:doc:`SSM <../../ssm>` / Client / get_patch_baseline

******************
get_patch_baseline
******************



.. py:method:: SSM.Client.get_patch_baseline(**kwargs)

  

  Retrieves information about a patch baseline.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/GetPatchBaseline>`_  


  **Request Syntax**
  ::

    response = client.get_patch_baseline(
        BaselineId='string'
    )
    
  :type BaselineId: string
  :param BaselineId: **[REQUIRED]** 

    The ID of the patch baseline to retrieve.

     

    .. note::

      

      To retrieve information about an Amazon Web Services managed patch baseline, specify the full Amazon Resource Name (ARN) of the baseline. For example, for the baseline ``AWS-AmazonLinuxDefaultPatchBaseline``, specify ``arn:aws:ssm:us-east-2:733109147000:patchbaseline/pb-0e392de35e7c563b7`` instead of ``pb-0e392de35e7c563b7``.

      

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'BaselineId': 'string',
          'Name': 'string',
          'OperatingSystem': 'WINDOWS'|'AMAZON_LINUX'|'AMAZON_LINUX_2'|'AMAZON_LINUX_2022'|'UBUNTU'|'REDHAT_ENTERPRISE_LINUX'|'SUSE'|'CENTOS'|'ORACLE_LINUX'|'DEBIAN'|'MACOS'|'RASPBIAN'|'ROCKY_LINUX'|'ALMA_LINUX'|'AMAZON_LINUX_2023',
          'GlobalFilters': {
              'PatchFilters': [
                  {
                      'Key': 'ARCH'|'ADVISORY_ID'|'BUGZILLA_ID'|'PATCH_SET'|'PRODUCT'|'PRODUCT_FAMILY'|'CLASSIFICATION'|'CVE_ID'|'EPOCH'|'MSRC_SEVERITY'|'NAME'|'PATCH_ID'|'SECTION'|'PRIORITY'|'REPOSITORY'|'RELEASE'|'SEVERITY'|'SECURITY'|'VERSION',
                      'Values': [
                          'string',
                      ]
                  },
              ]
          },
          'ApprovalRules': {
              'PatchRules': [
                  {
                      'PatchFilterGroup': {
                          'PatchFilters': [
                              {
                                  'Key': 'ARCH'|'ADVISORY_ID'|'BUGZILLA_ID'|'PATCH_SET'|'PRODUCT'|'PRODUCT_FAMILY'|'CLASSIFICATION'|'CVE_ID'|'EPOCH'|'MSRC_SEVERITY'|'NAME'|'PATCH_ID'|'SECTION'|'PRIORITY'|'REPOSITORY'|'RELEASE'|'SEVERITY'|'SECURITY'|'VERSION',
                                  'Values': [
                                      'string',
                                  ]
                              },
                          ]
                      },
                      'ComplianceLevel': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'INFORMATIONAL'|'UNSPECIFIED',
                      'ApproveAfterDays': 123,
                      'ApproveUntilDate': 'string',
                      'EnableNonSecurity': True|False
                  },
              ]
          },
          'ApprovedPatches': [
              'string',
          ],
          'ApprovedPatchesComplianceLevel': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'INFORMATIONAL'|'UNSPECIFIED',
          'ApprovedPatchesEnableNonSecurity': True|False,
          'RejectedPatches': [
              'string',
          ],
          'RejectedPatchesAction': 'ALLOW_AS_DEPENDENCY'|'BLOCK',
          'PatchGroups': [
              'string',
          ],
          'CreatedDate': datetime(2015, 1, 1),
          'ModifiedDate': datetime(2015, 1, 1),
          'Description': 'string',
          'Sources': [
              {
                  'Name': 'string',
                  'Products': [
                      'string',
                  ],
                  'Configuration': 'string'
              },
          ],
          'AvailableSecurityUpdatesComplianceStatus': 'COMPLIANT'|'NON_COMPLIANT'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **BaselineId** *(string) --* 

        The ID of the retrieved patch baseline.

        
      

      - **Name** *(string) --* 

        The name of the patch baseline.

        
      

      - **OperatingSystem** *(string) --* 

        Returns the operating system specified for the patch baseline.

        
      

      - **GlobalFilters** *(dict) --* 

        A set of global filters used to exclude patches from the baseline.

        
        

        - **PatchFilters** *(list) --* 

          The set of patch filters that make up the group.

          
          

          - *(dict) --* 

            Defines which patches should be included in a patch baseline.

             

            A patch filter consists of a key and a set of values. The filter key is a patch property. For example, the available filter keys for ``WINDOWS`` are ``PATCH_SET``, ``PRODUCT``, ``PRODUCT_FAMILY``, ``CLASSIFICATION``, and ``MSRC_SEVERITY``.

             

            The filter values define a matching criterion for the patch property indicated by the key. For example, if the filter key is ``PRODUCT`` and the filter values are ``["Office 2013", "Office 2016"]``, then the filter accepts all patches where product name is either "Office 2013" or "Office 2016". The filter values can be exact values for the patch property given as a key, or a wildcard (*), which matches all values.

             

            You can view lists of valid values for the patch properties by running the ``DescribePatchProperties`` command. For information about which patch properties can be used with each major operating system, see  DescribePatchProperties.

            
            

            - **Key** *(string) --* 

              The key for the filter.

               

              Run the  DescribePatchProperties command to view lists of valid keys for each operating system type.

              
            

            - **Values** *(list) --* 

              The value for the filter key.

               

              Run the  DescribePatchProperties command to view lists of valid values for each key based on operating system type.

              
              

              - *(string) --* 
          
        
      
    
      

      - **ApprovalRules** *(dict) --* 

        A set of rules used to include patches in the baseline.

        
        

        - **PatchRules** *(list) --* 

          The rules that make up the rule group.

          
          

          - *(dict) --* 

            Defines an approval rule for a patch baseline.

            
            

            - **PatchFilterGroup** *(dict) --* 

              The patch filter group that defines the criteria for the rule.

              
              

              - **PatchFilters** *(list) --* 

                The set of patch filters that make up the group.

                
                

                - *(dict) --* 

                  Defines which patches should be included in a patch baseline.

                   

                  A patch filter consists of a key and a set of values. The filter key is a patch property. For example, the available filter keys for ``WINDOWS`` are ``PATCH_SET``, ``PRODUCT``, ``PRODUCT_FAMILY``, ``CLASSIFICATION``, and ``MSRC_SEVERITY``.

                   

                  The filter values define a matching criterion for the patch property indicated by the key. For example, if the filter key is ``PRODUCT`` and the filter values are ``["Office 2013", "Office 2016"]``, then the filter accepts all patches where product name is either "Office 2013" or "Office 2016". The filter values can be exact values for the patch property given as a key, or a wildcard (*), which matches all values.

                   

                  You can view lists of valid values for the patch properties by running the ``DescribePatchProperties`` command. For information about which patch properties can be used with each major operating system, see  DescribePatchProperties.

                  
                  

                  - **Key** *(string) --* 

                    The key for the filter.

                     

                    Run the  DescribePatchProperties command to view lists of valid keys for each operating system type.

                    
                  

                  - **Values** *(list) --* 

                    The value for the filter key.

                     

                    Run the  DescribePatchProperties command to view lists of valid values for each key based on operating system type.

                    
                    

                    - *(string) --* 
                
              
            
          
            

            - **ComplianceLevel** *(string) --* 

              A compliance severity level for all approved patches in a patch baseline.

              
            

            - **ApproveAfterDays** *(integer) --* 

              The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of ``7`` means that patches are approved seven days after they are released.

               

              Patch Manager evaluates patch release dates using Coordinated Universal Time (UTC). If the day represented by ``7`` is ``2025-11-16``, patches released between ``2025-11-16T00:00:00Z`` and ``2025-11-16T23:59:59Z`` will be included in the approval.

               

              This parameter is marked as ``Required: No``, but your request must include a value for either ``ApproveAfterDays`` or ``ApproveUntilDate``.

               

              Not supported for Debian Server or Ubuntu Server.

               

              .. warning::

                 

                Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the **Windows Server** tab in the topic `How security patches are selected <https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-selecting-patches.html>`__ in the *Amazon Web Services Systems Manager User Guide*.

                

              
            

            - **ApproveUntilDate** *(string) --* 

              The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically.

               

              Enter dates in the format ``YYYY-MM-DD``. For example, ``2025-11-16``.

               

              Patch Manager evaluates patch release dates using Coordinated Universal Time (UTC). If you enter the date ``2025-11-16``, patches released between ``2025-11-16T00:00:00Z`` and ``2025-11-16T23:59:59Z`` will be included in the approval.

               

              This parameter is marked as ``Required: No``, but your request must include a value for either ``ApproveUntilDate`` or ``ApproveAfterDays``.

               

              Not supported for Debian Server or Ubuntu Server.

               

              .. warning::

                 

                Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the **Windows Server** tab in the topic `How security patches are selected <https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-selecting-patches.html>`__ in the *Amazon Web Services Systems Manager User Guide*.

                

              
            

            - **EnableNonSecurity** *(boolean) --* 

              For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is ``false``. Applies to Linux managed nodes only.

              
        
      
    
      

      - **ApprovedPatches** *(list) --* 

        A list of explicitly approved patches for the baseline.

        
        

        - *(string) --* 
    
      

      - **ApprovedPatchesComplianceLevel** *(string) --* 

        Returns the specified compliance severity level for approved patches in the patch baseline.

        
      

      - **ApprovedPatchesEnableNonSecurity** *(boolean) --* 

        Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is ``false``. Applies to Linux managed nodes only.

        
      

      - **RejectedPatches** *(list) --* 

        A list of explicitly rejected patches for the baseline.

        
        

        - *(string) --* 
    
      

      - **RejectedPatchesAction** *(string) --* 

        The action specified to take on patches included in the ``RejectedPatches`` list. A patch can be allowed only if it is a dependency of another package, or blocked entirely along with packages that include it as a dependency.

        
      

      - **PatchGroups** *(list) --* 

        Patch groups included in the patch baseline.

        
        

        - *(string) --* 
    
      

      - **CreatedDate** *(datetime) --* 

        The date the patch baseline was created.

        
      

      - **ModifiedDate** *(datetime) --* 

        The date the patch baseline was last modified.

        
      

      - **Description** *(string) --* 

        A description of the patch baseline.

        
      

      - **Sources** *(list) --* 

        Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.

        
        

        - *(dict) --* 

          Information about the patches to use to update the managed nodes, including target operating systems and source repository. Applies to Linux managed nodes only.

          
          

          - **Name** *(string) --* 

            The name specified to identify the patch source.

            
          

          - **Products** *(list) --* 

            The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09", "RedhatEnterpriseLinux7.2" or "Suse12.7". For lists of supported product values, see  PatchFilter.

            
            

            - *(string) --* 
        
          

          - **Configuration** *(string) --* 

            The value of the repo configuration.

             

            **Example for yum repositories**

             

            ``[main]``

             

            ``name=MyCustomRepository``

             

            ``baseurl=https://my-custom-repository``

             

            ``enabled=1``

             

            For information about other options available for your yum repository configuration, see `dnf.conf(5) <https://man7.org/linux/man-pages/man5/dnf.conf.5.html>`__ on the *man7.org* website.

             

            **Examples for Ubuntu Server and Debian Server**

             

            ``deb http://security.ubuntu.com/ubuntu jammy main``

             

            ``deb https://site.example.com/debian distribution component1 component2 component3``

             

            Repo information for Ubuntu Server repositories must be specifed in a single line. For more examples and information, see `jammy (5) sources.list.5.gz <https://manpages.ubuntu.com/manpages/jammy/man5/sources.list.5.html>`__ on the *Ubuntu Server Manuals* website and `sources.list format <https://wiki.debian.org/SourcesList#sources.list_format>`__ on the *Debian Wiki*.

            
      
    
      

      - **AvailableSecurityUpdatesComplianceStatus** *(string) --* 

        Indicates the compliance status of managed nodes for which security-related patches are available but were not approved. This preference is specified when the ``CreatePatchBaseline`` or ``UpdatePatchBaseline`` commands are run.

         

        Applies to Windows Server managed nodes only.

        
  
  **Exceptions**
  
  *   :py:class:`SSM.Client.exceptions.DoesNotExistException`

  
  *   :py:class:`SSM.Client.exceptions.InvalidResourceId`

  
  *   :py:class:`SSM.Client.exceptions.InternalServerError`

  