

Retrieves the current effective patches (the patch and the approval state) for the specified patch baseline. Applies to patch baselines for Windows only.

See also: AWS API Documentation

Request Syntax

    response = client.describe_effective_patches_for_patch_baseline(
        BaselineId='string',
        MaxResults=123,
        NextToken='string'
    )

Parameters

  • BaselineId (string) -- The ID of the patch baseline to retrieve the effective patches for.
  • MaxResults (integer) -- The maximum number of patches to return (per page).
  • NextToken (string) -- The token for the next set of items to return. (You received this token from a previous call.)

Return type

    dict

Response Syntax

    {
        'EffectivePatches': [
            {
                'Patch': {
                    'Id': 'string',
                    'ReleaseDate': datetime(2015, 1, 1),
                    'Title': 'string',
                    'Description': 'string',
                    'ContentUrl': 'string',
                    'Vendor': 'string',
                    'ProductFamily': 'string',
                    'Product': 'string',
                    'Classification': 'string',
                    'MsrcSeverity': 'string',
                    'KbNumber': 'string',
                    'MsrcNumber': 'string',
                    'Language': 'string',
                    'AdvisoryIds': [
                        'string',
                    ],
                    'BugzillaIds': [
                        'string',
                    ],
                    'CVEIds': [
                        'string',
                    ],
                    'Name': 'string',
                    'Epoch': 123,
                    'Version': 'string',
                    'Release': 'string',
                    'Arch': 'string',
                    'Severity': 'string',
                    'Repository': 'string'
                },
                'PatchStatus': {
                    'DeploymentStatus': 'APPROVED'|'PENDING_APPROVAL'|'EXPLICIT_APPROVED'|'EXPLICIT_REJECTED',
                    'ComplianceLevel': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'INFORMATIONAL'|'UNSPECIFIED',
                    'ApprovalDate': datetime(2015, 1, 1)
                }
            },
        ],
        'NextToken': 'string'
    }

Response Structure

  • (dict) --

    • EffectivePatches (list) --

      An array of patches and patch status.

      • (dict) --

        The EffectivePatch structure defines metadata about a patch along with the approval state of the patch in a particular patch baseline. The approval state includes information about whether the patch is currently approved, due to be approved by a rule, explicitly approved, or explicitly rejected and the date the patch was or will be approved.

        • Patch (dict) --

          Provides metadata for a patch, including information such as the KB ID, severity, classification and a URL for where more information can be obtained about the patch.

          • Id (string) --

            The ID of the patch. Applies to Windows patches only.

            This ID isn't the same as the Microsoft Knowledge Base ID.

          • ReleaseDate (datetime) --

            The date the patch was released.

          • Title (string) --

            The title of the patch.

          • Description (string) --

            The description of the patch.

          • ContentUrl (string) --

            The URL where more information can be obtained about the patch.

          • Vendor (string) --

            The name of the vendor providing the patch.

          • ProductFamily (string) --

            The product family the patch is applicable for. For example, Windows or Amazon Linux 2.

          • Product (string) --

            The specific product the patch is applicable for. For example, WindowsServer2016 or AmazonLinux2018.03.

          • Classification (string) --

            The classification of the patch. For example, SecurityUpdates, Updates, or CriticalUpdates.

          • MsrcSeverity (string) --

            The severity of the patch, such as Critical, Important, or Moderate. Applies to Windows patches only.

          • KbNumber (string) --

            The Microsoft Knowledge Base ID of the patch. Applies to Windows patches only.

          • MsrcNumber (string) --

            The ID of the Microsoft Security Response Center (MSRC) bulletin the patch is related to. For example, MS14-045. Applies to Windows patches only.

          • Language (string) --

            The language of the patch if it's language-specific.

          • AdvisoryIds (list) --

            The Advisory ID of the patch. For example, RHSA-2020:3779. Applies to Linux-based managed nodes only.

            • (string) --
          • BugzillaIds (list) --

            The Bugzilla ID of the patch. For example, 1600646. Applies to Linux-based managed nodes only.

            • (string) --
          • CVEIds (list) --

            The Common Vulnerabilities and Exposures (CVE) ID of the patch. For example, CVE-2011-3192. Applies to Linux-based managed nodes only.

            • (string) --
          • Name (string) --

            The name of the patch. Applies to Linux-based managed nodes only.

          • Epoch (integer) --

            The epoch of the patch. For example, in pkg-example-EE-20180914-2.2.amzn1.noarch, the epoch value is 20180914-2. Applies to Linux-based managed nodes only.

          • Version (string) --

            The version number of the patch. For example, in example-pkg-1.710.10-2.7.abcd.x86_64, the version number is indicated by -1. Applies to Linux-based managed nodes only.

          • Release (string) --

            The particular release of a patch. For example, in pkg-example-EE-20180914-2.2.amzn1.noarch, the release is 2.amaz1. Applies to Linux-based managed nodes only.

          • Arch (string) --

            The architecture of the patch. For example, in example-pkg-0.710.10-2.7.abcd.x86_64, the architecture is indicated by x86_64. Applies to Linux-based managed nodes only.

          • Severity (string) --

            The severity level of the patch. For example, CRITICAL or MODERATE.

          • Repository (string) --

            The source patch repository for the operating system and version, such as trusty-security for Ubuntu Server 14.04 LTS and focal-security for Ubuntu Server 20.04 LTS. Applies to Linux-based managed nodes only.

        • PatchStatus (dict) --

          The status of the patch in a patch baseline. This includes information about whether the patch is currently approved, due to be approved by a rule, explicitly approved, or explicitly rejected and the date the patch was or will be approved.

          • DeploymentStatus (string) --

            The approval status of a patch.

          • ComplianceLevel (string) --

            The compliance severity level for a patch.

          • ApprovalDate (datetime) --

            The date the patch was approved (or will be approved if the status is PENDING_APPROVAL).

    • NextToken (string) --

      The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.


Exceptions

  • SSM.Client.exceptions.InvalidResourceId
  • SSM.Client.exceptions.DoesNotExistException
  • SSM.Client.exceptions.UnsupportedOperatingSystem
  • SSM.Client.exceptions.InternalServerError
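
An added example, not part of the AWS documentation: it follows NextToken until the service returns an empty token and lists Critical or Important patches whose DeploymentStatus shows the baseline does not currently approve them. StubSSM, the KB numbers, the dates, the token "page-2" and the baseline ID pb-EXAMPLE are constructed placeholders; in real use pass boto3.client('ssm') and a real baseline ID.

```python
from datetime import datetime, timezone

NOT_APPROVED = {"PENDING_APPROVAL", "EXPLICIT_REJECTED"}

def iter_effective_patches(client, baseline_id, page_size=50):
    """Yield every EffectivePatch dict, following NextToken until it is empty."""
    kwargs = {"BaselineId": baseline_id, "MaxResults": page_size}
    while True:
        page = client.describe_effective_patches_for_patch_baseline(**kwargs)
        yield from page.get("EffectivePatches", [])
        token = page.get("NextToken")
        if not token:  # missing or empty string means this was the last page
            return
        kwargs["NextToken"] = token

def approval_gaps(client, baseline_id, severities=("Critical", "Important")):
    """List high-severity patches the baseline does not currently approve."""
    gaps = []
    for item in iter_effective_patches(client, baseline_id):
        patch, status = item.get("Patch", {}), item.get("PatchStatus", {})
        if (patch.get("MsrcSeverity") in severities
                and status.get("DeploymentStatus") in NOT_APPROVED):
            gaps.append((patch.get("KbNumber"), patch.get("MsrcSeverity"),
                         status.get("DeploymentStatus"), status.get("ApprovalDate")))
    return gaps

def _item(kb, sev, state, day):
    # Constructed sample record using only fields from the response structure.
    return {"Patch": {"KbNumber": kb, "MsrcSeverity": sev},
            "PatchStatus": {"DeploymentStatus": state,
                            "ApprovalDate": datetime(2024, 1, day, tzinfo=timezone.utc)}}

class StubSSM:
    """Constructed stand-in for boto3.client('ssm'); serves two canned pages."""
    PAGES = {
        None: {"EffectivePatches": [_item("KB0000001", "Critical", "APPROVED", 2),
                                    _item("KB0000002", "Critical", "PENDING_APPROVAL", 9)],
               "NextToken": "page-2"},
        "page-2": {"EffectivePatches": [_item("KB0000003", "Moderate", "PENDING_APPROVAL", 9),
                                        _item("KB0000004", "Important", "EXPLICIT_REJECTED", 5)],
                   "NextToken": ""},
    }

    def describe_effective_patches_for_patch_baseline(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]

if __name__ == "__main__":
    for kb, sev, state, when in approval_gaps(StubSSM(), "pb-EXAMPLE"):
        print(f"{kb}  {sev:<9}  {state:<17}  {when:%Y-%m-%d}")
```

For a PENDING_APPROVAL entry, ApprovalDate is the date the patch will be approved, so the output shows how long a high-severity patch stays unapproved under the baseline's rules.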