Identifying noncompliant managed nodes

Out-of-compliance managed nodes are identified when either of two Amazon Systems Manager documents (SSM documents) are run. These SSM documents reference the appropriate patch baseline for each managed node in Patch Manager, a capability of Amazon Systems Manager. They then evaluate the patch state of the managed node and then make compliance results available to you.

There are two SSM documents that are used to identify or update noncompliant managed nodes: AWS-RunPatchBaseline and AWS-RunPatchBaselineAssociation. Each one is used by different processes, and their compliance results are available through different channels. The following table outlines the differences between these documents.

Note

Patch compliance data from Patch Manager can be sent to Amazon Security Hub. Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status. It also monitors the patching status of your fleet. For more information, see Integrating Patch Manager with Amazon Security Hub.

	`AWS-RunPatchBaseline`	`AWS-RunPatchBaselineAssociation`
Processes that use the document	Patch on demand - You can scan or patch managed nodes on demand using the Patch now option. For information, see Patching managed nodes on demand. Systems Manager Quick Setup patch policies – You can create a patching configuration in Quick Setup, a capability of Amazon Systems Manager, that can scan for or install missing patches on separate schedules for an entire organization, a subset of organizational units, or a single Amazon Web Services account. For information, see Configure patching for instances in an organization. Run a command – You can manually run `AWS-RunPatchBaseline` in an operation in Run Command, a capability of Amazon Systems Manager. For information, see Running commands from the console. Maintenance window – You can create a maintenance window that uses the SSM document `AWS-RunPatchBaseline` in a Run Command task type. For information, see Walkthrough: Creating a maintenance window for patching (console).	Systems Manager Quick Setup Host Management – You can enable a Host Management configuration option in Quick Setup to scan your managed instances for patch compliance each day. For information, see Set up Amazon EC2 host management. Systems Manager Explorer – When you allow Explorer, a capability of Amazon Systems Manager, it regularly scans your managed instances for patch compliance and reports results in the Explorer dashboard.
Format of the patch scan result data	After `AWS-RunPatchBaseline` runs, Patch Manager sends an `AWS:PatchSummary` object to Inventory, a capability of Amazon Systems Manager.	After `AWS-RunPatchBaselineAssociation` runs, Patch Manager sends an `AWS:ComplianceItem` object to Systems Manager Inventory.
Viewing patch compliance reports in the console	You can view patch compliance information for processes that use `AWS-RunPatchBaseline` in Systems Manager Configuration Compliance and Working with managed nodes. For more information, see Viewing patch compliance results.	If you use Quick Setup to scan your managed instances for patch compliance, you can see the compliance report in Systems Manager State Manager, which is accessible using a View results button in Quick Setup. If you use Explorer to scan your managed instances for patch compliance, you can see the compliance report in both Explorer and Systems Manager OpsCenter.
Amazon CLI commands for viewing patch compliance results	For processes that use `AWS-RunPatchBaseline`, you can use the following Amazon CLI commands to view summary information about patches on a managed node. describe-instance-patch-states describe-instance-patch-states-for-patch-group describe-patch-group-state	For processes that use `AWS-RunPatchBaselineAssociation`, you can use the following Amazon CLI command to view summary information about patches on an instance. list-compliance-items
Patching operations	For processes that use `AWS-RunPatchBaseline`, you specify whether you want the operation to run a `Scan` operation only, or a `Scan and install` operation. If your goal is to identify noncompliant managed nodes and not remediate them, run only a `Scan` operation.	Quick Setup and Explorer processes, which use `AWS-RunPatchBaselineAssociation`, run only a `Scan` operation.
More info	About the AWS-RunPatchBaseline SSM document	About the AWS-RunPatchBaselineAssociation SSM document

For information about the various patch compliance states you might see reported, see Understanding patch compliance state values

For information about remediating managed nodes that are out of patch compliance, see Patching noncompliant managed nodes.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Remediating noncompliant managed nodes

Understanding patch compliance state values