Amazon Simple Systems Manager (SSM) Update: This release adds the AvailableSecurityUpdatesComplianceStatus field to patch baseline operations, as well as the AvailableSecurityUpdateCount and InstancesWithAvailableSecurityUpdates to patch state operations. Applies to Windows Server managed nodes only.

Author: AWS

.changes/next-release/feature-AmazonSimpleSystemsManagerSSM-1451038.json

@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "Amazon Simple Systems Manager (SSM)",
+    "contributor": "",
+    "description": "This release adds the AvailableSecurityUpdatesComplianceStatus field to patch baseline operations, as well as the AvailableSecurityUpdateCount and InstancesWithAvailableSecurityUpdates to patch state operations. Applies to Windows Server managed nodes only."
+}

services/ssm/src/main/resources/codegen-resources/service-2.json

@@ -3874,6 +3874,10 @@
         "Sources":{
           "shape":"PatchSourceList",
           "documentation":"<p>Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.</p>"
+        },
+        "AvailableSecurityUpdatesComplianceStatus":{
+          "shape":"PatchComplianceStatus",
+          "documentation":"<p>Indicates whether managed nodes for which there are available security-related patches that have not been approved by the baseline are being defined as <code>COMPLIANT</code> or <code>NON_COMPLIANT</code>. This option is specified when the <code>CreatePatchBaseline</code> or <code>UpdatePatchBaseline</code> commands are run.</p> <p>Applies to Windows Server managed nodes only.</p>"
         }
       },
       "documentation":"<p>Defines the basic information about a patch baseline override.</p>"
@@ -5158,6 +5162,10 @@
           "shape":"PatchSourceList",
           "documentation":"<p>Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.</p>"
         },
+        "AvailableSecurityUpdatesComplianceStatus":{
+          "shape":"PatchComplianceStatus",
+          "documentation":"<p>Indicates the status you want to assign to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline.</p> <p>Example scenario: Security patches that you might want installed can be skipped if you have specified a long period to wait after a patch is released before installation. If an update to the patch is released during your specified waiting period, the waiting period for installing the patch starts over. If the waiting period is too long, multiple versions of the patch could be released but never installed.</p> <p>Supported for Windows Server managed nodes only.</p>"
+        },
         "ClientToken":{
           "shape":"ClientToken",
           "documentation":"<p>User-provided idempotency token.</p>",
@@ -6702,6 +6710,11 @@
           "shape":"InstancesCount",
           "documentation":"<p>The number of managed nodes with patches installed that are specified as other than <code>Critical</code> or <code>Security</code> but aren't compliant with the patch baseline. The status of these managed nodes is <code>NON_COMPLIANT</code>.</p>",
           "box":true
+        },
+        "InstancesWithAvailableSecurityUpdates":{
+          "shape":"Integer",
+          "documentation":"<p>The number of managed nodes for which security-related patches are available but not approved because because they didn't meet the patch baseline requirements. For example, an updated version of a patch might have been released before the specified auto-approval period was over.</p> <p>Applies to Windows Server managed nodes only.</p>",
+          "box":true
         }
       }
     },
@@ -8787,6 +8800,10 @@
         "Sources":{
           "shape":"PatchSourceList",
           "documentation":"<p>Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.</p>"
+        },
+        "AvailableSecurityUpdatesComplianceStatus":{
+          "shape":"PatchComplianceStatus",
+          "documentation":"<p>Indicates the compliance status of managed nodes for which security-related patches are available but were not approved. This preference is specified when the <code>CreatePatchBaseline</code> or <code>UpdatePatchBaseline</code> commands are run.</p> <p>Applies to Windows Server managed nodes only.</p>"
         }
       }
     },
@@ -9362,6 +9379,11 @@
           "shape":"PatchNotApplicableCount",
           "documentation":"<p>The number of patches from the patch baseline that aren't applicable for the managed node and therefore aren't installed on the node. This number may be truncated if the list of patch names is very large. The number of patches beyond this limit are reported in <code>UnreportedNotApplicableCount</code>.</p>"
         },
+        "AvailableSecurityUpdateCount":{
+          "shape":"PatchAvailableSecurityUpdateCount",
+          "documentation":"<p>The number of security-related patches that are available but not approved because they didn't meet the patch baseline requirements. For example, an updated version of a patch might have been released before the specified auto-approval period was over.</p> <p>Applies to Windows Server managed nodes only.</p>",
+          "box":true
+        },
         "OperationStartTime":{
           "shape":"DateTime",
           "documentation":"<p>The time the most recent patching operation was started on the managed node.</p>"
@@ -12076,11 +12098,11 @@
         },
         "AccountIdsToAdd":{
           "shape":"AccountIdList",
-          "documentation":"<p>The Amazon Web Services users that should have access to the document. The account IDs can either be a group of account IDs or <i>All</i>. </p>"
+          "documentation":"<p>The Amazon Web Services users that should have access to the document. The account IDs can either be a group of account IDs or <i>All</i>. You must specify a value for this parameter or the <code>AccountIdsToRemove</code> parameter.</p>"
         },
         "AccountIdsToRemove":{
           "shape":"AccountIdList",
-          "documentation":"<p>The Amazon Web Services users that should no longer have access to the document. The Amazon Web Services user can either be a group of account IDs or <i>All</i>. This action has a higher priority than <code>AccountIdsToAdd</code>. If you specify an ID to add and the same ID to remove, the system removes access to the document. </p>"
+          "documentation":"<p>The Amazon Web Services users that should no longer have access to the document. The Amazon Web Services user can either be a group of account IDs or <i>All</i>. This action has a higher priority than <code>AccountIdsToAdd</code>. If you specify an ID to add and the same ID to remove, the system removes access to the document. You must specify a value for this parameter or the <code>AccountIdsToAdd</code> parameter.</p>"
         },
         "SharedDocumentVersion":{
           "shape":"SharedDocumentVersion",
@@ -13946,6 +13968,7 @@
       "member":{"shape":"PatchAdvisoryId"}
     },
     "PatchArch":{"type":"string"},
+    "PatchAvailableSecurityUpdateCount":{"type":"integer"},
     "PatchBaselineIdentity":{
       "type":"structure",
       "members":{
@@ -14048,7 +14071,8 @@
         "INSTALLED_REJECTED",
         "MISSING",
         "NOT_APPLICABLE",
-        "FAILED"
+        "FAILED",
+        "AVAILABLE_SECURITY_UPDATE"
       ]
     },
     "PatchComplianceLevel":{
@@ -14067,6 +14091,13 @@
       "max":100,
       "min":10
     },
+    "PatchComplianceStatus":{
+      "type":"string",
+      "enum":[
+        "COMPLIANT",
+        "NON_COMPLIANT"
+      ]
+    },
     "PatchContentUrl":{"type":"string"},
     "PatchCriticalNonCompliantCount":{"type":"integer"},
     "PatchDeploymentStatus":{
@@ -14555,7 +14586,7 @@
       "members":{
         "Name":{
           "shape":"PSParameterName",
-          "documentation":"<p>The fully qualified name of the parameter that you want to create or update.</p> <note> <p>You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.</p> </note> <p>The fully qualified name includes the complete hierarchy of the parameter path and name. For parameters in a hierarchy, you must include a leading forward slash character (/) when you create or reference a parameter. For example: <code>/Dev/DBServer/MySQL/db-string13</code> </p> <p>Naming Constraints:</p> <ul> <li> <p>Parameter names are case sensitive.</p> </li> <li> <p>A parameter name must be unique within an Amazon Web Services Region</p> </li> <li> <p>A parameter name can't be prefixed with \"<code>aws</code>\" or \"<code>ssm</code>\" (case-insensitive).</p> </li> <li> <p>Parameter names can include only the following symbols and letters: <code>a-zA-Z0-9_.-</code> </p> <p>In addition, the slash character ( / ) is used to delineate hierarchies in parameter names. For example: <code>/Dev/Production/East/Project-ABC/MyParameter</code> </p> </li> <li> <p>A parameter name can't include spaces.</p> </li> <li> <p>Parameter hierarchies are limited to a maximum depth of fifteen levels.</p> </li> </ul> <p>For additional information about valid values for parameter names, see <a href=\"https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-create.html\">Creating Systems Manager parameters</a> in the <i>Amazon Web Services Systems Manager User Guide</i>.</p> <note> <p>The maximum length constraint of 2048 characters listed below includes 1037 characters reserved for internal use by Systems Manager. The maximum length for a parameter name that you create is 1011 characters. This includes the characters in the ARN that precede the name you specify, such as <code>arn:aws:ssm:us-east-2:111122223333:parameter/</code>.</p> </note>"
+          "documentation":"<p>The fully qualified name of the parameter that you want to create or update.</p> <note> <p>You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.</p> </note> <p>The fully qualified name includes the complete hierarchy of the parameter path and name. For parameters in a hierarchy, you must include a leading forward slash character (/) when you create or reference a parameter. For example: <code>/Dev/DBServer/MySQL/db-string13</code> </p> <p>Naming Constraints:</p> <ul> <li> <p>Parameter names are case sensitive.</p> </li> <li> <p>A parameter name must be unique within an Amazon Web Services Region</p> </li> <li> <p>A parameter name can't be prefixed with \"<code>aws</code>\" or \"<code>ssm</code>\" (case-insensitive).</p> </li> <li> <p>Parameter names can include only the following symbols and letters: <code>a-zA-Z0-9_.-</code> </p> <p>In addition, the slash character ( / ) is used to delineate hierarchies in parameter names. For example: <code>/Dev/Production/East/Project-ABC/MyParameter</code> </p> </li> <li> <p>A parameter name can't include spaces.</p> </li> <li> <p>Parameter hierarchies are limited to a maximum depth of fifteen levels.</p> </li> </ul> <p>For additional information about valid values for parameter names, see <a href=\"https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-create.html\">Creating Systems Manager parameters</a> in the <i>Amazon Web Services Systems Manager User Guide</i>.</p> <note> <p>The reported maximum length of 2048 characters for a parameter name includes 1037 characters that are reserved for internal use by Systems Manager. The maximum length for a parameter name that you specify is 1011 characters.</p> <p>This count of 1011 characters includes the characters in the ARN that precede the name you specify. This ARN length will vary depending on your partition and Region. For example, the following 45 characters count toward the 1011 character maximum for a parameter created in the US East (Ohio) Region: <code>arn:aws:ssm:us-east-2:111122223333:parameter/</code>.</p> </note>"
         },
         "Description":{
           "shape":"ParameterDescription",
@@ -17602,6 +17633,10 @@
           "shape":"PatchSourceList",
           "documentation":"<p>Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.</p>"
         },
+        "AvailableSecurityUpdatesComplianceStatus":{
+          "shape":"PatchComplianceStatus",
+          "documentation":"<p>Indicates the status to be assigned to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline.</p> <p>Example scenario: Security patches that you might want installed can be skipped if you have specified a long period to wait after a patch is released before installation. If an update to the patch is released during your specified waiting period, the waiting period for installing the patch starts over. If the waiting period is too long, multiple versions of the patch could be released but never installed.</p> <p>Supported for Windows Server managed nodes only.</p>"
+        },
         "Replace":{
           "shape":"Boolean",
           "documentation":"<p>If True, then all fields that are required by the <a>CreatePatchBaseline</a> operation are also required for this API request. Optional fields that aren't specified are set to null.</p>",
@@ -17668,6 +17703,10 @@
         "Sources":{
           "shape":"PatchSourceList",
           "documentation":"<p>Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.</p>"
+        },
+        "AvailableSecurityUpdatesComplianceStatus":{
+          "shape":"PatchComplianceStatus",
+          "documentation":"<p>Indicates the compliance status of managed nodes for which security-related patches are available but were not approved. This preference is specified when the <code>CreatePatchBaseline</code> or <code>UpdatePatchBaseline</code> commands are run.</p> <p>Applies to Windows Server managed nodes only.</p>"
         }
       }
     },