The following procedure walks you through the process of using the Amazon Command Line Interface (Amazon CLI)
to call the Amazon Systems Manager PutComplianceItems API operation to assign custom compliance metadata to a
resource. You can also use this API operation to manually assign patch or association
compliance metadata to a managed node, as shown in the following walkthrough. For more
information about custom compliance, see About custom compliance.
To assign custom compliance metadata to a managed instance (Amazon CLI)
- Install and configure the Amazon Command Line Interface (Amazon CLI), if you haven't already.
For information, see Installing or updating the latest version of the Amazon CLI.
- Run the following command to assign custom compliance metadata to a managed
node. Replace each example resource placeholder with your own information. The
ResourceType parameter only supports a value of ManagedInstance. Specify this
value even if you are assigning custom compliance metadata to a managed
Amazon IoT Greengrass core device.
- Linux & macOS
aws ssm put-compliance-items \
--resource-id instance_ID \
--resource-type ManagedInstance \
--compliance-type Custom:user-defined_string \
--execution-summary ExecutionTime=user-defined_time_and/or_date_value \
--items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR, INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
- Windows
aws ssm put-compliance-items ^
--resource-id instance_ID ^
--resource-type ManagedInstance ^
--compliance-type Custom:user-defined_string ^
--execution-summary ExecutionTime=user-defined_time_and/or_date_value ^
--items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR, INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
- Repeat the previous step to assign additional custom compliance metadata to
one or more nodes. You can also manually assign patch or association compliance
metadata to managed nodes by using the following commands:
Association compliance metadata
- Linux & macOS
aws ssm put-compliance-items \
--resource-id instance_ID \
--resource-type ManagedInstance \
--compliance-type Association \
--execution-summary ExecutionTime=user-defined_time_and/or_date_value \
--items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR, INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
- Windows
aws ssm put-compliance-items ^
--resource-id instance_ID ^
--resource-type ManagedInstance ^
--compliance-type Association ^
--execution-summary ExecutionTime=user-defined_time_and/or_date_value ^
--items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR, INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
Patch compliance metadata
- Linux & macOS
aws ssm put-compliance-items \
--resource-id instance_ID \
--resource-type ManagedInstance \
--compliance-type Patch \
--execution-summary ExecutionTime=user-defined_time_and/or_date_value,ExecutionId=user-defined_ID,ExecutionType=Command \
--items Id=for_example, KB12345,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR, INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT,Details="{PatchGroup=name_of_group,PatchSeverity=the_patch_severity, for example, CRITICAL}"
- Windows
aws ssm put-compliance-items ^
--resource-id instance_ID ^
--resource-type ManagedInstance ^
--compliance-type Patch ^
--execution-summary ExecutionTime=user-defined_time_and/or_date_value,ExecutionId=user-defined_ID,ExecutionType=Command ^
--items Id=for_example, KB12345,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR, INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT,Details="{PatchGroup=name_of_group,PatchSeverity=the_patch_severity, for example, CRITICAL}"
- Run the following command to view a list of compliance items for a specific
managed node. Use filters to drill down into specific compliance data.
- Linux & macOS
aws ssm list-compliance-items \
--resource-ids instance_ID \
--resource-types ManagedInstance \
--filters one_or_more_filters
- Windows
aws ssm list-compliance-items ^
--resource-ids instance_ID ^
--resource-types ManagedInstance ^
--filters one_or_more_filters
The following examples show you how to use this command with filters.
- Linux & macOS
aws ssm list-compliance-items \
--resource-ids i-02573cafcfEXAMPLE \
--resource-types ManagedInstance \
--filters Key=DocumentName,Values=AWS-RunPowerShellScript Key=Status,Values=NON_COMPLIANT,Type=NotEqual Key=Id,Values=cee20ae7-6388-488e-8be1-a88ccEXAMPLE Key=Severity,Values=UNSPECIFIED
- Windows
aws ssm list-compliance-items ^
--resource-ids i-02573cafcfEXAMPLE ^
--resource-types ManagedInstance ^
--filters Key=DocumentName,Values=AWS-RunPowerShellScript Key=Status,Values=NON_COMPLIANT,Type=NotEqual Key=Id,Values=cee20ae7-6388-488e-8be1-a88ccEXAMPLE Key=Severity,Values=UNSPECIFIED
- Linux & macOS
aws ssm list-resource-compliance-summaries \
--filters Key=OverallSeverity,Values=UNSPECIFIED
- Windows
aws ssm list-resource-compliance-summaries ^
--filters Key=OverallSeverity,Values=UNSPECIFIED
- Linux & macOS
aws ssm list-resource-compliance-summaries \
--filters Key=OverallSeverity,Values=UNSPECIFIED Key=ComplianceType,Values=Association Key=InstanceId,Values=i-02573cafcfEXAMPLE
- Windows
aws ssm list-resource-compliance-summaries ^
--filters Key=OverallSeverity,Values=UNSPECIFIED Key=ComplianceType,Values=Association Key=InstanceId,Values=i-02573cafcfEXAMPLE
- Run the following command to view a summary of compliance statuses. Use
filters to drill down into specific compliance data.
aws ssm list-resource-compliance-summaries --filters one_or_more_filters
The following examples show you how to use this command with filters.
- Linux & macOS
aws ssm list-resource-compliance-summaries \
--filters Key=ExecutionType,Values=Command
- Windows
aws ssm list-resource-compliance-summaries ^
--filters Key=ExecutionType,Values=Command
- Linux & macOS
aws ssm list-resource-compliance-summaries \
--filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=OverallSeverity,Values=CRITICAL
- Windows
aws ssm list-resource-compliance-summaries ^
--filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=OverallSeverity,Values=CRITICAL
- Run the following command to view a summary count of compliant and
non-compliant resources for a compliance type. Use filters to drill down into
specific compliance data.
aws ssm list-compliance-summaries --filters one_or_more_filters
The following examples show you how to use this command with filters.
- Linux & macOS
aws ssm list-compliance-summaries \
--filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=PatchGroup,Values=TestGroup
- Windows
aws ssm list-compliance-summaries ^
--filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=PatchGroup,Values=TestGroup
- Linux & macOS
aws ssm list-compliance-summaries \
--filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=ExecutionId,Values=4adf0526-6aed-4694-97a5-14522EXAMPLE
- Windows
aws ssm list-compliance-summaries ^
--filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=ExecutionId,Values=4adf0526-6aed-4694-97a5-14522EXAMPLE
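
The step that assigns custom compliance metadata, as an added example that is not from the AWS documentation: a shell script that derives a Custom compliance item from a local configuration check and prints the resulting put-compliance-items call for review. The helper names, the Custom:SSHHardening type, the item Id and Title, and the sample sshd_config text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a local configuration check into a Custom compliance item.
# check_root_login, build_items and put_custom_compliance are hypothetical helpers.

# Constructed sample input standing in for the contents of /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication no'

# Print COMPLIANT only if the first PermitRootLogin value is "no".
# sshd uses the first value it reads for a keyword; Match blocks are not handled.
check_root_login() {
    value=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    if [ "$value" = "no" ]; then echo COMPLIANT; else echo NON_COMPLIANT; fi
}

# Build the --items shorthand value: Id=...,Title=...,Severity=...,Status=...
# A comma inside a field would split the shorthand, so reject it up front.
build_items() {
    for field in "$1" "$2" "$3" "$4"; do
        case $field in *,*|"") echo "invalid field: '$field'" >&2; return 1 ;; esac
    done
    case $4 in
        COMPLIANT|NON_COMPLIANT) ;;
        *) echo "invalid status: $4" >&2; return 1 ;;
    esac
    printf 'Id=%s,Title=%s,Severity=%s,Status=%s' "$1" "$2" "$3" "$4"
}

# Print the put-compliance-items call (default), or run it when DRY_RUN=0.
# The printed form is for review; it does not preserve shell quoting.
put_custom_compliance() {
    instance_id=$1
    status=$(check_root_login "$2")
    items=$(build_items "ssh-root-login" "SSH root login disabled" \
        "CRITICAL" "$status") || return 1
    exec_time=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    set -- aws ssm put-compliance-items \
        --resource-id "$instance_id" \
        --resource-type ManagedInstance \
        --compliance-type Custom:SSHHardening \
        --execution-summary "ExecutionTime=$exec_time" \
        --items "$items"
    if [ "${DRY_RUN:-1}" = "0" ]; then "$@"; else printf '%s\n' "$*"; fi
}

put_custom_compliance i-02573cafcfEXAMPLE "$SAMPLE_SSHD_CONFIG"
```

Set DRY_RUN=0 to send the item; the list-compliance-items command with a Key=Status filter then shows it on the node.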