Using Patch Manager (AWS CLI) - AWS Systems Manager
The AWS services or features described in AWS documentation can vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS Services in China.

This page was produced by machine translation. Where the translated content differs from the English original, the English original takes precedence.

Using Patch Manager (AWS CLI)

This section contains example AWS Command Line Interface (AWS CLI) commands that you can use to perform configuration tasks for Patch Manager, a capability of AWS Systems Manager.

For an example of using the AWS CLI to patch a server environment with a custom patch baseline, see Walkthrough: Patch a server environment (AWS CLI).

For more information about using the AWS CLI for AWS Systems Manager tasks, see the AWS Systems Manager section of the AWS CLI Command Reference.

AWS CLI commands for patch baselines

Create a patch baseline

The following command creates a patch baseline that approves all Critical and Important security updates for Windows Server 2012 R2 five days after Microsoft releases them. Patches are also named explicitly in the approved and rejected patch lists, and the baseline is tagged to indicate that it is for the production environment. The --rejected-patches-action value ALLOW_AS_DEPENDENCY lets a rejected patch be installed when another package being installed depends on it; the other accepted value, BLOCK, prevents the rejected patch from being installed even as a dependency, so use BLOCK when the patch must never reach the instance.

Linux & macOS
aws ssm create-patch-baseline \
    --name "Windows-Server-2012R2" \
    --tags "Key=Environment,Value=Production" \
    --description "Windows Server 2012 R2, Important and Critical security updates" \
    --approved-patches "KB2032276,MS10-048" \
    --rejected-patches "KB2124261" \
    --rejected-patches-action "ALLOW_AS_DEPENDENCY" \
    --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]"
Windows
aws ssm create-patch-baseline ^
    --name "Windows-Server-2012R2" ^
    --tags "Key=Environment,Value=Production" ^
    --description "Windows Server 2012 R2, Important and Critical security updates" ^
    --approved-patches "KB2032276,MS10-048" ^
    --rejected-patches "KB2124261" ^
    --rejected-patches-action "ALLOW_AS_DEPENDENCY" ^
    --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Important,Critical]},{Key=CLASSIFICATION,Values=SecurityUpdates},{Key=PRODUCT,Values=WindowsServer2012R2}]},ApproveAfterDays=5}]"

The system returns information like the following.

{
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

Create a patch baseline with custom repositories for different OS versions

Applies to Linux instances only. The following command shows how to specify the patch repositories to use for a version of the Amazon Linux operating system. This example uses a source repository that is enabled by default on Amazon Linux 2017.09, but it can be adapted to a different source repository that you have configured for an instance. Keep gpgcheck=1 and a gpgkey in every source you configure: a custom repository is a trust decision, and package signature verification is what ties the packages Patch Manager installs back to the publisher you intended.

Note

To better illustrate this more complex command, we use the --cli-input-json option with the other options stored in an external JSON file.

  1. Create a JSON file with a name like my-patch-repository.json and add the following content to it.

    {
        "Description": "My patch repository for Amazon Linux 2017.09",
        "Name": "Amazon-Linux-2017.09",
        "OperatingSystem": "AMAZON_LINUX",
        "ApprovalRules": {
            "PatchRules": [
                {
                    "ApproveAfterDays": 7,
                    "EnableNonSecurity": true,
                    "PatchFilterGroup": {
                        "PatchFilters": [
                            { "Key": "SEVERITY", "Values": [ "Important", "Critical" ] },
                            { "Key": "CLASSIFICATION", "Values": [ "Security", "Bugfix" ] },
                            { "Key": "PRODUCT", "Values": [ "AmazonLinux2017.09" ] }
                        ]
                    }
                }
            ]
        },
        "Sources": [
            {
                "Name": "My-AL2017.09",
                "Products": [ "AmazonLinux2017.09" ],
                "Configuration": "[amzn-main]\nname=amzn-main-Base\nmirrorlist=http://repo.$awsregion.$awsdomain/$releasever/main/mirror.list\nmirrorlist_expire=300\nmetadata_expire=300\npriority=10\nfailovermethod=priority\nfastestmirror_enabled=0\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga\nenabled=1\nretries=3\ntimeout=5\nreport_instanceid=yes"
            }
        ]
    }
  2. From the directory where you saved the file, run the following command.

    aws ssm create-patch-baseline --cli-input-json file://my-patch-repository.json

    The system returns information like the following.

    {
        "BaselineId": "pb-12343b962ba63wxya"
    }
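The Configuration string above is ordinary yum .repo text, and whatever it says is what yum on the instance will trust. The following Python is an added example, not code from this page or from AWS: it parses a Sources[].Configuration value, refuses to emit a --cli-input-json document whose enabled repository sections do not verify package signatures, and otherwise assembles the same baseline document shown above. The sample repository text is constructed from the page's example, and the audit rules (gpgcheck=1, a gpgkey, no plaintext-HTTP mirror without signature checking) are this example's own policy.

```python
"""Build and audit a Patch Manager baseline document for --cli-input-json."""
import json
import re

# Constructed sample: the yum repository configuration the page passes in "Sources".
# $awsregion, $awsdomain and $releasever are expanded by yum on the instance.
SAMPLE_REPO_CONFIG = (
    "[amzn-main]\n"
    "name=amzn-main-Base\n"
    "mirrorlist=http://repo.$awsregion.$awsdomain/$releasever/main/mirror.list\n"
    "mirrorlist_expire=300\n"
    "metadata_expire=300\n"
    "priority=10\n"
    "failovermethod=priority\n"
    "fastestmirror_enabled=0\n"
    "gpgcheck=1\n"
    "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga\n"
    "enabled=1\n"
    "retries=3\n"
    "timeout=5\n"
    "report_instanceid=yes"
)


def parse_repo_config(text):
    """Parse yum/dnf .repo text into {section_name: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed repo line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def audit_source(config_text):
    """Return findings for a Sources[].Configuration value (empty list = acceptable).

    Every enabled section must verify package signatures; otherwise whoever controls
    the mirror or the network path can serve arbitrary RPMs that will be installed as
    'patches'. This policy is the example's own, not a Patch Manager requirement.
    """
    findings = []
    for name, opts in parse_repo_config(config_text).items():
        if opts.get("enabled", "1") != "1":
            continue  # yum ignores disabled sections
        signed = opts.get("gpgcheck") == "1"
        if not signed:
            findings.append(f"{name}: gpgcheck is not 1; package signatures are not verified")
        if "gpgkey" not in opts:
            findings.append(f"{name}: no gpgkey configured")
        url = opts.get("baseurl") or opts.get("mirrorlist") or ""
        if not url:
            findings.append(f"{name}: neither baseurl nor mirrorlist is set")
        elif url.startswith("http://") and not signed:
            findings.append(f"{name}: plaintext HTTP repository without signature verification")
    return findings


def build_baseline(name, product, repo_config, approve_after_days=7):
    """Assemble the create-patch-baseline input document, rejecting unsafe sources."""
    problems = audit_source(repo_config)
    if problems:
        raise ValueError("refusing to build baseline: " + "; ".join(problems))
    if not 0 <= approve_after_days <= 360:
        raise ValueError("ApproveAfterDays must be between 0 and 360")
    return {
        "Description": f"My patch repository for {product}",
        "Name": name,
        "OperatingSystem": "AMAZON_LINUX",
        "ApprovalRules": {"PatchRules": [{
            "ApproveAfterDays": approve_after_days,
            "EnableNonSecurity": True,
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "SEVERITY", "Values": ["Important", "Critical"]},
                {"Key": "CLASSIFICATION", "Values": ["Security", "Bugfix"]},
                {"Key": "PRODUCT", "Values": [product]},
            ]},
        }]},
        "Sources": [{"Name": f"My-{product}", "Products": [product], "Configuration": repo_config}],
    }


if __name__ == "__main__":
    # Emit the document to stdout; redirect it to my-patch-repository.json for the CLI.
    print(json.dumps(build_baseline("Amazon-Linux-2017.09", "AmazonLinux2017.09", SAMPLE_REPO_CONFIG), indent=2))
```

Run it and redirect the output to the JSON file, then pass the file with --cli-input-json exactly as in step 2; if a section has gpgcheck=0 or no gpgkey the script exits with the findings instead of producing a file.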

Update a patch baseline

The following command sets the rejected patch list of an existing patch baseline to two patches and its approved patch list to one patch. As the returned baseline shows, the values you pass replace the existing ApprovedPatches and RejectedPatches lists rather than being appended to them (this example swaps the two lists created above), so always send the complete list you want to end up with.

Note

For information about the accepted formats for approved and rejected patch lists, see About package name formats for approved and rejected patch lists.

Linux & macOS
aws ssm update-patch-baseline \
    --baseline-id pb-0c10e65780EXAMPLE \
    --rejected-patches "KB2032276" "MS10-048" \
    --approved-patches "KB2124261"
Windows
aws ssm update-patch-baseline ^
    --baseline-id pb-0c10e65780EXAMPLE ^
    --rejected-patches "KB2032276" "MS10-048" ^
    --approved-patches "KB2124261"

The system returns information like the following.

{
   "BaselineId":"pb-0c10e65780EXAMPLE",
   "Name":"Windows-Server-2012R2",
   "RejectedPatches":[
      "KB2032276",
      "MS10-048"
   ],
   "GlobalFilters":{
      "PatchFilters":[

      ]
   },
   "ApprovalRules":{
      "PatchRules":[
         {
            "PatchFilterGroup":{
               "PatchFilters":[
                  {
                     "Values":[
                        "Important",
                        "Critical"
                     ],
                     "Key":"MSRC_SEVERITY"
                  },
                  {
                     "Values":[
                        "SecurityUpdates"
                     ],
                     "Key":"CLASSIFICATION"
                  },
                  {
                     "Values":[
                        "WindowsServer2012R2"
                     ],
                     "Key":"PRODUCT"
                  }
               ]
            },
            "ApproveAfterDays":5
         }
      ]
   },
   "ModifiedDate":1481001494.035,
   "CreatedDate":1480997823.81,
   "ApprovedPatches":[
      "KB2124261"
   ],
   "Description":"Windows Server 2012 R2, Important and Critical security updates"
}

Rename a patch baseline

Linux & macOS
aws ssm update-patch-baseline \
    --baseline-id pb-0c10e65780EXAMPLE \
    --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"
Windows
aws ssm update-patch-baseline ^
    --baseline-id pb-0c10e65780EXAMPLE ^
    --name "Windows-Server-2012-R2-Important-and-Critical-Security-Updates"

The system returns information like the following.

{
   "BaselineId":"pb-0c10e65780EXAMPLE",
   "Name":"Windows-Server-2012-R2-Important-and-Critical-Security-Updates",
   "RejectedPatches":[
      "KB2032276",
      "MS10-048"
   ],
   "GlobalFilters":{
      "PatchFilters":[

      ]
   },
   "ApprovalRules":{
      "PatchRules":[
         {
            "PatchFilterGroup":{
               "PatchFilters":[
                  {
                     "Values":[
                        "Important",
                        "Critical"
                     ],
                     "Key":"MSRC_SEVERITY"
                  },
                  {
                     "Values":[
                        "SecurityUpdates"
                     ],
                     "Key":"CLASSIFICATION"
                  },
                  {
                     "Values":[
                        "WindowsServer2012R2"
                     ],
                     "Key":"PRODUCT"
                  }
               ]
            },
            "ApproveAfterDays":5
         }
      ]
   },
   "ModifiedDate":1481001795.287,
   "CreatedDate":1480997823.81,
   "ApprovedPatches":[
      "KB2124261"
   ],
   "Description":"Windows Server 2012 R2, Important and Critical security updates"
}

Delete a patch baseline

aws ssm delete-patch-baseline --baseline-id "pb-0c10e65780EXAMPLE"

The system returns information like the following.

{
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

List all patch baselines

aws ssm describe-patch-baselines

The system returns information like the following.

{
   "BaselineIdentities":[
      {
         "BaselineName":"AWS-DefaultPatchBaseline",
         "DefaultBaseline":true,
         "BaselineDescription":"Default Patch Baseline Provided by Amazon.",
         "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
      },
      {
         "BaselineName":"Windows-Server-2012R2",
         "DefaultBaseline":false,
         "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates",
         "BaselineId":"pb-0c10e65780EXAMPLE"
      }
   ]
}

Here is another command that lists all patch baselines in a specific AWS Region.

Linux & macOS
aws ssm describe-patch-baselines \
    --region us-east-2 \
    --filters "Key=OWNER,Values=[All]"
Windows
aws ssm describe-patch-baselines ^
    --region us-east-2 ^
    --filters "Key=OWNER,Values=[All]"

The system returns information like the following.

{
   "BaselineIdentities":[
      {
         "BaselineName":"AWS-DefaultPatchBaseline",
         "DefaultBaseline":true,
         "BaselineDescription":"Default Patch Baseline Provided by Amazon.",
         "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
      },
      {
         "BaselineName":"Windows-Server-2012R2",
         "DefaultBaseline":false,
         "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates",
         "BaselineId":"pb-0c10e65780EXAMPLE"
      }
   ]
}

List all AWS-provided patch baselines

Linux & macOS
aws ssm describe-patch-baselines \
    --region us-east-2 \
    --filters "Key=OWNER,Values=[AWS]"
Windows
aws ssm describe-patch-baselines ^
    --region us-east-2 ^
    --filters "Key=OWNER,Values=[AWS]"

The system returns information like the following.

{
   "BaselineIdentities":[
      {
         "BaselineName":"AWS-DefaultPatchBaseline",
         "DefaultBaseline":true,
         "BaselineDescription":"Default Patch Baseline Provided by Amazon.",
         "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
      }
   ]
}

List my patch baselines

Linux & macOS
aws ssm describe-patch-baselines \
    --region us-east-2 \
    --filters "Key=OWNER,Values=[Self]"
Windows
aws ssm describe-patch-baselines ^
    --region us-east-2 ^
    --filters "Key=OWNER,Values=[Self]"

The system returns information like the following.

{
   "BaselineIdentities":[
      {
         "BaselineName":"Windows-Server-2012R2",
         "DefaultBaseline":false,
         "BaselineDescription":"Windows Server 2012 R2, Important and Critical security updates",
         "BaselineId":"pb-0c10e65780EXAMPLE"
      }
   ]
}

Display a patch baseline

aws ssm get-patch-baseline --baseline-id pb-0c10e65780EXAMPLE

Note

For a custom patch baseline, you can specify either the patch baseline ID or the full Amazon Resource Name (ARN). For an AWS-provided patch baseline, you must specify the full ARN. For example: arn:aws:ssm:us-east-1:075727635805:patchbaseline/pb-03e3f588eec25344c

The system returns information like the following.

{
   "BaselineId":"pb-0c10e65780EXAMPLE",
   "Name":"Windows-Server-2012R2",
   "PatchGroups":[
      "Web Servers"
   ],
   "RejectedPatches":[

   ],
   "GlobalFilters":{
      "PatchFilters":[

      ]
   },
   "ApprovalRules":{
      "PatchRules":[
         {
            "PatchFilterGroup":{
               "PatchFilters":[
                  {
                     "Values":[
                        "Important",
                        "Critical"
                     ],
                     "Key":"MSRC_SEVERITY"
                  },
                  {
                     "Values":[
                        "SecurityUpdates"
                     ],
                     "Key":"CLASSIFICATION"
                  },
                  {
                     "Values":[
                        "WindowsServer2012R2"
                     ],
                     "Key":"PRODUCT"
                  }
               ]
            },
            "ApproveAfterDays":5
         }
      ]
   },
   "ModifiedDate":1480997823.81,
   "CreatedDate":1480997823.81,
   "ApprovedPatches":[

   ],
   "Description":"Windows Server 2012 R2, Important and Critical security updates"
}

Get the default patch baseline

aws ssm get-default-patch-baseline --region us-east-2

The system returns information like the following.

{
   "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}

Set a custom patch baseline as the default

Linux & macOS
aws ssm register-default-patch-baseline \
    --region us-east-2 \
    --baseline-id "pb-0c10e65780EXAMPLE"
Windows
aws ssm register-default-patch-baseline ^
    --region us-east-2 ^
    --baseline-id "pb-0c10e65780EXAMPLE"

The system returns information like the following.

{
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

Reset the AWS-provided patch baseline as the default

Linux & macOS
aws ssm register-default-patch-baseline \
    --region us-east-2 \
    --baseline-id "arn:aws:ssm:us-east-2:733109147000:patchbaseline/pb-0574b43a65ea646ed"
Windows
aws ssm register-default-patch-baseline ^
    --region us-east-2 ^
    --baseline-id "arn:aws:ssm:us-east-2:733109147000:patchbaseline/pb-0574b43a65ea646ed"

The system returns information like the following.

{
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

Tag a patch baseline

Linux & macOS
aws ssm add-tags-to-resource \
    --resource-type "PatchBaseline" \
    --resource-id "pb-0c10e65780EXAMPLE" \
    --tags "Key=Project,Value=Testing"
Windows
aws ssm add-tags-to-resource ^
    --resource-type "PatchBaseline" ^
    --resource-id "pb-0c10e65780EXAMPLE" ^
    --tags "Key=Project,Value=Testing"

List the tags for a patch baseline

Linux & macOS
aws ssm list-tags-for-resource \
    --resource-type "PatchBaseline" \
    --resource-id "pb-0c10e65780EXAMPLE"
Windows
aws ssm list-tags-for-resource ^
    --resource-type "PatchBaseline" ^
    --resource-id "pb-0c10e65780EXAMPLE"

Remove tags from a patch baseline

Linux & macOS
aws ssm remove-tags-from-resource \
    --resource-type "PatchBaseline" \
    --resource-id "pb-0c10e65780EXAMPLE" \
    --tag-keys "Project"
Windows
aws ssm remove-tags-from-resource ^
    --resource-type "PatchBaseline" ^
    --resource-id "pb-0c10e65780EXAMPLE" ^
    --tag-keys "Project"

AWS CLI commands for patch groups

Create a patch group

To help you organize your patching efforts, we recommend that you add instances to patch groups by using tags. Patch groups require the tag key Patch Group. You can specify any tag value, but the tag key must be Patch Group. For more information about patch groups, see About patch groups.

After you group your instances using tags, add the patch group value to a patch baseline. By registering the patch group with a patch baseline, you ensure that the correct patches are installed during the patching operation.

Task 1: Add EC2 instances to a patch group using tags

Note

Using the Amazon Elastic Compute Cloud (Amazon EC2) console and the AWS CLI, it is possible to apply the Key = Patch Group tag to an instance that has not yet been configured for use with Systems Manager. If an EC2 instance you expect to see in Patch Manager is not listed after you apply the Patch Group tag, see Troubleshooting Amazon EC2 managed instance availability for troubleshooting tips.

Run the following command to add the Patch Group tag to an EC2 instance.

aws ec2 create-tags --resources "i-1234567890abcdef0" --tags "Key=Patch Group,Value=GroupValue"

Task 2: Add managed instances to a patch group using tags

Run the following command to add the Patch Group tag to a managed instance.

Linux & macOS
aws ssm add-tags-to-resource \
    --resource-type "ManagedInstance" \
    --resource-id "mi-0123456789abcdefg" \
    --tags "Key=Patch Group,Value=GroupValue"
Windows
aws ssm add-tags-to-resource ^
    --resource-type "ManagedInstance" ^
    --resource-id "mi-0123456789abcdefg" ^
    --tags "Key=Patch Group,Value=GroupValue"

Task 3: Add a patch group to a patch baseline

Run the following command to associate a Patch Group tag value with the specified patch baseline.

Linux & macOS
aws ssm register-patch-baseline-for-patch-group \
    --baseline-id "pb-0123456789abcdef0" \
    --patch-group "Development"
Windows
aws ssm register-patch-baseline-for-patch-group ^
    --baseline-id "pb-0123456789abcdef0" ^
    --patch-group "Development"

The system returns information like the following.

{
  "PatchGroup": "Development",
  "BaselineId": "pb-0123456789abcdef0"
}

Register the patch group "Web Servers" with a patch baseline

Linux & macOS
aws ssm register-patch-baseline-for-patch-group \
    --baseline-id "pb-0c10e65780EXAMPLE" \
    --patch-group "Web Servers"
Windows
aws ssm register-patch-baseline-for-patch-group ^
    --baseline-id "pb-0c10e65780EXAMPLE" ^
    --patch-group "Web Servers"

The system returns information like the following.

{
   "PatchGroup":"Web Servers",
   "BaselineId":"pb-0c10e65780EXAMPLE"
}

Register the patch group "Backend" with the AWS-provided patch baseline

Linux & macOS
aws ssm register-patch-baseline-for-patch-group \
    --region us-east-2 \
    --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE" \
    --patch-group "Backend"
Windows
aws ssm register-patch-baseline-for-patch-group ^
    --region us-east-2 ^
    --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE" ^
    --patch-group "Backend"

The system returns information like the following.

{
   "PatchGroup":"Backend",
   "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}

Display patch group registrations

aws ssm describe-patch-groups --region us-east-2

The system returns information like the following.

{
   "PatchGroupPatchBaselineMappings":[
      {
         "PatchGroup":"Backend",
         "BaselineIdentity":{
            "BaselineName":"AWS-DefaultPatchBaseline",
            "DefaultBaseline":false,
            "BaselineDescription":"Default Patch Baseline Provided by Amazon.",
            "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
         }
      },
      {
         "PatchGroup":"Web Servers",
         "BaselineIdentity":{
            "BaselineName":"Windows-Server-2012R2",
            "DefaultBaseline":true,
            "BaselineDescription":"Windows Server 2012 R2, Important and Critical updates",
            "BaselineId":"pb-0c10e65780EXAMPLE"
         }
      }
   ]
}
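Tasks 1 to 3 above and the describe-patch-groups output together determine which baseline each instance is actually evaluated against, and the failure modes are quiet: a tag key that is not exactly Patch Group, or a group value with no registration, silently drops the instance onto the Region's default baseline. The following Python is an added example, not code from this page or from AWS. It takes the describe-patch-groups JSON as printed above plus a constructed set of instance tag lists (the shape aws ec2 describe-instances reports) and resolves each instance to a baseline with the reason; it recognizes only the Patch Group tag key, as this page states. The instance IDs and mistagged examples are constructed for illustration.

```python
"""Resolve which patch baseline Patch Manager will apply to each instance from its tags."""

# Constructed sample: the mapping shape printed by `aws ssm describe-patch-groups`
# (values taken from the page's example output).
PATCH_GROUP_MAPPINGS = {
    "PatchGroupPatchBaselineMappings": [
        {"PatchGroup": "Backend",
         "BaselineIdentity": {"BaselineName": "AWS-DefaultPatchBaseline", "DefaultBaseline": False,
                              "BaselineId": "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"}},
        {"PatchGroup": "Web Servers",
         "BaselineIdentity": {"BaselineName": "Windows-Server-2012R2", "DefaultBaseline": True,
                              "BaselineId": "pb-0c10e65780EXAMPLE"}},
    ]
}

# Constructed sample: per-instance tag lists as `aws ec2 describe-instances` reports them.
SAMPLE_INSTANCES = {
    "i-02573cafcfEXAMPLE": [{"Key": "Patch Group", "Value": "Web Servers"}],
    "i-0471e04240EXAMPLE": [{"Key": "Patch Group", "Value": "Backend"}],
    "i-07782c72faEXAMPLE": [{"Key": "patch_group", "Value": "Web Servers"}],  # wrong tag key
    "i-083b678d37EXAMPLE": [{"Key": "Patch Group", "Value": "Staging"}],      # group never registered
    "i-03a530a2d4EXAMPLE": [{"Key": "Environment", "Value": "Production"}],   # no patch group at all
}

# Constructed: the baseline get-default-patch-baseline reports for the Region.
DEFAULT_BASELINE_ID = "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
TAG_KEY = "Patch Group"  # the only key this example honours, as the page states


def group_to_baseline(mappings):
    """Index the describe-patch-groups output by patch group name."""
    return {m["PatchGroup"]: m["BaselineIdentity"]["BaselineId"]
            for m in mappings["PatchGroupPatchBaselineMappings"]}


def looks_like_patch_group_key(key):
    """True for a key a human meant as 'Patch Group' but which does not match exactly."""
    return key != TAG_KEY and "".join(ch for ch in key.lower() if ch.isalnum()) == "patchgroup"


def resolve(tags, mappings, default_baseline_id):
    """Return (baseline_id, reason) for one instance's tag list.

    Falls back to the Region default whenever the tag is absent, mis-keyed,
    or names a group that has no registered baseline.
    """
    table = group_to_baseline(mappings)
    by_key = {t["Key"]: t["Value"] for t in tags}
    if TAG_KEY in by_key:
        group = by_key[TAG_KEY]
        if group in table:
            return table[group], f"registered patch group '{group}'"
        return default_baseline_id, f"patch group '{group}' has no registered baseline; default applied"
    for key in by_key:
        if looks_like_patch_group_key(key):
            return default_baseline_id, f"tag key '{key}' is not '{TAG_KEY}'; default applied"
    return default_baseline_id, "no Patch Group tag; default applied"


def audit_fleet(instances, mappings, default_baseline_id):
    """Map every instance to (baseline_id, reason); review the ones that fell back to the default."""
    return {iid: resolve(tags, mappings, default_baseline_id) for iid, tags in instances.items()}


if __name__ == "__main__":
    for iid, (baseline, reason) in audit_fleet(SAMPLE_INSTANCES, PATCH_GROUP_MAPPINGS, DEFAULT_BASELINE_ID).items():
        print(f"{iid}  {baseline}  ({reason})")
```

In practice you would feed describe-patch-groups and describe-instances output into these functions; every instance whose reason ends in "default applied" is one whose patch policy is not the one you registered, which is worth fixing before the next install window.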

Deregister a patch group from a patch baseline

Linux & macOS
aws ssm deregister-patch-baseline-for-patch-group \
    --region us-east-2 \
    --patch-group "Production" \
    --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
Windows
aws ssm deregister-patch-baseline-for-patch-group ^
    --region us-east-2 ^
    --patch-group "Production" ^
    --baseline-id "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"

The system returns information like the following.

{
   "PatchGroup":"Production",
   "BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}

AWS CLI commands for viewing patch summaries and details

Get all patches defined by a patch baseline

Note

This command is supported for Windows Server patch baselines only.

Linux & macOS
aws ssm describe-effective-patches-for-patch-baseline \
    --region us-east-2 \
    --baseline-id "pb-0c10e65780EXAMPLE"
Windows
aws ssm describe-effective-patches-for-patch-baseline ^
    --region us-east-2 ^
    --baseline-id "pb-0c10e65780EXAMPLE"

The system returns information like the following.

{
   "NextToken":"--token string truncated--",
   "EffectivePatches":[
      {
         "PatchStatus":{
            "ApprovalDate":1384711200.0,
            "DeploymentStatus":"APPROVED"
         },
         "Patch":{
            "ContentUrl":"https://support.microsoft.com/en-us/kb/2876331",
            "ProductFamily":"Windows",
            "Product":"WindowsServer2012R2",
            "Vendor":"Microsoft",
            "Description":"A security issue has been identified in a Microsoft software 
               product that could affect your system. You can help protect your system 
               by installing this update from Microsoft. For a complete listing of the 
               issues that are included in this update, see the associated Microsoft 
               Knowledge Base article. After you install this update, you may have to 
               restart your system.",
            "Classification":"SecurityUpdates",
            "Title":"Security Update for Windows Server 2012 R2 Preview (KB2876331)",
            "ReleaseDate":1384279200.0,
            "MsrcClassification":"Critical",
            "Language":"All",
            "KbNumber":"KB2876331",
            "MsrcNumber":"MS13-089",
            "Id":"e74ccc76-85f0-4881-a738-59e9fc9a336d"
         }
      },
      {
         "PatchStatus":{
            "ApprovalDate":1428858000.0,
            "DeploymentStatus":"APPROVED"
         },
         "Patch":{
            "ContentUrl":"https://support.microsoft.com/en-us/kb/2919355",
            "ProductFamily":"Windows",
            "Product":"WindowsServer2012R2",
            "Vendor":"Microsoft",
            "Description":"Windows Server 2012 R2 Update is a cumulative 
               set of security updates, critical updates and updates. You 
               must install Windows Server 2012 R2 Update to ensure that 
               your computer can continue to receive future Windows Updates, 
               including security updates. For a complete listing of the 
               issues that are included in this update, see the associated 
               Microsoft Knowledge Base article for more information. After 
               you install this item, you may have to restart your computer.",
            "Classification":"SecurityUpdates",
            "Title":"Windows Server 2012 R2 Update (KB2919355)",
            "ReleaseDate":1428426000.0,
            "MsrcClassification":"Critical",
            "Language":"All",
            "KbNumber":"KB2919355",
            "MsrcNumber":"MS14-018",
            "Id":"8452bac0-bf53-4fbd-915d-499de08c338b"
         }
      }
     ---output truncated---

Get all patches for Amazon Linux 2018.03 that have a classification of SECURITY and a severity of CRITICAL

The command filters on PRODUCT and SEVERITY; the Classification field in each returned record shows whether the patch is a SECURITY update.

Linux & macOS
aws ssm describe-available-patches \
    --region us-east-2 \
    --filters Key=PRODUCT,Values=AmazonLinux2018.03 Key=SEVERITY,Values=CRITICAL
Windows
aws ssm describe-available-patches ^
    --region us-east-2 ^
    --filters Key=PRODUCT,Values=AmazonLinux2018.03 Key=SEVERITY,Values=CRITICAL

The system returns information like the following.

{
    "Patches": [
        {
            "AdvisoryIds": ["ALAS-2011-1"],
            "BugzillaIds": [ "1234567" ],
            "Classification": "SECURITY",
            "CVEIds": [ "CVE-2011-3192"],
            "Name": "zziplib",
            "Epoch": "0",
            "Version": "2.71",
            "Release": "1.3.amzn1",
            "Arch": "i686",
            "Product": "AmazonLinux2018.03",
            "ReleaseDate": 1590519815,
            "Severity": "CRITICAL"
        }
    ]
}     
---output truncated---

Get all patches for Windows Server 2012 that have an MSRC severity of Critical

Linux & macOS
aws ssm describe-available-patches \
    --region us-east-2 \
    --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical
Windows
aws ssm describe-available-patches ^
    --region us-east-2 ^
    --filters Key=PRODUCT,Values=WindowsServer2012 Key=MSRC_SEVERITY,Values=Critical

The system returns information like the following.

{
   "Patches":[
      {
         "ContentUrl":"https://support.microsoft.com/en-us/kb/2727528",
         "ProductFamily":"Windows",
         "Product":"WindowsServer2012",
         "Vendor":"Microsoft",
         "Description":"A security issue has been identified that could 
           allow an unauthenticated remote attacker to compromise your 
           system and gain control over it. You can help protect your 
           system by installing this update from Microsoft. After you 
           install this update, you may have to restart your system.",
         "Classification":"SecurityUpdates",
         "Title":"Security Update for Windows Server 2012 (KB2727528)",
         "ReleaseDate":1352829600.0,
         "MsrcClassification":"Critical",
         "Language":"All",
         "KbNumber":"KB2727528",
         "MsrcNumber":"MS12-072",
         "Id":"1eb507be-2040-4eeb-803d-abc55700b715"
      },
      {
         "ContentUrl":"https://support.microsoft.com/en-us/kb/2729462",
         "ProductFamily":"Windows",
         "Product":"WindowsServer2012",
         "Vendor":"Microsoft",
         "Description":"A security issue has been identified that could 
           allow an unauthenticated remote attacker to compromise your 
           system and gain control over it. You can help protect your 
           system by installing this update from Microsoft. After you 
           install this update, you may have to restart your system.",
         "Classification":"SecurityUpdates",
         "Title":"Security Update for Microsoft .NET Framework 3.5 on 
           Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)",
         "ReleaseDate":1352829600.0,
         "MsrcClassification":"Critical",
         "Language":"All",
         "KbNumber":"KB2729462",
         "MsrcNumber":"MS12-074",
         "Id":"af873760-c97c-4088-ab7e-5219e120eab4"
      }
     
---output truncated---

Get all available patches

aws ssm describe-available-patches --region us-east-2

The system returns information like the following.

{
   "NextToken":"--token string truncated--",
   "Patches":[
      {
         "ContentUrl":"https://support.microsoft.com/en-us/kb/2032276",
         "ProductFamily":"Windows",
         "Product":"WindowsServer2008R2",
         "Vendor":"Microsoft",
         "Description":"A security issue has been identified that could allow an 
           unauthenticated remote attacker to compromise your system and gain 
           control over it. You can help protect your system by installing this 
           update from Microsoft. After you install this update, you may have to
           restart your system.",
         "Classification":"SecurityUpdates",
         "Title":"Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)",
         "ReleaseDate":1279040400.0,
         "MsrcClassification":"Important",
         "Language":"All",
         "KbNumber":"KB2032276",
         "MsrcNumber":"MS10-043",
         "Id":"8692029b-a3a2-4a87-a73b-8ea881b4b4d6"
      },
      {
         "ContentUrl":"https://support.microsoft.com/en-us/kb/2124261",
         "ProductFamily":"Windows",
         "Product":"Windows7",
         "Vendor":"Microsoft",
         "Description":"A security issue has been identified that could allow 
           an unauthenticated remote attacker to compromise your system and gain 
           control over it. You can help protect your system by installing this 
           update from Microsoft. After you install this update, you may have 
           to restart your system.",
         "Classification":"SecurityUpdates",
         "Title":"Security Update for Windows 7 (KB2124261)",
         "ReleaseDate":1284483600.0,
         "MsrcClassification":"Important",
         "Language":"All",
         "KbNumber":"KB2124261",
         "MsrcNumber":"MS10-065",
         "Id":"12ef1bed-0dd2-4633-b3ac-60888aa8ba33"
      }
      ---output truncated---

Get the patch summary state per instance

The per-instance summary gives you, for each instance, the number of patches in each of the following states: NotApplicable, Missing, Failed, InstalledOther, and Installed.

Linux & macOS
aws ssm describe-instance-patch-states \
    --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9
Windows
aws ssm describe-instance-patch-states ^
    --instance-ids i-08ee91c0b17045407 i-09a618aec652973a9

The system returns information like the following.

{
   "InstancePatchStates":[
      {
            "InstanceId": "i-08ee91c0b17045407",
            "PatchGroup": "",
            "BaselineId": "pb-0e392de35e7c563b7",
            "SnapshotId": "6d03d6c5-f79d-41d0-8d0e-00a9aEXAMPLE",
            "InstalledCount": 50,
            "InstalledOtherCount": 353,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 0,
            "FailedCount": 0,
            "UnreportedNotApplicableCount": -1,
            "NotApplicableCount": 671,
            "OperationStartTime": "2020-01-24T12:37:56-08:00",
            "OperationEndTime": "2020-01-24T12:37:59-08:00",
            "Operation": "Scan",
            "RebootOption": "NoReboot"
        },
        {
            "InstanceId": "i-09a618aec652973a9",
            "PatchGroup": "",
            "BaselineId": "pb-07e6d4e9bc703f2e3",
            "SnapshotId": "c7e0441b-1eae-411b-8aa7-973e6EXAMPLE",
            "InstalledCount": 36,
            "InstalledOtherCount": 396,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 3,
            "FailedCount": 0,
            "UnreportedNotApplicableCount": -1,
            "NotApplicableCount": 420,
            "OperationStartTime": "2020-01-24T12:37:34-08:00",
            "OperationEndTime": "2020-01-24T12:37:37-08:00",
            "Operation": "Scan",
            "RebootOption": "NoReboot"
        }
     ---output truncated---

Get patch compliance details for an instance

aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407

The system returns information like the following.

{
   "NextToken":"--token string truncated--",
   "Patches":[
      {
            "Title": "bind-libs.x86_64:32:9.8.2-0.68.rc1.60.amzn1",
            "KBId": "bind-libs.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:24-07:00"
        },
        {
            "Title": "bind-utils.x86_64:32:9.8.2-0.68.rc1.60.amzn1",
            "KBId": "bind-utils.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:32-07:00"
        },
        {
            "Title": "dhclient.x86_64:12:4.1.1-53.P1.28.amzn1",
            "KBId": "dhclient.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:31-07:00"
        },
    ---output truncated---

View patch compliance results (AWS CLI)

View patch compliance results for a single instance

Run the following command in the AWS Command Line Interface (AWS CLI) to view patch compliance results for a single instance.

aws ssm describe-instance-patch-states --instance-ids instance-id

Replace instance-id with the ID of the managed instance whose results you want to view, in the format i-02573cafcfEXAMPLE or mi-0282f7c436EXAMPLE.

The system returns information like the following.

{
    "InstancePatchStates": [
        {
            "InstanceId": "i-02573cafcfEXAMPLE",
            "PatchGroup": "mypatchgroup",
            "BaselineId": "pb-0c10e65780EXAMPLE",            
            "SnapshotId": "a3f5ff34-9bc4-4d2c-a665-4d1c1EXAMPLE",
            "CriticalNonCompliantCount": 2,
            "SecurityNonCompliantCount": 2,
            "OtherNonCompliantCount": 1,
            "InstalledCount": 123,
            "InstalledOtherCount": 334,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 1,
            "FailedCount": 2,
            "UnreportedNotApplicableCount": 11,
            "NotApplicableCount": 2063,
            "OperationStartTime": "2021-05-03T11:00:56-07:00",
            "OperationEndTime": "2021-05-03T11:01:09-07:00",
            "Operation": "Scan",
            "LastNoRebootInstallOperationTime": "2020-06-14T12:17:41-07:00",
            "RebootOption": "RebootIfNeeded"
        }
    ]
}

View a patch count summary for all EC2 instances in a Region

The describe-instance-patch-states command takes an explicit list of instance IDs; it does not enumerate the instances in a Region for you. By feeding it the output of other commands, however, you can produce more granular reports.

For example, if the jq filter tool is installed on your local machine, you can run the following command to identify which instances in a particular AWS Region have patches in the InstalledPendingReboot state.

aws ssm describe-instance-patch-states \
    --instance-ids $(aws ec2 describe-instances --region region | jq '.Reservations[].Instances[] | .InstanceId' | tr '\n|"' ' ') \
    --output text \
    --query 'InstancePatchStates[*].{Instance:InstanceId, InstalledPendingRebootCount:InstalledPendingRebootCount}'

region represents the identifier of an AWS Region supported by AWS Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the AWS General Reference.

For example:

aws ssm describe-instance-patch-states \
    --instance-ids $(aws ec2 describe-instances --region us-east-2 | jq '.Reservations[].Instances[] | .InstanceId' | tr '\n|"' ' ') \
    --output text \
    --query 'InstancePatchStates[*].{Instance:InstanceId, InstalledPendingRebootCount:InstalledPendingRebootCount}'

The system returns information like the following.

1       i-02573cafcfEXAMPLE
0       i-0471e04240EXAMPLE
3       i-07782c72faEXAMPLE
6       i-083b678d37EXAMPLE
0       i-03a530a2d4EXAMPLE
1       i-01f68df0d0EXAMPLE
0       i-0a39c0f214EXAMPLE
7       i-0903a5101eEXAMPLE
7       i-03823c2fedEXAMPLE

In addition to InstalledPendingRebootCount, the count types you can query include the following:

  • CriticalNonCompliantCount

  • SecurityNonCompliantCount

  • OtherNonCompliantCount

  • UnreportedNotApplicableCount

  • InstalledPendingRebootCount

  • FailedCount

  • NotApplicableCount

  • InstalledRejectedCount

  • InstalledOtherCount

  • MissingCount

  • InstalledCount
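The jq pipeline above reports one count type at a time and leaves the interpretation to the reader. The following Python is an added example, not code from this page or from AWS: it consumes the JSON that describe-instance-patch-states prints (a constructed sample below, built from the page's own example records plus one compliant instance) and turns it into a per-instance verdict with reasons, fleet-wide totals for the counts that indicate non-compliance, and a helper that batches instance IDs to the 50-per-call maximum the DescribeInstancePatchStates API accepts. Which counts are treated as non-compliant, and the flag on an empty PatchGroup, are this example's own policy.

```python
"""Turn `aws ssm describe-instance-patch-states` JSON into a per-instance compliance report."""
import json

# Constructed sample: the JSON shape the CLI prints, trimmed to the fields used below.
# The first three records reuse counts from the page's examples; the fourth is a
# compliant instance added for contrast.
SAMPLE_OUTPUT = json.loads("""
{
  "InstancePatchStates": [
    {"InstanceId": "i-02573cafcfEXAMPLE", "PatchGroup": "mypatchgroup",
     "BaselineId": "pb-0c10e65780EXAMPLE", "Operation": "Scan",
     "InstalledCount": 123, "InstalledOtherCount": 334, "InstalledPendingRebootCount": 0,
     "InstalledRejectedCount": 0, "MissingCount": 1, "FailedCount": 2,
     "UnreportedNotApplicableCount": 11, "NotApplicableCount": 2063},
    {"InstanceId": "i-09a618aec652973a9", "PatchGroup": "",
     "BaselineId": "pb-07e6d4e9bc703f2e3", "Operation": "Scan",
     "InstalledCount": 36, "InstalledOtherCount": 396, "InstalledPendingRebootCount": 0,
     "InstalledRejectedCount": 0, "MissingCount": 3, "FailedCount": 0,
     "UnreportedNotApplicableCount": -1, "NotApplicableCount": 420},
    {"InstanceId": "i-0471e04240EXAMPLE", "PatchGroup": "Web Servers",
     "BaselineId": "pb-0c10e65780EXAMPLE", "Operation": "Install",
     "InstalledCount": 50, "InstalledOtherCount": 353, "InstalledPendingRebootCount": 4,
     "InstalledRejectedCount": 1, "MissingCount": 0, "FailedCount": 0,
     "UnreportedNotApplicableCount": -1, "NotApplicableCount": 671},
    {"InstanceId": "i-0a39c0f214EXAMPLE", "PatchGroup": "Web Servers",
     "BaselineId": "pb-0c10e65780EXAMPLE", "Operation": "Install",
     "InstalledCount": 54, "InstalledOtherCount": 353, "InstalledPendingRebootCount": 0,
     "InstalledRejectedCount": 0, "MissingCount": 0, "FailedCount": 0,
     "UnreportedNotApplicableCount": -1, "NotApplicableCount": 671}
  ]
}
""")

# Counts that make an instance non-compliant with its baseline, and why each matters.
NONCOMPLIANT_COUNTS = {
    "MissingCount": "approved patch not installed",
    "FailedCount": "patch installation failed",
    "InstalledPendingRebootCount": "patch installed but not active until reboot",
    "InstalledRejectedCount": "patch on the rejected list is installed",
}


def chunked(ids, size=50):
    """Batch instance IDs; DescribeInstancePatchStates accepts at most 50 per call."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def classify(state):
    """Return the reasons one InstancePatchStates record is non-compliant (empty = compliant)."""
    reasons = []
    for field, why in NONCOMPLIANT_COUNTS.items():
        n = state.get(field, 0)
        if n > 0:
            reasons.append(f"{field}={n} ({why})")
    # An empty PatchGroup means the instance was evaluated against the Region's default
    # baseline, which is rarely what a deliberately grouped fleet intends; flag it.
    if not state.get("PatchGroup"):
        reasons.append("PatchGroup is empty; default baseline applied")
    return reasons


def summarize(output):
    """Return ({instance_id: reasons}, {count_field: fleet total}) from the CLI JSON."""
    report, totals = {}, {}
    for state in output["InstancePatchStates"]:
        report[state["InstanceId"]] = classify(state)
        for field in NONCOMPLIANT_COUNTS:
            # -1 means 'not reported' for some counts; never let it reduce a total.
            totals[field] = totals.get(field, 0) + max(state.get(field, 0), 0)
    return report, totals


def noncompliant_ids(output):
    """Instance IDs that need action, sorted for stable output."""
    report, _ = summarize(output)
    return sorted(iid for iid, reasons in report.items() if reasons)


if __name__ == "__main__":
    report, totals = summarize(SAMPLE_OUTPUT)
    for iid, reasons in report.items():
        print(iid, "COMPLIANT" if not reasons else "; ".join(reasons))
    print("fleet totals:", totals)
```

To run it against live data, save the output of describe-instance-patch-states (one call per batch from chunked()) to a file and load that in place of SAMPLE_OUTPUT; InstalledRejectedCount deserves particular attention, because it means a patch you explicitly rejected is present on the instance.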

AWS CLI commands for scanning and patching instances

After you run the following commands to scan for patch compliance or to install patches, you can use the commands in the AWS CLI commands for viewing patch summaries and details section to view information about patch status and compliance. Note that --timeout-seconds limits how long Systems Manager waits for the command to start running on a target; it does not bound how long the scan or install itself may take.

Scan instances for patch compliance (AWS CLI)

Scan specific instances for patch compliance

Run the following command.

Linux & macOS
aws ssm send-command \
    --document-name 'AWS-RunPatchBaseline' \
    --targets Key=InstanceIds,Values='i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE' \
    --parameters 'Operation=Scan' \
    --timeout-seconds 600
Windows
aws ssm send-command ^
    --document-name "AWS-RunPatchBaseline" ^
    --targets Key=InstanceIds,Values="i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE" ^
    --parameters "Operation=Scan" ^
    --timeout-seconds 600

The system returns information like the following.

{
    "Command": {
        "CommandId": "a04ed06c-8545-40f4-87c2-a0babEXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621974475.267,
        "Parameters": {
            "Operation": [
                "Scan"
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "InstanceIds",
                "Values": [
                    "i-02573cafcfEXAMPLE",
                    "i-0471e04240EXAMPLE"
                ]
            }
        ],
        "RequestedDateTime": 1621952275.267,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,

    ---output truncated---

    }
}

Scan instances for patch compliance by patch group tag

Run the following command.

Linux & macOS
aws ssm send-command \
    --document-name 'AWS-RunPatchBaseline' \
    --targets Key='tag:Patch Group',Values='Web servers' \
    --parameters 'Operation=Scan' \
    --timeout-seconds 600
Windows
aws ssm send-command ^
    --document-name "AWS-RunPatchBaseline" ^
    --targets Key="tag:Patch Group",Values="Web servers" ^
    --parameters "Operation=Scan" ^
    --timeout-seconds 600

The system returns information like the following.

{
    "Command": {
        "CommandId": "87a448ee-8adc-44e0-b4d1-6b429EXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621974983.128,
        "Parameters": {
            "Operation": [
                "Scan"
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "tag:Patch Group",
                "Values": [
                    "Web servers"
                ]
            }
        ],
        "RequestedDateTime": 1621952783.128,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,

    ---output truncated---

    }
}

Install patches on managed instances (AWS CLI)

Install patches on specific instances

Run the following command.

Note

Target instances are rebooted as needed to complete patch installation: the AWS-RunPatchBaseline parameter RebootOption defaults to RebootIfNeeded. Passing RebootOption=NoReboot in --parameters suppresses the reboot, but patches that need one then remain in the InstalledPendingReboot state until you reboot the instance yourself. For more information, see About the AWS-RunPatchBaseline SSM document.

Linux & macOS
aws ssm send-command \
    --document-name 'AWS-RunPatchBaseline' \
    --targets Key=InstanceIds,Values='i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE' \
    --parameters 'Operation=Install' \
    --timeout-seconds 600
Windows
aws ssm send-command ^
    --document-name "AWS-RunPatchBaseline" ^
    --targets Key=InstanceIds,Values="i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE" ^
    --parameters "Operation=Install" ^
    --timeout-seconds 600

The system returns information like the following.

{
    "Command": {
        "CommandId": "5f403234-38c4-439f-a570-93623EXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621975301.791,
        "Parameters": {
            "Operation": [
                "Install"
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "InstanceIds",
                "Values": [
                    "i-02573cafcfEXAMPLE",
                    "i-0471e04240EXAMPLE"
                ]
            }
        ],
        "RequestedDateTime": 1621953101.791,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,

    ---output truncated---

    }
}

Install patches on instances in a specific patch group

Run the following command.

Linux & macOS
aws ssm send-command \
    --document-name 'AWS-RunPatchBaseline' \
    --targets Key='tag:Patch Group',Values='Web servers' \
    --parameters 'Operation=Install' \
    --timeout-seconds 600
Windows
aws ssm send-command ^
    --document-name "AWS-RunPatchBaseline" ^
    --targets Key="tag:Patch Group",Values="Web servers" ^
    --parameters "Operation=Install" ^
    --timeout-seconds 600

The system returns information like the following.

{
    "Command": {
        "CommandId": "fa44b086-7d36-4ad5-ac8d-627ecEXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621975407.865,
        "Parameters": {
            "Operation": [
                "Install"
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "tag:Patch Group",
                "Values": [
                    "Web servers"
                ]
            }
        ],
        "RequestedDateTime": 1621953207.865,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,

    ---output truncated---

    }
}