The aws:ssm/patchBaseline:PatchBaseline resource, part of the Pulumi AWS provider, defines patch approval criteria for SSM-managed instances: which patches to install, when to approve them, and where to source them. This guide focuses on three capabilities: explicit patch approval by KB number, rule-based filtering by product and severity, and custom patch repositories for Linux.
Patch baselines define criteria but don’t apply patches directly. They work with SSM patch groups and maintenance windows to control when patches reach instances. The examples are intentionally small. Combine them with your own patch groups and maintenance windows.
Approve specific patches by KB number
Teams managing Windows servers often start with a minimal baseline that explicitly approves known patches by their KB identifiers.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const production = new aws.ssm.PatchBaseline("production", {
name: "patch-baseline",
approvedPatches: ["KB123456"],
});
import pulumi
import pulumi_aws as aws
production = aws.ssm.PatchBaseline("production",
name="patch-baseline",
approved_patches=["KB123456"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ssm.NewPatchBaseline(ctx, "production", &ssm.PatchBaselineArgs{
Name: pulumi.String("patch-baseline"),
ApprovedPatches: pulumi.StringArray{
pulumi.String("KB123456"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var production = new Aws.Ssm.PatchBaseline("production", new()
{
Name = "patch-baseline",
ApprovedPatches = new[]
{
"KB123456",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var production = new PatchBaseline("production", PatchBaselineArgs.builder()
.name("patch-baseline")
.approvedPatches("KB123456")
.build());
}
}
resources:
production:
type: aws:ssm:PatchBaseline
properties:
name: patch-baseline
approvedPatches:
- KB123456
The approvedPatches property lists specific KB numbers that SSM will install on managed nodes. This approach gives you direct control over which updates reach your fleet, useful when you need to test patches before broader deployment.
Filter patches by product and severity
Production environments typically combine explicit patch control with automatic approval rules that filter by product version, classification, and severity.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const production = new aws.ssm.PatchBaseline("production", {
name: "patch-baseline",
description: "Patch Baseline Description",
approvedPatches: [
"KB123456",
"KB456789",
],
rejectedPatches: ["KB987654"],
globalFilters: [
{
key: "PRODUCT",
values: ["WindowsServer2008"],
},
{
key: "CLASSIFICATION",
values: ["ServicePacks"],
},
{
key: "MSRC_SEVERITY",
values: ["Low"],
},
],
approvalRules: [
{
approveAfterDays: 7,
complianceLevel: "HIGH",
patchFilters: [
{
key: "PRODUCT",
values: ["WindowsServer2016"],
},
{
key: "CLASSIFICATION",
values: [
"CriticalUpdates",
"SecurityUpdates",
"Updates",
],
},
{
key: "MSRC_SEVERITY",
values: [
"Critical",
"Important",
"Moderate",
],
},
],
},
{
approveAfterDays: 7,
patchFilters: [{
key: "PRODUCT",
values: ["WindowsServer2012"],
}],
},
],
});
import pulumi
import pulumi_aws as aws
production = aws.ssm.PatchBaseline("production",
name="patch-baseline",
description="Patch Baseline Description",
approved_patches=[
"KB123456",
"KB456789",
],
rejected_patches=["KB987654"],
global_filters=[
{
"key": "PRODUCT",
"values": ["WindowsServer2008"],
},
{
"key": "CLASSIFICATION",
"values": ["ServicePacks"],
},
{
"key": "MSRC_SEVERITY",
"values": ["Low"],
},
],
approval_rules=[
{
"approve_after_days": 7,
"compliance_level": "HIGH",
"patch_filters": [
{
"key": "PRODUCT",
"values": ["WindowsServer2016"],
},
{
"key": "CLASSIFICATION",
"values": [
"CriticalUpdates",
"SecurityUpdates",
"Updates",
],
},
{
"key": "MSRC_SEVERITY",
"values": [
"Critical",
"Important",
"Moderate",
],
},
],
},
{
"approve_after_days": 7,
"patch_filters": [{
"key": "PRODUCT",
"values": ["WindowsServer2012"],
}],
},
])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ssm.NewPatchBaseline(ctx, "production", &ssm.PatchBaselineArgs{
Name: pulumi.String("patch-baseline"),
Description: pulumi.String("Patch Baseline Description"),
ApprovedPatches: pulumi.StringArray{
pulumi.String("KB123456"),
pulumi.String("KB456789"),
},
RejectedPatches: pulumi.StringArray{
pulumi.String("KB987654"),
},
GlobalFilters: ssm.PatchBaselineGlobalFilterArray{
&ssm.PatchBaselineGlobalFilterArgs{
Key: pulumi.String("PRODUCT"),
Values: pulumi.StringArray{
pulumi.String("WindowsServer2008"),
},
},
&ssm.PatchBaselineGlobalFilterArgs{
Key: pulumi.String("CLASSIFICATION"),
Values: pulumi.StringArray{
pulumi.String("ServicePacks"),
},
},
&ssm.PatchBaselineGlobalFilterArgs{
Key: pulumi.String("MSRC_SEVERITY"),
Values: pulumi.StringArray{
pulumi.String("Low"),
},
},
},
ApprovalRules: ssm.PatchBaselineApprovalRuleArray{
&ssm.PatchBaselineApprovalRuleArgs{
ApproveAfterDays: pulumi.Int(7),
ComplianceLevel: pulumi.String("HIGH"),
PatchFilters: ssm.PatchBaselineApprovalRulePatchFilterArray{
&ssm.PatchBaselineApprovalRulePatchFilterArgs{
Key: pulumi.String("PRODUCT"),
Values: pulumi.StringArray{
pulumi.String("WindowsServer2016"),
},
},
&ssm.PatchBaselineApprovalRulePatchFilterArgs{
Key: pulumi.String("CLASSIFICATION"),
Values: pulumi.StringArray{
pulumi.String("CriticalUpdates"),
pulumi.String("SecurityUpdates"),
pulumi.String("Updates"),
},
},
&ssm.PatchBaselineApprovalRulePatchFilterArgs{
Key: pulumi.String("MSRC_SEVERITY"),
Values: pulumi.StringArray{
pulumi.String("Critical"),
pulumi.String("Important"),
pulumi.String("Moderate"),
},
},
},
},
&ssm.PatchBaselineApprovalRuleArgs{
ApproveAfterDays: pulumi.Int(7),
PatchFilters: ssm.PatchBaselineApprovalRulePatchFilterArray{
&ssm.PatchBaselineApprovalRulePatchFilterArgs{
Key: pulumi.String("PRODUCT"),
Values: pulumi.StringArray{
pulumi.String("WindowsServer2012"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var production = new Aws.Ssm.PatchBaseline("production", new()
{
Name = "patch-baseline",
Description = "Patch Baseline Description",
ApprovedPatches = new[]
{
"KB123456",
"KB456789",
},
RejectedPatches = new[]
{
"KB987654",
},
GlobalFilters = new[]
{
new Aws.Ssm.Inputs.PatchBaselineGlobalFilterArgs
{
Key = "PRODUCT",
Values = new[]
{
"WindowsServer2008",
},
},
new Aws.Ssm.Inputs.PatchBaselineGlobalFilterArgs
{
Key = "CLASSIFICATION",
Values = new[]
{
"ServicePacks",
},
},
new Aws.Ssm.Inputs.PatchBaselineGlobalFilterArgs
{
Key = "MSRC_SEVERITY",
Values = new[]
{
"Low",
},
},
},
ApprovalRules = new[]
{
new Aws.Ssm.Inputs.PatchBaselineApprovalRuleArgs
{
ApproveAfterDays = 7,
ComplianceLevel = "HIGH",
PatchFilters = new[]
{
new Aws.Ssm.Inputs.PatchBaselineApprovalRulePatchFilterArgs
{
Key = "PRODUCT",
Values = new[]
{
"WindowsServer2016",
},
},
new Aws.Ssm.Inputs.PatchBaselineApprovalRulePatchFilterArgs
{
Key = "CLASSIFICATION",
Values = new[]
{
"CriticalUpdates",
"SecurityUpdates",
"Updates",
},
},
new Aws.Ssm.Inputs.PatchBaselineApprovalRulePatchFilterArgs
{
Key = "MSRC_SEVERITY",
Values = new[]
{
"Critical",
"Important",
"Moderate",
},
},
},
},
new Aws.Ssm.Inputs.PatchBaselineApprovalRuleArgs
{
ApproveAfterDays = 7,
PatchFilters = new[]
{
new Aws.Ssm.Inputs.PatchBaselineApprovalRulePatchFilterArgs
{
Key = "PRODUCT",
Values = new[]
{
"WindowsServer2012",
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineGlobalFilterArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var production = new PatchBaseline("production", PatchBaselineArgs.builder()
.name("patch-baseline")
.description("Patch Baseline Description")
.approvedPatches(
"KB123456",
"KB456789")
.rejectedPatches("KB987654")
.globalFilters(
PatchBaselineGlobalFilterArgs.builder()
.key("PRODUCT")
.values("WindowsServer2008")
.build(),
PatchBaselineGlobalFilterArgs.builder()
.key("CLASSIFICATION")
.values("ServicePacks")
.build(),
PatchBaselineGlobalFilterArgs.builder()
.key("MSRC_SEVERITY")
.values("Low")
.build())
.approvalRules(
PatchBaselineApprovalRuleArgs.builder()
.approveAfterDays(7)
.complianceLevel("HIGH")
.patchFilters(
PatchBaselineApprovalRulePatchFilterArgs.builder()
.key("PRODUCT")
.values("WindowsServer2016")
.build(),
PatchBaselineApprovalRulePatchFilterArgs.builder()
.key("CLASSIFICATION")
.values(
"CriticalUpdates",
"SecurityUpdates",
"Updates")
.build(),
PatchBaselineApprovalRulePatchFilterArgs.builder()
.key("MSRC_SEVERITY")
.values(
"Critical",
"Important",
"Moderate")
.build())
.build(),
PatchBaselineApprovalRuleArgs.builder()
.approveAfterDays(7)
.patchFilters(PatchBaselineApprovalRulePatchFilterArgs.builder()
.key("PRODUCT")
.values("WindowsServer2012")
.build())
.build())
.build());
}
}
resources:
production:
type: aws:ssm:PatchBaseline
properties:
name: patch-baseline
description: Patch Baseline Description
approvedPatches:
- KB123456
- KB456789
rejectedPatches:
- KB987654
globalFilters:
- key: PRODUCT
values:
- WindowsServer2008
- key: CLASSIFICATION
values:
- ServicePacks
- key: MSRC_SEVERITY
values:
- Low
approvalRules:
- approveAfterDays: 7
complianceLevel: HIGH
patchFilters:
- key: PRODUCT
values:
- WindowsServer2016
- key: CLASSIFICATION
values:
- CriticalUpdates
- SecurityUpdates
- Updates
- key: MSRC_SEVERITY
values:
- Critical
- Important
- Moderate
- approveAfterDays: 7
patchFilters:
- key: PRODUCT
values:
- WindowsServer2012
Approval rules automatically approve patches matching your filters after a specified delay. The approveAfterDays property controls the waiting period; patchFilters define which patches qualify. Global filters exclude patches baseline-wide, while rejectedPatches blocks specific KB numbers. Multiple approval rules let you handle different products with different criteria.
Patch Windows OS and Microsoft applications
Organizations running Microsoft Office alongside Windows need baselines that cover both OS patches and application updates.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const windowsOsApps = new aws.ssm.PatchBaseline("windows_os_apps", {
name: "WindowsOSAndMicrosoftApps",
description: "Patch both Windows and Microsoft apps",
operatingSystem: "WINDOWS",
approvalRules: [
{
approveAfterDays: 7,
patchFilters: [
{
key: "CLASSIFICATION",
values: [
"CriticalUpdates",
"SecurityUpdates",
],
},
{
key: "MSRC_SEVERITY",
values: [
"Critical",
"Important",
],
},
],
},
{
approveAfterDays: 7,
patchFilters: [
{
key: "PATCH_SET",
values: ["APPLICATION"],
},
{
key: "PRODUCT",
values: [
"Office 2013",
"Office 2016",
],
},
],
},
],
});
import pulumi
import pulumi_aws as aws
windows_os_apps = aws.ssm.PatchBaseline("windows_os_apps",
name="WindowsOSAndMicrosoftApps",
description="Patch both Windows and Microsoft apps",
operating_system="WINDOWS",
approval_rules=[
{
"approve_after_days": 7,
"patch_filters": [
{
"key": "CLASSIFICATION",
"values": [
"CriticalUpdates",
"SecurityUpdates",
],
},
{
"key": "MSRC_SEVERITY",
"values": [
"Critical",
"Important",
],
},
],
},
{
"approve_after_days": 7,
"patch_filters": [
{
"key": "PATCH_SET",
"values": ["APPLICATION"],
},
{
"key": "PRODUCT",
"values": [
"Office 2013",
"Office 2016",
],
},
],
},
])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ssm.NewPatchBaseline(ctx, "windows_os_apps", &ssm.PatchBaselineArgs{
Name: pulumi.String("WindowsOSAndMicrosoftApps"),
Description: pulumi.String("Patch both Windows and Microsoft apps"),
OperatingSystem: pulumi.String("WINDOWS"),
ApprovalRules: ssm.PatchBaselineApprovalRuleArray{
&ssm.PatchBaselineApprovalRuleArgs{
ApproveAfterDays: pulumi.Int(7),
PatchFilters: ssm.PatchBaselineApprovalRulePatchFilterArray{
&ssm.PatchBaselineApprovalRulePatchFilterArgs{
Key: pulumi.String("CLASSIFICATION"),
Values: pulumi.StringArray{
pulumi.String("CriticalUpdates"),
pulumi.String("SecurityUpdates"),
},
},
&ssm.PatchBaselineApprovalRulePatchFilterArgs{
Key: pulumi.String("MSRC_SEVERITY"),
Values: pulumi.StringArray{
pulumi.String("Critical"),
pulumi.String("Important"),
},
},
},
},
&ssm.PatchBaselineApprovalRuleArgs{
ApproveAfterDays: pulumi.Int(7),
PatchFilters: ssm.PatchBaselineApprovalRulePatchFilterArray{
&ssm.PatchBaselineApprovalRulePatchFilterArgs{
Key: pulumi.String("PATCH_SET"),
Values: pulumi.StringArray{
pulumi.String("APPLICATION"),
},
},
&ssm.PatchBaselineApprovalRulePatchFilterArgs{
Key: pulumi.String("PRODUCT"),
Values: pulumi.StringArray{
pulumi.String("Office 2013"),
pulumi.String("Office 2016"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var windowsOsApps = new Aws.Ssm.PatchBaseline("windows_os_apps", new()
{
Name = "WindowsOSAndMicrosoftApps",
Description = "Patch both Windows and Microsoft apps",
OperatingSystem = "WINDOWS",
ApprovalRules = new[]
{
new Aws.Ssm.Inputs.PatchBaselineApprovalRuleArgs
{
ApproveAfterDays = 7,
PatchFilters = new[]
{
new Aws.Ssm.Inputs.PatchBaselineApprovalRulePatchFilterArgs
{
Key = "CLASSIFICATION",
Values = new[]
{
"CriticalUpdates",
"SecurityUpdates",
},
},
new Aws.Ssm.Inputs.PatchBaselineApprovalRulePatchFilterArgs
{
Key = "MSRC_SEVERITY",
Values = new[]
{
"Critical",
"Important",
},
},
},
},
new Aws.Ssm.Inputs.PatchBaselineApprovalRuleArgs
{
ApproveAfterDays = 7,
PatchFilters = new[]
{
new Aws.Ssm.Inputs.PatchBaselineApprovalRulePatchFilterArgs
{
Key = "PATCH_SET",
Values = new[]
{
"APPLICATION",
},
},
new Aws.Ssm.Inputs.PatchBaselineApprovalRulePatchFilterArgs
{
Key = "PRODUCT",
Values = new[]
{
"Office 2013",
"Office 2016",
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var windowsOsApps = new PatchBaseline("windowsOsApps", PatchBaselineArgs.builder()
.name("WindowsOSAndMicrosoftApps")
.description("Patch both Windows and Microsoft apps")
.operatingSystem("WINDOWS")
.approvalRules(
PatchBaselineApprovalRuleArgs.builder()
.approveAfterDays(7)
.patchFilters(
PatchBaselineApprovalRulePatchFilterArgs.builder()
.key("CLASSIFICATION")
.values(
"CriticalUpdates",
"SecurityUpdates")
.build(),
PatchBaselineApprovalRulePatchFilterArgs.builder()
.key("MSRC_SEVERITY")
.values(
"Critical",
"Important")
.build())
.build(),
PatchBaselineApprovalRuleArgs.builder()
.approveAfterDays(7)
.patchFilters(
PatchBaselineApprovalRulePatchFilterArgs.builder()
.key("PATCH_SET")
.values("APPLICATION")
.build(),
PatchBaselineApprovalRulePatchFilterArgs.builder()
.key("PRODUCT")
.values(
"Office 2013",
"Office 2016")
.build())
.build())
.build());
}
}
resources:
windowsOsApps:
type: aws:ssm:PatchBaseline
name: windows_os_apps
properties:
name: WindowsOSAndMicrosoftApps
description: Patch both Windows and Microsoft apps
operatingSystem: WINDOWS
approvalRules:
- approveAfterDays: 7
patchFilters:
- key: CLASSIFICATION
values:
- CriticalUpdates
- SecurityUpdates
- key: MSRC_SEVERITY
values:
- Critical
- Important
- approveAfterDays: 7
patchFilters:
- key: PATCH_SET
values:
- APPLICATION
- key: PRODUCT
values:
- Office 2013
- Office 2016
The PATCH_SET filter distinguishes between operating system patches and application patches. Setting it to APPLICATION with specific PRODUCT values targets Office versions. This baseline applies both OS security updates and Office patches using separate approval rules.
Configure custom patch repositories for Linux
Linux environments may need to pull patches from internal mirrors rather than default AWS sources.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const al201709 = new aws.ssm.PatchBaseline("al_2017_09", {
approvalRules: [{}],
name: "Amazon-Linux-2017.09",
description: "My patch repository for Amazon Linux 2017.09",
operatingSystem: "AMAZON_LINUX",
sources: [{
name: "My-AL2017.09",
products: ["AmazonLinux2017.09"],
configuration: `[amzn-main]
name=amzn-main-Base
mirrorlist=http://repo./awsregion./awsdomain//releasever/main/mirror.list
mirrorlist_expire=300
metadata_expire=300
priority=10
failovermethod=priority
fastestmirror_enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
enabled=1
retries=3
timeout=5
report_instanceid=yes
`,
}],
});
import pulumi
import pulumi_aws as aws
al201709 = aws.ssm.PatchBaseline("al_2017_09",
approval_rules=[{}],
name="Amazon-Linux-2017.09",
description="My patch repository for Amazon Linux 2017.09",
operating_system="AMAZON_LINUX",
sources=[{
"name": "My-AL2017.09",
"products": ["AmazonLinux2017.09"],
"configuration": """[amzn-main]
name=amzn-main-Base
mirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list
mirrorlist_expire=300
metadata_expire=300
priority=10
failovermethod=priority
fastestmirror_enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
enabled=1
retries=3
timeout=5
report_instanceid=yes
""",
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ssm.NewPatchBaseline(ctx, "al_2017_09", &ssm.PatchBaselineArgs{
ApprovalRules: ssm.PatchBaselineApprovalRuleArray{
&ssm.PatchBaselineApprovalRuleArgs{},
},
Name: pulumi.String("Amazon-Linux-2017.09"),
Description: pulumi.String("My patch repository for Amazon Linux 2017.09"),
OperatingSystem: pulumi.String("AMAZON_LINUX"),
Sources: ssm.PatchBaselineSourceArray{
&ssm.PatchBaselineSourceArgs{
Name: pulumi.String("My-AL2017.09"),
Products: pulumi.StringArray{
pulumi.String("AmazonLinux2017.09"),
},
Configuration: pulumi.String(`[amzn-main]
name=amzn-main-Base
mirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list
mirrorlist_expire=300
metadata_expire=300
priority=10
failovermethod=priority
fastestmirror_enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
enabled=1
retries=3
timeout=5
report_instanceid=yes
`),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var al201709 = new Aws.Ssm.PatchBaseline("al_2017_09", new()
{
ApprovalRules = new[]
{
null,
},
Name = "Amazon-Linux-2017.09",
Description = "My patch repository for Amazon Linux 2017.09",
OperatingSystem = "AMAZON_LINUX",
Sources = new[]
{
new Aws.Ssm.Inputs.PatchBaselineSourceArgs
{
Name = "My-AL2017.09",
Products = new[]
{
"AmazonLinux2017.09",
},
Configuration = @"[amzn-main]
name=amzn-main-Base
mirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list
mirrorlist_expire=300
metadata_expire=300
priority=10
failovermethod=priority
fastestmirror_enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
enabled=1
retries=3
timeout=5
report_instanceid=yes
",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssm.PatchBaseline;
import com.pulumi.aws.ssm.PatchBaselineArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineApprovalRuleArgs;
import com.pulumi.aws.ssm.inputs.PatchBaselineSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var al201709 = new PatchBaseline("al201709", PatchBaselineArgs.builder()
.approvalRules(PatchBaselineApprovalRuleArgs.builder()
.build())
.name("Amazon-Linux-2017.09")
.description("My patch repository for Amazon Linux 2017.09")
.operatingSystem("AMAZON_LINUX")
.sources(PatchBaselineSourceArgs.builder()
.name("My-AL2017.09")
.products("AmazonLinux2017.09")
.configuration("""
[amzn-main]
name=amzn-main-Base
mirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list
mirrorlist_expire=300
metadata_expire=300
priority=10
failovermethod=priority
fastestmirror_enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
enabled=1
retries=3
timeout=5
report_instanceid=yes
""")
.build())
.build());
}
}
resources:
al201709:
type: aws:ssm:PatchBaseline
name: al_2017_09
properties:
approvalRules:
- {}
name: Amazon-Linux-2017.09
description: My patch repository for Amazon Linux 2017.09
operatingSystem: AMAZON_LINUX
sources:
- name: My-AL2017.09
products:
- AmazonLinux2017.09
configuration: |
[amzn-main]
name=amzn-main-Base
mirrorlist=http://repo./$awsregion./$awsdomain//$releasever/main/mirror.list
mirrorlist_expire=300
metadata_expire=300
priority=10
failovermethod=priority
fastestmirror_enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-ga
enabled=1
retries=3
timeout=5
report_instanceid=yes
The sources property points Amazon Linux instances to custom repositories. The configuration string uses yum repository format, specifying mirror lists and GPG keys. This applies only to Linux; operatingSystem must match the repository type.
Beyond these examples
These snippets focus on specific patch baseline features: explicit patch approval and rejection, rule-based filtering by product and severity, and custom patch repositories for Linux. They’re intentionally minimal rather than full patch management solutions.
The examples may reference pre-existing infrastructure such as SSM-managed EC2 instances (Windows or Linux), and custom patch repositories for Linux examples. They focus on defining patch criteria rather than provisioning the patch management workflow.
To keep things focused, common patch management patterns are omitted, including:
- Patch group associations (requires separate PatchGroup resource)
- Maintenance window scheduling (requires MaintenanceWindow resources)
- Compliance reporting and monitoring
- Cross-account baseline sharing
These omissions are intentional: the goal is to illustrate how each baseline feature is wired, not provide drop-in patch management modules. See the SSM Patch Baseline resource reference for all available configuration options.
Let's configure AWS Systems Manager Patch Baselines
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration Requirements
What's required when creating a patch baseline?
You must specify at least one of
approvedPatches or approvalRules. Both are marked optional, but the patch baseline requires one to be configured.Can I use both approvedPatches and approvalRules together?
No,
approvedPatches cannot be specified with approvalRules. Choose either explicit patch lists or rule-based selection.Operating System & Platform-Specific Features
Can I change the operating system after creating a patch baseline?
No,
operatingSystem is immutable. Changing it requires recreating the resource.What operating systems are supported and what's the default?
Supported values are
ALMA_LINUX, AMAZON_LINUX, AMAZON_LINUX_2, AMAZON_LINUX_2022, AMAZON_LINUX_2023, CENTOS, DEBIAN, MACOS, ORACLE_LINUX, RASPBIAN, REDHAT_ENTERPRISE_LINUX, ROCKY_LINUX, SUSE, UBUNTU, and WINDOWS. The default is WINDOWS.Which properties are Linux-only?
approvedPatchesEnableNonSecurity and sources apply to Linux instances only.Which properties are Windows-only?
availableSecurityUpdatesComplianceStatus is supported for Windows Server managed nodes only.Patch Selection & Filtering
What are the limits for approval rules and global filters?
You can specify up to 10 approval rules and up to 4 global filters per patch baseline.
What filter keys can I use with global filters?
Valid keys are
PRODUCT, CLASSIFICATION, MSRC_SEVERITY, and PATCH_ID.How do I specify an alternate patch source repository?
Use the
sources configuration block with name, products, and configuration fields. This applies to Linux instances only.How do I patch both Windows OS and Microsoft applications?
Create multiple
approvalRules: one for OS patches using CLASSIFICATION and MSRC_SEVERITY filters, and another for applications using PATCH_SET set to APPLICATION with PRODUCT filters for specific apps.Compliance & Actions
What's the default compliance level for approved patches?
The default value for
approvedPatchesComplianceLevel is UNSPECIFIED. Valid values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, and UNSPECIFIED.What actions can I take on rejected patches?
Use
rejectedPatchesAction with either ALLOW_AS_DEPENDENCY (allow as dependency for other patches) or BLOCK (completely block the patch).