合规性演练 (AWS CLI) - AWS Systems Manager
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

合规性演练 (AWS CLI)

以下过程为您演示了使用 AWS Command Line Interface (AWS CLI) 调用 AWS Systems Manager 的过程。PutComplianceItemsAPI 操作,将自定义合规性元数据分配给资源。您也可以使用此 API 操作手动将补丁或关联合规性元数据分配给某个实例,如以下演练中所示。有关自定义合规性的更多信息,请参阅关于自定义合规性

将自定义合规性元数据分配给托管实例 (AWS CLI)

  1. 如果您尚未安装和配置 AWS Command Line Interface (AWS CLI)。

    想要了解有关信息,请参阅安装或升级 AWS 命令行工具

  2. 运行以下命令,将自定义合规性元数据分配给某个实例。当前,仅支持 ManagedInstance 资源类型。

    Linux & macOS
    aws ssm put-compliance-items \ --resource-id instance_ID \ --resource-type ManagedInstance \ --compliance-type Custom:user-defined_string \ --execution-summary ExecutionTime=user-defined_time_and/or_date_value \ --items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
    Windows
    aws ssm put-compliance-items ^ --resource-id instance_ID ^ --resource-type ManagedInstance ^ --compliance-type Custom:user-defined_string ^ --execution-summary ExecutionTime=user-defined_time_and/or_date_value ^ --items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
  3. 重复上一步以将其他自定义合规性元数据分配给一个或多个实例。您也可以使用以下命令将补丁或关联合规性元数据手动分配给托管实例:

    关联合规性元数据

    Linux & macOS
    aws ssm put-compliance-items \ --resource-id instance_ID \ --resource-type ManagedInstance \ --compliance-type Association \ --execution-summary ExecutionTime=user-defined_time_and/or_date_value \ --items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT
    Windows
    aws ssm put-compliance-items ^ --resource-id instance_ID ^ --resource-type ManagedInstance ^ --compliance-type Association ^ --execution-summary ExecutionTime=user-defined_time_and/or_date_value ^ --items Id=user-defined_ID,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT

    补丁合规性元数据

    Linux & macOS
    aws ssm put-compliance-items \ --resource-id instance_ID \ --resource-type ManagedInstance \ --compliance-type Patch \ --execution-summary ExecutionTime=user-defined_time_and/or_date_value,ExecutionId=user-defined_ID,ExecutionType=Command \ --items Id=for_example, KB12345,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT,Details="{PatchGroup=name_of_group,PatchSeverity=the_patch_severity, for example, CRITICAL}"
    Windows
    aws ssm put-compliance-items ^ --resource-id instance_ID ^ --resource-type ManagedInstance ^ --compliance-type Patch ^ --execution-summary ExecutionTime=user-defined_time_and/or_date_value,ExecutionId=user-defined_ID,ExecutionType=Command ^ --items Id=for_example, KB12345,Title=user-defined_title,Severity=one_or_more_comma-separated_severities:CRITICAL, MAJOR, MINOR,INFORMATIONAL, or UNSPECIFIED,Status=COMPLIANT or NON_COMPLIANT,Details="{PatchGroup=name_of_group,PatchSeverity=the_patch_severity, for example, CRITICAL}"
  4. 运行以下命令,查看特定托管实例的合规性项目列表。使用筛选条件深入了解特定合规性数据。

    Linux & macOS
    aws ssm list-compliance-items \ --resource-ids instance_ID \ --resource-types ManagedInstance \ --filters one_or_more_filters
    Windows
    aws ssm list-compliance-items ^ --resource-ids instance_ID ^ --resource-types ManagedInstance ^ --filters one_or_more_filters

    以下示例向您演示如何将此命令与筛选条件结合使用。

    Linux & macOS
    aws ssm list-compliance-items \ --resource-ids i-02573cafcfEXAMPLE \ --resource-type ManagedInstance \ --filters Key=DocumentName,Values=AWS-RunPowerShellScript Key=Status,Values=NON_COMPLIANT,Type=NotEqual Key=Id,Values=cee20ae7-6388-488e-8be1-a88ccEXAMPLE Key=Severity,Values=UNSPECIFIED
    Windows
    aws ssm list-compliance-items ^ --resource-ids i-02573cafcfEXAMPLE ^ --resource-type ManagedInstance ^ --filters Key=DocumentName,Values=AWS-RunPowerShellScript Key=Status,Values=NON_COMPLIANT,Type=NotEqual Key=Id,Values=cee20ae7-6388-488e-8be1-a88ccEXAMPLE Key=Severity,Values=UNSPECIFIED
    Linux & macOS
    aws ssm list-resource-compliance-summaries \ --filters Key=OverallSeverity,Values=UNSPECIFIED
    Windows
    aws ssm list-resource-compliance-summaries ^ --filters Key=OverallSeverity,Values=UNSPECIFIED
    Linux & macOS
    aws ssm list-resource-compliance-summaries \ --filters Key=OverallSeverity,Values=UNSPECIFIED Key=ComplianceType,Values=Association Key=InstanceId,Values=i-02573cafcfEXAMPLE
    Windows
    aws ssm list-resource-compliance-summaries ^ --filters Key=OverallSeverity,Values=UNSPECIFIED Key=ComplianceType,Values=Association Key=InstanceId,Values=i-02573cafcfEXAMPLE
  5. 运行以下命令查看合规性状态的摘要。使用筛选条件深入了解特定合规性数据。

    aws ssm list-resource-compliance-summaries --filters One or more filters.

    以下示例向您演示如何将此命令与筛选条件结合使用。

    Linux & macOS
    aws ssm list-resource-compliance-summaries \ --filters Key=ExecutionType,Values=Command
    Windows
    aws ssm list-resource-compliance-summaries ^ --filters Key=ExecutionType,Values=Command
    Linux & macOS
    aws ssm list-resource-compliance-summaries \ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=OverallSeverity,Values=CRITICAL
    Windows
    aws ssm list-resource-compliance-summaries ^ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=OverallSeverity,Values=CRITICAL
  6. 运行以下命令查看某个合规性类型的合规资源和不合规资源的摘要计数。使用筛选条件深入了解特定合规性数据。

    aws ssm list-compliance-summaries --filters One or more filters.

    以下示例向您演示如何将此命令与筛选条件结合使用。

    Linux & macOS
    aws ssm list-compliance-summaries \ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=PatchGroup,Values=TestGroup
    Windows
    aws ssm list-compliance-summaries ^ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=PatchGroup,Values=TestGroup
    Linux & macOS
    aws ssm list-compliance-summaries \ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=ExecutionId,Values=4adf0526-6aed-4694-97a5-14522EXAMPLE
    Windows
    aws ssm list-compliance-summaries ^ --filters Key=AWS:InstanceInformation.PlatformType,Values=Windows Key=ExecutionId,Values=4adf0526-6aed-4694-97a5-14522EXAMPLE