HEX
Server: Apache/2.4.41 (Ubuntu)
System: Linux ip-172-31-42-149 5.15.0-1084-aws #91~20.04.1-Ubuntu SMP Fri May 2 07:00:04 UTC 2025 aarch64
User: ubuntu (1000)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
Upload Files
File: //usr/local/aws-cli/v2/dist/awscli/examples/ssm/create-patch-baseline.rst
**Example 1: To create a patch baseline with auto-approval**

The following ``create-patch-baseline`` example creates a patch baseline for Windows Server that approves patches for a production environment seven days after they are released by Microsoft. ::

    aws ssm create-patch-baseline \
        --name "Windows-Production-Baseline-AutoApproval" \
        --operating-system "WINDOWS" \
        --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important,Moderate]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveAfterDays=7}]" \
        --description "Baseline containing all updates approved for Windows Server production systems"

Output::

    {
        "BaselineId": "pb-045f10b4f3EXAMPLE"
    }
 
**Example 2: To create a patch baseline with an approval cutoff date**

The following ``create-patch-baseline`` example creates a patch baseline for Windows Server that approves all patches for a production environment that are released on or before July 7, 2020. ::

    aws ssm create-patch-baseline \
        --name "Windows-Production-Baseline-AutoApproval" \
        --operating-system "WINDOWS" \
        --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=MSRC_SEVERITY,Values=[Critical,Important,Moderate]},{Key=CLASSIFICATION,Values=[SecurityUpdates,Updates,UpdateRollups,CriticalUpdates]}]},ApproveUntilDate=2020-07-07}]" \
        --description "Baseline containing all updates approved for Windows Server production systems"

Output::

    {
        "BaselineId": "pb-045f10b4f3EXAMPLE"
    }

**Example 3: To create a patch baseline with approval rules stored in a JSON file**

The following ``create-patch-baseline`` example creates a patch baseline for Amazon Linux 2017.09 that approves patches for a production environment seven days after they are released, specifies approval rules for the patch baseline, and specifies a custom repository for patches.  ::

    aws ssm create-patch-baseline \
        --cli-input-json file://my-amazon-linux-approval-rules-and-repo.json 

Contents of ``my-amazon-linux-approval-rules-and-repo.json``::

    {
        "Name": "Amazon-Linux-2017.09-Production-Baseline",
        "Description": "My approval rules patch baseline for Amazon Linux 2017.09 instances",
        "OperatingSystem": "AMAZON_LINUX",
        "Tags": [
            {
                "Key": "Environment",
                "Value": "Production"
            }
        ],
        "ApprovalRules": {
            "PatchRules": [
                {
                    "ApproveAfterDays": 7,
                    "EnableNonSecurity": true,
                    "PatchFilterGroup": {
                        "PatchFilters": [
                            {
                                "Key": "SEVERITY",
                                "Values": [
                                    "Important",
                                    "Critical"
                                ]
                            },
                            {
                                "Key": "CLASSIFICATION",
                                "Values": [
                                    "Security",
                                    "Bugfix"
                                ]
                            },
                            {
                                "Key": "PRODUCT",
                                "Values": [
                                    "AmazonLinux2017.09"
                                ]
                            }
                        ]
                    }
                }
            ]
        },
        "Sources": [
            {
                "Name": "My-AL2017.09",
                "Products": [
                    "AmazonLinux2017.09"
                ],
                "Configuration": "[amzn-main] \nname=amzn-main-Base\nmirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list //nmirrorlist_expire=300//nmetadata_expire=300 \npriority=10 \nfailovermethod=priority \nfastestmirror_enabled=0 \ngpgcheck=1 \ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga \nenabled=1 \nretries=3 \ntimeout=5\nreport_instanceid=yes"
            }
        ]
    }

**Example 4: To create a patch baseline that specifies approved and rejected patches**

The following ``create-patch-baseline`` example explicitly specifies patches to approve and reject as exception to the default approval rules. ::

    aws ssm create-patch-baseline \
        --name "Amazon-Linux-2017.09-Alpha-Baseline" \
        --description "My custom approve/reject patch baseline for Amazon Linux 2017.09 instances" \
        --operating-system "AMAZON_LINUX" \
        --approved-patches "CVE-2018-1234567,example-pkg-EE-2018*.amzn1.noarch" \
        --approved-patches-compliance-level "HIGH" \
        --approved-patches-enable-non-security \
        --tags "Key=Environment,Value=Alpha" 
      
For more information, see `Create a Custom Patch Baseline <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-baseline-console.html>`__ in the *AWS Systems Manager User Guide*.