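Working with Patch Manager resources using the AWS CLI
This section includes examples of AWS Command Line Interface (AWS CLI) commands that you can use to perform configuration tasks for Patch Manager, a capability of AWS Systems Manager.
For an illustration of using the AWS CLI to patch a server environment by using a custom patch baseline, see Tutorial: Patch a server environment using the AWS CLI.
For more information about using the AWS CLI for AWS Systems Manager tasks, see the AWS Systems Manager section of the AWS CLI Command Reference.
AWS CLI commands for patch baselines
Sample commands for patch baselines
Create a patch baseline
The following command creates a patch baseline that approves all critical and important security updates for Windows Server 2012 R2 five days after they are released. Patches have also been specified for the Approved and Rejected patch lists. In addition, the patch baseline has been tagged to indicate that it is for a production environment.
The system returns information like the following.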
{
"BaselineId":"pb-0c10e65780EXAMPLE"
}
Create a patch baseline with custom repositories for different OS versions
Applies to Linux managed nodes only. The following command shows how to specify the patch repository to use for a particular version of the Amazon Linux operating system. This sample uses a source repository enabled by default on Amazon Linux 2017.09, but it can be adapted to a different source repository that you have configured for a managed node.
Note
To better demonstrate this more complex command, we use the --cli-input-json option with additional options stored in an external JSON file.
- Create a JSON file with a name like my-patch-repository.json and add the following content to it:
{
    "Description": "My patch repository for Amazon Linux 2017.09",
    "Name": "Amazon-Linux-2017.09",
    "OperatingSystem": "AMAZON_LINUX",
    "ApprovalRules": {
        "PatchRules": [
            {
                "ApproveAfterDays": 7,
                "EnableNonSecurity": true,
                "PatchFilterGroup": {
                    "PatchFilters": [
                        { "Key": "SEVERITY", "Values": ["Important", "Critical"] },
                        { "Key": "CLASSIFICATION", "Values": ["Security", "Bugfix"] },
                        { "Key": "PRODUCT", "Values": ["AmazonLinux2017.09"] }
                    ]
                }
            }
        ]
    },
    "Sources": [
        {
            "Name": "My-AL2017.09",
            "Products": ["AmazonLinux2017.09"],
            "Configuration": "[amzn-main] \nname=amzn-main-Base\nmirrorlist=http://repo.$awsregion.$awsdomain/$releasever/main/mirror.list \nmirrorlist_expire=300\nmetadata_expire=300 \npriority=10 \nfailovermethod=priority \nfastestmirror_enabled=0 \ngpgcheck=1 \ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga \nenabled=1 \nretries=3 \ntimeout=5\nreport_instanceid=yes"
        }
    ]
}
- Run the following command in the directory where you saved the file.
aws ssm create-patch-baseline --cli-input-json file://my-patch-repository.json
The system returns information like the following.
{
    "BaselineId": "pb-0c10e65780EXAMPLE"
}
Update a patch baseline
The following command adds two patches as rejected and one patch as approved to an existing patch baseline.
Note
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists.
The system returns information like the following.
{
    "BaselineId": "pb-0c10e65780EXAMPLE",
    "Name": "Windows-Server-2012R2",
    "RejectedPatches": ["KB2032276", "MS10-048"],
    "GlobalFilters": {
        "PatchFilters": []
    },
    "ApprovalRules": {
        "PatchRules": [
            {
                "PatchFilterGroup": {
                    "PatchFilters": [
                        { "Values": ["Important", "Critical"], "Key": "MSRC_SEVERITY" },
                        { "Values": ["SecurityUpdates"], "Key": "CLASSIFICATION" },
                        { "Values": ["WindowsServer2012R2"], "Key": "PRODUCT" }
                    ]
                },
                "ApproveAfterDays": 5
            }
        ]
    },
    "ModifiedDate": 1481001494.035,
    "CreatedDate": 1480997823.81,
    "ApprovedPatches": ["KB2124261"],
    "Description": "Windows Server 2012 R2, Important and Critical security updates"
}
Rename a patch baseline
The system returns information like the following.
{
    "BaselineId": "pb-0c10e65780EXAMPLE",
    "Name": "Windows-Server-2012-R2-Important-and-Critical-Security-Updates",
    "RejectedPatches": ["KB2032276", "MS10-048"],
    "GlobalFilters": {
        "PatchFilters": []
    },
    "ApprovalRules": {
        "PatchRules": [
            {
                "PatchFilterGroup": {
                    "PatchFilters": [
                        { "Values": ["Important", "Critical"], "Key": "MSRC_SEVERITY" },
                        { "Values": ["SecurityUpdates"], "Key": "CLASSIFICATION" },
                        { "Values": ["WindowsServer2012R2"], "Key": "PRODUCT" }
                    ]
                },
                "ApproveAfterDays": 5
            }
        ]
    },
    "ModifiedDate": 1481001795.287,
    "CreatedDate": 1480997823.81,
    "ApprovedPatches": ["KB2124261"],
    "Description": "Windows Server 2012 R2, Important and Critical security updates"
}
Delete a patch baseline
aws ssm delete-patch-baseline --baseline-id "pb-0c10e65780EXAMPLE"
The system returns information like the following.
{
"BaselineId":"pb-0c10e65780EXAMPLE"
}
List all patch baselines
aws ssm describe-patch-baselines
The system returns information like the following.
{
    "BaselineIdentities": [
        {
            "BaselineName": "AWS-DefaultPatchBaseline",
            "DefaultBaseline": true,
            "BaselineDescription": "Default Patch Baseline Provided by AWS.",
            "BaselineId": "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
        },
        {
            "BaselineName": "Windows-Server-2012R2",
            "DefaultBaseline": false,
            "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
            "BaselineId": "pb-0c10e65780EXAMPLE"
        }
    ]
}
The following is another command that lists all patch baselines in an AWS Region.
The system returns information like the following.
{
    "BaselineIdentities": [
        {
            "BaselineName": "AWS-DefaultPatchBaseline",
            "DefaultBaseline": true,
            "BaselineDescription": "Default Patch Baseline Provided by AWS.",
            "BaselineId": "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
        },
        {
            "BaselineName": "Windows-Server-2012R2",
            "DefaultBaseline": false,
            "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
            "BaselineId": "pb-0c10e65780EXAMPLE"
        }
    ]
}
List all AWS-provided patch baselines
The system returns information like the following.
{
    "BaselineIdentities": [
        {
            "BaselineName": "AWS-DefaultPatchBaseline",
            "DefaultBaseline": true,
            "BaselineDescription": "Default Patch Baseline Provided by AWS.",
            "BaselineId": "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
        }
    ]
}
List my patch baselines
The system returns information like the following.
{
    "BaselineIdentities": [
        {
            "BaselineName": "Windows-Server-2012R2",
            "DefaultBaseline": false,
            "BaselineDescription": "Windows Server 2012 R2, Important and Critical security updates",
            "BaselineId": "pb-0c10e65780EXAMPLE"
        }
    ]
}
Display a patch baseline
aws ssm get-patch-baseline --baseline-id pb-0c10e65780EXAMPLE
Note
For custom patch baselines, you can specify either the patch baseline ID or the full Amazon Resource Name (ARN). For an AWS-provided patch baseline, you must specify the full ARN. For example: arn:aws:ssm:us-east-2:075727635805:patchbaseline/pb-0c10e65780EXAMPLE.
The system returns information like the following.
{
    "BaselineId": "pb-0c10e65780EXAMPLE",
    "Name": "Windows-Server-2012R2",
    "PatchGroups": ["Web Servers"],
    "RejectedPatches": [],
    "GlobalFilters": {
        "PatchFilters": []
    },
    "ApprovalRules": {
        "PatchRules": [
            {
                "PatchFilterGroup": {
                    "PatchFilters": [
                        { "Values": ["Important", "Critical"], "Key": "MSRC_SEVERITY" },
                        { "Values": ["SecurityUpdates"], "Key": "CLASSIFICATION" },
                        { "Values": ["WindowsServer2012R2"], "Key": "PRODUCT" }
                    ]
                },
                "ApproveAfterDays": 5
            }
        ]
    },
    "ModifiedDate": 1480997823.81,
    "CreatedDate": 1480997823.81,
    "ApprovedPatches": [],
    "Description": "Windows Server 2012 R2, Important and Critical security updates"
}
Get the default patch baseline
aws ssm get-default-patch-baseline --region us-east-2
The system returns information like the following.
{
"BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}
Set a custom patch baseline as the default
The system returns information like the following.
{
"BaselineId":"pb-0c10e65780EXAMPLE"
}
Reset an AWS patch baseline as the default
The system returns information like the following.
{
"BaselineId":"pb-0c10e65780EXAMPLE"
}
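Tag a patch baseline
List the tags for a patch baseline
Remove a tag from a patch baseline
AWS CLI commands for patch groups
Sample commands for patch groups
Create a patch group
To help you organize your patching efforts, we recommend that you add managed nodes to patch groups by using tags. Patch groups require use of the tag key Patch Group or PatchGroup. If you have allowed tags in EC2 instance metadata, you must use PatchGroup (without a space). You can specify any tag value, but the tag key must be Patch Group or PatchGroup. For more information about patch groups, see Patch groups.
After you group your managed nodes using tags, add the patch group value to a patch baseline. By registering the patch group with a patch baseline, you ensure that the correct patches are installed during the patching operation.
Task 1: Add EC2 instances to a patch group using tags
Note
When using the Amazon Elastic Compute Cloud (Amazon EC2) console and AWS CLI, it is possible to apply Key = Patch Group or Key = PatchGroup tags to instances that are not yet configured for use with Systems Manager. If an EC2 instance you expect to see in Patch Manager is not listed after applying the Patch Group or Key = PatchGroup tag, see Troubleshooting managed node availability for troubleshooting tips.
Run the following command to add the PatchGroup tag to an EC2 instance.
aws ec2 create-tags --resources "i-1234567890abcdef0" --tags "Key=PatchGroup,Value=GroupValue"
Task 2: Add managed nodes to a patch group using tags
Run the following command to add the PatchGroup tag to a managed node.
Task 3: Add a patch group to a patch baseline
Run the following command to associate a PatchGroup tag value with the specified patch baseline.
The system returns information like the following.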
{
"PatchGroup": "Development",
"BaselineId": "pb-0c10e65780EXAMPLE"
}
Register a patch group "Web Servers" with a patch baseline
The system returns information like the following.
{
"PatchGroup":"Web Servers",
"BaselineId":"pb-0c10e65780EXAMPLE"
}
Register a patch group "Backend" with the AWS-provided patch baseline
The system returns information like the following.
{
"PatchGroup":"Backend",
"BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}
Display patch group registrations
aws ssm describe-patch-groups --region us-east-2
The system returns information like the following.
{
    "PatchGroupPatchBaselineMappings": [
        {
            "PatchGroup": "Backend",
            "BaselineIdentity": {
                "BaselineName": "AWS-DefaultPatchBaseline",
                "DefaultBaseline": false,
                "BaselineDescription": "Default Patch Baseline Provided by AWS.",
                "BaselineId": "arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
            }
        },
        {
            "PatchGroup": "Web Servers",
            "BaselineIdentity": {
                "BaselineName": "Windows-Server-2012R2",
                "DefaultBaseline": true,
                "BaselineDescription": "Windows Server 2012 R2, Important and Critical updates",
                "BaselineId": "pb-0c10e65780EXAMPLE"
            }
        }
    ]
}
Deregister a patch group from a patch baseline
The system returns information like the following.
{
"PatchGroup":"Production",
"BaselineId":"arn:aws:ssm:us-east-2:111122223333:patchbaseline/pb-0c10e65780EXAMPLE"
}
AWS CLI commands for viewing patch summaries and details
Sample commands for viewing patch summaries and details
Get all patches defined by a patch baseline
Note
This command is supported for Windows Server patch baselines only.
The system returns information like the following.
{
    "NextToken": "--token string truncated--",
    "EffectivePatches": [
        {
            "PatchStatus": {
                "ApprovalDate": 1384711200.0,
                "DeploymentStatus": "APPROVED"
            },
            "Patch": {
                "ContentUrl": "https://support.microsoft.com/en-us/kb/2876331",
                "ProductFamily": "Windows",
                "Product": "WindowsServer2012R2",
                "Vendor": "Microsoft",
                "Description": "A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.",
                "Classification": "SecurityUpdates",
                "Title": "Security Update for Windows Server 2012 R2 Preview (KB2876331)",
                "ReleaseDate": 1384279200.0,
                "MsrcClassification": "Critical",
                "Language": "All",
                "KbNumber": "KB2876331",
                "MsrcNumber": "MS13-089",
                "Id": "e74ccc76-85f0-4881-a738-59e9fc9a336d"
            }
        },
        {
            "PatchStatus": {
                "ApprovalDate": 1428858000.0,
                "DeploymentStatus": "APPROVED"
            },
            "Patch": {
                "ContentUrl": "https://support.microsoft.com/en-us/kb/2919355",
                "ProductFamily": "Windows",
                "Product": "WindowsServer2012R2",
                "Vendor": "Microsoft",
                "Description": "Windows Server 2012 R2 Update is a cumulative set of security updates, critical updates and updates. You must install Windows Server 2012 R2 Update to ensure that your computer can continue to receive future Windows Updates, including security updates. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.",
                "Classification": "SecurityUpdates",
                "Title": "Windows Server 2012 R2 Update (KB2919355)",
                "ReleaseDate": 1428426000.0,
                "MsrcClassification": "Critical",
                "Language": "All",
                "KbNumber": "KB2919355",
                "MsrcNumber": "MS14-018",
                "Id": "8452bac0-bf53-4fbd-915d-499de08c338b"
            }
        }
---output truncated---
Get all patches for AmazonLinux2018.03 that have a classification of SECURITY and a severity of Critical
The system returns information like the following.
{
    "Patches": [
        {
            "AdvisoryIds": ["ALAS-2011-1"],
            "BugzillaIds": ["1234567"],
            "Classification": "SECURITY",
            "CVEIds": ["CVE-2011-3192"],
            "Name": "zziplib",
            "Epoch": "0",
            "Version": "2.71",
            "Release": "1.3.amzn1",
            "Arch": "i686",
            "Product": "AmazonLinux2018.03",
            "ReleaseDate": 1590519815,
            "Severity": "CRITICAL"
        }
    ]
}
---output truncated---
Get all patches for Windows Server 2012 that have an MSRC severity of Critical
The system returns information like the following.
{
    "Patches": [
        {
            "ContentUrl": "https://support.microsoft.com/en-us/kb/2727528",
            "ProductFamily": "Windows",
            "Product": "WindowsServer2012",
            "Vendor": "Microsoft",
            "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
            "Classification": "SecurityUpdates",
            "Title": "Security Update for Windows Server 2012 (KB2727528)",
            "ReleaseDate": 1352829600.0,
            "MsrcClassification": "Critical",
            "Language": "All",
            "KbNumber": "KB2727528",
            "MsrcNumber": "MS12-072",
            "Id": "1eb507be-2040-4eeb-803d-abc55700b715"
        },
        {
            "ContentUrl": "https://support.microsoft.com/en-us/kb/2729462",
            "ProductFamily": "Windows",
            "Product": "WindowsServer2012",
            "Vendor": "Microsoft",
            "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
            "Classification": "SecurityUpdates",
            "Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462)",
            "ReleaseDate": 1352829600.0,
            "MsrcClassification": "Critical",
            "Language": "All",
            "KbNumber": "KB2729462",
            "MsrcNumber": "MS12-074",
            "Id": "af873760-c97c-4088-ab7e-5219e120eab4"
        }
---output truncated---
Get all available patches
aws ssm describe-available-patches --region us-east-2
The system returns information like the following.
{
    "NextToken": "--token string truncated--",
    "Patches": [
        {
            "ContentUrl": "https://support.microsoft.com/en-us/kb/2032276",
            "ProductFamily": "Windows",
            "Product": "WindowsServer2008R2",
            "Vendor": "Microsoft",
            "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
            "Classification": "SecurityUpdates",
            "Title": "Security Update for Windows Server 2008 R2 x64 Edition (KB2032276)",
            "ReleaseDate": 1279040400.0,
            "MsrcClassification": "Important",
            "Language": "All",
            "KbNumber": "KB2032276",
            "MsrcNumber": "MS10-043",
            "Id": "8692029b-a3a2-4a87-a73b-8ea881b4b4d6"
        },
        {
            "ContentUrl": "https://support.microsoft.com/en-us/kb/2124261",
            "ProductFamily": "Windows",
            "Product": "Windows7",
            "Vendor": "Microsoft",
            "Description": "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.",
            "Classification": "SecurityUpdates",
            "Title": "Security Update for Windows 7 (KB2124261)",
            "ReleaseDate": 1284483600.0,
            "MsrcClassification": "Important",
            "Language": "All",
            "KbNumber": "KB2124261",
            "MsrcNumber": "MS10-065",
            "Id": "12ef1bed-0dd2-4633-b3ac-60888aa8ba33"
        }
---output truncated---
Get the patch summary states per managed node
The per-managed node summary gives the number of patches in each of the following states for each node: "NotApplicable", "Missing", "Failed", "InstalledOther", and "Installed".
The system returns information like the following.
{
    "InstancePatchStates": [
        {
            "InstanceId": "i-08ee91c0b17045407",
            "PatchGroup": "",
            "BaselineId": "pb-0c10e65780EXAMPLE",
            "SnapshotId": "6d03d6c5-f79d-41d0-8d0e-00a9aEXAMPLE",
            "InstalledCount": 50,
            "InstalledOtherCount": 353,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 0,
            "FailedCount": 0,
            "UnreportedNotApplicableCount": -1,
            "NotApplicableCount": 671,
            "OperationStartTime": "2020-01-24T12:37:56-08:00",
            "OperationEndTime": "2020-01-24T12:37:59-08:00",
            "Operation": "Scan",
            "RebootOption": "NoReboot"
        },
        {
            "InstanceId": "i-09a618aec652973a9",
            "PatchGroup": "",
            "BaselineId": "pb-0c10e65780EXAMPLE",
            "SnapshotId": "c7e0441b-1eae-411b-8aa7-973e6EXAMPLE",
            "InstalledCount": 36,
            "InstalledOtherCount": 396,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 3,
            "FailedCount": 0,
            "UnreportedNotApplicableCount": -1,
            "NotApplicableCount": 420,
            "OperationStartTime": "2020-01-24T12:37:34-08:00",
            "OperationEndTime": "2020-01-24T12:37:37-08:00",
            "Operation": "Scan",
            "RebootOption": "NoReboot"
        }
---output truncated---
Get patch compliance details for a managed node
aws ssm describe-instance-patches --instance-id i-08ee91c0b17045407
The system returns information like the following.
{
    "NextToken": "--token string truncated--",
    "Patches": [
        {
            "Title": "bind-libs.x86_64:32:9.8.2-0.68.rc1.60.amzn1",
            "KBId": "bind-libs.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:24-07:00"
        },
        {
            "Title": "bind-utils.x86_64:32:9.8.2-0.68.rc1.60.amzn1",
            "KBId": "bind-utils.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:32-07:00"
        },
        {
            "Title": "dhclient.x86_64:12:4.1.1-53.P1.28.amzn1",
            "KBId": "dhclient.x86_64",
            "Classification": "Security",
            "Severity": "Important",
            "State": "Installed",
            "InstalledTime": "2019-08-26T11:05:31-07:00"
        },
---output truncated---
View patch compliance results (AWS CLI)
To view patch compliance results for a single managed node
Run the following command in the AWS Command Line Interface (AWS CLI) to view patch compliance results for a single managed node.
aws ssm describe-instance-patch-states --instance-ids instance-id
Replace instance-id with the ID of the managed node for which you want to view results, in the format i-02573cafcfEXAMPLE or mi-0282f7c436EXAMPLE.
The system returns information like the following.
{
    "InstancePatchStates": [
        {
            "InstanceId": "i-02573cafcfEXAMPLE",
            "PatchGroup": "mypatchgroup",
            "BaselineId": "pb-0c10e65780EXAMPLE",
            "SnapshotId": "a3f5ff34-9bc4-4d2c-a665-4d1c1EXAMPLE",
            "CriticalNonCompliantCount": 2,
            "SecurityNonCompliantCount": 2,
            "OtherNonCompliantCount": 1,
            "InstalledCount": 123,
            "InstalledOtherCount": 334,
            "InstalledPendingRebootCount": 0,
            "InstalledRejectedCount": 0,
            "MissingCount": 1,
            "FailedCount": 2,
            "UnreportedNotApplicableCount": 11,
            "NotApplicableCount": 2063,
            "OperationStartTime": "2021-05-03T11:00:56-07:00",
            "OperationEndTime": "2021-05-03T11:01:09-07:00",
            "Operation": "Scan",
            "LastNoRebootInstallOperationTime": "2020-06-14T12:17:41-07:00",
            "RebootOption": "RebootIfNeeded"
        }
    ]
}
To view a patch count summary for all EC2 instances in a Region
The describe-instance-patch-states command supports retrieving results for just one managed instance at a time. However, by using a custom script with the describe-instance-patch-states command, you can generate a more granular report.
For example, if the jq filter tool is installed on your local machine, you can run the following command to identify the EC2 instances in a particular AWS Region that have a status of InstalledPendingReboot.
aws ssm describe-instance-patch-states \
    --instance-ids $(aws ec2 describe-instances --region region | jq '.Reservations[].Instances[] | .InstanceId' | tr '\n|"' ' ') \
    --output text --query 'InstancePatchStates[*].{Instance:InstanceId, InstalledPendingRebootCount:InstalledPendingRebootCount}'
region represents the identifier for an AWS Region supported by AWS Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
For example:
aws ssm describe-instance-patch-states \
    --instance-ids $(aws ec2 describe-instances --region us-east-2 | jq '.Reservations[].Instances[] | .InstanceId' | tr '\n|"' ' ') \
    --output text --query 'InstancePatchStates[*].{Instance:InstanceId, InstalledPendingRebootCount:InstalledPendingRebootCount}'
The system returns information like the following.
1 i-02573cafcfEXAMPLE
0 i-0471e04240EXAMPLE
3 i-07782c72faEXAMPLE
6 i-083b678d37EXAMPLE
0 i-03a530a2d4EXAMPLE
1 i-01f68df0d0EXAMPLE
0 i-0a39c0f214EXAMPLE
7 i-0903a5101eEXAMPLE
7 i-03823c2fedEXAMPLE
In addition to InstalledPendingRebootCount, the count types you can search for include the following:
- CriticalNonCompliantCount
- SecurityNonCompliantCount
- OtherNonCompliantCount
- UnreportedNotApplicableCount
- InstalledPendingRebootCount
- FailedCount
- NotApplicableCount
- InstalledRejectedCount
- InstalledOtherCount
- MissingCount
- InstalledCount
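A custom report of the kind described above, as an added example (not part of the original AWS documentation): this Python script reads saved describe-instance-patch-states output and ranks the instances that need attention by the count types just listed. The sample data, the priority order of the fields, and the function names triage and without_patch_group are assumptions of this example.

```python
import json
import sys

# Count fields (from the list above) that mean an instance needs attention,
# ordered most urgent first. The ordering is this example's assumption.
ATTENTION_FIELDS = (
    "CriticalNonCompliantCount", "SecurityNonCompliantCount", "FailedCount",
    "MissingCount", "InstalledRejectedCount", "InstalledPendingRebootCount",
    "OtherNonCompliantCount",
)

# Constructed sample in the shape of `aws ssm describe-instance-patch-states`
# output; instance IDs and counts are made up for this example.
SAMPLE = {"InstancePatchStates": [
    {"InstanceId": "i-0c0ffee000EXAMPLE", "PatchGroup": "Backend",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 4},
    {"InstanceId": "i-0f9e8d7c6bEXAMPLE", "PatchGroup": "",
     "MissingCount": 3, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "UnreportedNotApplicableCount": -1},
    {"InstanceId": "i-0a1b2c3d4eEXAMPLE", "PatchGroup": "Web Servers",
     "CriticalNonCompliantCount": 2, "SecurityNonCompliantCount": 2,
     "OtherNonCompliantCount": 1, "MissingCount": 1, "FailedCount": 2,
     "InstalledPendingRebootCount": 0, "InstalledRejectedCount": 0},
    {"InstanceId": "i-01234abcdeEXAMPLE", "PatchGroup": "Backend",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
]}


def triage(states):
    """Return [(instance_id, {field: count})] for instances needing attention, worst first."""
    findings = []
    for state in states:
        # A count may be absent from a response (some sample responses on this
        # page omit the *NonCompliantCount fields); treat absent as 0.
        hits = {f: state[f] for f in ATTENTION_FIELDS if state.get(f, 0) > 0}
        if hits:
            findings.append((state["InstanceId"], hits))
    # Sort by each attention field in priority order, highest count first.
    findings.sort(key=lambda item: tuple(-item[1].get(f, 0) for f in ATTENTION_FIELDS))
    return findings


def without_patch_group(states):
    """Instance IDs whose state reports an empty or missing PatchGroup."""
    return [s["InstanceId"] for s in states if not s.get("PatchGroup")]


if __name__ == "__main__":
    # Usage: script.py [saved-output.json]; falls back to the constructed sample.
    data = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    states = data["InstancePatchStates"]
    for instance_id, hits in triage(states):
        print(instance_id, ", ".join(f"{k}={v}" for k, v in hits.items()))
    print("no patch group:", ", ".join(without_patch_group(states)) or "none")
```

To run it against real data, save the JSON output of describe-instance-patch-states (without --output text) to a file and pass the file name as the first argument.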
AWS CLI commands for scanning and patching managed nodes
After running the following commands to scan for patch compliance or to install patches, you can use the commands in the AWS CLI commands for viewing patch summaries and details section to view information about patch status and compliance.
Scan managed nodes for patch compliance (AWS CLI)
To scan specific managed nodes for patch compliance
Run the following command.
The system returns information like the following.
{
    "Command": {
        "CommandId": "a04ed06c-8545-40f4-87c2-a0babEXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621974475.267,
        "Parameters": {
            "Operation": ["Scan"]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "InstanceIds",
                "Values": ["i-02573cafcfEXAMPLE, i-0471e04240EXAMPLE"]
            }
        ],
        "RequestedDateTime": 1621952275.267,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,
        ---output truncated---
    }
}
To scan managed nodes for patch compliance by patch group tag
Run the following command.
The system returns information like the following.
{
    "Command": {
        "CommandId": "87a448ee-8adc-44e0-b4d1-6b429EXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621974983.128,
        "Parameters": {
            "Operation": ["Scan"]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "tag:PatchGroup",
                "Values": ["Web servers"]
            }
        ],
        "RequestedDateTime": 1621952783.128,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,
        ---output truncated---
    }
}
Install patches on managed nodes (AWS CLI)
To install patches on specific managed nodes
Run the following command.
Note
The target managed nodes are restarted as needed to complete the patch installation. For more information, see SSM Command document for patching: AWS-RunPatchBaseline.
The system returns information like the following.
{
    "Command": {
        "CommandId": "5f403234-38c4-439f-a570-93623EXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621975301.791,
        "Parameters": {
            "Operation": ["Install"]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "InstanceIds",
                "Values": ["i-02573cafcfEXAMPLE, i-0471e04240EXAMPLE"]
            }
        ],
        "RequestedDateTime": 1621953101.791,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,
        ---output truncated---
    }
}
To install patches on managed nodes in a specific patch group
Run the following command.
The system returns information like the following.
{
    "Command": {
        "CommandId": "fa44b086-7d36-4ad5-ac8d-627ecEXAMPLE",
        "DocumentName": "AWS-RunPatchBaseline",
        "DocumentVersion": "$DEFAULT",
        "Comment": "",
        "ExpiresAfter": 1621975407.865,
        "Parameters": {
            "Operation": ["Install"]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "tag:PatchGroup",
                "Values": ["Web servers"]
            }
        ],
        "RequestedDateTime": 1621953207.865,
        "Status": "Pending",
        "StatusDetails": "Pending",
        "TimeoutSeconds": 600,
        ---output truncated---
    }
}