
Is it possible to create an AWS CloudWatch metric which keeps track of the pending security updates on an EC2 (Ubuntu) instance? The idea is to have a quicker overview of EC2 instances that are in need of security patches. By creating a metric for this we can add it to a CloudWatch dashboard for a quicker overview instead of logging in and checking the pending security patches for each individual instance.

The instances have the aws-mon-scripts installed and already forward metrics such as disk usage and memory utilization. So perhaps this is the way to go?

To be clear, the required metric is specifically based upon the amount of available security patches that are prompted when logging into your EC2 instance. For example:

102 packages can be updated.
7 updates are security updates.
SolveSoul

1 Answer


The put-metric-data endpoint can be used to publish custom metrics to CloudWatch. It can be used with the CLI like this:

aws cloudwatch put-metric-data --namespace "Security Updates" --metric-data file://tmp/security_updates.json

In order to make this work you will need to write a bash script to store the number of updates in a JSON file in a format like this:

[
  {
    "MetricName": "Security Updates",
    "Timestamp": "Wednesday, June 12, 2013 8:28:20 PM",
    "Value": 5,
    "Unit": "Count"
  }
]

I would set up cron jobs to trigger the script to gather the number of available security updates and another cron job to publish the data points to CloudWatch.

If you are looking for an as-a-service solution you should check out Amazon Inspector, which integrates with CloudWatch as well.

Henrik Pingel
This works fine, thanks! I made a script which can be added to crontab so it automatically uploads this metric. Here's the script for reference: https://gist.github.com/SolveSoul/9cf6d757450caecefb4ff31fcc74d53f#file-ubuntu-patches-metrics-sh – SolveSoul May 26 '20 at 06:19
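The procedure the answer describes, written out as an added example (this is not the poster's gist and not code from the answer): read the counts that produce the MOTD lines quoted in the question, reject anything that is not two integers so an apt error is never published as a count, build the put-metric-data payload with an InstanceId dimension, and publish it. It assumes Ubuntu's update-notifier tool /usr/lib/update-notifier/apt-check, the AWS CLI, curl, an instance role that allows cloudwatch:PutMetricData, and the namespace and metric name used in the answer. The "102;7" sample and the instance id used in the dry run are constructed values.

```shell
#!/bin/sh
# Added example (not the poster's gist): count pending Ubuntu security updates
# and publish the count as a CloudWatch custom metric, following the answer's
# put-metric-data approach. Assumptions: Ubuntu's update-notifier apt-check
# tool, the AWS CLI, curl, and an instance role allowing cloudwatch:PutMetricData.
set -eu

NAMESPACE="Security Updates"
METRIC_NAME="Security Updates"
# Constructed sample of apt-check output; it matches the MOTD in the question
# ("102 packages can be updated. 7 updates are security updates.").
SAMPLE_APT_CHECK="102;7"

is_uint() { case "$1" in ""|*[!0-9]*) return 1 ;; esac; }

# apt-check prints "<all updates>;<security updates>" on stderr. Accept only
# exactly two integers, so an apt error message is never published as a count.
parse_security_count() {
    raw="$1"
    all="${raw%%;*}"
    sec="${raw#*;}"
    if [ "$all;$sec" != "$raw" ] || ! is_uint "$all" || ! is_uint "$sec"; then
        printf 'unexpected apt-check output: %s\n' "$raw" >&2
        return 1
    fi
    printf '%s\n' "$sec"
}

# Metric payload in the shape the answer shows, plus an InstanceId dimension so
# every instance gets its own series on the dashboard. ISO 8601 UTC timestamp.
build_metric_json() {
    count="$1"
    iid="$2"
    ts="${3:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    cat <<EOF
[
  {
    "MetricName": "${METRIC_NAME}",
    "Dimensions": [{ "Name": "InstanceId", "Value": "${iid}" }],
    "Timestamp": "${ts}",
    "Value": ${count},
    "Unit": "Count"
  }
]
EOF
}

# Instance id via IMDSv2 (session token first, then the metadata request).
instance_id() {
    token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -sS -H "X-aws-ec2-metadata-token: ${token}" \
        "http://169.254.169.254/latest/meta-data/instance-id"
}

publish() {
    aws cloudwatch put-metric-data --namespace "$NAMESPACE" --metric-data "file://$1"
}

main() {
    case "${1:-}" in
        --publish)
            # Real run (from cron): read apt-check, build the payload, publish it.
            raw=$(/usr/lib/update-notifier/apt-check 2>&1 || true)
            count=$(parse_security_count "$raw")
            json_file=$(mktemp)
            build_metric_json "$count" "$(instance_id)" > "$json_file"
            publish "$json_file"
            rm -f "$json_file"
            ;;
        *)
            # Dry run: constructed sample, placeholder instance id and fixed
            # timestamp; prints the payload and publishes nothing.
            count=$(parse_security_count "$SAMPLE_APT_CHECK")
            build_metric_json "$count" "i-0123456789abcdef0" "2020-05-26T06:19:00Z"
            ;;
    esac
}

main "$@"
```

Run it with no arguments to see the payload it would send; from cron, run it with `--publish` (for example every 30 minutes: `*/30 * * * * root /usr/local/bin/security_updates_metric.sh --publish`, path assumed). Because the count is published per InstanceId, a dashboard widget over the "Security Updates" namespace shows each instance as its own line, and a CloudWatch alarm on a threshold above 0 flags instances that still need patches.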