[JAWS-UG CLI] Introduction to Amazon EC2 Systems Manager (4): MaintenanceWindows and PatchBaseline



About this article

This is the procedure guide for the hands-on session held at JAWS-UG CLI Special Interest Branch #81, Introduction to Amazon EC2 Systems Manager.


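Prerequisites


Required permissions

Use an IAM user or IAM role that has the following permissions for this work.


  • Full control permissions for EC2 Systems Manager (ssm)

  • Full control permissions for EC2

  • Full control permissions for CloudFormation

  • Full control permissions for IAM

  • Full control permissions for Config

  • Full control permissions for S3

  • Full control permissions for SNS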


0. Preparation


0.1. Specify the region

The hands-on uses the Tokyo region, but switch to another region if needed (for example, if you already use the Tokyo region for other testing).


Command

export AWS_DEFAULT_REGION="ap-northeast-1"



0.2. Check credentials


Command

aws configure list


When run on an EC2 instance that has an instance profile attached and no access key configured, the output looks like this.


Result

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************QSAA         iam-role
secret_key     ****************c1xY         iam-role
    region                us-west-2              env    AWS_DEFAULT_REGION


0.3. Check the version


Command

aws --version



Result

(Use the latest version whenever possible.)



0.4. Upgrade (if needed)


Command

sudo pip install -U awscli



1. Creating a PatchBaseline

A patch baseline is a resource that defines the types and severities of the updates you want applied.

You can also specify updates that you do not want applied.

Note: This hands-on uses the default patch baseline.


1.1. Check the default PatchBaseline


Get the ID of the default PatchBaseline


Command

BASELINE_ID=$(aws ssm describe-patch-baselines \
  --query 'BaselineIdentities[?DefaultBaseline==`true`].BaselineId' \
  --output text) \
  && echo ${BASELINE_ID}


Check the contents of the default PatchBaseline


Command

aws ssm get-patch-baseline \
  --baseline-id ${BASELINE_ID}


Result

{
    "BaselineId": "arn:aws:ssm:ap-northeast-1:486716784251:patchbaseline/pb-04ba050f612fba3a6",
    "Name": "AWS-DefaultPatchBaseline",
    "PatchGroups": [],
    "RejectedPatches": [],
    "GlobalFilters": {
        "PatchFilters": [
            {
                "Values": [
                    "Windows7",
                    "Windows8",
                    "Windows8.1",
                    "Windows10",
                    "Windows10LTSB",
                    "WindowsServer2008",
                    "WindowsServer2008R2",
                    "WindowsServer2012",
                    "WindowsServer2012R2",
                    "WindowsServer2016"
                ],
                "Key": "PRODUCT"
            }
        ]
    },
    "ApprovalRules": {
        "PatchRules": [
            {
                "PatchFilterGroup": {
                    "PatchFilters": [
                        {
                            "Values": [
                                "CriticalUpdates",
                                "SecurityUpdates"
                            ],
                            "Key": "CLASSIFICATION"
                        },
                        {
                            "Values": [
                                "Critical",
                                "Important"
                            ],
                            "Key": "MSRC_SEVERITY"
                        }
                    ]
                },
                "ApproveAfterDays": 7
            }
        ]
    },
    "ModifiedDate": 1481687616.193,
    "CreatedDate": 1481687616.193,
    "ApprovedPatches": [],
    "Description": "Default Patch Baseline Provided by AWS."
}
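
The approval logic of the baseline shown above, written out as an added example (not part of the original procedure and not AWS code): given a patch's product, classification, MSRC severity and age in days, it reports whether the default baseline would approve it. The function names and the placeholder KB IDs are assumptions for illustration; the filter values and the 7-day delay are copied from the output above.

```shell
#!/bin/sh
# Added example: evaluate a patch against the AWS-DefaultPatchBaseline
# values shown in the get-patch-baseline output above.

# GlobalFilters (PRODUCT)
BASELINE_PRODUCTS="Windows7 Windows8 Windows8.1 Windows10 Windows10LTSB WindowsServer2008 WindowsServer2008R2 WindowsServer2012 WindowsServer2012R2 WindowsServer2016"
RULE_CLASSIFICATIONS="CriticalUpdates SecurityUpdates"   # CLASSIFICATION filter
RULE_SEVERITIES="Critical Important"                     # MSRC_SEVERITY filter
APPROVE_AFTER_DAYS=7                                     # ApproveAfterDays
REJECTED_PATCHES=""                                      # RejectedPatches: []

# in_list ITEM "a b c": succeed if ITEM is one of the space-separated words.
in_list() {
  il_needle="$1"
  for il_item in $2; do
    if [ "$il_item" = "$il_needle" ]; then return 0; fi
  done
  return 1
}

# baseline_decision KB PRODUCT CLASSIFICATION SEVERITY DAYS_SINCE_RELEASE
# Prints REJECTED, NOT_MATCHED, PENDING or APPROVED.
# Returns 2 (and prints INVALID) if DAYS_SINCE_RELEASE is not a number.
baseline_decision() {
  bd_kb="$1"; bd_product="$2"; bd_class="$3"; bd_sev="$4"; bd_days="$5"
  case "$bd_days" in
    ''|*[!0-9]*) echo "INVALID"; return 2 ;;
  esac
  # A patch listed in RejectedPatches is never installed.
  if in_list "$bd_kb" "$REJECTED_PATCHES"; then echo "REJECTED"; return 0; fi
  # The global PRODUCT filter decides whether the baseline covers the patch.
  if ! in_list "$bd_product" "$BASELINE_PRODUCTS"; then echo "NOT_MATCHED"; return 0; fi
  # Filters inside one rule are ANDed; values inside one filter are ORed.
  if in_list "$bd_class" "$RULE_CLASSIFICATIONS" && in_list "$bd_sev" "$RULE_SEVERITIES"; then
    if [ "$bd_days" -ge "$APPROVE_AFTER_DAYS" ]; then
      echo "APPROVED"
    else
      echo "PENDING"   # matches the rule but is still inside the approval delay
    fi
    return 0
  fi
  echo "NOT_MATCHED"
}

# Demo with constructed patches (placeholder KB IDs, not real articles).
echo "critical, 10 days old : $(baseline_decision KB0000001 WindowsServer2012R2 SecurityUpdates Critical 10)"
echo "critical, 3 days old  : $(baseline_decision KB0000002 WindowsServer2012R2 SecurityUpdates Critical 3)"
echo "moderate severity     : $(baseline_decision KB0000003 WindowsServer2012R2 SecurityUpdates Moderate 30)"
echo "non-security update   : $(baseline_decision KB0000004 WindowsServer2016 Updates Important 30)"
```

A `PENDING` result is the window in which a released Critical or Important fix is not yet installed by this baseline; `NOT_MATCHED` patches are never installed by it.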


2. Creating a MaintenanceWindow


2.1. Create the MaintenanceWindow


Specify the parameters

Note: This sets a schedule that runs the maintenance task on Mondays at 8:00 PM (Japan time). The cron expression is in UTC, so 11:00 UTC corresponds to 8:00 PM JST.

Adjust the start time to match your progress.


Command

MAINTENANCE_WINDOW_NAME="test-maintenance-window"
MAINTENANCE_WINDOW_SCHEDULE="cron(0 11 ? * MON *)"
MAINTENANCE_WINDOW_DURATION="2"
MAINTENANCE_WINDOW_CUTOFF="1"


Confirm that no MaintenanceWindow with the same name exists


Command

aws ssm describe-maintenance-windows \
  --filters Key="Name",Values="${MAINTENANCE_WINDOW_NAME}"


Result

{
    "WindowIdentities": []
}


Create the MaintenanceWindow


Command

aws ssm create-maintenance-window \
  --name ${MAINTENANCE_WINDOW_NAME} \
  --schedule "${MAINTENANCE_WINDOW_SCHEDULE}" \
  --duration ${MAINTENANCE_WINDOW_DURATION} \
  --cutoff ${MAINTENANCE_WINDOW_CUTOFF} \
  --no-allow-unassociated-targets


Result

{
    "WindowId": "mw-*****************"
}


Check the MaintenanceWindow


Command

aws ssm describe-maintenance-windows \
  --filters Key="Name",Values="${MAINTENANCE_WINDOW_NAME}"


Result

{
    "WindowIdentities": [
        {
            "Duration": 2,
            "Cutoff": 1,
            "WindowId": "mw-*****************",
            "Enabled": true,
            "Name": "test-maintenance-window"
        }
    ]
}


Get the MaintenanceWindow ID


Command

MAINTENANCE_WINDOW_ID=$(aws ssm describe-maintenance-windows \
  --filters Key="Name",Values="${MAINTENANCE_WINDOW_NAME}" \
  --query "WindowIdentities[0].WindowId" \
  --output text) \
  && echo ${MAINTENANCE_WINDOW_ID}


Check the details of the MaintenanceWindow


Command

aws ssm get-maintenance-window \
  --window-id ${MAINTENANCE_WINDOW_ID}


Result

{
    "Cutoff": 1,
    "Name": "test-maintenance-window",
    "Schedule": "cron(0 11 ? * MON *)",
    "Enabled": true,
    "AllowUnassociatedTargets": false,
    "WindowId": "mw-*****************",
    "ModifiedDate": 1490534750.991,
    "CreatedDate": 1490534750.991,
    "Duration": 2
}


2.2. Register targets


Check which instances the MaintenanceWindow applies to


Command

aws ssm describe-maintenance-window-targets \
  --window-id ${MAINTENANCE_WINDOW_ID}


Result

{
    "Targets": []
}


Register the instance with the MaintenanceWindow


Command

aws ssm register-target-with-maintenance-window \
  --window-id ${MAINTENANCE_WINDOW_ID} \
  --resource-type "INSTANCE" \
  --targets "Key=InstanceIds,Values=${INSTANCE_ID}"


Result

{
    "WindowTargetId": "********-****-****-****-************"
}


Confirm that the instance has been registered with the MaintenanceWindow


Command

aws ssm describe-maintenance-window-targets \
  --window-id ${MAINTENANCE_WINDOW_ID}


Result

{
    "Targets": [
        {
            "ResourceType": "INSTANCE",
            "WindowId": "mw-*****************",
            "Targets": [
                {
                    "Values": [
                        "i-*****************"
                    ],
                    "Key": "InstanceIds"
                }
            ],
            "WindowTargetId": "********-****-****-****-************"
        }
    ]
}


2.3. Create the Service Role


Specify the role name


Command

ROLE_NAME_FOR_MAINTENANCE_WINDOW="ServiceRoleForMaintenanceWindow"



Confirm that no role with the same name exists


Command

aws iam get-role \
  --role-name ${ROLE_NAME_FOR_MAINTENANCE_WINDOW}


Result

An error occurred (NoSuchEntity) when calling the GetRole operation: Role not found for ServiceRoleForMaintenanceWindow



Define the trust relationship


Command

TRUST_POLICY_FILE='Trust-Policy-for-MaintenanceWindow.json'



Command

cat << EOF > ${TRUST_POLICY_FILE}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ssm.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF

cat ${TRUST_POLICY_FILE}



Command

jsonlint -q ${TRUST_POLICY_FILE}



Check the parameters


Command

cat << ETX

ROLE_NAME_FOR_MAINTENANCE_WINDOW: ${ROLE_NAME_FOR_MAINTENANCE_WINDOW}
TRUST_POLICY_FILE: ${TRUST_POLICY_FILE}

ETX



Result


ROLE_NAME_FOR_MAINTENANCE_WINDOW: ServiceRoleForMaintenanceWindow
TRUST_POLICY_FILE: Trust-Policy-for-MaintenanceWindow.json



Create the role


Command

aws iam create-role \
  --role-name ${ROLE_NAME_FOR_MAINTENANCE_WINDOW} \
  --assume-role-policy-document file://${TRUST_POLICY_FILE}


Result

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "ssm.amazonaws.com"
                        ]
                    }
                }
            ]
        },
        "RoleId": "*********************",
        "CreateDate": "2017-03-26T14:40:35.623Z",
        "RoleName": "ServiceRoleForMaintenanceWindow",
        "Path": "/",
        "Arn": "arn:aws:iam::************:role/ServiceRoleForMaintenanceWindow"
    }
}


Specify the policy to attach to the role


Command

POLICY_ARN_FOR_MAINTENANCE_WINDOW="arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole"



Attach the policy to the role


Command

aws iam attach-role-policy \
  --role-name ${ROLE_NAME_FOR_MAINTENANCE_WINDOW} \
  --policy-arn ${POLICY_ARN_FOR_MAINTENANCE_WINDOW}


Confirm that the policy has been attached to the role


Command

aws iam list-attached-role-policies \
  --role-name ${ROLE_NAME_FOR_MAINTENANCE_WINDOW}


Result

{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonSSMMaintenanceWindowRole",
            "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole"
        }
    ]
}


Get the ARN


Command

ROLE_ARN_FOR_MAINTENANCE_WINDOW=$(aws iam get-role \
  --role-name ${ROLE_NAME_FOR_MAINTENANCE_WINDOW} \
  --query "Role.Arn" \
  --output text) \
  && echo ${ROLE_ARN_FOR_MAINTENANCE_WINDOW}


Result

arn:aws:iam::************:role/ServiceRoleForMaintenanceWindow



2.4. Register the task


Specify the document


Command

DOCUMENT_NAME="AWS-ApplyPatchBaseline"



Check the parameters that the document accepts


Command

aws ssm describe-document \
  --name ${DOCUMENT_NAME} \
  --query "Document.Parameters"


Result

[
    {
        "Type": "String",
        "Name": "Operation",
        "Description": "(Required) The update or configuration to perform on the instance. The system checks if the baseline patches are installed. The install operation installs all patches in the baseline."
    },
    {
        "DefaultValue": "",
        "Type": "String",
        "Name": "SnapshotId",
        "Description": "(Optional) The snapshot Id to retrieve a patch baseline snapshot with."
    }
]


Check what the document executes


Command

aws ssm get-document \
  --name ${DOCUMENT_NAME}


Result

{
"Content": "{\n \"schemaVersion\": \"1.2\",\n \"description\": \"Scans for or installs patches from a patch baseline.\",\n \"parameters\": {\n \"Operation\": {\n \"type\": \"String\",\n \"description\": \"(Required) The update or configuration to perform on the instance. The system checks if the baseline patches are installed. The install operation installs all patches in the baseline.\", \n \"allowedValues\": [\n \"Scan\",\n \"Install\"\n ]\n },\n \"SnapshotId\": {\n \"type\": \"String\",\n \"description\": \"(Optional) The snapshot Id to retrieve a patch baseline snapshot with.\",\n \"allowedPattern\": \"(^$)|^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$\",\n \"default\" : \"\"\n }\n },\n \"runtimeConfig\": {\n \"aws:runPowerShellScript\": {\n \"properties\": [{\n \"id\": \"0.aws:runPowerShellScript\",\n \"timeoutSeconds\": 7200,\n \"runCommand\": [\n \"# Check the OS version\",\n \"if ([Environment]::OSVersion.Version.Major -le 5) {\",\n \" Write-Error 'This command is not supported on Windows 2003 or lower.'\",\n \" exit -1\",\n \"} elseif ([Environment]::OSVersion.Version.Major -ge 10) {\",\n \" $sku = (Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU\",\n \" if ($sku -eq 143 -or $sku -eq 144) {\",\n \" Write-Host 'This command is not supported on Windows 2016 Nano Server.'\",\n \" exit -1\",\n \" }\",\n \"}\",\n \"# Check the SSM agent version\",\n \"$ssmAgentService = Get-ItemProperty 'HKLM:SYSTEM\\\\CurrentControlSet\\\\Services\\\\AmazonSSMAgent\\\\'\",\n \"if (-not $ssmAgentService -or $ssmAgentService.Version -lt '2.0.533.0') {\",\n \" Write-Host 'This command is not supported with SSM Agent version less than 2.0.533.0.'\",\n \" exit -1\",\n \"}\",\n \"\",\n \"# Application specific constants\",\n \"$appName = 'PatchBaselineOperations'\",\n \"$psModuleFileName = 'Amazon.PatchBaselineOperations.dll'\",\n \"$s3FileName = 'Amazon.PatchBaselineOperations-1.0.zip'\",\n \"$s3LocationUsEast = 
'https://s3.amazonaws.com/aws-ssm-{0}/' + $appName.ToLower() + '/' + $s3FileName\",\n \"$s3LocationRegular = 'https://s3-{0}.amazonaws.com/aws-ssm-{0}/' + $appName.ToLower() + '/' + $s3FileName\",\n \"$s3LocationCn = 'https://s3.{0}.amazonaws.com.cn/aws-ssm-{0}/' + $appName.ToLower() + '/' + $s3FileName\",\n \"$s3FileHash = '1B3731B11AB9A56A8F9C89FF8008F61A0E10539DC751B1C9D3ED85A0DD3FBB4F'\",\n \"$psModuleHashes = @{ \",\n \" 'Amazon.PatchBaselineOperations.dll' = '9708C234C3DED1AF9DBCF583A2D4651E79815B4A4FFF5047CDD15151CF1945AD';\",\n \" 'AWSSDK.Core.dll' = 'D6E34999DBF9BE1A439E05E1B4E0D730655CE2E33000B658FBEF89AFDC1EEB99';\",\n \" 'AWSSDK.SimpleSystemsManagement.dll' = '58043C199D716A627D1031DFFECC88DE4EE7F91D0AE6C9110362FA520FD0E287';\",\n \" 'Newtonsoft.Json.dll' = '0516D4109263C126C779E4E8F5879349663FA0A5B23D6D44167403E14066E6F9';\",\n \" 'THIRD_PARTY_LICENSES.txt' = '4C9B3A1C7C3E27676DD31AFC89FAC6584CA49FB850C9E62DDCF9E5E78F50640C'\",\n \"}\",\n \"\",\n \"# Folders and Logging\",\n \"$tempDirectory = $env:TEMP\",\n \"$downloadPath = [IO.Path]::Combine($tempDirectory, $s3FileName)\",\n \"$psModuleInstallLocation = [IO.Path]::Combine([Environment]::GetEnvironmentVariable([Environment+SpecialFolder]::ProgramFiles), 'Amazon', $appName)\",\n \"$psModuleInstallFile = [IO.Path]::Combine($psModuleInstallLocation, $psModuleFileName)\",\n \"$log = @()\",\n \"\",\n \"function CheckFileHash ($filePath, $fileHash) {\",\n \" if (Test-Path($filePath)) {\",\n \" $fileStream = New-Object System.IO.FileStream($filePath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)\",\n \" $sha256 = [System.Security.Cryptography.SHA256]::Create()\",\n \" $sourceHash = [System.BitConverter]::ToString($sha256.ComputeHash($fileStream), 0).Replace('-', '').ToLowerInvariant()\",\n \" $sha256.Dispose()\",\n \" $fileStream.Dispose()\",\n \" \",\n \" if ($sourceHash -ne $fileHash) {\",\n \" return $false\",\n \" }\",\n \" else {\",\n \" return $true\",\n \" }\",\n \" }\",\n \" else {\",\n 
\" return $false\",\n \" }\",\n \"}\",\n \"\",\n \"function CheckPowerShellModuleInstallation {\",\n \" $isInstalled = $false \",\n \" # Path does not exist meaning it has never been downloaded.\",\n \" if (Test-Path($psModuleInstallLocation)) {\",\n \" # Check if the expected number of files and directories are in the folder\",\n \" if (((Get-ChildItem $psModuleInstallLocation -Directory | Measure-Object | %{$_.Count}) -eq 0) -and \",\n \" ((Get-ChildItem $psModuleInstallLocation -File | Measure-Object | %{$_.Count}) -eq $psModuleHashes.Count)) {\",\n \" $validFileHashes = $true\",\n \"\",\n \" # Check each file for their expected file hash.\",\n \" Get-ChildItem $psModuleInstallLocation -File | ForEach-Object {\",\n \" if ($psModuleHashes.ContainsKey($_.Name)) {\",\n \" $installFile = [IO.Path]::Combine($psModuleInstallLocation, $_.Name)\",\n \" if (-Not (CheckFileHash $installFile $psModuleHashes[$_.Name])) {\",\n \" $log += ('The SHA hash of the {0} file does not match the expected value.' -f $_.Name)\",\n \" $validFileHashes = $false\",\n \" }\",\n \" } else {\",\n \" $log += ('The PowerShellModule installation folder contains an unexpected file with name {0}.' -f $_.Name)\",\n \" $validFileHashes = $false\",\n \" }\",\n \" }\",\n \"\",\n \" $isInstalled = $validFileHashes\",\n \" } else {\",\n \" $log += ('An incorrect number of files were present in the PowerShellModule installation folder. 
The contents will be deleted.')\",\n \" }\",\n \"\",\n \" if (-Not $isInstalled) {\",\n \" # Remove all files and folders as the folder contains potentially malicious software.\",\n \" Remove-Item $psModuleInstallLocation -Recurse\",\n \" }\",\n \" }\",\n \" \",\n \" return $isInstalled\",\n \"}\",\n \"\",\n \"function InstallPowerShellModule {\",\n \" if (-Not (CheckPowerShellModuleInstallation)) {\",\n \" $log += (\\\"Preparing to download {0} PowerShell module from S3.`r`n\\\" -f $appName)\",\n \"\",\n \" #Setup the directories if they do not exist.\",\n \" if (-Not (Test-Path($psModuleInstallLocation))) {\",\n \" $noOp = New-Item $psModuleInstallLocation -ItemType Directory\",\n \" } \",\n \"\",\n \" if (-Not (Test-Path($tempDirectory))) {\",\n \" $noOp = New-Item $tempDirectory -ItemType Directory\",\n \" }\",\n \" $region = $env:AWS_SSM_REGION_NAME \",\n \" if ($region -eq 'us-east-1') {\",\n \" $s3Location = $s3LocationUsEast -f $region\",\n \" } elseif ($region -eq 'cn-north-1') {\",\n \" $s3Location = $s3LocationCn -f $region\",\n \" } else {\",\n \" $s3Location = $s3LocationRegular -f $region\",\n \" }\",\n \"\",\n \" $log += (\\\"Downloading {0} PowerShell module from {1} to {2}.`r`n\\\" -f $appName, $s3Location, $downloadPath)\",\n \" (New-Object Net.WebClient).DownloadFile($s3Location, $downloadPath)\",\n \"\",\n \" if (CheckFileHash $downloadPath $s3FileHash ) {\",\n \" $log += (\\\"Extracting {0} zip file contents to temporary folder.`r`n\\\" -f $appName)\",\n \" (New-Object -Com Shell.Application).namespace($psModuleInstallLocation).CopyHere((New-Object -Com Shell.Application).namespace($downloadPath).Items(), 16)\",\n \" }\",\n \" else {\",\n \" throw ('The SHA hash of the {0} S3 source file does not match the expected value.' 
-f $appName)\",\n \" }\",\n \"\",\n \" $log += (\\\"Verifying SHA 256 of the {0} PowerShell module files.`r`n\\\" -f $appName)\",\n \" if (-Not (CheckPowerShellModuleInstallation)) {\",\n \" throw ('The verification of the {0} PowerShell module did not pass.' -f $appName)\",\n \" }\",\n \"\",\n \" $log += (\\\"Successfully downloaded and installed the {0} PowerShell module.`r`n\\\" -f $appName)\",\n \" }\",\n \"}\",\n \"\",\n \"try {\",\n \" InstallPowerShellModule\",\n \"} catch [Exception] {\",\n \" $msg = \\\"An error occurred when executing {0}: {1}`r`nDetails:`r`n{2}\\\" -f $appName, $_.Exception.Message, $log\",\n \" Write-Error $msg\",\n \" exit -1\",\n \"}\",\n \"finally {\",\n \" if (Test-Path $downloadPath) {\",\n \" rm $downloadPath\",\n \" }\",\n \"}\",\n \"\",\n \"# Setup the command\",\n \"Import-Module $psModuleInstallFile\",\n \"$response = Invoke-PatchBaselineOperation -Operation {{Operation}} -SnapshotId '{{SnapshotId}}' -InstanceId $env:AWS_SSM_INSTANCE_ID -Region $env:AWS_SSM_REGION_NAME\",\n \"\",\n \"if ($response.ExitCode -ne 3010)\",\n \"{\",\n \" $response.ToString()\",\n \"}\",\n \"\",\n \"exit $response.ExitCode\"\n ]\n }]\n }\n }\n}\n",
"Name": "AWS-ApplyPatchBaseline"
}


Specify the document parameters


Command

PATCH_BASELINE_PARAMETER_FILE_NAME="patch_baseline_parameter.json"



Command

cat << EOF > ${PATCH_BASELINE_PARAMETER_FILE_NAME}
{
    "Operation": {
        "Values": [
            "Install"
        ]
    }
}
EOF

cat ${PATCH_BASELINE_PARAMETER_FILE_NAME}



Command

jsonlint -q ${PATCH_BASELINE_PARAMETER_FILE_NAME}



Specify the output destination for execution results


Command

PATCH_BASELINE_LOGGING_FILE_NAME="patch_baseline_logging.json"



Command

cat << EOF > ${PATCH_BASELINE_LOGGING_FILE_NAME}
{
    "S3BucketName": "${BUCKET_NAME}",
    "S3KeyPrefix": "",
    "S3Region": "${AWS_DEFAULT_REGION}"
}
EOF

cat ${PATCH_BASELINE_LOGGING_FILE_NAME}



Command

jsonlint -q ${PATCH_BASELINE_LOGGING_FILE_NAME}



Specify the other parameters


Command

TASK_TYPE="RUN_COMMAND"
PRIORITY="1"
MAX_CONCURRENCY="1"
MAX_ERRORS="1"


Register the task


Command

aws ssm register-task-with-maintenance-window \
  --window-id ${MAINTENANCE_WINDOW_ID} \
  --targets "Key=InstanceIds,Values=${INSTANCE_ID}" \
  --task-arn ${DOCUMENT_NAME} \
  --service-role-arn ${ROLE_ARN_FOR_MAINTENANCE_WINDOW} \
  --task-type ${TASK_TYPE} \
  --task-parameters file://${PATCH_BASELINE_PARAMETER_FILE_NAME} \
  --priority ${PRIORITY} \
  --max-concurrency ${MAX_CONCURRENCY} \
  --max-errors ${MAX_ERRORS} \
  --logging-info file://${PATCH_BASELINE_LOGGING_FILE_NAME}


Result

{
    "WindowTaskId": "********-****-****-****-************"
}


Confirm that the task has been registered


Command

aws ssm describe-maintenance-window-tasks \
  --window-id ${MAINTENANCE_WINDOW_ID}


Result

{
    "Tasks": [
        {
            "LoggingInfo": {
                "S3KeyPrefix": "",
                "S3BucketName": "ec2-systems-manager-************",
                "S3Region": "ap-northeast-1"
            },
            "ServiceRoleArn": "arn:aws:iam::************:role/ServiceRoleForMaintenanceWindow",
            "MaxErrors": "1",
            "TaskArn": "AWS-ApplyPatchBaseline",
            "MaxConcurrency": "1",
            "WindowTaskId": "********-****-****-****-************",
            "TaskParameters": {
                "Operation": {
                    "Values": [
                        "Scan"
                    ]
                }
            },
            "Priority": 1,
            "WindowId": "mw-*****************",
            "Type": "RUN_COMMAND",
            "Targets": [
                {
                    "Values": [
                        "i-*****************"
                    ],
                    "Key": "InstanceIds"
                }
            ]
        }
    ]
}


3. Verifying operation


3.1. Check the maintenance window execution history

Run these commands after the scheduled time has passed.


List the maintenance window executions


Command

aws ssm describe-maintenance-window-executions \
  --window-id ${MAINTENANCE_WINDOW_ID}


Result

{
    "WindowExecutions": [
        {
            "Status": "IN_PROGRESS",
            "WindowId": "mw-0246784fcac329f62",
            "WindowExecutionId": "0be4db9a-41f3-4a65-b611-34fbf433cc99",
            "StartTime": 1490883027.414
        }
    ]
}


Check the result of the maintenance window execution


Command

EXECUTION_ID=$(aws ssm describe-maintenance-window-executions \
  --window-id ${MAINTENANCE_WINDOW_ID} \
  --query "sort_by(WindowExecutions,&StartTime)[-1].WindowExecutionId" \
  --output text) \
  && echo ${EXECUTION_ID}


Command

aws ssm describe-maintenance-window-execution-tasks \
  --window-execution-id ${EXECUTION_ID}


Result

{
    "WindowExecutionTaskIdentities": [
        {
            "Status": "SUCCESS",
            "TaskArn": "AWS-ApplyPatchBaseline",
            "StartTime": 1490883027.89,
            "TaskType": "RUN_COMMAND",
            "EndTime": 1490883485.858,
            "WindowExecutionId": "0be4db9a-41f3-4a65-b611-34fbf433cc99",
            "TaskExecutionId": "3ec28799-6f42-4a3a-a503-2b708dc9b3c8"
        }
    ]
}


Check the result of the task execution


Command

TASK_ID=$(aws ssm describe-maintenance-window-execution-tasks \
  --window-execution-id ${EXECUTION_ID} \
  --query "WindowExecutionTaskIdentities[0].TaskExecutionId" \
  --output text) \
  && echo ${TASK_ID}


Command

aws ssm describe-maintenance-window-execution-task-invocations \
  --window-execution-id ${EXECUTION_ID} \
  --task-id ${TASK_ID}


Result

{
    "WindowExecutionTaskInvocationIdentities": [
        {
            "Status": "SUCCESS",
            "Parameters": "{\"documentName\":\"AWS-ApplyPatchBaseline\",\"instanceIds\":[\"i-*****************\"],\"parameters\":{\"SnapshotId\":[\"0be4db9a-41f3-4a65-b611-34fbf433cc99\"],\"Operation\":[\"Scan\"]},\"maxConcurrency\":\"1\",\"maxErrors\":\"1\",\"outputS3BucketName\":\"ec2-systems-manager-************\",\"outputS3Region\":\"ap-northeast-1\",\"outputS3KeyPrefix\":\"\"}",
            "ExecutionId": "ec20c45e-631d-4802-8e38-5e1729336137",
            "InvocationId": "9887654e-bfc1-49ae-87e9-2e8d750f3613",
            "StartTime": 1490883027.962,
            "EndTime": 1490883485.704,
            "WindowExecutionId": "0be4db9a-41f3-4a65-b611-34fbf433cc99",
            "StatusDetails": "Success",
            "TaskExecutionId": "3ec28799-6f42-4a3a-a503-2b708dc9b3c8"
        }
    ]
}


Check the execution log


Command

EXECUTION_ID=$(aws ssm describe-maintenance-window-execution-task-invocations \
  --window-execution-id ${EXECUTION_ID} \
  --task-id ${TASK_ID} \
  --query "WindowExecutionTaskInvocationIdentities[0].ExecutionId" \
  --output text) \
  && echo ${EXECUTION_ID}


Command

OBJECT_KEY=$(aws s3 ls ${BUCKET_NAME} \
  --recursive \
  | grep ${EXECUTION_ID} \
  | grep "stdout" \
  | sed 's/[\t ]\+/\t/g' \
  | cut -f4) \
  && echo ${OBJECT_KEY}


Result

ec20c45e-631d-4802-8e38-5e1729336137/i-*****************/awsrunPowerShellScript/0.awsrunPowerShellScript/stdout



Command

aws s3 cp s3://${BUCKET_NAME}/${OBJECT_KEY} stdout && cat stdout


Result

download: s3://ec2-systems-manager-************/ec20c45e-631d-4802-8e38-5e1729336137/i-*****************/awsrunPowerShellScript/0.awsrunPowerShellScript/stdout to ./stdout

Patch Summary for i-*****************
PatchGroup :
BaselineId : pb-04ba050f612fba3a6
SnapshotId : de205080-287e-4a77-b17f-752a30f5b671
OwnerInformation :
OperationType : Install
OperationStartTime : 2017-04-02T14:20:50.0000000Z
OperationEndTime : 2017-04-02T14:37:17.5713419Z
InstalledCount : 70
InstalledOtherCount : 179
FailedCount : 0
MissingCount : 0
NotApplicableCount : 1743

WIN-ND2FOTNT7HF - PatchBaselineOperations Installation Results - 2017-04-02T14:37:19.235

KbArticleId Installed Message
----------- ----------- -----------
KB2966826 Yes Success
KB2973114 Yes Success
KB2972213 Yes Success
KB2966828 Yes Success
KB2968296 Yes Success
KB2972103 Yes Success
KB2982998 Yes Success
KB2978122 Yes Success
KB3037576 Yes Success
KB3023219 Yes Success
KB3072307 Yes Success
KB3074545 Yes Success
KB3097992 Yes Success
KB3127222 Yes Success
KB3122651 Yes Success
KB3135985 Yes Success
KB3142026 Yes Success
KB4012216 Yes Success
KB3205404 Yes Success


List of Windows updates


Command

aws ssm list-inventory-entries \
  --instance-id ${INSTANCE_ID} \
  --type-name AWS:WindowsUpdate


Result

{
"InstanceId": "i-*****************",
"TypeName": "AWS:WindowsUpdate",
"Entries": [
{
"HotFixId": "KB2978122",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB2982998",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3135985",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB2973114",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB2968296",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB2972103",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB2972213",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3097992",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3023219",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3127222",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3037576",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3122651",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3074545",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3072307",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3142026",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB4012216",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB2966826",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3210132",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB2966828",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2017-04-02T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3210135",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-12-14T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3195387",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-11-22T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3179948",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-10-11T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3182203",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-10-11T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3179574",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3185911",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3184122",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3177186",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3174644",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3175024",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3178539",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3185319",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3184943",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-09-14T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3175443",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-08-13T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3172729",
"InstalledBy": "WIN-ND2FOTNT7HF\\Administrator",
"InstalledTime": "2016-08-13T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3173424",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-08-13T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3172614",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-08-13T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3169704",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-08-13T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3170455",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-08-13T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3161949",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3162343",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3160005",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3159398",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3161958",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3164035",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3162835",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3164294",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Security Update"
},
{
"HotFixId": "KB3156418",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-06-15T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3145432",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-05-12T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3145384",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-05-12T00:00:00Z",
"Description": "Update"
},
{
"HotFixId": "KB3146604",
"InstalledBy": "NT AUTHORITY\\SYSTEM",
"InstalledTime": "2016-05-12T00:00:00Z",
"Description": "Update"
}
],
"SchemaVersion": "1.0",
"NextToken": "AAEAATZ7h5MZSBZax3pNRMn5LTF/aOIbylNJxj/5LJbttCDqaFPutnVAhLKwvHtSX86sgzlfcwrsVaxEMVktcbn/x65PStfisYBgO9PVJx6sUX6+sARWDMVOg6F8eY+m8BpLrNWw3Lm5qSA5cp5lhUv04GXkbwxBbkjWFxtrzd8fLfApcVao1b/U07WofxCF8H0UyX6cEZ+GNikKbAQVBqOlEa8ovNSyg+zLgdPU+cEzWDDT9X+o/B0ODAAvtUDaWhP0Am/mHPAufTkvFgpvGdF28yM=",
"CaptureTime": "2017-04-02T14:34:19Z"
}


Patch baseline compliance status (?)


Command

aws ssm list-inventory-entries \
  --instance-id ${INSTANCE_ID} \
  --type-name AWS:PatchCompliance


Result

{
"InstanceId": "i-*****************",
"TypeName": "AWS:PatchCompliance",
"Entries": [
{
"KBId": "KB2919355",
"Severity": "Critical",
"Classification": "SecurityUpdates",
"Title": "Windows 8.1 Update for x64-based Systems (KB2919355)",
"State": "Installed",
"InstalledTime": "2014-03-18T00:00:00.0000000Z"
},
{
"KBId": "KB2966826",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2966826)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB2966828",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2966828)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB2968296",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2968296)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB2972103",
"Severity": "Critical",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 (KB2972103)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB2972213",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2972213)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB2973114",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 (KB2973114)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB2978122",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2978122)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB2982998",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 (KB2982998)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3000483",
"Severity": "Critical",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 7 for x64-based Systems (KB3000483)",
"State": "Installed",
"InstalledTime": "2016-05-12T00:00:00.0000000Z"
},
{
"KBId": "KB3004361",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 8.1 for x64-based Systems (KB3004361)",
"State": "Installed",
"InstalledTime": "2015-02-10T00:00:00.0000000Z"
},
{
"KBId": "KB3004365",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 8.1 (KB3004365)",
"State": "Installed",
"InstalledTime": "2015-08-13T00:00:00.0000000Z"
},
{
"KBId": "KB3019978",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 8 (KB3019978)",
"State": "Installed",
"InstalledTime": "2015-01-13T00:00:00.0000000Z"
},
{
"KBId": "KB3022777",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 R2 x64 Edition (KB3022777)",
"State": "Installed",
"InstalledTime": "2015-01-13T00:00:00.0000000Z"
},
{
"KBId": "KB3023219",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 (KB3023219)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3023266",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 8.1 for x64-based Systems (KB3023266)",
"State": "Installed",
"InstalledTime": "2015-01-13T00:00:00.0000000Z"
},
{
"KBId": "KB3030377",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 R2 for Itanium-based Systems (KB3030377)",
"State": "Installed",
"InstalledTime": "2015-03-10T00:00:00.0000000Z"
},
{
"KBId": "KB3035126",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 (KB3035126)",
"State": "Installed",
"InstalledTime": "2015-03-10T00:00:00.0000000Z"
},
{
"KBId": "KB3037576",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB3037576)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3045685",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 (KB3045685)",
"State": "Installed",
"InstalledTime": "2015-04-15T00:00:00.0000000Z"
},
{
"KBId": "KB3045999",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 8.1 (KB3045999)",
"State": "Installed",
"InstalledTime": "2015-04-15T00:00:00.0000000Z"
},
{
"KBId": "KB3046017",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 (KB3046017)",
"State": "Installed",
"InstalledTime": "2015-08-13T00:00:00.0000000Z"
},
{
"KBId": "KB3055642",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 R2 (KB3055642)",
"State": "Installed",
"InstalledTime": "2015-05-13T00:00:00.0000000Z"
},
{
"KBId": "KB3059317",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 (KB3059317)",
"State": "Installed",
"InstalledTime": "2015-08-13T00:00:00.0000000Z"
},
{
"KBId": "KB3061512",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 R2 (KB3061512)",
"State": "Installed",
"InstalledTime": "2015-08-13T00:00:00.0000000Z"
},
{
"KBId": "KB3071756",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 7 for x64-based Systems (KB3071756)",
"State": "Installed",
"InstalledTime": "2015-08-13T00:00:00.0000000Z"
},
{
"KBId": "KB3072307",
"Severity": "Critical",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB3072307)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3074545",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 (KB3074545)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3075220",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 (KB3075220)",
"State": "Installed",
"InstalledTime": "2015-08-13T00:00:00.0000000Z"
},
{
"KBId": "KB3082089",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 8.1 for x64-based Systems (KB3082089)",
"State": "Installed",
"InstalledTime": "2015-09-09T00:00:00.0000000Z"
},
{
"KBId": "KB3084135",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 R2 (KB3084135)",
"State": "Installed",
"InstalledTime": "2015-09-09T00:00:00.0000000Z"
},
{
"KBId": "KB3092601",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 for Itanium-based Systems (KB3092601)",
"State": "Installed",
"InstalledTime": "2015-11-12T00:00:00.0000000Z"
},
{
"KBId": "KB3097992",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 for x86-based Systems (KB3097992)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3109103",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 (KB3109103)",
"State": "Installed",
"InstalledTime": "2015-12-09T00:00:00.0000000Z"
},
{
"KBId": "KB3110329",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 7 for x64-based Systems (KB3110329)",
"State": "Installed",
"InstalledTime": "2016-01-13T00:00:00.0000000Z"
},
{
"KBId": "KB3121461",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 7 (KB3121461)",
"State": "Installed",
"InstalledTime": "2016-01-13T00:00:00.0000000Z"
},
{
"KBId": "KB3121918",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 R2 (KB3121918)",
"State": "Installed",
"InstalledTime": "2016-01-13T00:00:00.0000000Z"
},
{
"KBId": "KB3122651",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 (KB3122651)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3124275",
"Severity": "Critical",
"Classification": "SecurityUpdates",
"Title": "Cumulative Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB3124275)",
"State": "Installed",
"InstalledTime": "2016-01-13T00:00:00.0000000Z"
},
{
"KBId": "KB3126434",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows 8.1 for x64-based Systems (KB3126434)",
"State": "Installed",
"InstalledTime": "2016-02-11T00:00:00.0000000Z"
},
{
"KBId": "KB3126587",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 R2 (KB3126587)",
"State": "Installed",
"InstalledTime": "2016-02-11T00:00:00.0000000Z"
},
{
"KBId": "KB3126593",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 (KB3126593)",
"State": "Installed",
"InstalledTime": "2016-02-11T00:00:00.0000000Z"
},
{
"KBId": "KB3127222",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 (KB3127222)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3133043",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 R2 x64 Edition (KB3133043)",
"State": "Installed",
"InstalledTime": "2016-02-11T00:00:00.0000000Z"
},
{
"KBId": "KB3135985",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 (KB3135985)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3139398",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 R2 for Itanium-based Systems (KB3139398)",
"State": "Installed",
"InstalledTime": "2016-03-08T00:00:00.0000000Z"
},
{
"KBId": "KB3139914",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 R2 (KB3139914)",
"State": "Installed",
"InstalledTime": "2016-03-08T00:00:00.0000000Z"
},
{
"KBId": "KB3142026",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64 (KB3142026)",
"State": "Installed",
"InstalledTime": "2017-04-02T00:00:00.0000000Z"
},
{
"KBId": "KB3146723",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2012 R2 (KB3146723)",
"State": "Installed",
"InstalledTime": "2016-04-12T00:00:00.0000000Z"
},
{
"KBId": "KB3149090",
"Severity": "Important",
"Classification": "SecurityUpdates",
"Title": "Security Update for Windows Server 2008 for Itanium-based Systems (KB3149090)",
"State": "Installed",
"InstalledTime": "2016-04-12T00:00:00.0000000Z"
}
],
"SchemaVersion": "1.0",
"NextToken": "AAEAATexnyIR4JxtsdR11dWfIyDJJyym4x7iUGG0NT3QkTMSzznfW3U95SPg+cYmw7RfiRc0CKh4p6Zzx1mJjssXAe3MqPx3VOEKkYfETykHl1NT90duHwH3LAHbRut7lzzPe9vQKcPSz/h8XkPK+PVv6EuyGgEJ8X+2YF05pdLYDlK8Jbb3XbyOrgNaP4RRZE4bGjFFF9DM93eG0O3Let2/5v1yDkt7mbVDYL4T3YD9CEnnyxcROPaiNzfsq82ForVn0yYkPa7OpFG0kzCwiiwzfyc=",
"CaptureTime": "2017-04-02T02:37:17Z"
}


Patch application status (summary)


Command

aws ssm list-inventory-entries \
--instance-id ${INSTANCE_ID} \
--type-name AWS:PatchSummary


Result

{

"InstanceId": "i-*****************",
"TypeName": "AWS:PatchSummary",
"Entries": [
{
"BaselineId": "pb-04ba050f612fba3a6",
"InstalledOtherCount": "179",
"FailedCount": "0",
"MissingCount": "0",
"NotApplicableCount": "1743",
"OperationEndTime": "2017-04-02T14:37:17.5713419Z",
"PatchGroup": "",
"OperationType": "Install",
"OwnerInformation": "",
"OperationStartTime": "2017-04-02T14:20:50.0000000Z",
"InstalledCount": "70",
"SnapshotId": "de205080-287e-4a77-b17f-752a30f5b671"
}
],
"SchemaVersion": "1.0",
"CaptureTime": "2017-04-02T02:37:17Z"
}
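
The AWS:PatchSummary result above can be turned into an automated pass/fail check after a maintenance window has run. The following is an added example, not part of the original hands-on: the function names, the 7-day freshness threshold and the sample document (the page's output with MissingCount changed to "2") are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: same shape as the AWS:PatchSummary result above, with
# MissingCount changed to "2" so the check has something to report.
SAMPLE = json.loads("""
{"InstanceId": "i-EXAMPLE", "TypeName": "AWS:PatchSummary",
 "Entries": [{"BaselineId": "pb-04ba050f612fba3a6",
              "FailedCount": "0", "MissingCount": "2",
              "InstalledCount": "70", "OperationType": "Install",
              "OperationEndTime": "2017-04-02T14:37:17.5713419Z"}]}
""")


def parse_time(value):
    # The fraction has 7 digits (more than strptime's %f accepts), so parse
    # only the whole-second part: the first 19 characters.
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def evaluate_patch_summary(doc, now, max_age=timedelta(days=7)):
    """Return a list of findings; an empty list means the instance passes.

    max_age is an assumed freshness threshold, not an AWS default.
    """
    if doc.get("TypeName") != "AWS:PatchSummary":
        raise ValueError("expected an AWS:PatchSummary document")
    entries = doc.get("Entries", [])
    if not entries:
        return ["no AWS:PatchSummary entries returned"]
    findings = []
    for entry in entries:
        baseline = entry.get("BaselineId", "unknown")
        # Counts are JSON strings ("0"), so convert before comparing.
        for key in ("MissingCount", "FailedCount"):
            count = int(entry.get(key) or 0)
            if count > 0:
                findings.append(f"{key}={count} (baseline {baseline})")
        age = now - parse_time(entry["OperationEndTime"])
        if age > max_age:
            findings.append(f"last {entry.get('OperationType')} is {age.days} days old")
    return findings


if __name__ == "__main__":
    # Runs against the constructed sample; pass the parsed CLI output instead.
    for finding in evaluate_patch_summary(SAMPLE, datetime.now(timezone.utc)):
        print("NON-COMPLIANT:", finding)
```

An empty `Entries` list is reported as a finding rather than a pass, so an instance that has never reported a patch summary is not mistaken for a compliant one.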


4. Deleting the maintenance window


4.1. Deleting the maintenance window


Check the parameters


Command

cat << ETX

MAINTENANCE_WINDOW_ID: ${MAINTENANCE_WINDOW_ID}

ETX



Result


MAINTENANCE_WINDOW_ID: mw-*****************



Delete the maintenance window


Command

aws ssm delete-maintenance-window \
--window-id ${MAINTENANCE_WINDOW_ID}


Result

{

"WindowId": "mw-*****************"
}


Confirm that the maintenance window has been deleted


Command

aws ssm get-maintenance-window \
--window-id ${MAINTENANCE_WINDOW_ID}


Result

An error occurred (DoesNotExistException) when calling the GetMaintenanceWindow operation: Maintenance window mw-***************** does not exist


That's all.