Why is patch manager ignoring OS scope when scanning/patching instances?


My goal is to scan/path instances in a patch group and only impact instances that match the specified operating system in my patch policy definition. SSM Patch manager ignores the rules in the patch baseline and impacts all instances in the group. What am I missing here?

I spun up two ubuntu instances with versions 18.04 and 16.04 and created a patch group that included these two instances. Next, I created a custom patch policy and set the OS to Ubuntu and the product name to Ubuntu 18.04 and set the other entries to all.

I used the run command document "AWS-RunPatchBaseline" in scan mode to scan the above mentioned patch group.

I can see in the output both the instances were scanned even though only Ubuntu 18.04 was mentioned in the patch baseline. How do i ensure that only the particular OS version is scanned or patched in case there are two instances with same Operating System but have different versions..?

Payload section of my runcommand output indicates the document seems to not factor in the OS version:
Patch Baseline: {'accountId': '*', 'baselineId': 'pb-061ce09db20eee31e', 'name': 'pp_ubuntu_18', 'globalFilters': {'filters': []}, 'approvalRules': {'rules': [{'approveAfterDays': 0, 'filterGroup': {'filters': [{'key': 'PRODUCT', 'values': ['Ubuntu18.04']}, {'key': 'SECTION', 'values': ['']}, {'key': 'PRIORITY', 'values': ['']}]}, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False}]}, 'approvedPatches': [], 'approvedPatchesComplianceLevel': 'UNSPECIFIED', 'approvedPatchesEnableNonSecurity': False, 'rejectedPatches': [], 'rejectedPatchesAction': 'ALLOW_AS_DEPENDENCY', 'createdTime': 1562154060.257, 'modifiedTime': 1562154060.257, 'description': 'pp_ubuntu_18', 'operatingSystem': 'UBUNTU', 'sources': []}

Full output:



Reading package lists...

Building dependency tree...

Reading state information...

python3-apt is already the newest version (1.1.0~beta1ubuntu0.16.04.5).

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Using python binary: 'python3'

07/03/2019 14:32:59 root [INFO]: Downloading payload from https://s3.dualstack.us-east-1.amazonaws.com/aws-ssm-us-east-1/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.21.tar.gz

07/03/2019 14:33:00 root [INFO]: Running with snapshot id = and operation = Scan

07/03/2019 14:33:00 root [INFO]: Instance Id: i-********

07/03/2019 14:33:00 root [INFO]: Region: us-east-1

07/03/2019 14:33:00 root [INFO]: Product: Ubuntu16.04

07/03/2019 14:33:00 root [INFO]: Patch Group: ubuntu_servers

07/03/2019 14:33:00 root [INFO]: Operation type: Scan

07/03/2019 14:33:00 root [INFO]: Snapshot Id: 8e6377dd-6a5b-459e-b1ff-a1944588dd7a

07/03/2019 14:33:00 root [INFO]: Patch Baseline: {'rejectedPatchesAction': 'ALLOW_AS_DEPENDENCY', 'modifiedTime': 1562154060.257, 'approvalRules': {'rules': [{'filterGroup': {'filters': [{'key': 'PRODUCT', 'values': ['Ubuntu18.04']}, {'key': 'SECTION', 'values': ['']}, {'key': 'PRIORITY', 'values': ['']}]}, 'approveAfterDays': 0, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False}]}, 'description': 'pp_ubuntu_18', 'sources': [], 'createdTime': 1562154060.257, 'operatingSystem': 'UBUNTU', 'accountId': '**********', 'name': 'pp_ubuntu_18', 'approvedPatchesEnableNonSecurity': False, 'approvedPatches': [], 'approvedPatchesComplianceLevel': 'UNSPECIFIED', 'rejectedPatches': [], 'globalFilters': {'filters': []}, 'baselineId': 'pb-061ce09db20eee31e'}

2019-07-03 14:33:00,859 root [INFO]: Starting APT patching operation.

2019-07-03 14:33:00,859 root [INFO]: Loading patch snapshot from snapshot.json

2019-07-03 14:33:00,918 root [INFO]: Searching for sources for product: Ubuntu16.04

2019-07-03 14:33:01,109 root [INFO]: Re-synchronizing the package index files from their sources.

Hit http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial InRelease

Hit http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease

Hit http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease

Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]

Fetched 109 kB in 0s (0 B/s)

2019-07-03 14:33:16,165 root [INFO]:

asked 5 years ago393 views
1 Answer

Thank you for using Patch Manager. The ApprovalRules and GlobalFilters (
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html) define which patches should be included in a patch baseline NOT which Operating System (OS) to be targeted. For targeting OS, there is just UBUNTU not individual versions like Ubuntu18.04, Ubunutu16.04 (https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#systemsmanager-CreatePatchBaseline-request-OperatingSystem).
So, in your case "two ubuntu instances with versions 18.04 and 16.04", with only one patch group "ubuntu_servers". Both the instances with tag - Patch Group : ubuntu_servers and having OS - "Ubuntu" will be targeted (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-patchgroups.html). So you would need to create a separate patch baseline for ubuntu 16.04 and link a new patch group (attached to the ubuntu 16.04 instances) to that baseline.
Please reach out if there are any doubts.

  • Kalhan

Edited by: Kalhan-AWS on Jul 5, 2019 3:35 PM

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions