How can I see the patches that Patch Manager will install on my Amazon EC2 instance?

Last updated: 2021-06-07

I want to see the patches that AWS Systems Manager Patch Manager will install on my Amazon Elastic Compute Cloud (Amazon EC2) instances. How can I do that?

Short description

Systems Manager Patch Manager allows you to orchestrate your patching operations. You can scan instances to only view a report of missing patches, or you can scan and automatically install all missing patches.

Patch Manager uses patch baselines, which include rules to auto-approve patches within days of their release. Patch baselines also include a list of approved and rejected patches. During a Scan operation, Patch Manager determines the instance patch compliance state based on the patch baseline. For more information about how patch baselines define the patches that will install on your instances, see About predefined and custom patch baselines.

Patch Manager provides predefined patch baselines that can be customized for each supported operating system (OS). If the predefined patch baselines don’t meet your requirements, you can create your own custom patch baselines. Custom patch baselines allow you more control over the patches that are approved or rejected for your environment. You can also choose to use a patch group to associate instances with a specific patch baseline.

Resolution

Before you begin, confirm that you meet the Patch Manager prerequisites.

Review or create a patch baseline

Review the predefined patch baseline for each OS that you use. If the default baseline doesn’t meet your needs, create a custom patch baseline to define a standard set of patches for the selected instance type.

If you choose to create a custom patch baseline, then set the custom baseline as the default patch baseline.

(Optional) Organize instances into patch groups

You can choose to organize your instances into patch groups using Amazon EC2 tags.

Note: The AWS-RunPatchBaseline Systems Manager RunCommand document performs patching operations on instances for security and other types of updates. If a patch group isn’t specified, the document uses the patch baseline currently specified as the default for an OS type. If a patch group is specified, the document uses the patch baselines associated with the patch group.

Run the Scan operation

Choose an AWS Systems Manager tool to run a Scan operation. For Operation, select Scan.

Note: To generate the patch states report, "AWS-RunPatchBaseline" document must run at least once on the instance.

View the list of patches that Patch Manager will install

Using the Systems Manager console

You can use the Patch Manager Reporting tab in the Systems Manager console to find the patch compliance states reported by the AWS-RunPatchBaseline.

  1. Open the Systems Manager console, and then choose Patch Manager from the navigation pane.
  2. From the Reporting tab, select the instance that you want to see missing patches for.
  3. From the bottom pane, choose the Missing patches count hyperlink to see the list of missing patches.
  4. (Optional) To generate patch compliance reports, see Generating .csv patch compliance reports (console).

Using the AWS Command Line Interface (AWS CLI)

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Before you begin, verify that you have AWS Identity and Access Management (IAM) permissions for the DescribeInstancePatches API.

You can use the describe-instance-patches command to find the patch compliance states reported by the AWS-RunPatchBaseline.

Run the following command to get an overall count report of the patch compliance states, including the missing count. Replace InstanceID with your EC2 instance ID.

aws ssm describe-instance-patch-states --instance-ids "InstanceID"

To isolate the patches that are approved in the baseline but that aren’t installed on the instance, apply the Missing state filter. The output lists the missing patches. Replace InstanceID with your Amazon EC2 instance ID, and RegionID with your AWS Region.

aws ssm describe-instance-patches --instance-id "InstanceID" --filters Key=State,Values=Missing --region RegionID