DEV Community

Cover image for Building an Enterprise Patching Dashboard with AWS - A Complete Guide
Debapriya Dey
Debapriya Dey

Posted on

Building an Enterprise Patching Dashboard with AWS - A Complete Guide

#aws #devops #cloud #dataengineering

Learn how to build a centralized patching and inventory management solution using AWS Systems Manager, Glue, Athena, and QuickSight

The Problem

Imagine managing 50+ EC2 instances across multiple AWS regions. Your security team asks: "Which servers are missing critical patches?"

Without proper tooling, you'd need to:

  • SSH into each server manually
  • Run patch compliance checks one by one
  • Compile results in a spreadsheet
  • Repeat this process weekly

Time required: 2-3 hours. Accuracy: Questionable. Scalability: Impossible.

There had to be a better way.

The Solution

I built an enterprise-grade patching and inventory management dashboard that automatically:

  • ✅ Collects inventory from all EC2 instances across regions
  • ✅ Tracks patch compliance in real-time
  • ✅ Visualizes data in interactive dashboards
  • ✅ Enables natural language queries with Amazon Q
  • ✅ Requires zero manual intervention

Time to check compliance: 5 seconds. Accuracy: 100%. Scalability: Unlimited.

Architecture Overview

SSM Inventory to Quicksight Architecture

The solution uses a serverless, 4-layer architecture:

What Makes This Special?

1. Multi-Region Architecture

I implemented two network patterns to demonstrate real-world scenarios:

Pattern 1: Private Subnet with VPC Endpoints (eu-central-1)

  • 2 Amazon Linux instances in private subnets
  • Zero internet access
  • Communication via VPC endpoints (SSM, S3)
  • Perfect for production workloads requiring strict isolation

Pattern 2: Public Subnet with Internet Gateway (eu-west-1)

  • 1 Windows instance
  • Internet gateway for updates
  • Suitable for dev/test environments

2. Automated Data Pipeline

Systems Manager collects 9 types of inventory data:

  • Instance information (OS, platform, IP addresses)
  • Patch compliance status
  • Installed applications and versions
  • Windows updates
  • Network configurations
  • Running services
  • File inventory
  • Custom tags

All data automatically syncs to a central S3 bucket every 30 minutes.

3. Serverless Processing

AWS Glue crawlers automatically:

  • Discover new inventory data
  • Create/update table schemas
  • Catalog data for querying

No servers to manage, no infrastructure to maintain.

4. Interactive Dashboards

QuickSight dashboards provide:

  • Patch Compliance Overview: See compliance percentage at a glance
  • Missing Patches by Severity: Prioritize critical updates
  • Instance Inventory: Group by region, OS, or application
  • Trend Analysis: Track compliance over time

Bonus: Amazon Q integration enables natural language queries like:

"Show me all Windows servers in eu-west-1 missing critical patches"

Implementation Guide

Step 1: Setup EC2 Instances

Region 1: eu-central-1 (Private Subnet)

# Create VPC with private subnet
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --region eu-central-1

# Create VPC Endpoints for SSM
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-xxxxx \
  --service-name com.amazonaws.eu-central-1.ssm \
  --vpc-endpoint-type Interface

# Launch instances with SSM role
aws ec2 run-instances \
  --image-id ami-xxxxx \
  --instance-type t3.micro \
  --iam-instance-profile Name=SSMInstanceProfile \
  --subnet-id subnet-xxxxx \
  --count 2
Enter fullscreen mode Exit fullscreen mode

Region 2: eu-west-1 (Public Subnet)

# Launch Windows instance
aws ec2 run-instances \
  --image-id ami-xxxxx \
  --instance-type t3.micro \
  --iam-instance-profile Name=SSMInstanceProfile \
  --subnet-id subnet-xxxxx \
  --region eu-west-1
Enter fullscreen mode Exit fullscreen mode

Step 2: Configure Systems Manager Inventory 

# Create S3 bucket for inventory data
aws s3 mb s3://my-ssm-inventory-bucket --region eu-central-1

# Create Resource Data Sync (aggregates multi-region data)
aws ssm create-resource-data-sync \
  --sync-name my-inventory-sync \
  --s3-destination "BucketName=my-ssm-inventory-bucket,Region=eu-central-1"

# Enable inventory collection
aws ssm create-association \
  --name AWS-GatherSoftwareInventory \
  --targets "Key=InstanceIds,Values=*" \
  --schedule-expression "rate(30 minutes)"
Enter fullscreen mode Exit fullscreen mode

Step 3: Setup AWS Glue 

# Create Glue database
aws glue create-database \
  --database-input '{"Name":"ssm_inventory_db"}'

# Create Glue crawler
aws glue create-crawler \
  --name ssm-inventory-crawler \
  --role GlueServiceRole \
  --database-name ssm_inventory_db \
  --targets '{"S3Targets":[{"Path":"s3://my-ssm-inventory-bucket/"}]}'

# Run crawler
aws glue start-crawler --name ssm-inventory-crawler
Enter fullscreen mode Exit fullscreen mode

Step 4: Query with Athena 

-- Check patch compliance across all instances
SELECT 
    instanceid,
    platformname,
    patchgroup,
    installedcount,
    missingcount,
    failedcount,
    ROUND(installedcount * 100.0 / (installedcount + missingcount), 2) as compliance_percentage
FROM ssm_inventory_db.aws_patchsummary
WHERE missingcount > 0
ORDER BY missingcount DESC;

-- Find instances with critical missing patches
SELECT 
    instanceid,
    title,
    severity,
    state
FROM ssm_inventory_db.aws_patchcompliance
WHERE state = 'Missing' 
  AND severity = 'Critical';
Enter fullscreen mode Exit fullscreen mode

Step 5: Create QuickSight Dashboard

  1. Subscribe to QuickSight Enterprise Edition
  2. Grant S3 and Athena permissions
  3. Create datasets from Athena tables
  4. Build visualizations:
    • Donut chart: Patch compliance percentage
    • Bar chart: Missing patches by severity
    • Table: Instance inventory with drill-down
    • Line chart: Compliance trends over time

Analysis Dashboard

Analysis Dashboard

Analysis Dashboard

Data Flow

End to End Data Pipeline

SSM Data Pipeline-5 Stage Flow

Key Insights & Learnings

1. VPC Endpoints Are Essential

For private subnet instances, VPC endpoints are non-negotiable. Without them, SSM agents can't communicate with AWS services.

Cost: ~$0.01/hour per endpoint (~$7/month)
Value: Priceless for security compliance

2. Resource Data Sync Simplifies Multi-Region

Instead of managing separate S3 buckets per region, Resource Data Sync aggregates everything into one location. This makes Glue crawling and Athena queries much simpler.

3. Glue Crawlers Are Smart

Glue automatically detects schema changes and creates partitions. When SSM adds new inventory types, the crawler adapts without manual intervention.

4. QuickSight + Amazon Q = Game Changer

Non-technical stakeholders can ask questions in plain English:

  • "Which servers need patching?"
  • "Show me compliance by region"
  • "What applications are installed on production servers?"

No SQL knowledge required.

Cost Breakdown

For a 50-instance deployment:

Service Cost Notes
EC2 Variable Existing instances
Systems Manager $0 Inventory is free
S3 ~$1/month Minimal data storage
Glue ~$5/month Crawler runs + catalog
Athena ~$5/month $5 per TB scanned
QuickSight $24/user/month Enterprise Edition
VPC Endpoints ~$21/month 3 endpoints × $7

Total: ~$56/month for enterprise-grade visibility

Compare this to:

  • Manual process: 2-3 hours/week × $50/hour = $400-600/month
  • Third-party tools: $100-500/month

ROI: Positive from day one.

Real-World Impact

After implementing this solution:

Reduced patch compliance checking from 3 hours to 5 seconds
Identified 15 instances with critical missing patches immediately
Automated monthly compliance reports for security audits
Discovered unused applications, saving licensing costs
Enabled proactive patching before vulnerabilities are exploited

What's Next?

This PoC can be extended with:

  1. Automated Patching: Integrate with SSM Patch Manager for automatic remediation
  2. Alerting: SNS notifications when compliance drops below threshold
  3. Multi-Account: AWS Organizations integration for enterprise-wide visibility
  4. Custom Inventory: Track business-specific configurations
  5. Compliance Policies: Enforce patching SLAs with automated workflows

Lessons Learned

  1. Start small: Begin with 2-3 instances, validate the pipeline, then scale
  2. Test both network patterns: Private subnets require VPC endpoints
  3. Monitor Glue crawler costs: Schedule crawlers wisely (daily is usually enough)
  4. Use Athena partitions: Partition by date to reduce query costs

Conclusion

Building this enterprise patching dashboard taught me that visibility is the foundation of security. You can't patch what you can't see.

This solution demonstrates:

  • Multi-region AWS architecture
  • Serverless data engineering
  • Security best practices
  • Real-world problem solving

Whether you're managing 10 servers or 10,000, this pattern scales effortlessly.

The best part? It's 100% serverless. Deploy it, forget it, and let AWS handle the rest.

Reach Out to Us

Interested in modernizing your cloud infrastructure and implementing enterprise-grade solutions? Storm Reply is committed to continuous learning and innovation. Our team specializes in building scalable AWS architectures to support customers on their cloud journey—from initial assessment to full deployment.

With expertise in AWS architecture, data engineering, and security best practices, we can help enterprises migrate confidently and accelerate their cloud transformation.

Let's connect and discuss how we can support your modernization initiatives.

🌐 Visit: [https://www.stormreply.cloud/]

💼 LinkedIn: [https://www.linkedin.com/company/storm-reply/posts/?feedView=all]

Top comments (0)