AWS Systems Manager

Custom Patch Baseline

Configure an AWS Systems Manager Custom Patch Baseline and Patch Groups. Custom Patch Baselines allow custom rules for selecting which patches are applied to instances and operating systems.

Patches to be installed are defined based on rules (up to 10), which include the following options:

  • Operating System: Windows, Amazon Linux, Ubuntu Server, and so on.
  • Product: For example, RHEL 6.5, Amazon Linux 2014.09, Windows Server 2012, Windows Server 2012 R2, and so on.
  • Classification: For example, critical updates, security updates, and so on.
  • Severity: For example, critical, important, and so on.
  • Auto-approval delay: The number of days to wait after the patch is released before it is automatically approved for patching.

Patch groups are tags assigned to instances. The tag key must be Patch Group; the value can be anything. (The default configuration uses the value custom-patch-group.)

Optionally, enable Set as Default Patch Baseline to make the new Patch Baseline the default one for all instances. It is recommended to review the patch rules carefully before selecting this option. (A CloudFormation custom resource is included to enable this option.)

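AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  PatchBasline:
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "custom-patch-baseline"
      Description: "Custom patch baseline"
      OperatingSystem: "WINDOWS"
      # Instances tagged "Patch Group" = "custom-patch-group" use this baseline.
      PatchGroups:
        - "custom-patch-group"
      ApprovalRules:
        PatchRules:
          # Auto-approve matching patches 7 days after release.
          - ApproveAfterDays: "7"
            PatchFilterGroup:
              PatchFilters:
                # "*" matches every product of the selected operating system.
                - Key: "PRODUCT"
                  Values:
                    - "*"
                # Left empty as a missing parameter: supply at least one
                # classification (e.g. CriticalUpdates, SecurityUpdates) before deploying.
                - Key: "CLASSIFICATION"
                  Values: []
                # Left empty as a missing parameter: supply at least one
                # severity (e.g. Critical, Important) before deploying.
                - Key: "MSRC_SEVERITY"
                  Values: []
                # Restrict the rule to operating system patches.
                - Key: "PATCH_SET"
                  Values:
                    - "OS"
Parameters: {}
Metadata: {}
Conditions: {}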
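
A pre-deployment check for the template above, as an added example that is not part of the original page or of any AWS tooling. It flags patch filters left without values, more rules than the stated limit of 10, and instances whose Patch Group tag does not match a group registered to the baseline. The function names, the dict form of the template and the instance IDs are assumptions constructed for illustration.

```python
# Added example: lint an AWS::SSM::PatchBaseline Properties dict before deployment.
MAX_RULES = 10                   # rule limit stated on this page
PATCH_GROUP_TAG = "Patch Group"  # required tag key stated on this page

def lint_baseline(props):
    """Return a list of findings for a PatchBaseline Properties dict."""
    findings = []
    rules = props.get("ApprovalRules", {}).get("PatchRules", [])
    if not rules:
        findings.append("no approval rules defined")
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    for i, rule in enumerate(rules):
        for flt in rule.get("PatchFilterGroup", {}).get("PatchFilters", []):
            if not flt.get("Values"):
                findings.append(f"rule {i}: filter {flt.get('Key')} has no values")
    if not props.get("PatchGroups"):
        findings.append("no patch groups registered")
    return findings

def unmatched_instances(props, instance_tags):
    """Instance ids whose 'Patch Group' tag is absent or not registered to the baseline."""
    groups = set(props.get("PatchGroups", []))
    return sorted(iid for iid, tags in instance_tags.items()
                  if tags.get(PATCH_GROUP_TAG) not in groups)

# The Properties of the template shown on this page, transcribed as a dict.
PAGE_TEMPLATE = {
    "OperatingSystem": "WINDOWS",
    "PatchGroups": ["custom-patch-group"],
    "ApprovalRules": {"PatchRules": [{
        "ApproveAfterDays": "7",
        "PatchFilterGroup": {"PatchFilters": [
            {"Key": "PRODUCT", "Values": ["*"]},
            {"Key": "CLASSIFICATION", "Values": []},
            {"Key": "MSRC_SEVERITY", "Values": []},
            {"Key": "PATCH_SET", "Values": ["OS"]},
        ]},
    }]},
}
# Constructed instance tags (hypothetical ids); tag keys are case-sensitive.
SAMPLE_TAGS = {
    "i-aaaa": {"Patch Group": "custom-patch-group"},
    "i-bbbb": {"patch group": "custom-patch-group"},  # wrong key casing
    "i-cccc": {"Patch Group": "web"},                 # group not registered
}

if __name__ == "__main__":
    print(lint_baseline(PAGE_TEMPLATE))
    print(unmatched_instances(PAGE_TEMPLATE, SAMPLE_TAGS))
```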
