8b80-95749677cb2e"
    }
  7. Execute the following commands to register a patch task that only scans the production servers for missing updates in the first production Maintenance Window. The task parameters are passed as plain JSON inside single quotes; in a POSIX shell, backslash-escaped quotes inside single quotes would be passed literally and would not parse as JSON.

    aws ssm register-task-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=WindowTargetIds,Values=557e7b3a-bc2f-48dd-ae05-e282b5b20760" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 1 --task-parameters '{"Operation":{"Values":["Scan"]}}'

    The system returns information like the following.

    {
      "WindowTaskId": "968e3b17-8591-4fb2-932a-b62389d6f635"
    }

    aws ssm register-task-with-maintenance-window --window-id mw-0c66948c711a3b5bd --targets "Key=WindowTargetIds,Values=767b6508-f4ac-445e-b6fe-758cc912e55c" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 5 --task-parameters '{"Operation":{"Values":["Scan"]}}'

    The system returns information like the following.

    {
      "WindowTaskId": "09f2e873-a3a7-443f-ba0a-05cf4de5a1c7"
    }
  8. Execute the following commands to register a patch task that installs missing updates on the production servers in the second Maintenance Window.

    aws ssm register-task-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=WindowTargetIds,Values=557e7b3a-bc2f-48dd-ae05-e282b5b20760" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 1 --task-parameters '{"Operation":{"Values":["Install"]}}'

    The system returns information like the following.

    {
      "WindowTaskId": "968e3b17-8591-4fb2-932a-b62389d6f635"
    }

    aws ssm register-task-with-maintenance-window --window-id mw-09e2a75baadd84e85 --targets "Key=WindowTargetIds,Values=767b6508-f4ac-445e-b6fe-758cc912e55c" --task-arn "AWS-ApplyPatchBaseline" --service-role-arn "arn:aws:iam::12345678:role/MW-Role" --task-type "RUN_COMMAND" --max-concurrency 2 --max-errors 1 --priority 5 --task-parameters '{"Operation":{"Values":["Install"]}}'

    The system returns information like the following.

    {
      "WindowTaskId": "09f2e873-a3a7-443f-ba0a-05cf4de5a1c7"
    }
  9. Execute the following command to get a high-level patch compliance summary for a patch group. The summary gives you the number of instances in the patch group that have patches in each of the following states: NotApplicable, Missing, Failed, InstalledOther, and Installed.

    aws ssm describe-patch-group-state --patch-group "Production"

    The system returns information like the following.

    {
      "InstancesWithNotApplicablePatches": 0,
      "InstancesWithMissingPatches": 0,
      "InstancesWithFailedPatches": 1,
      "InstancesWithInstalledOtherPatches": 4,
      "Instances": 4,
      "InstancesWithInstalledPatches": 3
    }
  10. Execute the following command to get the patch summary state for each instance in a patch group. The per-instance summary gives you the number of patches in each of the following states on each instance in the patch group: NotApplicable, Missing, Failed, InstalledOther, and Installed.

    aws ssm describe-instance-patch-states-for-patch-group --patch-group "Production"

    The system returns information like the following.

    {
      "InstancePatchStates": [
        {
          "OperationStartTime": 1481259600.0,
          "FailedCount": 0,
          "InstanceId": "i-08ee91c0b17045407",
          "OwnerInformation": "",
          "NotApplicableCount": 2077,
          "OperationEndTime": 1481259757.0,
          "PatchGroup": "Production",
          "InstalledOtherCount": 186,
          "MissingCount": 7,
          "SnapshotId": "b0e65479-79be-4288-9f88-81c96bc3ed5e",
          "Operation": "Scan",
          "InstalledCount": 72
        },
        {
          "OperationStartTime": 1481259602.0,
          "FailedCount": 0,
          "InstanceId": "i-0fff3aab684d01b23",
          "OwnerInformation": "",
          "NotApplicableCount": 2692,
          "OperationEndTime": 1481259613.0,
          "PatchGroup": "Production",
          "InstalledOtherCount": 3,
          "MissingCount": 1,
          "SnapshotId": "b0e65479-79be-4288-9f88-81c96bc3ed5e",
          "Operation": "Scan",
          "InstalledCount": 1
        },
        {
          "OperationStartTime": 1481259547.0,
          "FailedCount": 0,
          "InstanceId": "i-0a00def7faa94f1dc",
          "OwnerInformation": "",
          "NotApplicableCount": 1859,
          "OperationEndTime": 1481259592.0,
          "PatchGroup": "Production",
          "InstalledOtherCount": 116,
          "MissingCount": 1,
          "SnapshotId": "b0e65479-79be-4288-9f88-81c96bc3ed5e",
          "Operation": "Scan",
          "InstalledCount": 110
        },
        {
          "OperationStartTime": 1481259549.0,
          "FailedCount": 0,
          "InstanceId": "i-09a618aec652973a9",
          "OwnerInformation": "",
          "NotApplicableCount": 1637,
          "OperationEndTime": 1481259837.0,
          "PatchGroup": "Production",
          "InstalledOtherCount": 388,
          "MissingCount": 2,
          "SnapshotId": "b0e65479-79be-4288-9f88-81c96bc3ed5e",
          "Operation": "Scan",
          "InstalledCount": 141
        }
      ]
    }
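The CLI walkthrough above hand-writes the shorthand --approval-rules string, the cron schedule and the JSON --task-parameters, all of which are easy to get subtly wrong. The following Python script is an added example (not AWS code and not part of the original page): it builds the argv for the create-patch-baseline, create-maintenance-window and register-task-with-maintenance-window calls from structured data, validates the values that Patch Manager and Maintenance Windows reject (unknown operations, a cutoff that is not smaller than the duration), and runs the AWS CLI without a shell. It assumes the AWS CLI is on PATH and uses the role ARN placeholder from the walkthrough; with dry_run=True nothing is executed and the command line is only rendered.

```python
"""Argv builders for the Patch Manager CLI walkthrough (added example, not AWS code).
Assumes the AWS CLI ("aws") is on PATH; with dry_run=True nothing is executed."""
import json
import shlex
import subprocess


def to_shorthand(value, top=True):
    """Serialize nested dicts/lists into AWS CLI shorthand syntax, e.g.
    PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=...,Values=[...]}]},ApproveAfterDays=7}].
    The top-level dict is emitted as key=value pairs without surrounding braces."""
    if isinstance(value, dict):
        body = ",".join(f"{k}={to_shorthand(v, False)}" for k, v in value.items())
        return body if top else "{" + body + "}"
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(to_shorthand(v, False) for v in value) + "]"
    return str(value)


def approval_rules(filters, approve_after_days):
    """filters: list of (Key, [values]) pairs, emitted in the given order."""
    if not isinstance(approve_after_days, int) or approve_after_days < 0:
        raise ValueError("ApproveAfterDays must be a non-negative integer")
    rule = {
        "PatchFilterGroup": {
            "PatchFilters": [{"Key": key, "Values": list(values)} for key, values in filters]
        },
        "ApproveAfterDays": approve_after_days,
    }
    return to_shorthand({"PatchRules": [rule]})


def create_patch_baseline_cmd(name, operating_system, filters, approve_after_days,
                              description, product=None):
    cmd = ["aws", "ssm", "create-patch-baseline", "--name", name,
           "--operating-system", operating_system]
    if product:
        cmd += ["--product", product]
    cmd += ["--approval-rules", approval_rules(filters, approve_after_days),
            "--description", description]
    return cmd


def weekly_cron(day, hour, minute=0):
    """Seven-field cron expression (with seconds) for a weekly run, as used in step 5."""
    if day not in ("SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"):
        raise ValueError(f"bad day-of-week: {day}")
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("hour must be 0-23 and minute 0-59")
    return f"cron(0 {minute} {hour} ? * {day} *)"


def create_maintenance_window_cmd(name, schedule, duration, cutoff):
    """duration is 1-24 hours; cutoff must be smaller than duration, otherwise
    the window would stop initiating tasks before it starts."""
    if not 1 <= duration <= 24:
        raise ValueError("duration must be 1-24 hours")
    if not 0 <= cutoff < duration:
        raise ValueError("cutoff must satisfy 0 <= cutoff < duration")
    return ["aws", "ssm", "create-maintenance-window", "--name", name,
            "--schedule", schedule, "--duration", str(duration),
            "--cutoff", str(cutoff), "--no-allow-unassociated-targets"]


def register_patch_task_cmd(window_id, window_target_id, role_arn, operation,
                            priority, max_concurrency=2, max_errors=1):
    """Only Scan and Install are valid operations. The task parameters are real JSON
    produced by json.dumps, so no manual quote escaping is needed."""
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be Scan or Install")
    params = json.dumps({"Operation": {"Values": [operation]}})
    return ["aws", "ssm", "register-task-with-maintenance-window",
            "--window-id", window_id,
            "--targets", f"Key=WindowTargetIds,Values={window_target_id}",
            "--task-arn", "AWS-ApplyPatchBaseline",
            "--service-role-arn", role_arn,
            "--task-type", "RUN_COMMAND",
            "--max-concurrency", str(max_concurrency),
            "--max-errors", str(max_errors),
            "--priority", str(priority),
            "--task-parameters", params]


def run(cmd, dry_run=True):
    """Execute the argv list directly (no shell, so no quoting or injection issues).
    With dry_run the shell-quoted command line is returned instead of being run."""
    if dry_run:
        return " ".join(shlex.quote(arg) for arg in cmd)
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    windows = create_patch_baseline_cmd(
        "Production-Baseline", "WINDOWS",
        [("MSRC_SEVERITY", ["Critical", "Important"]),
         ("CLASSIFICATION", ["SecurityUpdates", "Updates", "UpdateRollups", "CriticalUpdates"])],
        7, "Baseline containing all updates approved for production systems",
        product="WindowsServer2012R2")
    print(run(windows))
    print(run(create_maintenance_window_cmd("Production-Tuesdays", weekly_cron("TUE", 22), 1, 0)))
    print(run(register_patch_task_cmd("mw-0c66948c711a3b5bd", "557e7b3a-bc2f-48dd-ae05-e282b5b20760",
                                      "arn:aws:iam::12345678:role/MW-Role", "Scan", 1)))
```

Passing an argv list to subprocess (rather than a single shell string) means patch group names or descriptions containing spaces or quotes never reach a shell, and json.dumps guarantees the --task-parameters value is valid JSON regardless of the shell in use.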

Additional Patch Manager CLI Commands

This section includes additional examples of CLI commands that you can use to perform Patch Manager configuration tasks.

Create a patch baseline

The following command creates a patch baseline that approves all critical and important security updates for Windows Server 2012 R2 five days after they are released.

aws ssm create-patch-baseline --name "Windows-Server-2012R2" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]" --description "Windows Server 2012 R2, Important and Critical security updates"

The system returns information like the following.

{
  "BaselineId": "pb-00dbb759999aa2bc3"
}

Update a patch baseline

The following command adds two patches with a rejected status and one patch with an approved status to an existing patch baseline.

aws ssm update-patch-baseline --baseline-id pb-00dbb759999aa2bc3 --rejected-patches "KB2032276" "MS10-048" --approved-patches "KB2124261"

The system returns information like the following.

{
  "BaselineId": "pb-00dbb759999aa2bc3",
  "Name": "Windows-Server-2012R2",
  "RejectedPatches": [
    "KB2032276",
    "MS10-048"
  ],
  "GlobalFilters": {
    "PatchFilters": []
  },
  "ApprovalRules": {
    "PatchRules": [
      {
        "PatchFilterGroup": {
          "PatchFilters": [
            {
              "Values": [
                "Important",
                "Critical"
              ],
              "Key": "MSRC_SEVERITY"
            },
            {
              "Values": [
                "SecurityUpdates"
              ],
              "Key": "CLASSIFICATION"
            },
            {
              "Values": [
                "WindowsServer2012R2"
              ],
              "Key": "PRODUCT"
            }
          ]
        },
        "ApproveAfterDays": 5
      }
    ]
  },
  "ModifiedDate": 1481001494.035,
  "CreatedDate": 1480997823.81,
  "ApprovedPatches": [
    "KB2124261"
  ],
  "Description": "Windows Server 2012 R2, Important and Critical security updates"
}

Rename a patch baseline

aws ssm update-patch-baseline --baseline-id pb-00dbb759999aa2bc3 --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"

The system returns information like the following.

{
  "BaselineId": "pb-00dbb759999aa2bc3",
  "Name": "Windows-Server-2012-R2-Important-and-Critical-Security-Updates",
  "RejectedPatches": [
    "KB2032276",
    "MS10-048"
  ],
  "GlobalFilters": {
    "PatchFilters": []
  },
  "ApprovalRules": {
    "PatchRules": [
      {
        "PatchFilterGroup": {
          "PatchFilters": [
            {
              "Values": [
                "Important",
                "Critical"
              ],
              "Key": "MSRC_SEVERITY"
            },
            {
              "Values": [
                "SecurityUpdates"
              ],
              "Key": "CLASSIFICATION"
            },
            {
              "Values": [
                "WindowsServer2012R2"
              ],
              "Key": "PRODUCT"
            }
          ]
        },
        "ApproveAfterDays": 5
      }
    ]
  },
  "ModifiedDate": 1481001795.287,
  "CreatedDate": 1480997823.81,
  "ApprovedPatches": [
    "KB2124261"
  ],
  "Description": "Windows Server 2012 R2, Important and Critical security updates"
}

Delete a patch baseline

aws ssm delete-patch-baseline --baseline-id "pb-0a34d8c0f03c1e529"

The system returns information like the following.

{
  "BaselineId": "pb-0a34d8c0f03c1e529"
}

List all patch baselines

aws ssm describe-patch-baselines

The system returns information like the following.

{
  "BaselineIdentities": [
    {
      "BaselineName": "AWS-DefaultPatchBaseline",
      "DefaultBaseline": true,
      "BaselineDescription": "Default Patch Baseline Provided by AWS.",
      "BaselineId": "arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339"
    },
    {
      "BaselineName": "Windows-Server-2012R2",
      "DefaultBaseline": false,
      "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
      "BaselineId": "pb-00dbb759999aa2bc3"
    }
  ]
}

Here is another command that lists all patch baselines in a region.

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[All]"

The system returns information like the following.

{
  "BaselineIdentities": [
    {
      "BaselineName": "AWS-DefaultPatchBaseline",
      "DefaultBaseline": true,
      "BaselineDescription": "Default Patch Baseline Provided by AWS.",
      "BaselineId": "arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339"
    },
    {
      "BaselineName": "Windows-Server-2012R2",
      "DefaultBaseline": false,
      "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
      "BaselineId": "pb-00dbb759999aa2bc3"
    }
  ]
}

List all AWS-provided patch baselines

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[AWS]"

The system returns information like the following.

{
  "BaselineIdentities": [
    {
      "BaselineName": "AWS-DefaultPatchBaseline",
      "DefaultBaseline": true,
      "BaselineDescription": "Default Patch Baseline Provided by AWS.",
      "BaselineId": "arn:aws:ssm:us-west-2:755505623295:patchbaseline/pb-04f1feddd7c0c5339"
    }
  ]
}

List my patch baselines

aws ssm describe-patch-baselines --region us-west-1 --filters "Key=OWNER,Values=[Self]"

The system returns information like the following.

{
  "BaselineIdentities": [
    {
      "BaselineName": "Windows-Server-2012R2",
      "DefaultBaseline": false,
      "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
      "BaselineId": "pb-00dbb759999aa2bc3"
    }
  ]
}

Display a patch baseline

aws ssm get-patch-baseline --baseline-id pb-00dbb759999aa2bc3

The system returns information like the following.

{
  "BaselineId": "pb-00dbb759999aa2bc3",
  "Name": "Windows-Server-2012R2",
  "PatchGroups": [
    "Web Servers"
  ],
  "RejectedPatches": [],
  "GlobalFilters": {
    "PatchFilters": []
  },
  "ApprovalRules": {
    "PatchRules": [
      {
        "PatchFilterGroup": {
          "PatchFilters": [
            {
              "Values": [
                "Important",
                "Critical"
              ],
              "Key": "MSRC_SEVERITY"
            },
            {
              "Values": [
                "SecurityUpdates"
              ],
              "Key": "CLASSIFICATION"
            },
            {
              "Values": [
                "WindowsServer2012R2"
              ],
              "Key": "PRODUCT"
            }
          ]
        },
        "ApproveAfterDays": 5
      }
    ]
  },
  "ModifiedDate": 1480997823.81,
  "CreatedDate": 1480997823.81,
  "ApprovedPatches": [],
  "Description": "Windows Server 2012 R2, Important and Critical security updates"
}

Get the default patch baseline

aws ssm get-default-patch-baseline --region us-west-1

The system returns information like the following.

{
  "BaselineId": "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"
}

Set the default patch baseline

aws ssm register-default-patch-baseline --region us-west-1 --baseline-id "pb-08b654cf9b9681f04"

The system returns information like the following.

{
  "BaselineId": "pb-08b654cf9b9681f04"
}

Register the patch group "Web Servers" with a patch baseline

aws ssm register-patch-baseline-for-patch-group --baseline-id "pb-00dbb759999aa2bc3" --patch-group "Web Servers"

The system returns information like the following.

{
  "PatchGroup": "Web Servers",
  "BaselineId": "pb-00dbb759999aa2bc3"
}

Register the patch group "Backend" with the AWS-provided patch baseline

aws ssm register-patch-baseline-for-patch-group --region us-west-1 --baseline-id "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725" --patch-group "Backend"

The system returns information like the following.

{
  "PatchGroup": "Backend",
  "BaselineId": "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"
}

Display patch group registrations

aws ssm describe-patch-groups --region us-west-1

The system returns information like the following.

{
  "PatchGroupPatchBaselineMappings": [
    {
      "PatchGroup": "Backend",
      "BaselineIdentity": {
        "BaselineName": "AWS-DefaultPatchBaseline",
        "DefaultBaseline": false,
        "BaselineDescription": "Default Patch Baseline Provided by AWS.",
        "BaselineId": "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"
      }
    },
    {
      "PatchGroup": "Web Servers",
      "BaselineIdentity": {
        "BaselineName": "Windows-Server-2012R2",
        "DefaultBaseline": true,
        "BaselineDescription": "Windows Server 2012 R2, Important and Critical updates",
        "BaselineId": "pb-08b654cf9b9681f04"
      }
    }
  ]
}

Deregister a patch group from a patch baseline

aws ssm deregister-patch-baseline-for-patch-group --region us-west-1 --patch-group "Production" --baseline-id "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"

The system returns information like the following.

{
  "PatchGroup": "Production",
  "BaselineId": "arn:aws:ssm:us-west-1:075727635805:patchbaseline/pb-0ca44a362f8afc725"
}

Get all patches defined by a patch baseline

aws ssm describe-effective-patches-for-patch-baseline --region us-west-1 --baseline-id "pb-08b654cf9b9681f04"

The system returns information like the following.

{
  "NextToken": "--token string truncated--",
  "EffectivePatches": [
    {
      "PatchStatus": {
        "ApprovalDate": 1384711200.0,
        "DeploymentStatus": "APPROVED"
      },
      "Patch": {
        "ContentUrl": "https://support.microsoft.com/en-us/kb/2876331",
        "ProductFamily": "Windows",
        "Product": "WindowsServer2012R2",
        "Vendor": "Microsoft",
        "Description": "A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.",
        "Classification": "SecurityUpdates",
        "Title": "Security Update for Windows Server 2012 R2 Preview (KB2876331)",
        "ReleaseDate": 1384279200.0,
        "MsrcClassification": "Critical",
        "Language": "All",
        "KbNumber": "KB2876331",
        "MsrcNumber": "MS13-089",
        "Id": "e74ccc76-85f0-4881-a738-59e9fc9a336d"
      }
    },
    {
      "PatchStatus": {
        "ApprovalDate": 1428858000.0,
        "DeploymentStatus": "APPROVED"
      },
      "Patch": {
        "ContentUrl": "https://support.microsoft.com/en-us/kb/2919355",
        "ProductFamily": "Windows",
        "Product": "WindowsServer2012R2",
        "Vendor": "Microsoft",
        "Description": "Windows Server 2012 R2 Update is a cumulative set of security updates, critical updates and updates. You must install Windows Server 2012 R2 Update to ensure that your computer can continue to receive future Windows Updates, including security updates. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.",
        "Classification": "SecurityUpdates",
        "Title": "Windows Server 2012 R2 Update (KB2919355)",
        "ReleaseDate": 1428426000.0,
        "MsrcClassification": "Critical",
        "Language": "All",
        "KbNumber": "KB2919355",
        "MsrcNumber": "MS14-018",
        "Id": "8452bac0-bf53-4fbd-915d-499de08c338b"
      }
    }
---output truncated---

Get all patches for Windows Server 2012 with an MSRC severity of Critical

aws ssm describe-available-patches --region us-west-1 --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical

The system returns information like the following.

{
  "Patches": [
    {
      "ContentUrl": "https://support.microsoft.com/en-us/kb/2727528",
      "ProductFamily": "Windows",
      "Product": "WindowsServer2012",
      "Vendor": "Microsoft",
      "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Windows Server 2012 (KB2727528)",
      "ReleaseDate": 1352829600.0,
      "MsrcClassification": "Critical",
      "Language": "All",
      "KbNumber": "KB2727528",
      "MsrcNumber": "MS12-072",
      "Id": "1eb507be-2040-4eeb-803d-abc55700b715"
    },
    {
      "ContentUrl": "https://support.microsoft.com/en-us/kb/2729462",
      "ProductFamily": "Windows",
      "Product": "WindowsServer2012",
      "Vendor": "Microsoft",
      "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)",
      "ReleaseDate": 1352829600.0,
      "MsrcClassification": "Critical",
      "Language": "All",
      "KbNumber": "KB2729462",
      "MsrcNumber": "MS12-074",
      "Id": "af873760-c97c-4088-ab7e-5219e120eab4"
    }
---output truncated---

Get all available patches

aws ssm describe-available-patches --region us-west-1

The system returns information like the following.

{
  "NextToken": "--token string truncated--",
  "Patches": [
    {
      "ContentUrl": "https://support.microsoft.com/en-us/kb/2032276",
      "ProductFamily": "Windows",
      "Product": "WindowsServer2008R2",
      "Vendor": "Microsoft",
      "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)",
      "ReleaseDate": 1279040400.0,
      "MsrcClassification": "Important",
      "Language": "All",
      "KbNumber": "KB2032276",
      "MsrcNumber": "MS10-043",
      "Id": "8692029b-a3a2-4a87-a73b-8ea881b4b4d6"
    },
    {
      "ContentUrl": "https://support.microsoft.com/en-us/kb/2124261",
      "ProductFamily": "Windows",
      "Product": "Windows7",
      "Vendor": "Microsoft",
      "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Windows 7 (KB2124261)",
      "ReleaseDate": 1284483600.0,
      "MsrcClassification": "Important",
      "Language": "All",
      "KbNumber": "KB2124261",
      "MsrcNumber": "MS10-065",
      "Id": "12ef1bed-0dd2-4633-b3ac-60888aa8ba33"
    }
---output truncated---

Tag a patch baseline

aws ssm add-tags-to-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081" --tags "Key=Project,Value=Testing"

List the tags for a patch baseline

aws ssm list-tags-for-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081"

Remove a tag from a patch baseline

aws ssm remove-tags-from-resource --resource-type "PatchBaseline" --resource-id "pb-0869b5cf84fa07081" --tag-keys "Project"

Get the patch summary state for each instance

The per-instance summary gives you the number of patches in each of the following states on each instance: NotApplicable, Missing, Failed, InstalledOther, and Installed.

aws ssm describe-instance-patch-states --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9 i-0a00def7faa94f1dc i-0fff3aab684d01b23

The system returns information like the following.

{
  "InstancePatchStates": [
    {
      "OperationStartTime": "2016-12-09T05:00:00Z",
      "FailedCount": 0,
      "InstanceId": "i-08ee91c0b17045407",
      "OwnerInformation": "",
      "NotApplicableCount": 2077,
      "OperationEndTime": "2016-12-09T05:02:37Z",
      "PatchGroup": "Production",
      "InstalledOtherCount": 186,
      "MissingCount": 7,
      "SnapshotId": "b0e65479-79be-4288-9f88-81c96bc3ed5e",
      "Operation": "Scan",
      "InstalledCount": 72
    },
    {
      "OperationStartTime": "2016-12-09T04:59:09Z",
      "FailedCount": 0,
      "InstanceId": "i-09a618aec652973a9",
      "OwnerInformation": "",
      "NotApplicableCount": 1637,
      "OperationEndTime": "2016-12-09T05:03:57Z",
      "PatchGroup": "Production",
      "InstalledOtherCount": 388,
      "MissingCount": 2,
      "SnapshotId": "b0e65479-79be-4288-9f88-81c96bc3ed5e",
      "Operation": "Scan",
      "InstalledCount": 141
    }
---output truncated---
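Steps 9 and 10 of the CLI walkthrough and the per-instance summary command above return the same per-instance counters in two shapes (epoch seconds in one, ISO-8601 strings in the other), and the group-level counters are just an aggregation of them. The following Python script is an added example, not AWS code and not part of the original page: it rebuilds the describe-patch-group-state counters from a list of instance patch states, lists the instances that do not meet their baseline (any Missing or Failed patches), and flags instances whose last scan is older than a given age, since a clean-looking count from a stale scan is not evidence of compliance. The SAMPLE_STATES list is constructed from the values shown on this page, with the last entry deliberately using the string timestamp form.

```python
"""Evaluate Patch Manager instance patch states (added example, not AWS code).
SAMPLE_STATES is constructed from the values shown on this page, not captured live."""
from datetime import datetime, timedelta, timezone

STATES = ("NotApplicable", "Missing", "Failed", "InstalledOther", "Installed")

# Constructed sample: the four Production instances from step 10 of the walkthrough.
# OperationEndTime appears as epoch seconds or as an ISO-8601 string, the two shapes
# the CLI output on this page uses.
SAMPLE_STATES = [
    {"InstanceId": "i-08ee91c0b17045407", "PatchGroup": "Production", "Operation": "Scan",
     "OperationEndTime": 1481259757.0, "NotApplicableCount": 2077, "MissingCount": 7,
     "FailedCount": 0, "InstalledOtherCount": 186, "InstalledCount": 72},
    {"InstanceId": "i-0fff3aab684d01b23", "PatchGroup": "Production", "Operation": "Scan",
     "OperationEndTime": 1481259613.0, "NotApplicableCount": 2692, "MissingCount": 1,
     "FailedCount": 0, "InstalledOtherCount": 3, "InstalledCount": 1},
    {"InstanceId": "i-0a00def7faa94f1dc", "PatchGroup": "Production", "Operation": "Scan",
     "OperationEndTime": 1481259592.0, "NotApplicableCount": 1859, "MissingCount": 1,
     "FailedCount": 0, "InstalledOtherCount": 116, "InstalledCount": 110},
    {"InstanceId": "i-09a618aec652973a9", "PatchGroup": "Production", "Operation": "Scan",
     "OperationEndTime": "2016-12-09T05:03:57Z", "NotApplicableCount": 1637, "MissingCount": 2,
     "FailedCount": 0, "InstalledOtherCount": 388, "InstalledCount": 141},
]


def parse_time(value):
    """Return an aware UTC datetime from either epoch seconds or an ISO-8601 string."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_patch_group(states):
    """Rebuild the describe-patch-group-state counters: an instance is counted under
    a state when it has at least one patch in that state."""
    summary = {"Instances": len(states)}
    for name in STATES:
        summary[f"InstancesWith{name}Patches"] = sum(
            1 for s in states if s[f"{name}Count"] > 0)
    return summary


def noncompliant(states):
    """Instances that do not meet their baseline: Missing means an approved patch is
    absent, Failed means an install attempt did not succeed."""
    findings = []
    for s in states:
        reasons = []
        if s["MissingCount"] > 0:
            reasons.append(f"{s['MissingCount']} missing")
        if s["FailedCount"] > 0:
            reasons.append(f"{s['FailedCount']} failed")
        if reasons:
            findings.append((s["InstanceId"], ", ".join(reasons)))
    return findings


def stale(states, now_iso, max_age_days):
    """Instances whose last patch operation ended more than max_age_days before now_iso."""
    now = parse_time(now_iso)
    max_age = timedelta(days=max_age_days)
    return [s["InstanceId"] for s in states if now - parse_time(s["OperationEndTime"]) > max_age]


if __name__ == "__main__":
    print(summarize_patch_group(SAMPLE_STATES))
    for instance_id, reason in noncompliant(SAMPLE_STATES):
        print(f"{instance_id}: {reason}")
    print("stale scans:", stale(SAMPLE_STATES, "2016-12-16T12:00:00Z", 7))
```

To run it against a real account, replace SAMPLE_STATES with the InstancePatchStates array from aws ssm describe-instance-patch-states-for-patch-group; the three functions only depend on the count and OperationEndTime fields that both commands on this page return.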

Get patch compliance details for an instance

aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407

The system returns information like the following.

{
  "NextToken": "--token string truncated--",
  "Patches": [
    {
      "KBId": "KB2919355",
      "Severity": "Critical",
      "Classification": "SecurityUpdates",
      "Title": "Windows 8.1 Update for x64-based Systems (KB2919355)",
      "State": "Installed",
      "InstalledTime": "2014-03-18T12:00:00Z"
    },
    {
      "KBId": "KB2977765",
      "Severity": "Important",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2 x64-based Systems (KB2977765)",
      "State": "Installed",
      "InstalledTime": "2014-10-15T12:00:00Z"
    },
    {
      "KBId": "KB2978126",
      "Severity": "Important",
      "Classification": "SecurityUpdates",
      "Title": "Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 (KB2978126)",
      "State": "Installed",
      "InstalledTime": "2014-11-18T12:00:00Z"
    },
---output truncated---