2021/04/06 - Amazon Simple Systems Manager (SSM) - 1 new 4 updated api methods
Changes: Supports removing a label or labels from a parameter, enables ScheduledEndTime and ChangeDetails for the StartChangeRequestExecution API, and supports critical/security/other noncompliant count for the patch API.
Remove a label or labels from a parameter.
See also: AWS API Documentation
Request Syntax
client.unlabel_parameter_version(
    Name='string',
    ParameterVersion=123,
    Labels=[
        'string',
    ]
)
Name (string) -- [REQUIRED]
The name of the parameter from which you want to delete one or more labels.
ParameterVersion (integer) -- [REQUIRED]
The specific version of the parameter from which you want to delete one or more labels. If it is not present, the call will fail.
Labels (list) -- [REQUIRED]
One or more labels to delete from the specified parameter version.
(string) --
Return type: dict
Response Syntax
{
    'RemovedLabels': [
        'string',
    ],
    'InvalidLabels': [
        'string',
    ]
}
Response Structure
(dict) --
RemovedLabels (list) --
A list of all labels deleted from the parameter.
(string) --
InvalidLabels (list) --
The labels that are not attached to the given parameter version.
(string) --
{'InstancePatchStates': {'CriticalNonCompliantCount': 'integer', 'OtherNonCompliantCount': 'integer', 'SecurityNonCompliantCount': 'integer'}}
Retrieves the high-level patch state of one or more instances.
See also: AWS API Documentation
Request Syntax
client.describe_instance_patch_states(
    InstanceIds=[
        'string',
    ],
    NextToken='string',
    MaxResults=123
)
InstanceIds (list) -- [REQUIRED]
The ID of the instance whose patch state information should be retrieved.
(string) --
NextToken (string) --
The token for the next set of items to return. (You received this token from a previous call.)
MaxResults (integer) --
The maximum number of instances to return (per page).
Return type: dict
Response Syntax
{
    'InstancePatchStates': [
        {
            'InstanceId': 'string',
            'PatchGroup': 'string',
            'BaselineId': 'string',
            'SnapshotId': 'string',
            'InstallOverrideList': 'string',
            'OwnerInformation': 'string',
            'InstalledCount': 123,
            'InstalledOtherCount': 123,
            'InstalledPendingRebootCount': 123,
            'InstalledRejectedCount': 123,
            'MissingCount': 123,
            'FailedCount': 123,
            'UnreportedNotApplicableCount': 123,
            'NotApplicableCount': 123,
            'OperationStartTime': datetime(2015, 1, 1),
            'OperationEndTime': datetime(2015, 1, 1),
            'Operation': 'Scan'|'Install',
            'LastNoRebootInstallOperationTime': datetime(2015, 1, 1),
            'RebootOption': 'RebootIfNeeded'|'NoReboot',
            'CriticalNonCompliantCount': 123,
            'SecurityNonCompliantCount': 123,
            'OtherNonCompliantCount': 123
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
InstancePatchStates (list) --
The high-level patch state for the requested instances.
(dict) --
Defines the high-level patch compliance state for a managed instance, providing information about the number of installed, missing, not applicable, and failed patches along with metadata about the operation when this information was gathered for the instance.
InstanceId (string) --
The ID of the managed instance the high-level patch compliance information was collected for.
PatchGroup (string) --
The name of the patch group the managed instance belongs to.
BaselineId (string) --
The ID of the patch baseline used to patch the instance.
SnapshotId (string) --
The ID of the patch baseline snapshot used during the patching operation when this compliance data was collected.
InstallOverrideList (string) --
An https URL or an Amazon S3 path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format and specify in the SSM document AWS-RunPatchBaseline, overrides the patches specified by the default patch baseline.
For more information about the InstallOverrideList parameter, see About the SSM document AWS-RunPatchBaseline in the AWS Systems Manager User Guide.
OwnerInformation (string) --
Placeholder information. This field will always be empty in the current release of the service.
InstalledCount (integer) --
The number of patches from the patch baseline that are installed on the instance.
InstalledOtherCount (integer) --
The number of patches not specified in the patch baseline that are installed on the instance.
InstalledPendingRebootCount (integer) --
The number of patches installed by Patch Manager since the last time the instance was rebooted.
InstalledRejectedCount (integer) --
The number of patches installed on an instance that are specified in a RejectedPatches list. Patches with a status of InstalledRejected were typically installed before they were added to a RejectedPatches list.
Note
If ALLOW_AS_DEPENDENCY is the specified option for RejectedPatchesAction, the value of InstalledRejectedCount will always be 0 (zero).
MissingCount (integer) --
The number of patches from the patch baseline that are applicable for the instance but aren't currently installed.
FailedCount (integer) --
The number of patches from the patch baseline that were attempted to be installed during the last patching operation, but failed to install.
UnreportedNotApplicableCount (integer) --
The number of patches beyond the supported limit of NotApplicableCount that are not reported by name to Systems Manager Inventory.
NotApplicableCount (integer) --
The number of patches from the patch baseline that aren't applicable for the instance and therefore aren't installed on the instance. This number may be truncated if the list of patch names is very large. The number of patches beyond this limit are reported in UnreportedNotApplicableCount.
OperationStartTime (datetime) --
The time the most recent patching operation was started on the instance.
OperationEndTime (datetime) --
The time the most recent patching operation completed on the instance.
Operation (string) --
The type of patching operation that was performed: SCAN (assess patch compliance state) or INSTALL (install missing patches).
LastNoRebootInstallOperationTime (datetime) --
The time of the last attempt to patch the instance with NoReboot specified as the reboot option.
RebootOption (string) --
Indicates the reboot option specified in the patch baseline.
Note
Reboot options apply to Install operations only. Reboots are not attempted for Patch Manager Scan operations.
RebootIfNeeded: Patch Manager tries to reboot the instance if it installed any patches, or if any patches are detected with a status of InstalledPendingReboot.
NoReboot: Patch Manager attempts to install missing packages without trying to reboot the system. Patches installed with this option are assigned a status of InstalledPendingReboot. These patches might not be in effect until a reboot is performed.
CriticalNonCompliantCount (integer) --
The number of instances where patches that are specified as "Critical" for compliance reporting in the patch baseline are not installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
SecurityNonCompliantCount (integer) --
The number of instances where patches that are specified as "Security" in a patch advisory are not installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
OtherNonCompliantCount (integer) --
The number of instances with patches installed that are specified as other than "Critical" or "Security" but are not compliant with the patch baseline. The status of these instances is NON_COMPLIANT.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
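The following is an added example, not part of the AWS documentation: it follows NextToken across pages and buckets instances by the new CriticalNonCompliantCount, SecurityNonCompliantCount and OtherNonCompliantCount fields, falling back to MissingCount/FailedCount when a response lacks them. StubSSM, SAMPLE_PAGES, the bucket names and the instance IDs are constructed for the example; pass a real boto3 SSM client in place of the stub.

```python
"""Triage SSM patch states by the per-severity non-compliance counters."""

SEVERITY_FIELDS = (
    "CriticalNonCompliantCount",
    "SecurityNonCompliantCount",
    "OtherNonCompliantCount",
)


def iter_patch_states(client, instance_ids):
    """Yield every InstancePatchStates entry, following NextToken to the end."""
    kwargs = {"InstanceIds": list(instance_ids)}
    while True:
        page = client.describe_instance_patch_states(**kwargs)
        yield from page.get("InstancePatchStates", [])
        token = page.get("NextToken")
        if not token:  # empty string (or missing key) means no further pages
            break
        kwargs["NextToken"] = token


def triage(state):
    """Return the most urgent bucket for one instance's patch state."""
    # Responses that predate these fields omit them: read them as 0 and rely
    # on the older MissingCount/FailedCount counters instead.
    critical, security, other = (state.get(f, 0) for f in SEVERITY_FIELDS)
    if critical:
        return "critical"
    if security:
        return "security"
    if other or state.get("MissingCount", 0) or state.get("FailedCount", 0):
        return "other"
    if state.get("InstalledPendingRebootCount", 0):
        return "pending-reboot"  # installed, but possibly not in effect yet
    return "compliant"


def report(client, instance_ids):
    """Map bucket name -> sorted instance IDs for the requested instances."""
    buckets = {}
    for state in iter_patch_states(client, instance_ids):
        buckets.setdefault(triage(state), []).append(state["InstanceId"])
    return {name: sorted(ids) for name, ids in buckets.items()}


class StubSSM:
    """Constructed stand-in for the boto3 SSM client; serves canned pages."""

    def __init__(self, pages):
        self.pages = pages  # maps the NextToken sent ("" for none) to a page

    def describe_instance_patch_states(self, InstanceIds, NextToken="",
                                       MaxResults=50):
        return self.pages[NextToken]


# Constructed sample responses (not real instances), split over two pages.
SAMPLE_IDS = ["i-aaa", "i-bbb", "i-ccc", "i-ddd", "i-eee"]
SAMPLE_PAGES = {
    "": {
        "InstancePatchStates": [
            {"InstanceId": "i-aaa", "CriticalNonCompliantCount": 2,
             "SecurityNonCompliantCount": 1, "OtherNonCompliantCount": 0},
            {"InstanceId": "i-bbb", "CriticalNonCompliantCount": 0,
             "SecurityNonCompliantCount": 3, "OtherNonCompliantCount": 0},
        ],
        "NextToken": "page-2",
    },
    "page-2": {
        "InstancePatchStates": [
            {"InstanceId": "i-ccc", "CriticalNonCompliantCount": 0,
             "SecurityNonCompliantCount": 0, "OtherNonCompliantCount": 0,
             "InstalledPendingRebootCount": 4},
            {"InstanceId": "i-ddd", "MissingCount": 1},  # no severity fields
            {"InstanceId": "i-eee", "CriticalNonCompliantCount": 0,
             "SecurityNonCompliantCount": 0, "OtherNonCompliantCount": 0},
        ],
        "NextToken": "",
    },
}

if __name__ == "__main__":
    for bucket, ids in report(StubSSM(SAMPLE_PAGES), SAMPLE_IDS).items():
        print(bucket, ids)
```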
{'InstancePatchStates': {'CriticalNonCompliantCount': 'integer', 'OtherNonCompliantCount': 'integer', 'SecurityNonCompliantCount': 'integer'}}
Retrieves the high-level patch state for the instances in the specified patch group.
See also: AWS API Documentation
Request Syntax
client.describe_instance_patch_states_for_patch_group(
    PatchGroup='string',
    Filters=[
        {
            'Key': 'string',
            'Values': [
                'string',
            ],
            'Type': 'Equal'|'NotEqual'|'LessThan'|'GreaterThan'
        },
    ],
    NextToken='string',
    MaxResults=123
)
PatchGroup (string) -- [REQUIRED]
The name of the patch group for which the patch state information should be retrieved.
Filters (list) --
Each entry in the array is a structure containing:
Key (string between 1 and 200 characters)
Values (array containing a single string)
Type (string "Equal", "NotEqual", "LessThan", "GreaterThan")
(dict) --
Defines a filter used in DescribeInstancePatchStatesForPatchGroup used to scope down the information returned by the API.
Key (string) -- [REQUIRED]
The key for the filter. Supported values are FailedCount, InstalledCount, InstalledOtherCount, MissingCount and NotApplicableCount.
Values (list) -- [REQUIRED]
The value for the filter, must be an integer greater than or equal to 0.
(string) --
Type (string) -- [REQUIRED]
The type of comparison that should be performed for the value: Equal, NotEqual, LessThan or GreaterThan.
NextToken (string) --
The token for the next set of items to return. (You received this token from a previous call.)
MaxResults (integer) --
The maximum number of patches to return (per page).
Return type: dict
Response Syntax
{
    'InstancePatchStates': [
        {
            'InstanceId': 'string',
            'PatchGroup': 'string',
            'BaselineId': 'string',
            'SnapshotId': 'string',
            'InstallOverrideList': 'string',
            'OwnerInformation': 'string',
            'InstalledCount': 123,
            'InstalledOtherCount': 123,
            'InstalledPendingRebootCount': 123,
            'InstalledRejectedCount': 123,
            'MissingCount': 123,
            'FailedCount': 123,
            'UnreportedNotApplicableCount': 123,
            'NotApplicableCount': 123,
            'OperationStartTime': datetime(2015, 1, 1),
            'OperationEndTime': datetime(2015, 1, 1),
            'Operation': 'Scan'|'Install',
            'LastNoRebootInstallOperationTime': datetime(2015, 1, 1),
            'RebootOption': 'RebootIfNeeded'|'NoReboot',
            'CriticalNonCompliantCount': 123,
            'SecurityNonCompliantCount': 123,
            'OtherNonCompliantCount': 123
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
InstancePatchStates (list) --
The high-level patch state for the requested instances.
(dict) --
Defines the high-level patch compliance state for a managed instance, providing information about the number of installed, missing, not applicable, and failed patches along with metadata about the operation when this information was gathered for the instance.
InstanceId (string) --
The ID of the managed instance the high-level patch compliance information was collected for.
PatchGroup (string) --
The name of the patch group the managed instance belongs to.
BaselineId (string) --
The ID of the patch baseline used to patch the instance.
SnapshotId (string) --
The ID of the patch baseline snapshot used during the patching operation when this compliance data was collected.
InstallOverrideList (string) --
An https URL or an Amazon S3 path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format and specify in the SSM document AWS-RunPatchBaseline, overrides the patches specified by the default patch baseline.
For more information about the InstallOverrideList parameter, see About the SSM document AWS-RunPatchBaseline in the AWS Systems Manager User Guide.
OwnerInformation (string) --
Placeholder information. This field will always be empty in the current release of the service.
InstalledCount (integer) --
The number of patches from the patch baseline that are installed on the instance.
InstalledOtherCount (integer) --
The number of patches not specified in the patch baseline that are installed on the instance.
InstalledPendingRebootCount (integer) --
The number of patches installed by Patch Manager since the last time the instance was rebooted.
InstalledRejectedCount (integer) --
The number of patches installed on an instance that are specified in a RejectedPatches list. Patches with a status of InstalledRejected were typically installed before they were added to a RejectedPatches list.
Note
If ALLOW_AS_DEPENDENCY is the specified option for RejectedPatchesAction, the value of InstalledRejectedCount will always be 0 (zero).
MissingCount (integer) --
The number of patches from the patch baseline that are applicable for the instance but aren't currently installed.
FailedCount (integer) --
The number of patches from the patch baseline that were attempted to be installed during the last patching operation, but failed to install.
UnreportedNotApplicableCount (integer) --
The number of patches beyond the supported limit of NotApplicableCount that are not reported by name to Systems Manager Inventory.
NotApplicableCount (integer) --
The number of patches from the patch baseline that aren't applicable for the instance and therefore aren't installed on the instance. This number may be truncated if the list of patch names is very large. The number of patches beyond this limit are reported in UnreportedNotApplicableCount.
OperationStartTime (datetime) --
The time the most recent patching operation was started on the instance.
OperationEndTime (datetime) --
The time the most recent patching operation completed on the instance.
Operation (string) --
The type of patching operation that was performed: SCAN (assess patch compliance state) or INSTALL (install missing patches).
LastNoRebootInstallOperationTime (datetime) --
The time of the last attempt to patch the instance with NoReboot specified as the reboot option.
RebootOption (string) --
Indicates the reboot option specified in the patch baseline.
Note
Reboot options apply to Install operations only. Reboots are not attempted for Patch Manager Scan operations.
RebootIfNeeded: Patch Manager tries to reboot the instance if it installed any patches, or if any patches are detected with a status of InstalledPendingReboot.
NoReboot: Patch Manager attempts to install missing packages without trying to reboot the system. Patches installed with this option are assigned a status of InstalledPendingReboot. These patches might not be in effect until a reboot is performed.
CriticalNonCompliantCount (integer) --
The number of instances where patches that are specified as "Critical" for compliance reporting in the patch baseline are not installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
SecurityNonCompliantCount (integer) --
The number of instances where patches that are specified as "Security" in a patch advisory are not installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
OtherNonCompliantCount (integer) --
The number of instances with patches installed that are specified as other than "Critical" or "Security" but are not compliant with the patch baseline. The status of these instances is NON_COMPLIANT.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
{'InstancesWithCriticalNonCompliantPatches': 'integer', 'InstancesWithOtherNonCompliantPatches': 'integer', 'InstancesWithSecurityNonCompliantPatches': 'integer'}
Returns high-level aggregated patch compliance state for a patch group.
See also: AWS API Documentation
Request Syntax
client.describe_patch_group_state(
    PatchGroup='string'
)
PatchGroup (string) -- [REQUIRED]
The name of the patch group whose patch snapshot should be retrieved.
Return type: dict
Response Syntax
{
    'Instances': 123,
    'InstancesWithInstalledPatches': 123,
    'InstancesWithInstalledOtherPatches': 123,
    'InstancesWithInstalledPendingRebootPatches': 123,
    'InstancesWithInstalledRejectedPatches': 123,
    'InstancesWithMissingPatches': 123,
    'InstancesWithFailedPatches': 123,
    'InstancesWithNotApplicablePatches': 123,
    'InstancesWithUnreportedNotApplicablePatches': 123,
    'InstancesWithCriticalNonCompliantPatches': 123,
    'InstancesWithSecurityNonCompliantPatches': 123,
    'InstancesWithOtherNonCompliantPatches': 123
}
Response Structure
(dict) --
Instances (integer) --
The number of instances in the patch group.
InstancesWithInstalledPatches (integer) --
The number of instances with installed patches.
InstancesWithInstalledOtherPatches (integer) --
The number of instances with patches installed that aren't defined in the patch baseline.
InstancesWithInstalledPendingRebootPatches (integer) --
The number of instances with patches installed by Patch Manager that have not been rebooted after the patch installation. The status of these instances is NON_COMPLIANT.
InstancesWithInstalledRejectedPatches (integer) --
The number of instances with patches installed that are specified in a RejectedPatches list. Patches with a status of INSTALLED_REJECTED were typically installed before they were added to a RejectedPatches list.
Note
If ALLOW_AS_DEPENDENCY is the specified option for RejectedPatchesAction, the value of InstancesWithInstalledRejectedPatches will always be 0 (zero).
InstancesWithMissingPatches (integer) --
The number of instances with missing patches from the patch baseline.
InstancesWithFailedPatches (integer) --
The number of instances with patches from the patch baseline that failed to install.
InstancesWithNotApplicablePatches (integer) --
The number of instances with patches that aren't applicable.
InstancesWithUnreportedNotApplicablePatches (integer) --
The number of instances with NotApplicable patches beyond the supported limit, which are not reported by name to Systems Manager Inventory.
InstancesWithCriticalNonCompliantPatches (integer) --
The number of instances where patches that are specified as "Critical" for compliance reporting in the patch baseline are not installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
InstancesWithSecurityNonCompliantPatches (integer) --
The number of instances where patches that are specified as "Security" in a patch advisory are not installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
InstancesWithOtherNonCompliantPatches (integer) --
The number of instances with patches installed that are specified as other than "Critical" or "Security" but are not compliant with the patch baseline. The status of these instances is NON_COMPLIANT.
{'ChangeDetails': 'string', 'ScheduledEndTime': 'timestamp'}
Creates a change request for Change Manager. The runbooks (Automation documents) specified in the change request run only after all required approvals for the change request have been received.
See also: AWS API Documentation
Request Syntax
client.start_change_request_execution(
    ScheduledTime=datetime(2015, 1, 1),
    DocumentName='string',
    DocumentVersion='string',
    Parameters={
        'string': [
            'string',
        ]
    },
    ChangeRequestName='string',
    ClientToken='string',
    Runbooks=[
        {
            'DocumentName': 'string',
            'DocumentVersion': 'string',
            'Parameters': {
                'string': [
                    'string',
                ]
            },
            'TargetParameterName': 'string',
            'Targets': [
                {
                    'Key': 'string',
                    'Values': [
                        'string',
                    ]
                },
            ],
            'MaxConcurrency': 'string',
            'MaxErrors': 'string',
            'TargetLocations': [
                {
                    'Accounts': [
                        'string',
                    ],
                    'Regions': [
                        'string',
                    ],
                    'TargetLocationMaxConcurrency': 'string',
                    'TargetLocationMaxErrors': 'string',
                    'ExecutionRoleName': 'string'
                },
            ]
        },
    ],
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    ScheduledEndTime=datetime(2015, 1, 1),
    ChangeDetails='string'
)
ScheduledTime (datetime) --
The date and time specified in the change request to run the Automation runbooks.
Note
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
DocumentName (string) -- [REQUIRED]
The name of the change template document to run during the runbook workflow.
DocumentVersion (string) --
The version of the change template document to run during the runbook workflow.
Parameters (dict) --
A key-value map of parameters that match the declared parameters in the change template document.
(string) --
(list) --
(string) --
ChangeRequestName (string) --
The name of the change request associated with the runbook workflow to be run.
ClientToken (string) --
The user-provided idempotency token. The token must be unique, is case insensitive, enforces the UUID format, and can't be reused.
Runbooks (list) -- [REQUIRED]
Information about the Automation runbooks (Automation documents) that are run during the runbook workflow.
Note
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
(dict) --
Information about an Automation runbook (Automation document) used in a runbook workflow in Change Manager.
Note
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
DocumentName (string) -- [REQUIRED]
The name of the Automation runbook (Automation document) used in a runbook workflow.
DocumentVersion (string) --
The version of the Automation runbook (Automation document) used in a runbook workflow.
Parameters (dict) --
The key-value map of execution parameters, which were supplied when calling StartChangeRequestExecution.
(string) --
(list) --
(string) --
TargetParameterName (string) --
The name of the parameter used as the target resource for the rate-controlled runbook workflow. Required if you specify Targets.
Targets (list) --
A key-value mapping to target resources that the Runbook operation performs tasks on. Required if you specify TargetParameterName.
(dict) --
An array of search criteria that targets instances using a Key,Value combination that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, AWS Lambda, and AWS Step Functions). For more information about running tasks that do not specify targets, see Registering maintenance window tasks without targets in the AWS Systems Manager User Guide.
Supported formats include the following.
Key=InstanceIds,Values=instance-id-1,instance-id-2,instance-id-3
Key=tag:my-tag-key,Values=my-tag-value-1,my-tag-value-2
Key=tag-key,Values=my-tag-key-1,my-tag-key-2
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=resource-group-name
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=resource-type-1,resource-type-2
Automation targets only: Key=ResourceGroup;Values=resource-group-name
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only EC2 instances and VPCs in your maintenance window.
Automation targets only: Key=ResourceGroup,Values=MyResourceGroup
State Manager association targets only: Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the AWS Region where the association was created.
For more information about how to send commands that target instances using Key,Value parameters, see Targeting multiple instances in the AWS Systems Manager User Guide.
Key (string) --
User-defined criteria for sending commands that target instances that meet the criteria.
Values (list) --
User-defined criteria that maps to Key. For example, if you specified tag:ServerRole, you could specify value:WebServer to run a command on instances that include EC2 tags of ServerRole,WebServer.
Depending on the type of Target, the maximum number of values for a Key might be lower than the global maximum of 50.
(string) --
MaxConcurrency (string) --
The MaxConcurrency value specified by the user when the operation started, indicating the maximum number of resources that the runbook operation can run on at the same time.
MaxErrors (string) --
The MaxErrors value specified by the user when the execution started, indicating the maximum number of errors that can occur during the operation before the updates are stopped or rolled back.
TargetLocations (list) --
Information about the AWS Regions and accounts targeted by the current Runbook operation.
(dict) --
The combination of AWS Regions and accounts targeted by the current Automation execution.
Accounts (list) --
The AWS accounts targeted by the current Automation execution.
(string) --
Regions (list) --
The AWS Regions targeted by the current Automation execution.
(string) --
TargetLocationMaxConcurrency (string) --
The maximum number of AWS accounts and AWS regions allowed to run the Automation concurrently.
TargetLocationMaxErrors (string) --
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
ExecutionRoleName (string) --
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole.
Tags (list) --
Optional metadata that you assign to a resource. You can specify a maximum of five tags for a change request. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a change request to identify an environment or target AWS Region. In this case, you could specify the following key-value pairs:
Key=Environment,Value=Production
Key=Region,Value=us-east-2
(dict) --
Metadata that you assign to your AWS resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Systems Manager, you can apply tags to documents, managed instances, maintenance windows, Parameter Store parameters, and patch baselines.
Key (string) -- [REQUIRED]
The name of the tag.
Value (string) -- [REQUIRED]
The value of the tag.
ScheduledEndTime (datetime) --
The time that the requester expects the runbook workflow related to the change request to complete. The time is an estimate only that the requester provides for reviewers.
ChangeDetails (string) --
User-provided details about the change. If no details are provided, content specified in the Template information section of the associated change template is added.
Return type: dict
Response Syntax
{ 'AutomationExecutionId': 'string' }
Response Structure
(dict) --
AutomationExecutionId (string) --
The unique ID of a runbook workflow operation. (A runbook workflow is a type of Automation operation.)
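The following is an added example, not part of the AWS documentation: it assembles the keyword arguments for start_change_request_execution and rejects, before any call is made, requests that break the constraints stated above (UUID-format ClientToken, at most five tags, Targets and TargetParameterName supplied together). The function names, the Example-* document names and the end-after-start check are assumptions made for the example.

```python
import uuid
from datetime import datetime, timedelta, timezone

MAX_TAGS = 5  # "You can specify a maximum of five tags for a change request."


def check_runbook(runbook):
    """Validate one Runbooks entry against the rules on this page."""
    if not runbook.get("DocumentName"):
        raise ValueError("each runbook needs DocumentName")
    # Targets and TargetParameterName are each required when the other is set.
    if bool(runbook.get("Targets")) != bool(runbook.get("TargetParameterName")):
        raise ValueError("Targets and TargetParameterName must be set together")


def normalise_token(token=None):
    """Return a lower-case UUID string, generating one if none was given."""
    token = str(uuid.uuid4()) if token is None else token
    try:
        canonical = str(uuid.UUID(token))
    except (ValueError, AttributeError, TypeError):
        raise ValueError("ClientToken must be a UUID") from None
    # Assumption: "UUID format" means the hyphenated form, so bare hex,
    # braces and urn: prefixes (which uuid.UUID tolerates) are refused.
    if canonical != token.lower():
        raise ValueError("ClientToken must use the hyphenated UUID format")
    return canonical


def build_change_request(template, runbooks, start=None, expected_end=None,
                         details=None, tags=None, client_token=None):
    """Return kwargs for start_change_request_execution or raise ValueError."""
    if not template:
        raise ValueError("DocumentName (change template) is required")
    if not runbooks:
        raise ValueError("Runbooks is required")
    for runbook in runbooks:
        check_runbook(runbook)
    tags = list(tags or [])
    if len(tags) > MAX_TAGS:
        raise ValueError("a change request accepts at most five tags")
    # Assumption (local sanity check, not a documented service rule): the
    # completion estimate shown to reviewers should fall after the start.
    if start and expected_end and expected_end <= start:
        raise ValueError("ScheduledEndTime must be after ScheduledTime")
    request = {
        "DocumentName": template,
        "Runbooks": runbooks,
        "ClientToken": normalise_token(client_token),
    }
    optional = {"ScheduledTime": start, "ScheduledEndTime": expected_end,
                "ChangeDetails": details, "Tags": tags or None}
    request.update({k: v for k, v in optional.items() if v is not None})
    return request


# Constructed sample input; the document names are hypothetical placeholders.
SAMPLE_RUNBOOK = {
    "DocumentName": "Example-Runbook",
    "TargetParameterName": "InstanceId",
    "Targets": [{"Key": "tag:CostCenter", "Values": ["CostCenter1"]}],
}

if __name__ == "__main__":
    begin = datetime(2021, 4, 6, 22, 0, tzinfo=timezone.utc)
    print(build_change_request(
        "Example-ChangeTemplate", [SAMPLE_RUNBOOK], start=begin,
        expected_end=begin + timedelta(hours=2),
        details="Constructed example: patch the web tier",
        tags=[{"Key": "Environment", "Value": "Production"}]))
```

Pass the returned dictionary to a boto3 SSM client as `client.start_change_request_execution(**request)`.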