Use DescribeInstancePatches with an Amazon SDK or CLI - Amazon Systems Manager

Use DescribeInstancePatches with an Amazon SDK or CLI

The following code examples show how to use DescribeInstancePatches.

CLI
Amazon CLI

Example 1: To get the patch state details for an instance

The following describe-instance-patches example retrieves details about the patches for the specified instance.

aws ssm describe-instance-patches \
    --instance-id "i-1234567890abcdef0"

Output:

{
    "Patches": [
        {
            "Title": "2019-01 Security Update for Adobe Flash Player for Windows Server 2016 for x64-based Systems (KB4480979)",
            "KBId": "KB4480979",
            "Classification": "SecurityUpdates",
            "Severity": "Critical",
            "State": "Installed",
            "InstalledTime": "2019-01-09T00:00:00+00:00"
        },
        {
            "Title": "",
            "KBId": "KB4481031",
            "Classification": "",
            "Severity": "",
            "State": "InstalledOther",
            "InstalledTime": "2019-02-08T00:00:00+00:00"
        },
        ...
    ],
    "NextToken": "--token string truncated--"
}

Example 2: To get a list of patches in the Missing state for an instance

The following describe-instance-patches example retrieves information about patches that are in the Missing state for the specified instance.

aws ssm describe-instance-patches \
    --instance-id "i-1234567890abcdef0" \
    --filters Key=State,Values=Missing

Output:

{
    "Patches": [
        {
            "Title": "Windows Malicious Software Removal Tool x64 - February 2019 (KB890830)",
            "KBId": "KB890830",
            "Classification": "UpdateRollups",
            "Severity": "Unspecified",
            "State": "Missing",
            "InstalledTime": "1970-01-01T00:00:00+00:00"
        },
        ...
    ],
    "NextToken": "--token string truncated--"
}

For more information, see About Patch Compliance States in the Amazon Systems Manager User Guide.

Example 3: To get a list of patches installed since a specified InstalledTime for an instance

The following describe-instance-patches example retrieves information about patches installed since a specified time for the specified instance by combining the use of --filters and --query.

# Single quotes keep the shell from treating the JMESPath backticks as command substitution.
aws ssm describe-instance-patches \
    --instance-id "i-1234567890abcdef0" \
    --filters Key=State,Values=Installed \
    --query 'Patches[?InstalledTime >= `2023-01-01T16:00:00`]'

Output:

{
    "Patches": [
        {
            "Title": "2023-03 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB5023702)",
            "KBId": "KB5023702",
            "Classification": "SecurityUpdates",
            "Severity": "Critical",
            "State": "Installed",
            "InstalledTime": "2023-03-16T11:00:00+00:00"
        },
        ...
    ],
    "NextToken": "--token string truncated--"
}

PowerShell
Tools for PowerShell

Example 1: This example gets the patch compliance details for an instance.

Get-SSMInstancePatch -InstanceId "i-08ee91c0b17045407"
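
Every output shown for the CLI examples is cut off at a NextToken, so a complete patch picture for an instance needs all pages. The following Python (boto3) code is an added example, not part of the AWS documentation: fetch_pages uses the SDK paginator, while triage, SAMPLE_PAGES and the cutoff value are names and constructed data assumed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone


def fetch_pages(instance_id):
    """Return an iterator over every DescribeInstancePatches page (follows NextToken)."""
    import boto3  # imported here so the triage logic below also runs offline
    paginator = boto3.client("ssm").get_paginator("describe_instance_patches")
    return paginator.paginate(InstanceId=instance_id)


def triage(pages, since):
    """Return (state counts, missing patches, KBs installed at or after `since`)."""
    counts, missing, recent = Counter(), [], []
    for page in pages:
        for patch in page.get("Patches", []):
            state = patch["State"]
            counts[state] += 1
            installed = patch.get("InstalledTime")
            if isinstance(installed, str):  # CLI JSON has ISO strings, boto3 has datetimes
                installed = datetime.fromisoformat(installed)
            if state == "Missing":
                # InstalledTime is the 1970 epoch placeholder here, so ignore it.
                missing.append((patch["KBId"], patch.get("Severity") or "Unspecified"))
            elif state == "Installed" and installed is not None and installed >= since:
                recent.append(patch["KBId"])
    return counts, missing, recent


# Constructed sample: two pages built from the records shown in the CLI outputs.
SAMPLE_PAGES = [
    {"Patches": [
        {"KBId": "KB4480979", "Severity": "Critical", "State": "Installed",
         "InstalledTime": "2019-01-09T00:00:00+00:00"},
        {"KBId": "KB4481031", "Severity": "", "State": "InstalledOther",
         "InstalledTime": "2019-02-08T00:00:00+00:00"}],
     "NextToken": "constructed-token"},
    {"Patches": [
        {"KBId": "KB890830", "Severity": "Unspecified", "State": "Missing",
         "InstalledTime": "1970-01-01T00:00:00+00:00"},
        {"KBId": "KB5023702", "Severity": "Critical", "State": "Installed",
         "InstalledTime": "2023-03-16T11:00:00+00:00"}]},
]

if __name__ == "__main__":
    cutoff = datetime(2023, 1, 1, 16, 0, tzinfo=timezone.utc)
    counts, missing, recent = triage(SAMPLE_PAGES, cutoff)
    print(dict(counts), missing, recent)
```

Against a live account, pass `fetch_pages("i-1234567890abcdef0")` to `triage` in place of `SAMPLE_PAGES`.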

For a complete list of Amazon SDK developer guides and code examples, see Using Systems Manager with an Amazon SDK. This topic also includes information about getting started and details about previous SDK versions.