Top / Amazon Web Service / AWS Systems Manager / Patch Baseline

AWS Systems Manager Patch Baseline

This page shows how to write Terraform and CloudFormation for Systems Manager Patch Baseline and write them securely.

terraform-logo

Review your .tf file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

aws_ssm_patch_baseline (Terraform)

The Patch Baseline in Systems Manager can be configured in Terraform with the resource name aws_ssm_patch_baseline. The following sections describe 1 example of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L7
resource "aws_ssm_patch_baseline" "test-baseline" {
  name             = "test-amazon-linux"
  description      = "Approves all Amazon Linux operating system patches that are classified as Security, Bugfix or Recommended"
  operating_system = "AMAZON_LINUX"

  global_filter {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Provides an SSM Patch Baseline resource

NOTE on Patch Baselines: The approved_patches and approval_rule are both marked as optional fields, but the Patch Baseline requires that at least one of them is specified.

>> from Terraform Registry

AWS::SSM::PatchBaseline (CloudFormation)

The PatchBaseline in SSM can be configured in CloudFormation with the resource name AWS::SSM::PatchBaseline. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

rhel_approve_all.yml#L5
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "Custom-Patch-Baseline"
      Description: "Custom Patch Baseline"
      OperatingSystem: "REDHAT_ENTERPRISE_LINUX"
      PatchGroups:
centos_approve_all.yml#L5
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "Custom-Patch-Baseline"
      Description: "Custom Patch Baseline"
      OperatingSystem: "CENTOS"
      PatchGroups:
amazon_linux2_approve_all.yml#L5
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "Custom-Patch-Baseline"
      Description: "Custom Patch Baseline"
      OperatingSystem: "AMAZON_LINUX_2"
      PatchGroups:
windows_approve_all.yml#L5
    Type: "AWS::SSM::PatchBaseline"
    Properties:
      Name: "Custom-Patch-Baseline"
      Description: "Custom Patch Baseline"
      OperatingSystem: "WINDOWS"
      PatchGroups:
enable-ssm-patch.yml#L16
    Type: AWS::SSM::PatchBaseline
    Properties:
      ApprovalRules:
        PatchRules:
          - ApproveAfterDays: 7
            PatchFilterGroup:
ssm-PatchBaseline.json#L712
            "Type": "AWS::SSM::PatchBaseline",
            "Condition": "CreateDevRHEL",
            "Properties": {
                "OperatingSystem": "REDHAT_ENTERPRISE_LINUX",
                "PatchGroups": [
                    "RHEL-Dev"
MyAmazonLinuxPatchBaseline.json#L5
            "Type": "AWS::SSM::PatchBaseline",
            "Properties": {
                "OperatingSystem": "AMAZON_LINUX",
                "ApprovedPatches": [],
                "PatchGroups": [],
                "Description": "Create Patch Baselines for Amazon Linux",
resourcemodel.json#L4
      "Type": "AWS::SSM::PatchBaseline",
      "Properties": {
        "Name": "mywindownsPatchBaseline-1",
        "Description": "Baseline containing all updates approved for Windows instances",
        "OperatingSystem": "WINDOWS",
        "PatchGroups": [
CF_DeploySSMResource.json#L203
            "Type": "AWS::SSM::PatchBaseline",
            "Properties": {
                "Name": "WindowsApprovedPatches",
                "Description": "Baseline containing all updates approved for Windows instances",
                "OperatingSystem": "WINDOWS",
                "PatchGroups": [
CF_DeployNoRebootSSMResource_NewPB.json#L197
            "Type": "AWS::SSM::PatchBaseline",
            "Properties": {
                "Name": "WindowsApprovedPatches",
                "Description": "Baseline containing all updates approved for Windows instances",
                "OperatingSystem": "WINDOWS",
                "PatchGroups": [

Parameters

>> from AWS CloudFormation Documentation

Explanation in CloudFormation Registry

The AWS::SSM::PatchBaseline resource defines the basic information for an AWS Systems Manager patch baseline. A patch baseline defines which patches are approved for installation on your instances. For more information, see CreatePatchBaseline in the AWS Systems Manager API Reference.

>> from AWS CloudFormation Documentation

The Other Related AWS Systems Manager Resources

Frequently asked questions

What is AWS Systems Manager Patch Baseline?

AWS Systems Manager Patch Baseline is a resource for Systems Manager of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Systems Manager Patch Baseline?

For Terraform, the csa-bconnors/ssm-tf-demo source code example is useful. See the Terraform Example section for further details.

For CloudFormation, the mobious999/Cloudformation, mobious999/Cloudformation and mobious999/Cloudformation source code examples are useful. See the CloudFormation Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents