Available reports
Patch Instance Details Summary report
The Patch Instance Details Summary report provides instance details gathered for instances that are onboarded to reporting. This is an informational report that helps identify all the instances onboarded, account status, instance details, maintenance window coverage, maintenance window execution time, stack details, and platform type. This report provides the following:
Data on the production and non-production instances of an account. Note: Production and non-production stage is derived from the Account Name and not from the Instance Tags.
Data on the distribution of instances by platform type. Note: 'N/A' platform type is when AWS Systems Manager can't retrieve the platform information.
Data on the distribution of state of instances, and the number of instances running, stopped, or terminating.
| Field Name | Definition |
|---|---|
| Report Datetime | The date and time the report was generated. |
| Account Id | AWS Account ID to which the instance ID belongs |
| Account Name | AWS account name |
| Production Account | Identifier of AMS prod, non-prod accounts, depending on whether account name include value 'PROD', 'NONPROD'. Example: PROD, NONPROD, Not Available |
| Account Status | AMS account status. For example: ACTIVE, INACTIVE |
| AMS account service commitment | PREMIUM, PLUS |
| Landing Zone | Flag for account landing zone type. For example: MALZ, NON-MALZ |
| Access Restrictions | Regions to which access is restricted. For example: US SOIL |
| Instance Id | ID of EC2 instance |
| Instance Name | Name of EC2 instance |
| Instance Platform Type | Operating System (OS) type. For example: Windows, Linux, and so forth |
| Instance Platform Name | Operating System (OS) name. For example: MicrosoftWindowsServer2012R2Standard, RedHatEnterpriseLinuxServer |
| Stack Name | Name of stack that contains instance |
| Stack Type | AMS stack (AMS infrastructure within customer account) or Customer stack (AMS managed infrastructure that supports customer applications). Examples: AMS, CUSTOMER |
| Auto Scaling Group Name | Name of Auto Scaling Group (ASG) that contains the instance |
| Instance Patch Group | Patch group name used to group instances together and apply the same maintenance window. If the patch group is unassigned the value will be "Unassigned" |
| Instance Patch Group Type | Patch group type. DEFAULT: default patch group with the default maintenance window, determined by the CUSTOMER: customer created patch group. NOT_ASSIGNED: no patch group assigned |
| Instance State | State within the EC2 instance lifecycle. Examples: TERMINATED, RUNNING, STOPPING, STOPPED, SHUTTING-DOWN, PENDING.
For more information, see Instance lifecycle. |
| Maintenance Window Coverage | If there is a future Maintenance Window on this instance. Examples: COVERED or NOT_COVERED |
| Maintenance Window Execution Datetime | Next time the maintenance window is expected to execute. If NULL, single window execution, i.e. not recurring |
Patch Details report
AWS Managed Services (AMS) Patch Details report provides patch details and maintenance window coverage of various instances, including:
Data on Patch groups and its types.
Data on Maintenance Windows, duration, cutoff, future dates of maintenance window executions (schedule) and instances impacted in each window.
Data on all the operating systems under the account and number of instances that operating system is installed.
| Field Name | Definition |
|---|---|
| Report Datetime | The date and time the report was generated. |
| Account ID | AWS Account ID to which the instance ID belongs |
| Account Name | AWS account name |
| Instance Id | ID of EC2 instance |
| Production Account | Identifier of AMS prod, non-prod accounts, depending on whether account name include value 'PROD', 'NONPROD'. If data is not available value will be "Not Available" |
| Account Status | AMS account status. For example: ACTIVE, INACTIVE |
| Instance Platform Type | Operating System (OS) type. For example: Windows, Linux |
| Instance Platform Name | Operating System (OS) name. For example: MicrosoftWindowsServer2012R2Standard, RedHatEnterpriseLinuxServer |
| Stack Type | AMS stack (AMS infrastructure within a customer account) or Customer stack (AMS managed infrastructure that supports customer applications). For example: AMS, CUSTOMER |
| Instance Patch Group | Patch group name used to group instances together and apply the same maintenance window. If the patch group is unassigned the value will be "Unassigned" |
| Instance Patch Group Type | Patch group type. DEFAULT: default patch group w/ default maintenance window, determined by CUSTOMER: customer created patch group UNASSIGNED: no patch group assigned |
| Instance State | State within the EC2 instance lifecycle. For example: TERMINATED, RUNNING, STOPPING, STOPPED, SHUTTING-DOWN, PENDING
For more information, see Instance lifecycle. |
| Maintenance Window Id | Maintenance window identifier |
| Maintenance Window State | Possible values are ENABLED or DISABLED. |
| Maintenance Window Type | Maintenance window type |
| Maintenance Window Next Execution Datetime | Next time the maintenance window is expected to execute. If NULL, single window execution, i.e. not recurring |
| Last Execution Maintenance Window | The latest time the maintenance window was executed |
| Maintenance Window Duration (hrs) | The duration of the maintenance window in hours |
| Maintenance Window Coverage | The maintenance window coverage |
| Patch Baseline Id | Patch baseline currently attached to instance |
| Patch Status | Overall patch compliance status. For example: COMPLIANT, NON_COMPLIANT. If there is at least one missing patch, instance is considered noncompliant, otherwise compliant. |
| Compliant - Total | Count of compliant patches (all severities) |
| Noncompliant - Total | Count of noncompliant patches (all severities) |
| Compliant - Critical | Count of compliant patches with "critical" severity |
| Compliant - High | Count of compliant patches with "high" severity |
| Compliant - Medium | Count of compliant patches with "medium" severity |
| Compliant - Low | Count of compliant patches with "low" severity |
| Compliant - Informational | Count of compliant patches with "informational" severity |
| Compliant - Unspecified | Count of compliant patches with "unspecified" severity |
| Noncompliant - Critical | Count of noncompliant patches with "critical" severity |
| Noncompliant - High | Count of noncompliant patches with "high" severity |
| Noncompliant - Medium | Count of noncompliant patches with "medium" severity |
| Noncompliant - Low | Count of noncompliant patches with "low" severity |
| Noncompliant - Informational | Count of noncompliant patches with "informational" severity |
| Noncompliant - Unspecified | Count of noncompliant patches with "unspecified" severity |
Instances That Missed Patches report
AWS Managed Services (AMS) Instances That Missed Patches report provides details on instances that missed patches during the last maintenance window execution, including:
Data on missing patches at the patch ID level.
Data on all the instances which have at least one patch missing along with attributes such as patch severity, unpatched days, range, and release date of the patch.
| Field Name | Definition |
|---|---|
| Report Datetime | The date and time the report was generated. |
| Account ID | AWS Account ID to which the instance ID belongs |
| Account Name | AWS account name |
| Production Account | Identifier of AMS prod, non-prod accounts, depending on whether the account name includes the value 'PROD','NONPROD'. |
| Account Status | AMS account status. For example: ACTIVE or INACTIVE |
| AMS account service tier | PREMIUM or PLUS |
| Instance ID | ID of EC2 instance |
| Instance Platform Type | Operating System (OS) type. For example: Windows |
| Instance State | State of the EC2 instance lifecycle. For example: TERMINATED, RUNNING, STOPPING, STOPPED, SHUTTING-DOWN, PENDING For more information, see Instance lifecycle. |
| Patch ID | ID of released patch. For example: KB3172729 |
| Patch Severity | Severity of patch per publisher. For example: CRITICAL, IMPORTANT, MODERATE, LOW, UNSPECIFIED |
| Patch Classification | Classification of patch per publisher. For example: CRITICALUPDATES, SECURITYUPDATES, UPDATEROLLUPS, UPDATES, FEATUREPACKS |
| Patch Release Datetime (UTC) | Release date of patch per publisher |
| Patch Install State | Install state of patch on instance per SSM. For example: INSTALLED, MISSING, NOT APPLICABLE |
| Days Unpatched | Number of days instance unpatched since last SSM scanning |
| Days Unpatched Range | Bucketing of days unpatched. For example: <30 DAYS, 30-60 DAYS, 60-90 DAYS, 90+ DAYS |
Patching SSM Coverage report
The AMS Patching SSM Coverage report informs you whether or not the EC2 instances in the account have the SSM Agent installed.
| Field Name | Definition |
|---|---|
| Customer Name | Customer name for situations where there are multiple sub-customers |
| Resource Region | AWS Region where the resource is located |
| Account name | The name of the account |
| AWS Account ID | The ID of the AWS account |
| Resource Id | ID of EC2 instance |
| Resource Name | Name of EC2 instance |
| Compliant flag | Indicates if the resource has the SSM Agent installed ("Compliant") or not ("NON_COMPLIANT") |
