CfnPatchBaselinePropsMixin

class aws_cdk.mixins_preview.aws_ssm.mixins.CfnPatchBaselinePropsMixin(props, *, strategy=None)

Bases: Mixin

The AWS::SSM::PatchBaseline resource defines the basic information for an AWS Systems Manager patch baseline.

A patch baseline defines which patches are approved for installation on your instances.

For more information, see CreatePatchBaseline in the AWS Systems Manager API Reference.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-patchbaseline.html

CloudformationResource:

AWS::SSM::PatchBaseline

Mixin:

true

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import CfnTag
from aws_cdk.mixins_preview import mixins
from aws_cdk.mixins_preview.aws_ssm import mixins as ssm_mixins

cfn_patch_baseline_props_mixin = ssm_mixins.CfnPatchBaselinePropsMixin(ssm_mixins.CfnPatchBaselineMixinProps(
    approval_rules=ssm_mixins.CfnPatchBaselinePropsMixin.RuleGroupProperty(
        patch_rules=[ssm_mixins.CfnPatchBaselinePropsMixin.RuleProperty(
            approve_after_days=123,
            approve_until_date="approveUntilDate",
            compliance_level="complianceLevel",
            enable_non_security=False,
            patch_filter_group=ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterGroupProperty(
                patch_filters=[ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterProperty(
                    key="key",
                    values=["values"]
                )]
            )
        )]
    ),
    approved_patches=["approvedPatches"],
    approved_patches_compliance_level="approvedPatchesComplianceLevel",
    approved_patches_enable_non_security=False,
    available_security_updates_compliance_status="availableSecurityUpdatesComplianceStatus",
    default_baseline=False,
    description="description",
    global_filters=ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterGroupProperty(
        patch_filters=[ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterProperty(
            key="key",
            values=["values"]
        )]
    ),
    name="name",
    operating_system="operatingSystem",
    patch_groups=["patchGroups"],
    rejected_patches=["rejectedPatches"],
    rejected_patches_action="rejectedPatchesAction",
    sources=[ssm_mixins.CfnPatchBaselinePropsMixin.PatchSourceProperty(
        configuration="configuration",
        name="name",
        products=["products"]
    )],
    tags=[CfnTag(
        key="key",
        value="value"
    )]
),
    strategy=mixins.PropertyMergeStrategy.OVERRIDE
)

Create a mixin to apply properties to AWS::SSM::PatchBaseline.

Parameters:

Methods

apply_to(construct)

Apply the mixin properties to the construct.

Parameters:

construct (IConstruct)

Return type:

IConstruct

supports(construct)

Check if this mixin supports the given construct.

Parameters:

construct (IConstruct)

Return type:

bool

Attributes

CFN_PROPERTY_KEYS = ['approvalRules', 'approvedPatches', 'approvedPatchesComplianceLevel', 'approvedPatchesEnableNonSecurity', 'availableSecurityUpdatesComplianceStatus', 'defaultBaseline', 'description', 'globalFilters', 'name', 'operatingSystem', 'patchGroups', 'rejectedPatches', 'rejectedPatchesAction', 'sources', 'tags']

Static Methods

classmethod is_mixin(x)

(experimental) Checks if x is a Mixin.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Mixin.

Stability:

experimental

PatchFilterGroupProperty

class CfnPatchBaselinePropsMixin.PatchFilterGroupProperty(*, patch_filters=None)

Bases: object

The PatchFilterGroup property type specifies a set of patch filters for an AWS Systems Manager patch baseline, typically used for approval rules for a Systems Manager patch baseline.

PatchFilterGroup is the property type for the GlobalFilters property of the AWS::SSM::PatchBaseline resource and the PatchFilterGroup property of the Rule property type.

Parameters:

patch_filters (Union[IResolvable, Sequence[Union[IResolvable, PatchFilterProperty, Dict[str, Any]]], None]) – The set of patch filters that make up the group.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchfiltergroup.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_ssm import mixins as ssm_mixins

patch_filter_group_property = ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterGroupProperty(
    patch_filters=[ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterProperty(
        key="key",
        values=["values"]
    )]
)

Attributes

patch_filters

The set of patch filters that make up the group.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchfiltergroup.html#cfn-ssm-patchbaseline-patchfiltergroup-patchfilters

PatchFilterProperty

class CfnPatchBaselinePropsMixin.PatchFilterProperty(*, key=None, values=None)

Bases: object

The PatchFilter property type defines a patch filter for an AWS Systems Manager patch baseline.

The PatchFilters property of the PatchFilterGroup property type contains a list of PatchFilter property types.

You can view lists of valid values for the patch properties by running the DescribePatchProperties command. For more information, see DescribePatchProperties in the AWS Systems Manager API Reference.

Parameters:
  • key (Optional[str]) – The key for the filter. For information about valid keys, see PatchFilter in the AWS Systems Manager API Reference.

  • values (Optional[Sequence[str]]) – The value for the filter key. For information about valid values for each key based on operating system type, see PatchFilter in the AWS Systems Manager API Reference.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchfilter.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_ssm import mixins as ssm_mixins

patch_filter_property = ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterProperty(
    key="key",
    values=["values"]
)

Attributes

key

The key for the filter.

For information about valid keys, see PatchFilter in the AWS Systems Manager API Reference.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchfilter.html#cfn-ssm-patchbaseline-patchfilter-key

values

The value for the filter key.

For information about valid values for each key based on operating system type, see PatchFilter in the AWS Systems Manager API Reference.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchfilter.html#cfn-ssm-patchbaseline-patchfilter-values

PatchSourceProperty

class CfnPatchBaselinePropsMixin.PatchSourceProperty(*, configuration=None, name=None, products=None)

Bases: object

PatchSource is the property type for the Sources property of the AWS::SSM::PatchBaseline resource.

The AWS CloudFormation AWS::SSM::PatchSource resource is used to provide information about the patches to use to update target instances, including target operating systems and source repository. Applies to Linux managed nodes only.

Parameters:
  • configuration (Optional[str]) –

    The value of the repo configuration.

    Example for yum repositories

    [main]
    name=MyCustomRepository
    baseurl=https://my-custom-repository
    enabled=1

    For information about other options available for your yum repository configuration, see dnf.conf(5) on the man7.org website.

    Examples for Ubuntu Server and Debian Server

    deb http://security.ubuntu.com/ubuntu jammy main
    deb https://site.example.com/debian distribution component1 component2 component3

    Repo information for Ubuntu Server repositories must be specified in a single line. For more examples and information, see jammy (5) sources.list.5.gz on the Ubuntu Server Manuals website and sources.list format on the Debian Wiki.

  • name (Optional[str]) – The name specified to identify the patch source.

  • products (Optional[Sequence[str]]) –

    The specific operating system versions a patch repository applies to, such as “Ubuntu16.04”, “RedhatEnterpriseLinux7.2” or “Suse12.7”. For lists of supported product values, see PatchFilter in the AWS Systems Manager API Reference.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchsource.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_ssm import mixins as ssm_mixins

patch_source_property = ssm_mixins.CfnPatchBaselinePropsMixin.PatchSourceProperty(
    configuration="configuration",
    name="name",
    products=["products"]
)

Attributes

configuration

The value of the repo configuration.

Example for yum repositories

[main]

name=MyCustomRepository

baseurl=https://my-custom-repository

enabled=1

For information about other options available for your yum repository configuration, see dnf.conf(5) on the man7.org website.

Examples for Ubuntu Server and Debian Server

deb http://security.ubuntu.com/ubuntu jammy main

deb https://site.example.com/debian distribution component1 component2 component3

Repo information for Ubuntu Server repositories must be specified in a single line. For more examples and information, see jammy (5) sources.list.5.gz on the Ubuntu Server Manuals website and sources.list format on the Debian Wiki.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchsource.html#cfn-ssm-patchbaseline-patchsource-configuration
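
The configuration string names the repository that patches are fetched from, so it is worth reviewing before it reaches a baseline. The following is an added example, not part of the CDK or AWS documentation: a small parser for the two formats shown above that reports the repository URLs, their transport scheme, and multi-line deb input. The function names and finding messages are hypothetical, and the sample strings are constructed from the ones on this page.

```python
import configparser
from urllib.parse import urlsplit


def parse_patch_source(configuration):
    """Return (kind, urls): kind is "yum" for the INI form, "deb" for sources.list lines."""
    lines = [ln.strip() for ln in configuration.splitlines() if ln.strip()]
    if lines and lines[0].startswith("["):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string("\n".join(lines))
        urls = []
        for section in parser.sections():
            # dnf.conf allows several baseurl entries separated by spaces or commas.
            urls += parser.get(section, "baseurl", fallback="").replace(",", " ").split()
        return "yum", urls
    urls = []
    for ln in lines:
        kind, *rest = ln.split()
        if kind not in ("deb", "deb-src"):
            raise ValueError(f"unrecognised repository line: {ln!r}")
        if rest and rest[0].startswith("["):
            # Skip the optional "[ option=value ... ]" block before the URI.
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"missing URI or suite: {ln!r}")
        urls.append(rest[0])
    return "deb", urls


def lint_patch_source(configuration):
    """Return review findings for a PatchSource configuration string."""
    kind, urls = parse_patch_source(configuration)
    findings = []
    non_empty = [ln for ln in configuration.splitlines() if ln.strip()]
    if kind == "deb" and len(non_empty) > 1:
        findings.append("repo information spans several lines; Ubuntu Server needs one")
    if not urls:
        findings.append("no repository URL found")
    for url in urls:
        scheme = urlsplit(url).scheme
        if scheme != "https":
            findings.append(f"{url}: fetched over {scheme or 'no scheme'}, not https")
    return findings


# Constructed samples built from the configuration strings shown on this page.
YUM_SAMPLE = "[main]\nname=MyCustomRepository\nbaseurl=https://my-custom-repository\nenabled=1\n"
DEB_SAMPLE = "deb http://security.ubuntu.com/ubuntu jammy main"

if __name__ == "__main__":
    for sample in (YUM_SAMPLE, DEB_SAMPLE):
        print(parse_patch_source(sample)[0], lint_patch_source(sample))
```
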

name

The name specified to identify the patch source.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchsource.html#cfn-ssm-patchbaseline-patchsource-name

products

The specific operating system versions a patch repository applies to, such as “Ubuntu16.04”, “RedhatEnterpriseLinux7.2” or “Suse12.7”. For lists of supported product values, see PatchFilter in the AWS Systems Manager API Reference.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchsource.html#cfn-ssm-patchbaseline-patchsource-products

RuleGroupProperty

class CfnPatchBaselinePropsMixin.RuleGroupProperty(*, patch_rules=None)

Bases: object

The RuleGroup property type specifies a set of rules that define the approval rules for an AWS Systems Manager patch baseline.

RuleGroup is the property type for the ApprovalRules property of the AWS::SSM::PatchBaseline resource.

Parameters:

patch_rules (Union[IResolvable, Sequence[Union[IResolvable, RuleProperty, Dict[str, Any]]], None]) – The rules that make up the rule group.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rulegroup.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_ssm import mixins as ssm_mixins

rule_group_property = ssm_mixins.CfnPatchBaselinePropsMixin.RuleGroupProperty(
    patch_rules=[ssm_mixins.CfnPatchBaselinePropsMixin.RuleProperty(
        approve_after_days=123,
        approve_until_date="approveUntilDate",
        compliance_level="complianceLevel",
        enable_non_security=False,
        patch_filter_group=ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterGroupProperty(
            patch_filters=[ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterProperty(
                key="key",
                values=["values"]
            )]
        )
    )]
)

Attributes

patch_rules

The rules that make up the rule group.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rulegroup.html#cfn-ssm-patchbaseline-rulegroup-patchrules

RuleProperty

class CfnPatchBaselinePropsMixin.RuleProperty(*, approve_after_days=None, approve_until_date=None, compliance_level=None, enable_non_security=None, patch_filter_group=None)

Bases: object

The Rule property type specifies an approval rule for a Systems Manager patch baseline.

The PatchRules property of the RuleGroup property type contains a list of Rule property types.

Parameters:
  • approve_after_days (Union[int, float, None]) – The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of 7 means that patches are approved seven days after they are released. Patch Manager evaluates patch release dates using Coordinated Universal Time (UTC). If the day represented by 7 is 2025-11-16, patches released between 2025-11-16T00:00:00Z and 2025-11-16T23:59:59Z will be included in the approval. This parameter is marked as Required: No, but your request must include a value for either ApproveAfterDays or ApproveUntilDate. Not supported for Debian Server or Ubuntu Server. Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected in the AWS Systems Manager User Guide.

  • approve_until_date (Optional[str]) –

    The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Enter dates in the format YYYY-MM-DD. For example, 2025-11-16. Patch Manager evaluates patch release dates using Coordinated Universal Time (UTC). If you enter the date 2025-11-16, patches released between 2025-11-16T00:00:00Z and 2025-11-16T23:59:59Z will be included in the approval. This parameter is marked as Required: No, but your request must include a value for either ApproveUntilDate or ApproveAfterDays. Not supported for Debian Server or Ubuntu Server. Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected in the AWS Systems Manager User Guide.

  • compliance_level (Optional[str]) – A compliance severity level for all approved patches in a patch baseline. Valid compliance severity levels include the following: UNSPECIFIED, CRITICAL, HIGH, MEDIUM, LOW, and INFORMATIONAL.

  • enable_non_security (Union[bool, IResolvable, None]) – For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is false. Applies to Linux managed nodes only. Default: false

  • patch_filter_group (Union[IResolvable, PatchFilterGroupProperty, Dict[str, Any], None]) – The patch filter group that defines the criteria for the rule.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rule.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_ssm import mixins as ssm_mixins

rule_property = ssm_mixins.CfnPatchBaselinePropsMixin.RuleProperty(
    approve_after_days=123,
    approve_until_date="approveUntilDate",
    compliance_level="complianceLevel",
    enable_non_security=False,
    patch_filter_group=ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterGroupProperty(
        patch_filters=[ssm_mixins.CfnPatchBaselinePropsMixin.PatchFilterProperty(
            key="key",
            values=["values"]
        )]
    )
)

Attributes

approve_after_days

The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline.

For example, a value of 7 means that patches are approved seven days after they are released.

Patch Manager evaluates patch release dates using Coordinated Universal Time (UTC). If the day represented by 7 is 2025-11-16, patches released between 2025-11-16T00:00:00Z and 2025-11-16T23:59:59Z will be included in the approval.

This parameter is marked as Required: No, but your request must include a value for either ApproveAfterDays or ApproveUntilDate.

Not supported for Debian Server or Ubuntu Server.

Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-selecting-patches.html) in the AWS Systems Manager User Guide.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rule.html#cfn-ssm-patchbaseline-rule-approveafterdays

approve_until_date

The cutoff date for auto approval of released patches.

Any patches released on or before this date are installed automatically.

Enter dates in the format YYYY-MM-DD. For example, 2025-11-16.

Patch Manager evaluates patch release dates using Coordinated Universal Time (UTC). If you enter the date 2025-11-16, patches released between 2025-11-16T00:00:00Z and 2025-11-16T23:59:59Z will be included in the approval.

This parameter is marked as Required: No, but your request must include a value for either ApproveUntilDate or ApproveAfterDays.

Not supported for Debian Server or Ubuntu Server.

Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-selecting-patches.html) in the AWS Systems Manager User Guide.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rule.html#cfn-ssm-patchbaseline-rule-approveuntildate

compliance_level

A compliance severity level for all approved patches in a patch baseline.

Valid compliance severity levels include the following: UNSPECIFIED, CRITICAL, HIGH, MEDIUM, LOW, and INFORMATIONAL.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rule.html#cfn-ssm-patchbaseline-rule-compliancelevel

enable_non_security

For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository.

The default value is false. Applies to Linux managed nodes only.

Default:
  • false

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rule.html#cfn-ssm-patchbaseline-rule-enablenonsecurity

patch_filter_group

The patch filter group that defines the criteria for the rule.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rule.html#cfn-ssm-patchbaseline-rule-patchfiltergroup
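
The approve_after_days, approve_until_date and compliance_level constraints described for RuleProperty can be checked before a rule is synthesized. The following is an added example, not part of the CDK or AWS documentation: it lints a rule given as a plain dict keyed by the parameter names on this page and models the UTC day window described above. The function names are hypothetical, and the cutoff arithmetic (evaluation day minus N days) is an assumption about how the documented window is derived.

```python
from datetime import date, datetime, timedelta, timezone

# Compliance severity levels listed for compliance_level on this page.
VALID_LEVELS = {"UNSPECIFIED", "CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"}


def lint_rule(rule):
    """Return the problems found in a dict-shaped approval rule (hypothetical helper)."""
    problems = []
    days, until = rule.get("approve_after_days"), rule.get("approve_until_date")
    if days is None and until is None:
        problems.append("set approve_after_days or approve_until_date")
    if days is not None:
        numeric = isinstance(days, (int, float)) and not isinstance(days, bool)
        # Assumption: a delay is a whole, non-negative number of days.
        if not numeric or days < 0 or days % 1 != 0:
            problems.append("approve_after_days must be a non-negative whole number")
    if until is not None:
        try:
            # strptime alone accepts "2025-1-6"; insist on the zero-padded form.
            if datetime.strptime(until, "%Y-%m-%d").strftime("%Y-%m-%d") != until:
                raise ValueError(until)
        except (TypeError, ValueError):
            problems.append("approve_until_date must be YYYY-MM-DD")
    level = rule.get("compliance_level")
    if level is not None and level not in VALID_LEVELS:
        problems.append(f"unknown compliance_level {level!r}")
    return problems


def cutoff_day(rule, evaluated_at):
    """Last UTC release day the rule auto-approves; None when neither field is set."""
    # Assumption of this sketch: when both fields are present the fixed date wins.
    if rule.get("approve_until_date") is not None:
        return date.fromisoformat(rule["approve_until_date"])
    if rule.get("approve_after_days") is not None:
        today_utc = evaluated_at.astimezone(timezone.utc).date()
        return today_utc - timedelta(days=rule["approve_after_days"])
    return None


def is_auto_approved(rule, released_at, evaluated_at):
    """True when the release day, taken in UTC, is on or before the cutoff day."""
    # Both datetimes must be timezone-aware; lint the rule before calling this.
    cutoff = cutoff_day(rule, evaluated_at)
    if cutoff is None:
        return False
    return released_at.astimezone(timezone.utc).date() <= cutoff


if __name__ == "__main__":
    # Constructed sample: a seven-day delay evaluated on 2025-11-23 UTC.
    rule = {"approve_after_days": 7, "compliance_level": "CRITICAL"}
    now = datetime(2025, 11, 23, 9, 0, tzinfo=timezone.utc)
    late_evening_pst = datetime(2025, 11, 16, 20, 0, tzinfo=timezone(timedelta(hours=-8)))
    print(lint_rule(rule), cutoff_day(rule, now), is_auto_approved(rule, late_evening_pst, now))
```

A release stamped 20:00 on 2025-11-16 at UTC-8 falls on 2025-11-17 in UTC, so it sits outside the window even though its local date matches the cutoff.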