This page was machine-translated from the English version. If anything is ambiguous or inconsistent, the English version prevails.
Use CreatePatchBaseline with an AWS SDK or CLI
The following code examples show how to use CreatePatchBaseline.
- CLI
- AWS CLI
Example 1: To create a patch baseline with auto-approval

The following create-patch-baseline example creates a patch baseline for Windows Server that approves patches for a production environment seven days after Microsoft releases them.

    aws ssm create-patch-baseline \
        --name "Windows-Production-Baseline-AutoApproval" \
        --operating-system "WINDOWS" \
        --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important,Moderate]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveAfterDays=7}]" \
        --description "Baseline containing all updates approved for Windows Server production systems"

Output:

    {
        "BaselineId": "pb-045f10b4f3EXAMPLE"
    }
Example 2: To create a patch baseline with an approval cutoff date

The following create-patch-baseline example creates a patch baseline for Windows Server that approves all patches for a production environment that were released on or before July 7, 2020.

    aws ssm create-patch-baseline \
        --name "Windows-Production-Baseline-AutoApproval" \
        --operating-system "WINDOWS" \
        --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important,Moderate]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveUntilDate=2020-07-07}]" \
        --description "Baseline containing all updates approved for Windows Server production systems"

Output:

    {
        "BaselineId": "pb-045f10b4f3EXAMPLE"
    }
Example 3: To create a patch baseline with approval rules stored in a JSON file

The following create-patch-baseline example creates a patch baseline for Amazon Linux 2017.09 that approves patches for a production environment seven days after they are released, specifies approval rules for the patch baseline, and specifies a custom repository for patches.

    aws ssm create-patch-baseline \
        --cli-input-json file://my-amazon-linux-approval-rules-and-repo.json

Contents of my-amazon-linux-approval-rules-and-repo.json:

    {
        "Name": "Amazon-Linux-2017.09-Production-Baseline",
        "Description": "My approval rules patch baseline for Amazon Linux 2017.09 instances",
        "OperatingSystem": "AMAZON_LINUX",
        "Tags": [
            {
                "Key": "Environment",
                "Value": "Production"
            }
        ],
        "ApprovalRules": {
            "PatchRules": [
                {
                    "ApproveAfterDays": 7,
                    "EnableNonSecurity": true,
                    "PatchFilterGroup": {
                        "PatchFilters": [
                            {
                                "Key": "SEVERITY",
                                "Values": [
                                    "Important",
                                    "Critical"
                                ]
                            },
                            {
                                "Key": "CLASSIFICATION",
                                "Values": [
                                    "Security",
                                    "Bugfix"
                                ]
                            },
                            {
                                "Key": "PRODUCT",
                                "Values": [
                                    "AmazonLinux2017.09"
                                ]
                            }
                        ]
                    }
                }
            ]
        },
        "Sources": [
            {
                "Name": "My-AL2017.09",
                "Products": [
                    "AmazonLinux2017.09"
                ],
                "Configuration": "[amzn-main] \nname=amzn-main-Base\nmirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list \nmirrorlist_expire=300\nmetadata_expire=300 \npriority=10 \nfailovermethod=priority \nfastestmirror_enabled=0 \ngpgcheck=1 \ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga \nenabled=1 \nretries=3 \ntimeout=5\nreport_instanceid=yes"
            }
        ]
    }
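An added example, not part of the AWS documentation: a Python pre-submission check for a `--cli-input-json` file like the one in Example 3, covering its approval rules and the yum configuration embedded in `Sources`. The function name `lint_baseline`, the 14-day `MAX_DELAY_DAYS` limit and the plain-HTTP finding are assumed local policy rather than AWS requirements, and the sample input is constructed.

```python
import configparser
import json

MAX_DELAY_DAYS = 14  # assumed local policy, not an AWS limit

def lint_baseline(doc):
    """Return review findings for a create-patch-baseline --cli-input-json document."""
    findings = []
    rules = doc.get("ApprovalRules", {}).get("PatchRules", [])
    for i, rule in enumerate(rules):
        has_days, has_date = "ApproveAfterDays" in rule, "ApproveUntilDate" in rule
        if has_days == has_date:  # a rule needs one or the other, not both
            findings.append(f"rule {i}: set exactly one of ApproveAfterDays/ApproveUntilDate")
        if has_days and rule["ApproveAfterDays"] > MAX_DELAY_DAYS:
            findings.append(f"rule {i}: approval delay over {MAX_DELAY_DAYS} days")
        filters = {f["Key"]: set(f["Values"])
                   for f in rule.get("PatchFilterGroup", {}).get("PatchFilters", [])}
        for key in ("SEVERITY", "MSRC_SEVERITY"):
            if key in filters and not filters[key] & {"Critical", "*"}:
                findings.append(f"rule {i}: {key} filter leaves out Critical")
    for src in doc.get("Sources", []):
        # Sources[].Configuration is yum repo text; parse it rather than grep it.
        repo = configparser.ConfigParser(interpolation=None, strict=False)
        repo.read_string(src["Configuration"])
        for name in repo.sections():
            where = f"source {src['Name']} [{name}]"
            if repo[name].get("gpgcheck", "0").strip() != "1":
                findings.append(f"{where}: gpgcheck is not 1")
            for opt in ("baseurl", "mirrorlist"):
                if repo[name].get(opt, "").strip().startswith("http://"):
                    findings.append(f"{where}: {opt} uses plain HTTP")
    return findings

# Constructed sample input (not from the page): a rule with both approval
# settings and no Critical severity, plus a repo with signature checks off.
SAMPLE = json.loads(r"""
{"Name": "Constructed-Baseline", "OperatingSystem": "AMAZON_LINUX",
 "ApprovalRules": {"PatchRules": [{"ApproveAfterDays": 30, "ApproveUntilDate": "2020-07-07",
   "PatchFilterGroup": {"PatchFilters": [{"Key": "SEVERITY", "Values": ["Important"]}]}}]},
 "Sources": [{"Name": "constructed-repo", "Products": ["AmazonLinux2017.09"],
   "Configuration": "[constructed]\nname=demo\nbaseurl=http://repo.example.com/\ngpgcheck=0\nenabled=1"}]}
""")

if __name__ == "__main__":
    for finding in lint_baseline(SAMPLE):
        print(finding)
```

Run it against the parsed JSON file before calling `aws ssm create-patch-baseline`, and treat a non-empty result as a review item.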
Example 4: To create a patch baseline that specifies approved and rejected patches

The following create-patch-baseline example explicitly specifies patches to approve and reject as exceptions to the default approval rules.

    aws ssm create-patch-baseline \
        --name "Amazon-Linux-2017.09-Alpha-Baseline" \
        --description "My custom approve/reject patch baseline for Amazon Linux 2017.09 instances" \
        --operating-system "AMAZON_LINUX" \
        --approved-patches "CVE-2018-1234567,example-pkg-EE-2018*.amzn1.noarch" \
        --approved-patches-compliance-level "HIGH" \
        --approved-patches-enable-non-security \
        --tags "Key=Environment,Value=Alpha"

For more information, see Create a Custom Patch Baseline in the AWS Systems Manager User Guide.
- For API details, see CreatePatchBaseline in AWS CLI Command Reference.
- PowerShell
- Tools for PowerShell
Example 1: This example creates a patch baseline for managed instances running Windows Server 2019 in a production environment that approves patches seven days after Microsoft releases them.

    # Approval rule: approve matching patches seven days after release
    $rule = New-Object Amazon.SimpleSystemsManagement.Model.PatchRule
    $rule.ApproveAfterDays = 7

    $ruleFilters = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilterGroup

    # Filter by product
    $patchFilter = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilter
    $patchFilter.Key="PRODUCT"
    $patchFilter.Values="WindowsServer2019"

    # Filter by MSRC severity
    $severityFilter = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilter
    $severityFilter.Key="MSRC_SEVERITY"
    $severityFilter.Values.Add("Critical")
    $severityFilter.Values.Add("Important")
    $severityFilter.Values.Add("Moderate")

    # Filter by update classification
    $classificationFilter = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilter
    $classificationFilter.Key = "CLASSIFICATION"
    $classificationFilter.Values.Add( "SecurityUpdates" )
    $classificationFilter.Values.Add( "Updates" )
    $classificationFilter.Values.Add( "UpdateRollups" )
    $classificationFilter.Values.Add( "CriticalUpdates" )

    # Attach the filters to the rule and create the baseline
    $ruleFilters.PatchFilters.Add($severityFilter)
    $ruleFilters.PatchFilters.Add($classificationFilter)
    $ruleFilters.PatchFilters.Add($patchFilter)
    $rule.PatchFilterGroup = $ruleFilters

    New-SSMPatchBaseline -Name "Production-Baseline-Windows2019" -Description "Baseline containing all updates approved for production systems" -ApprovalRules_PatchRule $rule

Output:

    pb-0z4z6221c4296b23z
- For API details, see CreatePatchBaseline in AWS Tools for PowerShell Cmdlet Reference.
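For a complete list of AWS SDK developer guides and code examples, see Using Systems Manager with an AWS SDK. This topic also includes information about getting started and details about previous SDK versions.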