Use CreatePatchBaseline with a CLI
The following code examples show how to use CreatePatchBaseline.
- CLI
-
- AWS CLI
-
Example 1: To create a patch baseline with auto-approval
The following
create-patch-baselineexample creates a patch baseline for Windows Server that approves patches for a production environment seven days after they are released by Microsoft.aws ssm create-patch-baseline \ --name"Windows-Production-Baseline-AutoApproval"\ --operating-system"WINDOWS"\ --approval-rules"PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important,Moderate]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveAfterDays=7}]"\ --description"Baseline containing all updates approved for Windows Server production systems"Output:
{ "BaselineId": "pb-045f10b4f3EXAMPLE" }Example 2: To create a patch baseline with an approval cutoff date
The following
create-patch-baselineexample creates a patch baseline for Windows Server that approves all patches for a production environment that are released on or before July 7, 2020.aws ssm create-patch-baseline \ --name"Windows-Production-Baseline-AutoApproval"\ --operating-system"WINDOWS"\ --approval-rules"PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important,Moderate]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveUntilDate=2020-07-07}]"\ --description"Baseline containing all updates approved for Windows Server production systems"Output:
{ "BaselineId": "pb-045f10b4f3EXAMPLE" }Example 3: To create a patch baseline with approval rules stored in a JSON file
The following
create-patch-baselineexample creates a patch baseline for Amazon Linux 2017.09 that approves patches for a production environment seven days after they are released, specifies approval rules for the patch baseline, and specifies a custom repository for patches.aws ssm create-patch-baseline \ --cli-input-jsonfile://my-amazon-linux-approval-rules-and-repo.jsonContents of
my-amazon-linux-approval-rules-and-repo.json:{ "Name": "Amazon-Linux-2017.09-Production-Baseline", "Description": "My approval rules patch baseline for Amazon Linux 2017.09 instances", "OperatingSystem": "AMAZON_LINUX", "Tags": [ { "Key": "Environment", "Value": "Production" } ], "ApprovalRules": { "PatchRules": [ { "ApproveAfterDays": 7, "EnableNonSecurity": true, "PatchFilterGroup": { "PatchFilters": [ { "Key": "SEVERITY", "Values": [ "Important", "Critical" ] }, { "Key": "CLASSIFICATION", "Values": [ "Security", "Bugfix" ] }, { "Key": "PRODUCT", "Values": [ "AmazonLinux2017.09" ] } ] } } ] }, "Sources": [ { "Name": "My-AL2017.09", "Products": [ "AmazonLinux2017.09" ], "Configuration": "[amzn-main] \nname=amzn-main-Base\nmirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list //nmirrorlist_expire=300//nmetadata_expire=300 \npriority=10 \nfailovermethod=priority \nfastestmirror_enabled=0 \ngpgcheck=1 \ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga \nenabled=1 \nretries=3 \ntimeout=5\nreport_instanceid=yes" } ] }Example 4: To create a patch baseline that specifies approved and rejected patches
The following
create-patch-baselineexample explicitly specifies patches to approve and reject as exception to the default approval rules.aws ssm create-patch-baseline \ --name"Amazon-Linux-2017.09-Alpha-Baseline"\ --description"My custom approve/reject patch baseline for Amazon Linux 2017.09 instances"\ --operating-system"AMAZON_LINUX"\ --approved-patches"CVE-2018-1234567,example-pkg-EE-2018*.amzn1.noarch"\ --approved-patches-compliance-level"HIGH"\ --approved-patches-enable-non-security \ --tags"Key=Environment,Value=Alpha"For more information, see Create a Custom Patch Baseline in the AWS Systems Manager User Guide.
-
For API details, see CreatePatchBaseline
in AWS CLI Command Reference.
-
- PowerShell
-
- Tools for PowerShell
-
Example 1: This example creates a patch baseline that approves patches, seven days after they are released by Microsoft, for managed instances running Windows Server 2019 in a production environment.
$rule = New-Object Amazon.SimpleSystemsManagement.Model.PatchRule $rule.ApproveAfterDays = 7 $ruleFilters = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilterGroup $patchFilter = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilter $patchFilter.Key="PRODUCT" $patchFilter.Values="WindowsServer2019" $severityFilter = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilter $severityFilter.Key="MSRC_SEVERITY" $severityFilter.Values.Add("Critical") $severityFilter.Values.Add("Important") $severityFilter.Values.Add("Moderate") $classificationFilter = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilter $classificationFilter.Key = "CLASSIFICATION" $classificationFilter.Values.Add( "SecurityUpdates" ) $classificationFilter.Values.Add( "Updates" ) $classificationFilter.Values.Add( "UpdateRollups" ) $classificationFilter.Values.Add( "CriticalUpdates" ) $ruleFilters.PatchFilters.Add($severityFilter) $ruleFilters.PatchFilters.Add($classificationFilter) $ruleFilters.PatchFilters.Add($patchFilter) $rule.PatchFilterGroup = $ruleFilters New-SSMPatchBaseline -Name "Production-Baseline-Windows2019" -Description "Baseline containing all updates approved for production systems" -ApprovalRules_PatchRule $ruleOutput:
pb-0z4z6221c4296b23z-
For API details, see CreatePatchBaseline in AWS Tools for PowerShell Cmdlet Reference.
-
For a complete list of AWS SDK developer guides and code examples, see Using this service with an AWS SDK. This topic also includes information about getting started and details about previous SDK versions.
