PatchInspect is a serverless solution that computes patch compliance percentages for each server in your AWS environment using AWS Lambda and Systems Manager (SSM). Utilizing this tool makes it simple to oversee patch compliance across your whole AWS infrastructure.
- Serverless: PatchInspect is built on AWS Lambda, making it cost-effective and scalable.
- Automated: It automatically collects and computes patch compliance, reducing manual effort.
- Customizable: You can customize PatchInspect to fit your organization's patch compliance policies.
- Reporting: Obtain patch compliance reports as raw findings in JSON format.
- Logging: PatchInspect logs findings in a CloudWatch Log Group for further analysis.
Before getting started with PatchInspect, make sure you have the following prerequisites:
- An AWS account with appropriate permissions to create and manage Lambda functions, SSM resources, EventBridge rules, and CloudWatch Logs.
- AWS CLI installed and configured with the necessary credentials.
- Terraform installed on your local machine.
To deploy PatchInspect in your AWS environment using Terraform, follow these steps:
1. Clone this GitHub repository:

   ```
   git clone https://github.com/yourusername/PatchInspect.git
   ```

2. Navigate to the PatchInspect directory:

   ```
   cd PatchInspect
   ```

3. Initialize Terraform:

   ```
   terraform init
   ```

4. Review and customize the following configuration files to match your AWS environment:
   - `variables.tf`: Define Terraform variables that can be customized.
   - `terraform.auto.tfvars`: Provide values for the Terraform variables, including AWS region, tags, IAM roles, and other settings.

5. Apply the Terraform configuration to create the necessary resources:

   ```
   terraform apply
   ```

6. Once the deployment is complete, PatchInspect will be up and running in your AWS environment.
- By default, the Lambda function runs every Monday morning on a predetermined AWS EventBridge schedule and checks patch compliance for all servers in the accounts listed in `accounts.json`. The schedule can be set to any interval (hours, days, or weeks), and the function can also be triggered on demand if required.
Patch compliance reports are obtained as raw findings for each server in JSON format. You can export and analyze these findings using your preferred log analysis or visualization tool.
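To make the "compliance percentage per server" and "raw findings in JSON" concrete, here is an added example of how such a Lambda could score SSM patch states. It is not PatchInspect's own code: the compliance formula (installed baseline patches over installed + pending-reboot + missing + failed), the 95% threshold, the `status` labels and the sample instance records are all assumptions made for this illustration. The record shape mirrors the count fields returned by the SSM `DescribeInstancePatchStates` API; the fetch helper takes a caller-supplied boto3 client so the module itself runs offline.

```python
"""Score per-instance patch compliance from SSM patch states and emit JSON findings."""
import json
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample records in the shape of
# ssm.describe_instance_patch_states(...)["InstancePatchStates"].
# Only the count fields used below are filled in; the real API returns more.
SAMPLE_PATCH_STATES: List[Dict[str, Any]] = [
    {"InstanceId": "i-0aaa111", "PatchGroup": "prod-linux",
     "InstalledCount": 45, "InstalledOtherCount": 5,
     "InstalledPendingRebootCount": 2, "MissingCount": 2, "FailedCount": 1},
    {"InstanceId": "i-0bbb222", "PatchGroup": "prod-linux",
     "InstalledCount": 10, "InstalledOtherCount": 0,
     "InstalledPendingRebootCount": 0, "MissingCount": 0, "FailedCount": 0},
    {"InstanceId": "i-0ccc333", "PatchGroup": "unbaselined",
     "InstalledCount": 0, "InstalledOtherCount": 0,
     "InstalledPendingRebootCount": 0, "MissingCount": 0, "FailedCount": 0},
]

NON_COMPLIANT_FIELDS = ("InstalledPendingRebootCount", "MissingCount", "FailedCount")


def compliance_percent(state: Dict[str, Any]) -> Optional[float]:
    """Percentage of baseline patches that are installed and effective.

    Assumed definition (not the project's documented one): InstalledCount over
    InstalledCount plus every patch that is pending a reboot, missing or failed.
    InstalledOtherCount is ignored because those patches are outside the baseline.
    Returns None when no baseline patches were reported at all, so callers flag
    "no data" rather than silently scoring the instance as 100% compliant.
    """
    installed = int(state.get("InstalledCount", 0))
    total = installed + sum(int(state.get(k, 0)) for k in NON_COMPLIANT_FIELDS)
    if total == 0:
        return None
    return round(100.0 * installed / total, 2)


def build_findings(states: Iterable[Dict[str, Any]],
                   threshold: float = 95.0) -> List[Dict[str, Any]]:
    """Turn raw patch states into one JSON-serialisable finding per instance."""
    findings = []
    for state in states:
        pct = compliance_percent(state)
        if pct is None:
            status = "NO_DATA"
        elif pct >= threshold:
            status = "COMPLIANT"
        else:
            status = "NON_COMPLIANT"
        findings.append({
            "instance_id": state.get("InstanceId"),
            "patch_group": state.get("PatchGroup"),
            "compliance_percent": pct,
            "missing": int(state.get("MissingCount", 0)),
            "failed": int(state.get("FailedCount", 0)),
            "pending_reboot": int(state.get("InstalledPendingRebootCount", 0)),
            "status": status,
        })
    return findings


def summarize(findings: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Fleet-level rollup; instances with no data are excluded from the average."""
    scored = [f["compliance_percent"] for f in findings if f["compliance_percent"] is not None]
    return {
        "compliant": sum(f["status"] == "COMPLIANT" for f in findings),
        "non_compliant": sum(f["status"] == "NON_COMPLIANT" for f in findings),
        "no_data": sum(f["status"] == "NO_DATA" for f in findings),
        "fleet_average_percent": round(sum(scored) / len(scored), 2) if scored else None,
    }


def fetch_patch_states(ssm_client, instance_ids: List[str]) -> List[Dict[str, Any]]:
    """Pull patch states for the given instances, following NextToken pages.

    ssm_client is a boto3 SSM client created by the caller; IDs are sent in
    batches of 50, the per-call limit of DescribeInstancePatchStates.
    """
    states: List[Dict[str, Any]] = []
    for i in range(0, len(instance_ids), 50):
        kwargs: Dict[str, Any] = {"InstanceIds": instance_ids[i:i + 50]}
        while True:
            page = ssm_client.describe_instance_patch_states(**kwargs)
            states.extend(page.get("InstancePatchStates", []))
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
    return states


def emit_findings(findings: List[Dict[str, Any]]) -> None:
    """One JSON object per line on stdout, which Lambda ships to CloudWatch Logs."""
    for finding in findings:
        print(json.dumps(finding, sort_keys=True))
    print(json.dumps({"summary": summarize(findings)}, sort_keys=True))


if __name__ == "__main__":
    # Offline run over the constructed sample; in Lambda you would call
    # fetch_patch_states(boto3.client("ssm"), ids) instead.
    emit_findings(build_findings(SAMPLE_PATCH_STATES))
```

The threshold is deliberately a parameter: a fleet-wide rule such as "95% or better" is exactly the kind of policy the README says you can tailor, and keeping it out of the scoring function makes the percentage itself auditable independent of the verdict.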
### variables.tf and terraform.auto.tfvars

- `variables.tf`: This file defines Terraform variables that can be customized. Review and modify this file to suit your configuration needs.
- `terraform.auto.tfvars`: Provide values for the Terraform variables in this file. Include AWS region, tags, IAM roles, and other settings as required.
PatchInspect logs its findings in a CloudWatch Log Group named `PatchInspect_findings`. You can configure log retention policies and access controls for this log group in the AWS Management Console.
To visualize and analyze the findings logged by PatchInspect, you can integrate the CloudWatch Logs with visualization tools like ELK (Elasticsearch, Logstash, Kibana) or other log analysis solutions. Here are the general steps:
- Set up Elasticsearch: Create an Elasticsearch cluster where the log data will be stored.
- Set up Logstash: Configure Logstash to pull data from the CloudWatch Log Group and send it to Elasticsearch.
- Set up Kibana: Use Kibana to create custom dashboards and visualizations for your log data.
- Configure Log Forwarding: Ensure that CloudWatch Logs are configured to forward log data to your Logstash instance.
- Analyze Data: Access Kibana to analyze and visualize your PatchInspect findings easily.
We welcome contributions to PatchInspect! If you have any ideas for improvements, bug fixes, or new features, please open an issue or submit a pull request. Check out our contributing guidelines for more details.
This project is licensed under the Apache License 2.0. You are free to use, modify, and distribute the code as per the terms of the license.