We are using SSM Patch Manager for patching EC2 instances. However, even after running Patch Manager, the sudo yum check-update command in the EC2 instance shell provides a list of packages that need to be updated on the instances. Command execution is successful from SSM, and security patches are getting successfully applied. Providing the output of the sudo yum check-update command on an EC2 instance after running Patch Manager.
Note: In the patch baseline, we are selecting patches from all classifications and also with all severities.
sudo yum check-update output:
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd

git.x86_64              2.23.1-1.amzn2.0.2         amzn2-core
git-core.x86_64         2.23.1-1.amzn2.0.2         amzn2-core
git-core-doc.noarch     2.23.1-1.amzn2.0.2         amzn2-core
kernel.x86_64           4.14.173-137.229.amzn2     amzn2-core
kernel-devel.x86_64     4.14.173-137.229.amzn2     amzn2-core
kernel-headers.x86_64   4.14.173-137.229.amzn2     amzn2-core
kernel-tools.x86_64     4.14.173-137.229.amzn2     amzn2-core
perl-Git.noarch         2.23.1-1.amzn2.0.2         amzn2-core
Security: kernel-4.14.173-137.228.amzn2.x86_64 is an installed security update
Security: kernel-4.14.165-133.209.amzn2.x86_64 is the currently running version
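Added example, not part of the original post: a shell check that splits what yum check-update still lists into the pending package rows and the two kernel notes at the end, since the output mixes two different conditions together. On Amazon Linux 2, Patch Manager installs updates that are not tied to a security advisory only when the baseline's approval rule has "Include non-security updates" (EnableNonSecurity) set, and the two Security: lines mean a kernel update is installed on disk but not active until the instance is rebooted; the sample text in the script is constructed to match the post's output format.

```shell
#!/bin/sh
# Added example, not part of the original post: classify what `yum check-update`
# still lists after a Patch Manager run and flag a pending kernel reboot.
# SAMPLE_CHECK_UPDATE is constructed to match the post's output format.
SAMPLE_CHECK_UPDATE='Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
git.x86_64             2.23.1-1.amzn2.0.2        amzn2-core
git-core.x86_64        2.23.1-1.amzn2.0.2        amzn2-core
kernel.x86_64          4.14.173-137.229.amzn2    amzn2-core
kernel-tools.x86_64    4.14.173-137.229.amzn2    amzn2-core
Security: kernel-4.14.173-137.228.amzn2.x86_64 is an installed security update
Security: kernel-4.14.165-133.209.amzn2.x86_64 is the currently running version'

# Print "name version repo" for each pending package read from stdin; skips the
# plugin banner and Security: notes, re-joins entries yum wraps onto two lines.
pending_packages() {
    awk 'NF == 1 && $1 !~ /:$/ { name = $1; next }
         NF == 2 && name != "" { print name, $1, $2; name = ""; next }
         NF == 3 && $1 != "Security:" { print $1, $2, $3 }'
}

# Number of pending packages in the check-update text on stdin.
pending_count() {
    pending_packages | awk 'END { print NR }'
}

# Kernel version from the "installed security update" or "currently running
# version" note ($1 = installed | running); prints nothing if the note is absent.
note_kernel() {
    awk -v want="$1" '$1 == "Security:" && $2 ~ /^kernel-/ && index($0, want) {
        v = $2; sub(/^kernel-/, "", v); sub(/\.[^.]*$/, "", v); print v; exit }'
}

# Succeeds when the installed kernel differs from the running one, i.e. the
# security update is on disk but the instance has not been rebooted into it.
kernel_reboot_pending() {
    text=$(cat)
    installed=$(printf '%s\n' "$text" | note_kernel installed)
    running=$(printf '%s\n' "$text" | note_kernel running)
    [ -n "$installed" ] && [ "$installed" != "$running" ]
}

# Stand-alone run over the sample; on a live instance pipe real output instead.
main() {
    printf '%s\n' "$SAMPLE_CHECK_UPDATE" | pending_packages
    echo "pending packages: $(printf '%s\n' "$SAMPLE_CHECK_UPDATE" | pending_count)"
    if printf '%s\n' "$SAMPLE_CHECK_UPDATE" | kernel_reboot_pending; then
        echo "reboot pending: installed kernel is not the running kernel"
    fi
}
main
```

On a live instance, run sudo yum check-update | pending_packages and compare with sudo yum --security check-update to see which of the remaining rows the baseline would never have applied.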