AWS Cloud Operations Blog
Identify AWS Systems Manager Patch Compliance Status with AWS CloudTrail Lake
Security and compliance are a shared responsibility between AWS and the customer. The shared responsibility model distinguishes Security of the Cloud, which AWS owns, from Security in the Cloud, which the customer owns and which includes patching Amazon EC2 instances. Customers running workloads on EC2 instances may be asked to provide patch compliance status during security audits.
AWS CloudTrail helps you enable operational and risk auditing, governance, and compliance of your AWS account. If you need to identify specific CloudTrail events, AWS CloudTrail Lake lets you run SQL-based queries against them. CloudTrail Lake also integrates with AWS Config to ingest and query configuration items: an event data store keeps the history of resource changes recorded by AWS Config, and you can query that history to reconstruct the patch compliance status of EC2 instances over time.
One use case for CloudTrail Lake with AWS Config is identifying the patch compliance status of AWS Systems Manager-managed EC2 instances. If a security audit requires historical data, you can run SQL-based queries to retrieve the historical patch compliance status. Customers using AWS Organizations can use CloudTrail Lake to ingest AWS Config compliance data across accounts, so a single query produces an organization-wide view of EC2 patch compliance.
In this post, we provide an overview of CloudTrail Lake with AWS Config and guide you through the steps to run SQL-based queries to identify patch compliance status.
Overview of solution
The following diagram shows the architecture of the CloudTrail Lake integration with AWS Config and how developers can run SQL-based queries.
Figure 1: Architectural diagram for CloudTrail Lake, AWS Config, and Systems Manager
- EC2 instances are running with the AWS Systems Manager Agent (SSM Agent) installed.
- Systems Manager manages the EC2 instances and patches them through Patch Manager.
- AWS Config evaluates the ec2-managedinstance-patch-compliance-status-check rule, and the AWS Config recorder records Systems Manager patch compliance information as configuration items.
- The CloudTrail Lake event data store captures AWS Config configuration changes and compliance updates.
- Developers run SQL-based queries to identify the current and historical Systems Manager patch compliance status.
For this solution, you pay for CloudTrail Lake ingestion and storage as well as for the amount of data scanned by your queries. For AWS Config, you pay for the configuration items recorded in your AWS account per AWS Region and for AWS Config rule evaluations. Running EC2 instances also has a cost. See CloudTrail Lake pricing, AWS Config pricing, and EC2 pricing.
Prerequisites
- The ec2-managedinstance-patch-compliance-status-check rule enabled in AWS Config
- AWS Systems Manager Agent (SSM Agent) installed on the EC2 instances
- EC2 instances managed by Systems Manager
- EC2 instances that report patch compliance data to Systems Manager (for example, after a Patch Manager scan)
- An IAM user or role with the following least-privilege policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudTrailLakeQueryBlog",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:ListEventDataStores",
                "cloudtrail:DeleteEventDataStore",
                "cloudtrail:CreateEventDataStore",
                "cloudtrail:UpdateEventDataStore",
                "cloudtrail:DescribeQuery",
                "cloudtrail:GetEventDataStore",
                "cloudtrail:StartEventDataStoreIngestion",
                "cloudtrail:StopEventDataStoreIngestion",
                "cloudtrail:StartQuery",
                "config:DescribeConfigurationRecorderStatus",
                "cloudtrail:GetQueryResults",
                "cloudtrail:CancelQuery"
            ],
            "Resource": "*"
        }
    ]
}
- (Optional) An S3 bucket with the bucket policy described in Amazon S3 bucket policy for CloudTrail Lake query results
Note that CreateEventDataStore, UpdateEventDataStore, DeleteEventDataStore, and the two ingestion actions are needed only for the create and clean-up steps of this walkthrough. A role that only runs audit queries can be limited to ListEventDataStores, GetEventDataStore, StartQuery, DescribeQuery, GetQueryResults, and CancelQuery, and "Resource" can be narrowed from "*" to the ARN of the event data store.
Walkthrough
Create a CloudTrail Lake event data store
AWS Config evaluates patch compliance status with the ec2-managedinstance-patch-compliance-status-check rule. Create an event data store that includes AWS Config configuration items, and use it to investigate non-compliant changes in your environment.
Follow the steps in the AWS CloudTrail documentation to create an event data store for configuration items. If you want to use AWS Organizations to query patch compliance status for EC2 instances across multiple accounts and Regions, make sure an AWS Config recorder exists in each account and Region. For a quick way to set up recording, see AWS Config recording.
Run CloudTrail Lake queries
CloudTrail Lake lets you run SQL-based queries against the event data store. The configuration item schema for the AWS Config event type is documented in Configuration item schema. The sample query referenced below selects fields such as configuration and tags.
Run a query
In the example queries, replace config_event_data_store_ID with the ID of your own event data store. You can find sample CloudTrail Lake queries in the cloud-trail-lake-query-samples GitHub repository.
First, download ssm-patch-compliance-all-ec2-instances.sql from the GitHub repository.
Navigate to the CloudTrail console in the Region where you created the CloudTrail Lake event data store. On the Query page, open a new editor tab and paste the sample query. The query does the following.
- It runs against the configuration items collected for the AWS::SSM::PatchCompliance resource type, which AWS Config records alongside the ec2-managedinstance-patch-compliance-status-check rule.
- It retrieves the account ID, Region, instance ID, and collection time, and outputs which patches are installed and which are not. See Understanding patch compliance state values for the possible patch states.
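The following query is an added example written for this post, not the ssm-patch-compliance-all-ec2-instances.sql file from the repository, and it shows the shape of such a query. The config_event_data_store_ID placeholder is the one the post uses; the eventData column names follow the CloudTrail Lake configuration item schema; the JSON paths into eventData.configuration ($["AWS:ComplianceItem"].Status and .Content) are my assumption about the layout of an AWS::SSM::PatchCompliance document, so compare them against the raw_configuration column of one row before relying on them.

```sql
-- Added example, not a query from the cloud-trail-lake-query-samples repository.
-- Replace config_event_data_store_ID with your event data store ID.
-- The JSON paths into eventData.configuration are assumed; verify them against
-- the raw_configuration column on a single row and adjust if the layout differs.
SELECT
    eventData.accountId      AS account_id,
    eventData.awsRegion      AS region,
    eventData.resourceId     AS instance_id,
    eventTime                AS collected_at,
    json_extract_scalar(eventData.configuration, '$["AWS:ComplianceItem"].Status')  AS patch_status,
    json_extract(eventData.configuration, '$["AWS:ComplianceItem"].Content')        AS patch_content,
    eventData.configuration  AS raw_configuration
FROM config_event_data_store_ID
WHERE eventData.resourceType = 'AWS::SSM::PatchCompliance'
  -- skip the final item written when a managed instance is deregistered or terminated
  AND eventData.configurationItemStatus <> 'ResourceDeleted'
  -- always bound eventTime: CloudTrail Lake bills per byte scanned
  AND eventTime > '2024-01-01 00:00:00'
ORDER BY eventTime DESC
LIMIT 100;
```

Keep the raw_configuration column in the result set during the first run; once the Status and Content paths are confirmed against it, drop the column to reduce the size of the result files written to S3.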
Once you run the query, you will see query results similar to the screenshot in Figure 2.
Figure 2: CloudTrail Lake query output
Additional CloudTrail Lake queries
You can find additional CloudTrail Lake queries in the GitHub repository. The following queries help you filter the patch status summary based on a specific instance ID and time range.
Adding a filter for EC2 instances
The query in ssm-patch-compliance-selected-ec2-instance.sql filters on a single EC2 instance. Replace <instance id> in the query with your own EC2 instance ID to identify the patch compliance status of that instance.
For a specific instance with a specific time range
The query in ssm-patch-compliance-selected-ec2-instance-time-range.sql adds a filter on eventTime, so you can search the patch compliance status of a specific instance within a specific time range.
For all instances with a specific time range
The query in ssm-patch-compliance-all-ec2-instances-time-range.sql identifies the patch compliance status of all instances within a specific time range.
For a list of EC2 instances (distinct)
The query in ssm-patch-compliance-distinct-ec2-instance-latest.sql returns one row per instance, without duplicate instance IDs, containing the latest compliance data for that instance. By default a CloudTrail Lake query returns several rows per instance, because AWS Config keeps the history of every configuration item.
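The following query is an added example for this post, not one of the repository's files, and it combines the three filters described in this section: a time range, an optional instance ID, and deduplication to the latest item per instance. It uses the post's config_event_data_store_ID placeholder and the eventData columns from the CloudTrail Lake configuration item schema; the JSON path $["AWS:ComplianceItem"].Status is my assumption about the AWS::SSM::PatchCompliance document and should be checked against the raw eventData.configuration of one row. The deduplication relies on the row_number() window function of the Presto/Trino SQL dialect that CloudTrail Lake accepts.

```sql
-- Added example, not a query from the cloud-trail-lake-query-samples repository.
-- Replace config_event_data_store_ID with your event data store ID; the JSON path
-- into eventData.configuration is assumed and must be checked against a raw row.
WITH patch_items AS (
    SELECT
        eventData.accountId  AS account_id,
        eventData.awsRegion  AS region,
        eventData.resourceId AS instance_id,
        eventTime            AS collected_at,
        json_extract_scalar(eventData.configuration, '$["AWS:ComplianceItem"].Status') AS patch_status,
        -- rank the items of each instance newest first; rank 1 is its latest state
        row_number() OVER (
            PARTITION BY eventData.accountId, eventData.awsRegion, eventData.resourceId
            ORDER BY eventTime DESC
        ) AS recency_rank
    FROM config_event_data_store_ID
    WHERE eventData.resourceType = 'AWS::SSM::PatchCompliance'
      AND eventData.configurationItemStatus <> 'ResourceDeleted'
      -- the time-range filter: the audit window being reported on
      AND eventTime > '2024-01-01 00:00:00'
      AND eventTime < '2024-02-01 00:00:00'
      -- the instance-ID filter: uncomment to restrict the result to one instance
      -- AND eventData.resourceId = '<instance id>'
)
SELECT account_id, region, instance_id, collected_at, patch_status
FROM patch_items
WHERE recency_rank = 1
-- NON_COMPLIANT sorts after COMPLIANT, so DESC lists the non-compliant instances first
ORDER BY patch_status DESC, account_id, region, instance_id;
```

Because the deduplication happens after the eventTime filter, the result is the last known state of each instance inside the audit window, which is what a point-in-time compliance report needs; an instance that stopped reporting before the window starts will not appear at all, so compare the instance count against your Systems Manager inventory rather than treating an empty result as compliant.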
(Optional) Save query results in S3
You can save the query results by selecting "Save results to S3" in the CloudTrail Lake query console. See View query results for more information about the query results tab in the console. You can download the result files and analyze the output locally with software such as Microsoft Excel.
If you would like to visualize the query output, you can use a service such as Amazon QuickSight. In QuickSight, you can create a dataset from the result files in S3 and build analyses and dashboards from it.
Clean up
CloudTrail Lake has ingestion and storage costs. When you no longer need the event data store, delete it by following the steps below.
- Go to the CloudTrail console, expand the Lake section, and choose Event data stores. Select the event data store created in the Create a CloudTrail Lake event data store section.
- On the event data store page, open the Actions dropdown and choose Change termination protection. Set termination protection to Disabled.
- Once termination protection is Disabled, choose Delete from the Actions dropdown.
Conclusion
In this post, we walked you through the steps to create a new CloudTrail Lake event data store and run CloudTrail Lake queries. Using the sample queries, you can retrieve the patch compliance status of Systems Manager-managed EC2 instances from the AWS Config configuration items. The output can be used to show the current or point-in-time patch compliance status for security audits.
Using the sample queries and walkthrough provided in this blog post, you can start developing additional queries to return additional information required for your use cases. Additionally, you can save query outputs in S3 and analyze the data by downloading the output files locally or using an AWS service such as QuickSight.