AWS::SSM::PatchBaseline Rule - AWS CloudFormation

AWS::SSM::PatchBaseline Rule

The Rule property type specifies an approval rule for a Systems Manager patch baseline.

The PatchRules property of the RuleGroup property type contains a list of Rule property types.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "ApproveAfterDays" : Integer, "ApproveUntilDate" : String, "ComplianceLevel" : String, "EnableNonSecurity" : Boolean, "PatchFilterGroup" : PatchFilterGroup }

Properties

ApproveAfterDays

The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of 7 means that patches are approved seven days after they are released.

This parameter is marked as Required: No, but your request must include a value for either ApproveAfterDays or ApproveUntilDate.

Not supported for Debian Server or Ubuntu Server.

Important

Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected in the AWS Systems Manager User Guide.

Required: No

Type: Integer

Minimum: 0

Maximum: 360

Update requires: No interruption

ApproveUntilDate

The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically.

Enter dates in the format YYYY-MM-DD. For example, 2024-12-31.

This parameter is marked as Required: No, but your request must include a value for either ApproveUntilDate or ApproveAfterDays.

Not supported for Debian Server or Ubuntu Server.

Important

Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected in the AWS Systems Manager User Guide.

Required: No

Type: String

Minimum: 1

Maximum: 10

Update requires: No interruption

ComplianceLevel

A compliance severity level for all approved patches in a patch baseline. Valid compliance severity levels include the following: UNSPECIFIED, CRITICAL, HIGH, MEDIUM, LOW, and INFORMATIONAL.

Required: No

Type: String

Allowed values: CRITICAL | HIGH | MEDIUM | LOW | INFORMATIONAL | UNSPECIFIED

Update requires: No interruption

EnableNonSecurity

For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is false. Applies to Linux managed nodes only.

Required: No

Type: Boolean

Update requires: No interruption

PatchFilterGroup

The patch filter group that defines the criteria for the rule.

Required: No

Type: PatchFilterGroup

Update requires: No interruption

See also

  • PatchRule in the AWS Systems Manager API Reference.