AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-04-23 · Documentation low

File: systems-manager/latest/userguide/patch-manager-compliance-states.md

Summary

Added documentation for 'FAILED' and 'AVAILABLE_SECURITY_UPDATES' compliance states, clarified Windows Server specificity for 'NOT_APPLICABLE', and provided configuration guidance for security update compliance handling

Security assessment

The changes introduce documentation for the 'AVAILABLE_SECURITY_UPDATES' compliance state, which explicitly addresses how unapproved security updates are handled in compliance reporting. This provides guidance on configuring security patch management but does not indicate remediation of a specific vulnerability. The 'FAILED' state documentation helps troubleshoot patch installation issues, which could indirectly impact security posture but isn't explicitly tied to a disclosed security issue.

Diff

diff --git a/systems-manager/latest/userguide/patch-manager-compliance-states.md b/systems-manager/latest/userguide/patch-manager-compliance-states.md
index 4b9a97914..4ea0ee215 100644
--- a//systems-manager/latest/userguide/patch-manager-compliance-states.md
+++ b//systems-manager/latest/userguide/patch-manager-compliance-states.md
@@ -11 +11 @@ The information about patches for a managed node include a report of the state,
-###### Note
+###### Tip
@@ -64 +64,3 @@ In neither case does it mean that a patch with this status _requires_ a reboot,
-**`NOT_APPLICABLE`** ¹ | The patch is approved in the baseline, but the service or feature that uses the patch isn't installed on the managed node. For example, a patch for a web server service such as Internet Information Services (IIS) would show `NOT_APPLICABLE` if it was approved in the baseline, but the web service isn't installed on the managed node. A patch can also be marked `NOT_APPLICABLE` if it has been superseded by a subsequent update. This means that the later update is installed and the `NOT_APPLICABLE` update is no longer required.
+**`FAILED`** |  The patch is approved in the baseline, but it couldn't be installed. To troubleshoot this situation, review the command output for information that might help you understand the problem. | Non-Compliant  
+**`NOT_APPLICABLE`** ¹ |  _This compliance state is reported only for Windows Server operating systems._ The patch is approved in the baseline, but the service or feature that uses the patch isn't installed on the managed node. For example, a patch for a web server service such as Internet Information Services (IIS) would show `NOT_APPLICABLE` if it was approved in the baseline, but the web service isn't installed on the managed node. A patch can also be marked `NOT_APPLICABLE` if it has been superseded by a subsequent update. This means that the later update is installed and the `NOT_APPLICABLE` update is no longer required. | Not applicable  
+**`AVAILABLE_SECURITY_UPDATES`** |  _This compliance state is reported only for Windows Server operating systems._ An available security update patch that is not approved by the patch baseline can have a compliance value or `Compliant` or `Non-Compliant`, as defined in a custom patch baseline. When you create or update a patch baseline, you choose the status you want to assign to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline. For example, security patches that you might want installed can be skipped if you have specified a long period to wait after a patch is released before installation. If an update to the patch is released during your specified waiting period, the waiting period for installing the patch starts over. If the waiting period is too long, multiple versions of the patch could be released but never installed. For patch summary counts, when a patch is reported as `AvailableSecurityUpdate`, it will always be included in `AvailableSecurityUpdateCount`. If the baseline is configured to report these patches as `NonCompliant`, it is also included in `SecurityNonCompliantCount`. If the baseline is configured to report these patches as `Compliant`, they are not included in `SecurityNonCompliantCount`. These patches are always reported with an unspecified severity and are never included in the `CriticalNonCompliantCount`. |  Compliant or Non-Compliant, depending on the option selected for available security updates.
@@ -68,2 +70 @@ In neither case does it mean that a patch with this status _requires_ a reboot,
-This compliance state is only reported on Windows Server operating systems.  | Not applicable  
-**`FAILED`** |  The patch is approved in the baseline, but it couldn't be installed. To troubleshoot this situation, review the command output for information that might help you understand the problem. | Non-Compliant  
+Using the console to create or update a patch baseline, you specify this option in the **Available security updates compliance status** field. Using the AWS CLI to run the [create-patch-baseline](https://docs.aws.amazon.com/cli/latest/reference/ssm/create-patch-baseline.html) or [update-patch-baseline](https://docs.aws.amazon.com/cli/latest/reference/ssm/update-patch-baseline.html) command, you specify this option in the `available-security-updates-compliance-status` parameter.