Is it possible to create an AWS CloudWatch metric which keeps track of the pending security updates on an EC2 (Ubuntu) instance? The idea is to have a quicker overview of EC2 instances that are in need of security patches. By creating a metric for this we can add it to a CloudWatch dashboard for a quicker overview instead of logging in and checking the pending security patches for each individual instance.
The instances have the aws-mon-scripts installed and already forward metrics such as disk usage and memory utilization. So perhaps this is the way to go?
To be clear, the required metric is specifically based upon the amount of available security patches that are prompted when logging into your EC2 instance. For example:
102 packages can be updated.
7 updates are security updates.
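One way to build such a metric, as an added example that is not part of the question: on Ubuntu the two motd lines quoted above come from `/usr/lib/update-notifier/apt-check` (package `update-notifier-common`), which without flags writes the machine-readable form `TOTAL;SECURITY` to stderr. The script below parses either the human-readable text (both the wording quoted in the question and the "N updates can be applied immediately / M of these updates are standard security updates" wording of newer releases) or the machine-readable output, and publishes the counts as custom CloudWatch metrics with the AWS CLI. The namespace `Custom/Patching`, the metric names and the `--publish` flag are assumptions of this example; it also assumes the AWS CLI is installed and the instance role allows `cloudwatch:PutMetricData`.

```shell
#!/usr/bin/env bash
# Added example (not from the question): publish pending Ubuntu security
# updates as a custom CloudWatch metric. Assumes update-notifier-common and
# the AWS CLI are installed and the instance role allows cloudwatch:PutMetricData.
set -eu

# Parse human-readable apt-check text into "TOTAL SECURITY".
# Handles "102 packages can be updated." / "7 updates are security updates."
# and the newer "N updates can be applied immediately." /
# "M of these updates are standard security updates." wording.
parse_update_counts() {
  local text="$1" total security
  total=$(printf '%s\n' "$text" | sed -n \
    -e 's/^\([0-9][0-9]*\) .*can be updated.*/\1/p' \
    -e 's/^\([0-9][0-9]*\) .*can be applied.*/\1/p' | head -n1)
  security=$(printf '%s\n' "$text" | sed -n \
    -e 's/^\([0-9][0-9]*\) .*security update.*/\1/p' | head -n1)
  printf '%s %s\n' "${total:-0}" "${security:-0}"
}

# Parse the machine-readable "TOTAL;SECURITY" form into "TOTAL SECURITY".
parse_machine_counts() {
  local raw="$1"
  printf '%s %s\n' "${raw%%;*}" "${raw##*;}"
}

# Live counts: apt-check without flags prints "TOTAL;SECURITY" on stderr.
get_live_counts() {
  local raw
  raw=$(/usr/lib/update-notifier/apt-check 2>&1 >/dev/null)
  parse_machine_counts "$raw"
}

# Publish both counts, tagged with the instance id (fetched via IMDSv2).
publish_metrics() {
  local total="$1" security="$2" namespace="Custom/Patching" token instance_id
  token=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  instance_id=$(curl -s -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/instance-id")
  aws cloudwatch put-metric-data --namespace "$namespace" --metric-data \
    "MetricName=PendingSecurityUpdates,Dimensions=[{Name=InstanceId,Value=$instance_id}],Unit=Count,Value=$security" \
    "MetricName=PendingUpdates,Dimensions=[{Name=InstanceId,Value=$instance_id}],Unit=Count,Value=$total"
}

# Run with --publish (e.g. from cron) to collect and push; without it the
# functions are only defined, so the parser can be exercised offline.
if [ "${1:-}" = "--publish" ]; then
  set -- $(get_live_counts)
  publish_metrics "$1" "$2"
fi
```

Run it from cron (for example every few hours) with `--publish`; `PendingSecurityUpdates` can then go on the dashboard and, via `put-metric-alarm`, drive an alarm when it stays above zero. Keep in mind that `apt-check` reports against the local package lists, so the metric is only as fresh as the last `apt-get update` on the instance.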