Amazon Web Services EC2 Systems Manager - installing security patches

Tags: amazon-web-services, amazon-ec2, systemmanagement

I am trying to use EC2 Systems Manager with a maintenance window just to apply security patches. I cannot find any documentation for this. Has anyone already done this and can give me a hint?


I know that AWS provides Patch Manager for Windows.

You can find the official documentation on getting started with patching in EC2 Systems Manager here:

There is also a walkthrough that covers the complete set of steps to get started:

I have added some specific examples related to your question using the AWS CLI and the AWS Tools for PowerShell. Of course, you can also do all of this in the AWS console.

Installing security patches

To control which patches should be installed, use a patch baseline. A patch baseline consists of a set of rules that define which patches are approved for deployment and when they are approved, plus an optional set of explicitly approved and rejected patches.

Create a patch baseline

In your case, to apply only security patches, you can create a patch baseline like this:

AWS CLI

# Approve every patch classified as SecurityUpdates three days after it is released
aws ssm create-patch-baseline \
  --name "Only-Security-Patches" \
  --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[SecurityUpdates]}]},ApproveAfterDays=3}]" \
  --description "Security updates for all versions of Windows"
AWS PowerShell

# Build the approval rule: CLASSIFICATION = SecurityUpdates, approved after 3 days
$rule = New-Object Amazon.SimpleSystemsManagement.Model.PatchRule
$rule.ApproveAfterDays = 3
$ruleFilters = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilterGroup
$classificationFilter = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilter
$classificationFilter.Key = "CLASSIFICATION"
$classificationFilter.Values.Add("SecurityUpdates")
$ruleFilters.PatchFilters.Add($classificationFilter)
$rule.PatchFilterGroup = $ruleFilters
New-SSMPatchBaseline `
  -Name "Only-Security-Patches" `
  -Description "Security updates for all versions of Windows" `
  -ApprovalRules_PatchRule $rule
Define the default patch baseline

You control which patch baseline is used for a particular EC2 instance by tagging the instance with the tag Patch Group, with the tag value set to the name of the chosen patch group. You can then register the patch group with a patch baseline. In this example, you can also define the new patch baseline as the default patch baseline, which is used for all instances that are not tagged with a Patch Group:

AWS CLI

aws ssm register-default-patch-baseline --baseline-id <the id of the patch baseline created above>

AWS PowerShell

Register-SSMDefaultPatchBaseline -BaselineId <the id of the patch baseline created above>
Register the patching task

After creating the maintenance window, you can now register the task to run in it; in this example we want to run the AWS-ApplyPatchBaseline command.

Note that the commands below assume you have already followed the steps to define the IAM role to use for the maintenance window (I have named this role MW-Role here), as described here:

AWS CLI

# Weekly window: Tuesdays at 16:00 UTC, 4 hours long, no new tasks in the last hour
aws ssm create-maintenance-window \
  --name "My-Tuesday-Maintenance-Window" \
  --schedule "cron(0 16 ? * TUE *)" \
  --duration 4 \
  --cutoff 1 \
  --allow-unassociated-targets
# Run AWS-ApplyPatchBaseline (Install) on the listed instances, two at a time
aws ssm register-task-with-maintenance-window \
  --window-id <the id of your maintenance window> \
  --targets "Key=InstanceIds,Values=<comma-separated list of instance ids>" \
  --task-arn "AWS-ApplyPatchBaseline" \
  --service-role-arn "arn:aws:iam::<your account id>:role/MW-Role" \
  --task-type "RUN_COMMAND" \
  --max-concurrency 2 \
  --max-errors 1 \
  --priority 1 \
  --task-parameters '{"Operation":{"Values":["Install"]}}'

AWS PowerShell

# Weekly window: Tuesdays at 16:00 UTC, 4 hours long, no new tasks in the last hour
New-SSMMaintenanceWindow `
  -Name "My-Tuesday-Maintenance-Window" `
  -Schedule "cron(0 16 ? * TUE *)" `
  -Duration 4 `
  -Cutoff 1 `
  -AllowUnassociatedTarget $true

# Task parameter Operation=Install for the AWS-ApplyPatchBaseline document
$parameters = @{}
$parameterValues = New-Object Amazon.SimpleSystemsManagement.Model.MaintenanceWindowTaskParameterValueExpression
$parameterValues.Values = @("Install")
$parameters.Add("Operation", $parameterValues)

Register-SSMTaskWithMaintenanceWindow `
  -WindowId <the id of your maintenance window> `
  -Target @{ Key="InstanceIds"; Values=@("<comma-separated list of instance ids>") } `
  -TaskArn "AWS-ApplyPatchBaseline" `
  -ServiceRoleArn "arn:aws:iam::<your account id>:role/MW-Role" `
  -TaskType "RUN_COMMAND" `
  -MaxConcurrency 2 `
  -MaxErrors 1 `
  -Priority 1 `
  -TaskParameter $parameters
Other interesting features

Now that all the configuration is done, you can view the execution history of the maintenance window and the patch compliance state of the instances being patched.

Maintenance window executions

You can drill into the execution history of the maintenance window with the following commands:

Patch compliance information

After the instances have been patched, you can get their patch compliance information:

I hope this helps answer your question; if not, please let me know.
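The answer's last section talks about reading patch compliance state after the window has run. As an added example (not part of the answer above, and written in Python rather than the CLI or PowerShell so it runs offline), this triages the JSON that `aws ssm describe-instance-patch-states` returns, flagging what a weekly security-patch window should never leave behind; the response, instance ids and baseline ids are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws ssm describe-instance-patch-states` output.
# Instance and baseline ids are placeholders, not real resources.
SAMPLE_RESPONSE = json.dumps({"InstancePatchStates": [
    {"InstanceId": "i-0example000000001", "BaselineId": "pb-0example0000000001",
     "Operation": "Install", "InstalledCount": 12, "MissingCount": 0, "FailedCount": 0,
     "NotApplicableCount": 3, "OperationEndTime": "2017-02-07T16:45:00+00:00"},
    {"InstanceId": "i-0example000000002", "BaselineId": "pb-0example0000000001",
     "Operation": "Install", "InstalledCount": 10, "MissingCount": 2, "FailedCount": 1,
     "NotApplicableCount": 3, "OperationEndTime": "2017-02-07T16:50:00+00:00"},
    {"InstanceId": "i-0example000000003", "BaselineId": "pb-0otherbaseline00001",
     "Operation": "Scan", "InstalledCount": 9, "MissingCount": 0, "FailedCount": 0,
     "NotApplicableCount": 3, "OperationEndTime": "2017-01-10T16:50:00+00:00"},
]})

def triage_patch_states(response_json, expected_baseline, now, max_age=timedelta(days=7)):
    """Map each InstanceId to a list of findings; an empty list means compliant.

    Findings: missing or failed patches, a Scan-only run (nothing installed), a result
    older than the weekly window's cadence, and an instance that ended up on a different
    baseline (for example because its Patch Group tag points somewhere unexpected)."""
    findings = {}
    for state in json.loads(response_json)["InstancePatchStates"]:
        issues = []
        if state["MissingCount"] > 0:
            issues.append("missing:%d" % state["MissingCount"])
        if state["FailedCount"] > 0:
            issues.append("failed:%d" % state["FailedCount"])
        if state["Operation"] != "Install":
            issues.append("operation:" + state["Operation"])
        if state["BaselineId"] != expected_baseline:
            issues.append("baseline:" + state["BaselineId"])
        ended = datetime.fromisoformat(state["OperationEndTime"])
        if now - ended > max_age:
            issues.append("stale:%dd" % (now - ended).days)
        findings[state["InstanceId"]] = issues
    return findings

def demo_report():
    """Run the triage over the constructed sample as of a fixed point in time."""
    return triage_patch_states(SAMPLE_RESPONSE, "pb-0example0000000001",
                               now=datetime(2017, 2, 8, tzinfo=timezone.utc))

if __name__ == "__main__":
    for instance, issues in demo_report().items():
        print(instance, "COMPLIANT" if not issues else "NON_COMPLIANT " + ",".join(issues))
```

Feeding it real output means replacing SAMPLE_RESPONSE with the CLI's JSON and the expected baseline with the id returned by create-patch-baseline.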