Working with Patch Manager (Amazon CLI)
The section includes examples of Amazon Command Line Interface (Amazon CLI) commands that you can use to perform configuration tasks for Patch Manager, a capability of Amazon Systems Manager.
For an illustration of using the Amazon CLI to patch a server environment by using a custom patch baseline, see Tutorial: Patch a server environment (Amazon CLI).
For more information about using the Amazon CLI for Amazon Systems Manager tasks, see the Amazon Systems Manager section of the Amazon CLI Command Reference.
Topics
Amazon CLI commands for patch baselines
Sample commands for patch baselines
- Create a patch baseline
- Create a patch baseline with custom repositories for different OS versions
- Update a patch baseline
- Rename a patch baseline
- Delete a patch baseline
- List all patch baselines
- List all Amazon-provided patch baselines
- List my patch baselines
- Display a patch baseline
- Get the default patch baseline
- Set a custom patch baseline as the default
- Reset an Amazon patch baseline as the default
- Tag a patch baseline
- List the tags for a patch baseline
- Remove a tag from a patch baseline
Create a patch baseline
The following command creates a patch baseline that approves all critical and important security updates for Windows Server 2012 R2 5 days after they're released. Patches have also been specified for the Approved and Rejected patch lists. In addition, the patch baseline has been tagged to indicate that it's for a production environment.
The system returns information like the following.
{
"BaselineId":"pb-0c10e65780EXAMPLE"
}
Create a patch baseline with custom repositories for different OS versions
Applies to Linux managed nodes only. The following command shows how to specify the patch repository to use for a particular version of the Amazon Linux operating system. This sample uses a source repository allowed by default on Amazon Linux 2017.09, but it could be adapted to a different source repository that you have configured for a managed node.
Note
To better demonstrate this more complex command, we're using the
--cli-input-json option with additional options stored an
external JSON file.
-
Create a JSON file with a name like
my-patch-repository.jsonand add the following content to it.{ "Description": "My patch repository for Amazon Linux 2017.09", "Name": "Amazon-Linux-2017.09", "OperatingSystem": "AMAZON_LINUX", "ApprovalRules": { "PatchRules": [ { "ApproveAfterDays": 7, "EnableNonSecurity": true, "PatchFilterGroup": { "PatchFilters": [ { "Key": "SEVERITY", "Values": [ "Important", "Critical" ] }, { "Key": "CLASSIFICATION", "Values": [ "Security", "Bugfix" ] }, { "Key": "PRODUCT", "Values": [ "AmazonLinux2017.09" ] } ] } } ] }, "Sources": [ { "Name": "My-AL2017.09", "Products": [ "AmazonLinux2017.09" ], "Configuration": "[amzn-main] \nname=amzn-main-Base\nmirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list //nmirrorlist_expire=300//nmetadata_expire=300 \npriority=10 \nfailovermethod=priority \nfastestmirror_enabled=0 \ngpgcheck=1 \ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga \nenabled=1 \nretries=3 \ntimeout=5\nreport_instanceid=yes" } ] } -
In the directory where you saved the file, run the following command.
aws ssm create-patch-baseline --cli-input-json file://my-patch-repository.jsonThe system returns information like the following.
{ "BaselineId": "pb-0c10e65780EXAMPLE" }
Update a patch baseline
The following command adds two patches as rejected and one patch as approved to an existing patch baseline.
Note
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.
The system returns information like the following.
{ "BaselineId":"pb-0c10e65780EXAMPLE", "Name":"Windows-Server-2012R2", "RejectedPatches":[ "KB2032276", "MS10-048" ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1481001494.035, "CreatedDate":1480997823.81, "ApprovedPatches":[ "KB2124261" ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }
Rename a patch baseline
The system returns information like the following.
{ "BaselineId":"pb-0c10e65780EXAMPLE", "Name":"Windows-Server-2012-R2-Important-and-Critical-Security-Updates", "RejectedPatches":[ "KB2032276", "MS10-048" ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1481001795.287, "CreatedDate":1480997823.81, "ApprovedPatches":[ "KB2124261" ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }
Delete a patch baseline
aws ssm delete-patch-baseline --baseline-id "pb-0c10e65780EXAMPLE"
The system returns information like the following.
{
"BaselineId":"pb-0c10e65780EXAMPLE"
}
List all patch baselines
aws ssm describe-patch-baselines
The system returns information like the following.
{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by Amazon.", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE" }, { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-0c10e65780EXAMPLE" } ] }
Here is another command that lists all patch baselines in an Amazon Web Services Region.
The system returns information like the following.
{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by Amazon.", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE" }, { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-0c10e65780EXAMPLE" } ] }
List all Amazon-provided patch baselines
The system returns information like the following.
{ "BaselineIdentities":[ { "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":true, "BaselineDescription":"Default Patch Baseline Provided by Amazon.", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE" } ] }
List my patch baselines
The system returns information like the following.
{ "BaselineIdentities":[ { "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":false, "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates", "BaselineId":"pb-0c10e65780EXAMPLE" } ] }
Display a patch baseline
aws ssm get-patch-baseline --baseline-id pb-0c10e65780EXAMPLE
Note
For custom patch baselines, you can specify either the patch baseline ID
or the full Amazon Resource Name (ARN). For an Amazon-provided patch
baseline, you must specify the full ARN. For example,
arn:aws:ssm:us-east-2:075727635805:patchbaseline/pb-0c10e65780EXAMPLE.
The system returns information like the following.
{ "BaselineId":"pb-0c10e65780EXAMPLE", "Name":"Windows-Server-2012R2", "PatchGroups":[ "Web Servers" ], "RejectedPatches":[ ], "GlobalFilters":{ "PatchFilters":[ ] }, "ApprovalRules":{ "PatchRules":[ { "PatchFilterGroup":{ "PatchFilters":[ { "Values":[ "Important", "Critical" ], "Key":"MSRC_SEVERITY" }, { "Values":[ "SecurityUpdates" ], "Key":"CLASSIFICATION" }, { "Values":[ "WindowsServer2012R2" ], "Key":"PRODUCT" } ] }, "ApproveAfterDays":5 } ] }, "ModifiedDate":1480997823.81, "CreatedDate":1480997823.81, "ApprovedPatches":[ ], "Description":"Windows Server 2012 R2, Important and Critical security updates" }
Get the default patch baseline
aws ssm get-default-patch-baseline --region us-east-2
The system returns information like the following.
{
"BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}
Set a custom patch baseline as the default
The system returns information like the following.
{
"BaselineId":"pb-0c10e65780EXAMPLE"
}
Reset an Amazon patch baseline as the default
The system returns information like the following.
{
"BaselineId":"pb-0c10e65780EXAMPLE"
}
Tag a patch baseline
List the tags for a patch baseline
Remove a tag from a patch baseline
Amazon CLI commands for patch groups
Sample commands for patch groups
Create a patch group
To help you organize your patching efforts, we recommend that you add managed
nodes to patch groups by using tags. Patch groups require use of the tag key
Patch Group or PatchGroup. If you have allowed tags in EC2 instance metadata, you must use
PatchGroup (without a space). You can specify any tag value,
but the tag key must be Patch Group or PatchGroup. For
more information about patch groups, see About patch groups.
After you group your managed nodes using tags, you add the patch group value to a patch baseline. By registering the patch group with a patch baseline, you ensure that the correct patches are installed during the patching operation.
Task 1: Add EC2 instances to a patch group using tags
Note
When using the Amazon Elastic Compute Cloud (Amazon EC2) console and Amazon CLI, it's possible to
apply Key = Patch Group or Key = PatchGroup
tags to instances that aren't yet configured for use with Systems Manager. If an
EC2 instance you expect to see in Patch Manager isn't listed after applying
the Patch Group or Key = PatchGroup tag, see
Troubleshooting managed node
availability for
troubleshooting tips.
Run the following command to add the PatchGroup tag to an EC2
instance.
aws ec2 create-tags --resources"i-1234567890abcdef0"--tags "Key=PatchGroup,Value=GroupValue"
Task 2: Add managed nodes to a patch group using tags
Run the following command to add the PatchGroup tag to a
managed node.
Task 3: Add a patch group to a patch baseline
Run the following command to associate a PatchGroup tag value
to the specified patch baseline.
The system returns information like the following.
{
"PatchGroup": "Development",
"BaselineId": "pb-0c10e65780EXAMPLE"
}
Register a patch group "web servers" with a patch baseline
The system returns information like the following.
{
"PatchGroup":"Web Servers",
"BaselineId":"pb-0c10e65780EXAMPLE"
}
Register a patch group "Backend" with the Amazon-provided patch baseline
The system returns information like the following.
{
"PatchGroup":"Backend",
"BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}
Display patch group registrations
aws ssm describe-patch-groups --region us-east-2
The system returns information like the following.
{ "PatchGroupPatchBaselineMappings":[ { "PatchGroup":"Backend", "BaselineIdentity":{ "BaselineName":"AWS-DefaultPatchBaseline", "DefaultBaseline":false, "BaselineDescription":"Default Patch Baseline Provided by Amazon.", "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE" } }, { "PatchGroup":"Web Servers", "BaselineIdentity":{ "BaselineName":"Windows-Server-2012R2", "DefaultBaseline":true, "BaselineDescription":"Windows Server 2012 R2, Important and Critical updates", "BaselineId":"pb-0c10e65780EXAMPLE" } } ] }
Deregister a patch group from a patch baseline
The system returns information like the following.
{
"PatchGroup":"Production",
"BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}
Amazon CLI commands for viewing patch summaries and details
Sample commands for viewing patch summaries and details
- Get all patches defined by a patch baseline
- Get all patches for AmazonLinux2018.03 that have a Classification SECURITY and Severity of Critical
- Get all patches for Windows Server 2012 that have a MSRC severity of Critical
- Get all available patches
- Get patch summary states per-managed node
- Get patch compliance details for a managed node
- View patching compliance results (Amazon CLI)
Get all patches defined by a patch baseline
Note
This command is supported for Windows Server patch baselines only.
The system returns information like the following.
{ "NextToken":"--token string truncated--", "EffectivePatches":[ { "PatchStatus":{ "ApprovalDate":1384711200.0, "DeploymentStatus":"APPROVED" }, "Patch":{ "ContentUrl":"https://support.microsoft.com/en-us/kb/2876331", "ProductFamily":"Windows", "Product":"WindowsServer2012R2", "Vendor":"Microsoft", "Description":"A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2012 R2 Preview (KB2876331)", "ReleaseDate":1384279200.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2876331", "MsrcNumber":"MS13-089", "Id":"e74ccc76-85f0-4881-a738-59e9fc9a336d" } }, { "PatchStatus":{ "ApprovalDate":1428858000.0, "DeploymentStatus":"APPROVED" }, "Patch":{ "ContentUrl":"https://support.microsoft.com/en-us/kb/2919355", "ProductFamily":"Windows", "Product":"WindowsServer2012R2", "Vendor":"Microsoft", "Description":"Windows Server 2012 R2 Update is a cumulative set of security updates, critical updates and updates. You must install Windows Server 2012 R2 Update to ensure that your computer can continue to receive future Windows Updates, including security updates. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.", "Classification":"SecurityUpdates", "Title":"Windows Server 2012 R2 Update (KB2919355)", "ReleaseDate":1428426000.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2919355", "MsrcNumber":"MS14-018", "Id":"8452bac0-bf53-4fbd-915d-499de08c338b" } } ---output truncated---
Get
all patches for AmazonLinux2018.03 that have a Classification
SECURITY and Severity of Critical
The system returns information like the following.
{ "Patches": [ { "AdvisoryIds": ["ALAS-2011-1"], "BugzillaIds": [ "1234567" ], "Classification": "SECURITY", "CVEIds": [ "CVE-2011-3192"], "Name": "zziplib", "Epoch": "0", "Version": "2.71", "Release": "1.3.amzn1", "Arch": "i686", "Product": "AmazonLinux2018.03", "ReleaseDate": 1590519815, "Severity": "CRITICAL" } ] } ---output truncated---
Get all
patches for Windows Server 2012 that have a MSRC severity of
Critical
The system returns information like the following.
{ "Patches":[ { "ContentUrl":"https://support.microsoft.com/en-us/kb/2727528", "ProductFamily":"Windows", "Product":"WindowsServer2012", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2012 (KB2727528)", "ReleaseDate":1352829600.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2727528", "MsrcNumber":"MS12-072", "Id":"1eb507be-2040-4eeb-803d-abc55700b715" }, { "ContentUrl":"https://support.microsoft.com/en-us/kb/2729462", "ProductFamily":"Windows", "Product":"WindowsServer2012", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)", "ReleaseDate":1352829600.0, "MsrcClassification":"Critical", "Language":"All", "KbNumber":"KB2729462", "MsrcNumber":"MS12-074", "Id":"af873760-c97c-4088-ab7e-5219e120eab4" } ---output truncated---
Get all available patches
aws ssm describe-available-patches --region us-east-2
The system returns information like the following.
{ "NextToken":"--token string truncated--", "Patches":[ { "ContentUrl":"https://support.microsoft.com/en-us/kb/2032276", "ProductFamily":"Windows", "Product":"WindowsServer2008R2", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)", "ReleaseDate":1279040400.0, "MsrcClassification":"Important", "Language":"All", "KbNumber":"KB2032276", "MsrcNumber":"MS10-043", "Id":"8692029b-a3a2-4a87-a73b-8ea881b4b4d6" }, { "ContentUrl":"https://support.microsoft.com/en-us/kb/2124261", "ProductFamily":"Windows", "Product":"Windows7", "Vendor":"Microsoft", "Description":"A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.", "Classification":"SecurityUpdates", "Title":"Security Update for Windows 7 (KB2124261)", "ReleaseDate":1284483600.0, "MsrcClassification":"Important", "Language":"All", "KbNumber":"KB2124261", "MsrcNumber":"MS10-065", "Id":"12ef1bed-0dd2-4633-b3ac-60888aa8ba33" } ---output truncated---
Get patch summary states per-managed node
The per-managed node summary gives you the number of patches in the following states per node: "NotApplicable", "Missing", "Failed", "InstalledOther" and "Installed".
The system returns information like the following.
{ "InstancePatchStates":[ { "InstanceId": "i-08ee91c0b17045407", "PatchGroup": "", "BaselineId": "pb-0c10e65780EXAMPLE", "SnapshotId": "6d03d6c5-f79d-41d0-8d0e-00a9aEXAMPLE", "InstalledCount": 50, "InstalledOtherCount": 353, "InstalledPendingRebootCount": 0, "InstalledRejectedCount": 0, "MissingCount": 0, "FailedCount": 0, "UnreportedNotApplicableCount": -1, "NotApplicableCount": 671, "OperationStartTime": "2020-01-24T12:37:56-08:00", "OperationEndTime": "2020-01-24T12:37:59-08:00", "Operation": "Scan", "RebootOption": "NoReboot" }, { "InstanceId": "i-09a618aec652973a9", "PatchGroup": "", "BaselineId": "pb-0c10e65780EXAMPLE", "SnapshotId": "c7e0441b-1eae-411b-8aa7-973e6EXAMPLE", "InstalledCount": 36, "InstalledOtherCount": 396, "InstalledPendingRebootCount": 0, "InstalledRejectedCount": 0, "MissingCount": 3, "FailedCount": 0, "UnreportedNotApplicableCount": -1, "NotApplicableCount": 420, "OperationStartTime": "2020-01-24T12:37:34-08:00", "OperationEndTime": "2020-01-24T12:37:37-08:00", "Operation": "Scan", "RebootOption": "NoReboot" } ---output truncated---
Get patch compliance details for a managed node
aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407
The system returns information like the following.
{ "NextToken":"--token string truncated--", "Patches":[ { "Title": "bind-libs.x86_64:32:9.8.2-0.68.rc1.60.amzn1", "KBId": "bind-libs.x86_64", "Classification": "Security", "Severity": "Important", "State": "Installed", "InstalledTime": "2019-08-26T11:05:24-07:00" }, { "Title": "bind-utils.x86_64:32:9.8.2-0.68.rc1.60.amzn1", "KBId": "bind-utils.x86_64", "Classification": "Security", "Severity": "Important", "State": "Installed", "InstalledTime": "2019-08-26T11:05:32-07:00" }, { "Title": "dhclient.x86_64:12:4.1.1-53.P1.28.amzn1", "KBId": "dhclient.x86_64", "Classification": "Security", "Severity": "Important", "State": "Installed", "InstalledTime": "2019-08-26T11:05:31-07:00" }, ---output truncated---
View patching compliance results (Amazon CLI)
To view patch compliance results for a single managed node
Run the following command in the Amazon Command Line Interface (Amazon CLI) to view patch compliance results for a single managed node.
aws ssm describe-instance-patch-states --instance-idinstance-id
Replace instance-id with the ID of the managed node
for which you want to view results, in the format i-02573cafcfEXAMPLE
or mi-0282f7c436EXAMPLE.
The systems returns information like the following.
{ "InstancePatchStates": [ { "InstanceId": "i-02573cafcfEXAMPLE", "PatchGroup": "mypatchgroup", "BaselineId": "pb-0c10e65780EXAMPLE", "SnapshotId": "a3f5ff34-9bc4-4d2c-a665-4d1c1EXAMPLE", "CriticalNonCompliantCount": 2, "SecurityNonCompliantCount": 2, "OtherNonCompliantCount": 1, "InstalledCount": 123, "InstalledOtherCount": 334, "InstalledPendingRebootCount": 0, "InstalledRejectedCount": 0, "MissingCount": 1, "FailedCount": 2, "UnreportedNotApplicableCount": 11, "NotApplicableCount": 2063, "OperationStartTime": "2021-05-03T11:00:56-07:00", "OperationEndTime": "2021-05-03T11:01:09-07:00", "Operation": "Scan", "LastNoRebootInstallOperationTime": "2020-06-14T12:17:41-07:00", "RebootOption": "RebootIfNeeded" } ] }
To view a patch count summary for all EC2 instances in a Region
The describe-instance-patch-states supports retrieving results
for just one managed instance at a time. However, using a custom script with the
describe-instance-patch-states command, you can generate a more
granular report.
For example, if the jq
filter toolInstalledPendingReboot.
aws ssm describe-instance-patch-states \ --instance-ids $(aws ec2 describe-instances --regionregion| jq '.Reservations[].Instances[] | .InstanceId' | tr '\n|"' ' ') \ --output text --query 'InstancePatchStates[*].{Instance:InstanceId, InstalledPendingRebootCount:InstalledPendingRebootCount}'
region represents the identifier for an Amazon Web Services Region
supported by Amazon Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of
supported region values, see the Region column in Systems Manager service endpoints in the
Amazon Web Services General Reference.
For example:
aws ssm describe-instance-patch-states \ --instance-ids $(aws ec2 describe-instances --region us-east-2 | jq '.Reservations[].Instances[] | .InstanceId' | tr '\n|"' ' ') \ --output text --query 'InstancePatchStates[*].{Instance:InstanceId, InstalledPendingRebootCount:InstalledPendingRebootCount}'
The system returns information like the following.
1 i-02573cafcfEXAMPLE 0 i-0471e04240EXAMPLE 3 i-07782c72faEXAMPLE 6 i-083b678d37EXAMPLE 0 i-03a530a2d4EXAMPLE 1 i-01f68df0d0EXAMPLE 0 i-0a39c0f214EXAMPLE 7 i-0903a5101eEXAMPLE 7 i-03823c2fedEXAMPLE
In addition to InstalledPendingRebootCount, the list of count
types you can search for include the following:
-
CriticalNonCompliantCount -
SecurityNonCompliantCount -
OtherNonCompliantCount -
UnreportedNotApplicableCount -
InstalledPendingRebootCount -
FailedCount -
NotApplicableCount -
InstalledRejectedCount -
InstalledOtherCount -
MissingCount -
InstalledCount
Amazon CLI commands for scanning and patching managed nodes
After running the following commands to scan for patch compliance or install patches, you can use commands in the Amazon CLI commands for viewing patch summaries and details section to view information about patch status and compliance.
Sample commands
Scan managed nodes for patch compliance (Amazon CLI)
To scan specific managed nodes for patch compliance
Run the following command.
The system returns information like the following.
{ "Command": { "CommandId": "a04ed06c-8545-40f4-87c2-a0babEXAMPLE", "DocumentName": "AWS-RunPatchBaseline", "DocumentVersion": "$DEFAULT", "Comment": "", "ExpiresAfter": 1621974475.267, "Parameters": { "Operation": [ "Scan" ] }, "InstanceIds": [], "Targets": [ { "Key": "InstanceIds", "Values": [ "i-02573cafcfEXAMPLE, i-0471e04240EXAMPLE" ] } ], "RequestedDateTime": 1621952275.267, "Status": "Pending", "StatusDetails": "Pending", "TimeoutSeconds": 600, ---output truncated--- } }
To scan managed nodes for patch compliance by patch group tag
Run the following command.
The system returns information like the following.
{ "Command": { "CommandId": "87a448ee-8adc-44e0-b4d1-6b429EXAMPLE", "DocumentName": "AWS-RunPatchBaseline", "DocumentVersion": "$DEFAULT", "Comment": "", "ExpiresAfter": 1621974983.128, "Parameters": { "Operation": [ "Scan" ] }, "InstanceIds": [], "Targets": [ { "Key": "tag:PatchGroup", "Values": [ "Web servers" ] } ], "RequestedDateTime": 1621952783.128, "Status": "Pending", "StatusDetails": "Pending", "TimeoutSeconds": 600, ---output truncated--- } }
Install patches on managed nodes (Amazon CLI)
To install patches on specific managed nodes
Run the following command.
Note
The target managed nodes reboot as needed to complete patch installation. For more information, see About the AWS-RunPatchBaseline SSM document.
The system returns information like the following.
{ "Command": { "CommandId": "5f403234-38c4-439f-a570-93623EXAMPLE", "DocumentName": "AWS-RunPatchBaseline", "DocumentVersion": "$DEFAULT", "Comment": "", "ExpiresAfter": 1621975301.791, "Parameters": { "Operation": [ "Install" ] }, "InstanceIds": [], "Targets": [ { "Key": "InstanceIds", "Values": [ "i-02573cafcfEXAMPLE, i-0471e04240EXAMPLE" ] } ], "RequestedDateTime": 1621953101.791, "Status": "Pending", "StatusDetails": "Pending", "TimeoutSeconds": 600, ---output truncated--- } }
To install patches on managed nodes in a specific patch group
Run the following command.
The system returns information like the following.
{ "Command": { "CommandId": "fa44b086-7d36-4ad5-ac8d-627ecEXAMPLE", "DocumentName": "AWS-RunPatchBaseline", "DocumentVersion": "$DEFAULT", "Comment": "", "ExpiresAfter": 1621975407.865, "Parameters": { "Operation": [ "Install" ] }, "InstanceIds": [], "Targets": [ { "Key": "tag:PatchGroup", "Values": [ "Web servers" ] } ], "RequestedDateTime": 1621953207.865, "Status": "Pending", "StatusDetails": "Pending", "TimeoutSeconds": 600, ---output truncated--- } }