Identifying noncompliant managed nodes - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Identifying noncompliant managed nodes

Out-of-compliance managed nodes are identified when either of two Amazon Systems Manager documents (SSM documents) is run. These SSM documents reference the appropriate patch baseline for each managed node in Patch Manager, a capability of Amazon Systems Manager, evaluate the patch state of the managed node, and then make the compliance results available to you.

There are two SSM documents that are used to identify or update noncompliant managed nodes: AWS-RunPatchBaseline and AWS-RunPatchBaselineAssociation. Each one is used by different processes, and their compliance results are available through different channels. The following table outlines the differences between these documents.

Note

Patch compliance data from Patch Manager can be sent to Amazon Security Hub. Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status. It also monitors the patching status of your fleet. For more information, see Integrating Patch Manager with Amazon Security Hub.

AWS-RunPatchBaseline compared with AWS-RunPatchBaselineAssociation

Processes that use the document

AWS-RunPatchBaseline:

Patch on demand – You can scan or patch managed nodes on demand using the Patch now option. For information, see Patching managed nodes on demand.

Systems Manager Quick Setup patch policies – You can create a patching configuration in Quick Setup, a capability of Amazon Systems Manager, that can scan for or install missing patches on separate schedules for an entire organization, a subset of organizational units, or a single Amazon Web Services account. For information, see Configure patching for instances in an organization.

Run a command – You can manually run AWS-RunPatchBaseline in an operation in Run Command, a capability of Amazon Systems Manager. For information, see Running commands from the console.

Maintenance window – You can create a maintenance window that uses the SSM document AWS-RunPatchBaseline in a Run Command task type. For information, see Walkthrough: Creating a maintenance window for patching (console).

AWS-RunPatchBaselineAssociation:

Systems Manager Quick Setup Host Management – You can enable a Host Management configuration option in Quick Setup to scan your managed instances for patch compliance each day. For information, see Set up Amazon EC2 host management.

Systems Manager Explorer – When you enable Explorer, a capability of Amazon Systems Manager, it regularly scans your managed instances for patch compliance and reports results in the Explorer dashboard.

Format of the patch scan result data

AWS-RunPatchBaseline: After AWS-RunPatchBaseline runs, Patch Manager sends an AWS:PatchSummary object to Inventory, a capability of Amazon Systems Manager.

AWS-RunPatchBaselineAssociation: After AWS-RunPatchBaselineAssociation runs, Patch Manager sends an AWS:ComplianceItem object to Systems Manager Inventory.

Viewing patch compliance reports in the console

AWS-RunPatchBaseline: You can view patch compliance information for processes that use AWS-RunPatchBaseline in Systems Manager Configuration Compliance and Working with managed nodes. For more information, see Viewing patch compliance results.

AWS-RunPatchBaselineAssociation: If you use Quick Setup to scan your managed instances for patch compliance, you can see the compliance report in Systems Manager State Manager, which is accessible using a View results button in Quick Setup. If you use Explorer to scan your managed instances for patch compliance, you can see the compliance report in both Explorer and Systems Manager OpsCenter.

Amazon CLI commands for viewing patch compliance results

AWS-RunPatchBaseline: For processes that use AWS-RunPatchBaseline, you can use the following Amazon CLI commands to view summary information about patches on a managed node.

AWS-RunPatchBaselineAssociation: For processes that use AWS-RunPatchBaselineAssociation, you can use the following Amazon CLI command to view summary information about patches on an instance.

Patching operations

AWS-RunPatchBaseline: For processes that use AWS-RunPatchBaseline, you specify whether you want the operation to run a Scan operation only, or a Scan and install operation. If your goal is to identify noncompliant managed nodes and not remediate them, run only a Scan operation.

AWS-RunPatchBaselineAssociation: Quick Setup and Explorer processes, which use AWS-RunPatchBaselineAssociation, run only a Scan operation.
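The following is an added example, not code from the Systems Manager documentation, showing how a defender would turn the two kinds of compliance data described above into a list of noncompliant managed nodes. It assumes the record shapes of the DescribeInstancePatchStates response (what AWS-RunPatchBaseline processes feed) and of the ListComplianceItems response with ComplianceType Patch (what AWS-RunPatchBaselineAssociation processes feed); the instance IDs, patch IDs and counts are constructed sample data embedded inline so the script runs offline, and the function names are this example's own.

```python
"""Flag noncompliant managed nodes from Patch Manager compliance data.

Added example, not from the Amazon Systems Manager documentation. The two
sample lists below are constructed and shaped like the relevant API responses:
  - InstancePatchStates from DescribeInstancePatchStates (AWS-RunPatchBaseline)
  - ComplianceItems from ListComplianceItems (AWS-RunPatchBaselineAssociation)
A real run would replace the samples with the parsed JSON of those calls.
"""
from typing import Dict, List

# Constructed sample: one record per managed node, as returned by
# `aws ssm describe-instance-patch-states` (field names follow the API).
SAMPLE_PATCH_STATES: List[Dict] = [
    {"InstanceId": "i-0example000000001", "PatchGroup": "web", "Operation": "Scan",
     "InstalledCount": 42, "MissingCount": 0, "FailedCount": 0,
     "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0example000000002", "PatchGroup": "web", "Operation": "Scan",
     "InstalledCount": 40, "MissingCount": 3, "FailedCount": 0,
     "InstalledPendingRebootCount": 1},
    {"InstanceId": "i-0example000000003", "PatchGroup": "db", "Operation": "Install",
     "InstalledCount": 55, "MissingCount": 0, "FailedCount": 2,
     "InstalledPendingRebootCount": 0},
]

# Constructed sample: per-patch items of ComplianceType "Patch", as returned by
# `aws ssm list-compliance-items` for nodes scanned by Quick Setup or Explorer.
SAMPLE_COMPLIANCE_ITEMS: List[Dict] = [
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance",
     "ResourceId": "i-0example000000004", "Id": "KB5000001",
     "Title": "Sample security update", "Status": "NON_COMPLIANT", "Severity": "CRITICAL"},
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance",
     "ResourceId": "i-0example000000004", "Id": "KB5000002",
     "Title": "Sample rollup", "Status": "COMPLIANT", "Severity": "HIGH"},
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance",
     "ResourceId": "i-0example000000005", "Id": "KB5000003",
     "Title": "Sample cumulative update", "Status": "COMPLIANT", "Severity": "MEDIUM"},
    # An item of another compliance type must be ignored by the patch filter.
    {"ComplianceType": "Association", "ResourceType": "ManagedInstance",
     "ResourceId": "i-0example000000005", "Id": "assoc-example",
     "Title": "Sample association", "Status": "NON_COMPLIANT", "Severity": "UNSPECIFIED"},
]

# Counters in an InstancePatchState that mean at least one patch is not in a
# compliant state on the node.
NONCOMPLIANT_COUNTERS = ("MissingCount", "FailedCount")


def noncompliant_from_patch_states(states: List[Dict]) -> Dict[str, List[str]]:
    """Map InstanceId -> reasons for every node with missing or failed patches.

    Handles records that omit a counter (treated as zero) and reports which
    counter tripped, so the output is usable as a triage list.
    """
    findings: Dict[str, List[str]] = {}
    for state in states:
        reasons = [f"{name}={state[name]}"
                   for name in NONCOMPLIANT_COUNTERS if state.get(name, 0) > 0]
        if reasons:
            findings[state["InstanceId"]] = reasons
    return findings


def noncompliant_from_compliance_items(items: List[Dict]) -> Dict[str, List[str]]:
    """Map ResourceId -> patch Ids reported NON_COMPLIANT, for Patch items only."""
    findings: Dict[str, List[str]] = {}
    for item in items:
        if item.get("ComplianceType") != "Patch" or item.get("Status") != "NON_COMPLIANT":
            continue
        findings.setdefault(item["ResourceId"], []).append(item["Id"])
    return findings


def nodes_needing_remediation(states: List[Dict], items: List[Dict]) -> List[str]:
    """Union of noncompliant node IDs from both data sources, sorted for reporting."""
    ids = set(noncompliant_from_patch_states(states)) | set(noncompliant_from_compliance_items(items))
    return sorted(ids)


if __name__ == "__main__":
    for node, reasons in noncompliant_from_patch_states(SAMPLE_PATCH_STATES).items():
        print(f"{node}: {', '.join(reasons)}")
    for node, patches in noncompliant_from_compliance_items(SAMPLE_COMPLIANCE_ITEMS).items():
        print(f"{node}: missing {', '.join(patches)}")
    print("remediation list:", nodes_needing_remediation(SAMPLE_PATCH_STATES, SAMPLE_COMPLIANCE_ITEMS))
```

The two sources are kept separate because they come from different documents and are surfaced through different channels, as the comparison above describes; the final list is only the identification step, so a Scan-only run of AWS-RunPatchBaseline, or the Scan-only Quick Setup and Explorer associations, is enough to produce it.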
More info

About the AWS-RunPatchBaseline SSM document

About the AWS-RunPatchBaselineAssociation SSM document

For information about the various patch compliance states you might see reported, see Understanding patch compliance state values.

For information about remediating managed nodes that are out of patch compliance, see Patching noncompliant managed nodes.