
SSM Compliance Shows Non-Compliant After Maintenance Window with AWS-RunPatchBaseline on Windows EC2


I have a weekly Maintenance Window configured to run on my Windows EC2 instance, using the AWS-RunPatchBaseline SSM document to apply patches. However, after the maintenance window completes, the instance still shows as non-compliant in the SSM Compliance section.

What could be causing this issue on a Windows instance? How can I ensure that patches are applied correctly and that the instance reports as compliant after the scheduled maintenance run?

asked 10 months ago, 100 views
1 Answer
  1. Missing Reboot

    • Cause: Some Windows patches require a reboot to complete installation.
    • Fix: Make sure the RebootOption parameter is set to RebootIfNeeded in the AWS-RunPatchBaseline task.
  2. Patch Baseline Configuration

    • Cause: Your patch baseline might only include limited classifications (e.g., only critical or security patches).
    • Fix: Check your patch baseline settings to ensure it includes all necessary classifications and severities.
  3. Stale Compliance Data

    • Cause: SSM Compliance relies on scan data that might not be refreshed after patching.
    • Fix: Ensure that patch compliance and inventory scans are triggered after patching. You can automate this using the AWS-GatherSoftwareInventory SSM document.
  4. Maintenance Window Task Misconfiguration

    • Cause: The task may be running with incorrect parameters or under the wrong targets.
    • Fix: Double-check that the maintenance window task is targeting the correct instance(s) and that parameters like Operation=Install are set properly.
  5. Pending Updates Outside Baseline

    • Cause: The instance may have updates available that are not covered by the selected patch baseline.
    • Fix: Review the list of missing patches in the SSM console to confirm if they are excluded by the baseline.
  6. Agent Issues

    • Cause: An outdated or malfunctioning SSM Agent can fail to report compliance correctly.
    • Fix: Ensure the SSM Agent is up to date and running on the instance.
answered 10 months ago
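As an added example, not part of the question or the answer above, the script below triages one record from `aws ssm describe-instance-patch-states` (or the equivalent boto3 `describe_instance_patch_states` response) against the causes listed in the answer: pending reboot or `NoReboot`, a task that ran `Scan` instead of `Install`, a compliance record older than the last maintenance window run, missing/rejected/failed patches, and (optionally, from `describe-instance-information`) an agent that is offline or out of date. The instance id, baseline id, sample record and the assumed window start time are all constructed for illustration.

```python
"""Explain why an SSM-managed instance still reports patch non-compliance.

Usage with live data (reads the JSON the CLI prints):
    aws ssm describe-instance-patch-states --instance-ids i-0123456789abcdef0 \
        | python triage_patch_state.py 2024-03-10T02:00:00+00:00
Run with no stdin/argument to evaluate the constructed sample below.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample shaped like one InstancePatchStates[] element; ids are hypothetical.
SAMPLE_STATE = {
    "InstanceId": "i-0123456789abcdef0",
    "PatchGroup": "windows-prod",
    "BaselineId": "pb-0123456789abcdef0",
    "Operation": "Install",
    "RebootOption": "NoReboot",
    "OperationStartTime": "2024-03-10T02:00:00+00:00",
    "OperationEndTime": "2024-03-10T02:14:00+00:00",
    "InstalledCount": 12,
    "InstalledPendingRebootCount": 3,
    "MissingCount": 2,
    "FailedCount": 0,
    "InstalledRejectedCount": 0,
}
# Assumed start of the most recent maintenance window execution.
SAMPLE_WINDOW_START = datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc)


def _as_datetime(value):
    """Accept the CLI's ISO-8601 string or boto3's datetime object."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def triage(state, window_start, agent_info=None):
    """Return a list of (cause, detail) tuples for a non-compliant instance.

    `window_start` is a tz-aware datetime for when the last window run began.
    `agent_info` is an optional InstanceInformation record (PingStatus, IsLatestVersion).
    """
    findings = []

    # Missing reboot: patches are installed but waiting on a restart, or the task
    # ran with RebootOption=NoReboot so the restart never happened.
    pending = state.get("InstalledPendingRebootCount", 0)
    reboot_opt = state.get("RebootOption")
    if pending > 0 or reboot_opt == "NoReboot":
        findings.append(("missing_reboot",
                         f"{pending} patch(es) pending reboot; RebootOption={reboot_opt}"))

    # Task misconfiguration: a Scan-only task reports compliance but installs nothing.
    op = state.get("Operation")
    if op != "Install":
        findings.append(("task_misconfiguration",
                         f"last operation was {op!r}, expected 'Install'"))

    # Stale compliance data: the newest patch operation predates the window run,
    # so the task either did not reach this instance or did not report back.
    end = state.get("OperationEndTime")
    if end and _as_datetime(end) < window_start:
        findings.append(("stale_compliance_data",
                         f"last operation ended {_as_datetime(end).isoformat()}, "
                         f"before window start {window_start.isoformat()}"))

    # Baseline gaps and failures: approved-but-missing, rejected, or failed patches.
    for field, cause in (("MissingCount", "missing_patches"),
                         ("InstalledRejectedCount", "rejected_patches"),
                         ("FailedCount", "failed_patches")):
        count = state.get(field, 0)
        if count > 0:
            findings.append((cause, f"{field}={count}; review the baseline and patch list"))

    # Agent issues: an offline or outdated agent cannot report fresh compliance.
    if agent_info:
        if agent_info.get("PingStatus") != "Online" or not agent_info.get("IsLatestVersion", True):
            findings.append(("agent_issue",
                             f"PingStatus={agent_info.get('PingStatus')}, "
                             f"IsLatestVersion={agent_info.get('IsLatestVersion')}"))
    return findings


if __name__ == "__main__":
    if sys.stdin.isatty() or len(sys.argv) < 2:
        states, window_start = [SAMPLE_STATE], SAMPLE_WINDOW_START
    else:
        states = json.load(sys.stdin)["InstancePatchStates"]
        window_start = _as_datetime(sys.argv[1])
    for st in states:
        print(st["InstanceId"])
        for cause, detail in triage(st, window_start) or [("ok", "no issue detected")]:
            print(f"  {cause}: {detail}")
```

The `agent_info` record is fetched separately (`aws ssm describe-instance-information --filters Key=InstanceIds,Values=<id>`); it is optional because the patch-state record alone cannot tell an agent problem from a task that simply never ran.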
