My goal is to scan/patch instances in a patch group and only impact instances that match the specified operating system in my patch policy definition. SSM Patch Manager ignores the rules in the patch baseline and impacts all instances in the group. What am I missing here?
Details
I spun up two Ubuntu instances with versions 18.04 and 16.04 and created a patch group that included these two instances. Next, I created a custom patch policy, set the OS to Ubuntu and the product name to Ubuntu 18.04, and set the other entries to all.
I used the run command document "AWS-RunPatchBaseline" in scan mode to scan the above mentioned patch group.
I can see in the output that both instances were scanned even though only Ubuntu 18.04 was mentioned in the patch baseline. How do I ensure that only the particular OS version is scanned or patched when there are two instances with the same operating system but different versions?
The Payload section of my Run Command output indicates the document does not seem to factor in the OS version:
Patch Baseline: {'accountId': '*', 'baselineId': 'pb-061ce09db20eee31e', 'name': 'pp_ubuntu_18', 'globalFilters': {'filters': []}, 'approvalRules': {'rules': [{'approveAfterDays': 0, 'filterGroup': {'filters': [{'key': 'PRODUCT', 'values': ['Ubuntu18.04']}, {'key': 'SECTION', 'values': ['']}, {'key': 'PRIORITY', 'values': ['']}]}, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False}]}, 'approvedPatches': [], 'approvedPatchesComplianceLevel': 'UNSPECIFIED', 'approvedPatchesEnableNonSecurity': False, 'rejectedPatches': [], 'rejectedPatchesAction': 'ALLOW_AS_DEPENDENCY', 'createdTime': 1562154060.257, 'modifiedTime': 1562154060.257, 'description': 'pp_ubuntu_18', 'operatingSystem': 'UBUNTU', 'sources': []}
Full output:
/usr/bin/python3
/usr/bin/apt-get
Reading package lists...
Building dependency tree...
Reading state information...
python3-apt is already the newest version (1.1.0~beta1ubuntu0.16.04.5).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Using python binary: 'python3'
07/03/2019 14:32:59 root [INFO]: Downloading payload from https://s3.dualstack.us-east-1.amazonaws.com/aws-ssm-us-east-1/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.21.tar.gz
07/03/2019 14:33:00 root [INFO]: Running with snapshot id = and operation = Scan
07/03/2019 14:33:00 root [INFO]: Instance Id: i-********
07/03/2019 14:33:00 root [INFO]: Region: us-east-1
07/03/2019 14:33:00 root [INFO]: Product: Ubuntu16.04
07/03/2019 14:33:00 root [INFO]: Patch Group: ubuntu_servers
07/03/2019 14:33:00 root [INFO]: Operation type: Scan
07/03/2019 14:33:00 root [INFO]: Snapshot Id: 8e6377dd-6a5b-459e-b1ff-a1944588dd7a
07/03/2019 14:33:00 root [INFO]: Patch Baseline: {'rejectedPatchesAction': 'ALLOW_AS_DEPENDENCY', 'modifiedTime': 1562154060.257, 'approvalRules': {'rules': [{'filterGroup': {'filters': [{'key': 'PRODUCT', 'values': ['Ubuntu18.04']}, {'key': 'SECTION', 'values': ['']}, {'key': 'PRIORITY', 'values': ['']}]}, 'approveAfterDays': 0, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False}]}, 'description': 'pp_ubuntu_18', 'sources': [], 'createdTime': 1562154060.257, 'operatingSystem': 'UBUNTU', 'accountId': '**********', 'name': 'pp_ubuntu_18', 'approvedPatchesEnableNonSecurity': False, 'approvedPatches': [], 'approvedPatchesComplianceLevel': 'UNSPECIFIED', 'rejectedPatches': [], 'globalFilters': {'filters': []}, 'baselineId': 'pb-061ce09db20eee31e'}
2019-07-03 14:33:00,859 root [INFO]: Starting APT patching operation.
2019-07-03 14:33:00,859 root [INFO]: Loading patch snapshot from snapshot.json
2019-07-03 14:33:00,918 root [INFO]: Searching for sources for product: Ubuntu16.04
2019-07-03 14:33:01,109 root [INFO]: Re-synchronizing the package index files from their sources.
Hit http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial InRelease
Hit http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Fetched 109 kB in 0s (0 B/s)
2019-07-03 14:33:16,165 root [INFO]:
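As an added check (not part of the question above, and not an AWS tool), the script below parses the AWS-RunPatchBaseline output format quoted in the question and flags an instance whose reported Product is not named in any PRODUCT approval filter of the baseline that was applied to it; the sample log is constructed from the lines above.

```python
import ast
import re

# Constructed sample, modelled on the AWS-RunPatchBaseline output quoted in the question.
SAMPLE_OUTPUT = """\
07/03/2019 14:33:00 root [INFO]: Instance Id: i-********
07/03/2019 14:33:00 root [INFO]: Product: Ubuntu16.04
07/03/2019 14:33:00 root [INFO]: Patch Group: ubuntu_servers
07/03/2019 14:33:00 root [INFO]: Operation type: Scan
07/03/2019 14:33:00 root [INFO]: Patch Baseline: {'approvalRules': {'rules': [{'filterGroup': {'filters': [{'key': 'PRODUCT', 'values': ['Ubuntu18.04']}, {'key': 'SECTION', 'values': ['']}]}, 'approveAfterDays': 0}]}, 'operatingSystem': 'UBUNTU', 'name': 'pp_ubuntu_18', 'baselineId': 'pb-061ce09db20eee31e'}
"""

# Only the four fields the check needs; the rest of the log is ignored.
FIELD_RE = re.compile(r"\[INFO\]: (Instance Id|Product|Patch Group|Patch Baseline): (.*)$")


def parse_run_output(text):
    """Extract instance id, detected product, patch group and the baseline dict from the log."""
    info = {}
    for line in text.splitlines():
        match = FIELD_RE.search(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "Patch Baseline":
            # The payload prints the baseline as a Python dict literal; literal_eval parses
            # it without executing anything.
            value = ast.literal_eval(value)
        info[key] = value
    return info


def baseline_products(baseline):
    """Collect every PRODUCT value from the baseline's approval-rule filter groups."""
    products = set()
    for rule in baseline.get("approvalRules", {}).get("rules", []):
        for flt in rule.get("filterGroup", {}).get("filters", []):
            if flt.get("key") == "PRODUCT":
                products.update(flt.get("values", []))
    return products


def product_mismatch(info):
    """True when the instance's product is named by no approval rule and no rule uses '*'."""
    products = baseline_products(info["Patch Baseline"])
    if "*" in products:
        return False
    return info["Product"] not in products


if __name__ == "__main__":
    parsed = parse_run_output(SAMPLE_OUTPUT)
    print(parsed["Instance Id"], parsed["Product"], "mismatch:", product_mismatch(parsed))
```

Running it over each instance's command output gives a quick inventory of which instances in the patch group were evaluated against a baseline whose product filters do not mention their own release.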