How do I use Quick Suite to manage and view the Systems Manager patch and association compliance data for all my accounts?

7 minute read

I want to use Amazon Quick Suite to manage and view patch and association compliance data for AWS Systems Manager.

Resolution

Configure the prerequisite services

Before you use Quick Suite to manage and view compliance data, set up Inventory, a capability of AWS Systems Manager, and resource data sync in your AWS account.

You can use the resource data sync setup for multiple accounts and AWS Regions, and synchronize the data to a central Amazon Simple Storage Service (Amazon S3) bucket.

Systems Manager Inventory uses AWS Glue to aggregate the inventory data in the Amazon S3 bucket. AWS Glue uses the Amazon-GlueServiceRoleForSSM role to aggregate the data. If the S3 bucket is encrypted with AWS Key Management Service (AWS KMS) keys, then edit the Amazon-GlueServiceRoleForSSM role permissions to use AWS KMS keys. You must also configure your AWS Identity and Access Management (IAM) user for AWS KMS encryption.

By default, AWS Glue crawler aggregates the inventory data in the central S3 bucket twice daily. The AWS Glue crawler updates data based on this schedule. To modify the frequency, edit the AWS Glue crawler schedule.

Amazon Athena queries data that appears on the Detailed View page of the Systems Manager console. You can access this data only in Regions where Amazon Athena is available. To join multiple Amazon Athena tables, create a joined dataset in Quick Sight.

After you set up Systems Manager inventory, resource data sync, AWS Glue and Amazon Athena access, you can set up your Quick Suite account.

Set up a Quick Suite account

If you don't have a Quick Suite account, then complete the following steps:

Use an IAM identity that has Quick Suite permissions to sign in to the AWS Management Console.
In the navigation pane, choose Amazon Quick Suite, and then choose Sign up for Amazon Quick Suite.
Choose Enterprise or Enterprise + Q.
-or-
Choose Sign up for Standard Edition.
Enter the following information:
Enter a name for the account.
Enter an email address to receive notifications.
Choose a Region for initial data storage capacity.
Choose Create account.
Choose Manage Quick Suite.
Select the appropriate IAM identity.
On the Quick Suite menu, under Permissions, choose AWS resources.
Under Allow access and autodiscovery for these resources, choose both Amazon Athena and Amazon S3.
For Select Amazon S3 buckets, select the target S3 bucket that contains your inventory data. To give write permission for Athena Workgroup, select strong>Write permission for Athena Workgroup.
Choose Finish, and then choose Save.

If you have an existing Quick Suite account, then complete the following steps:

Open the Quick Suite console.
Choose Manage Quick Suite.
On the Quick Suite menu, under Permissions, choose the AWS resources option.
Under Allow access and autodiscovery for these resources, choose Amazon Athena and Amazon S3.
For Select Amazon S3 buckets, select the target S3 bucket that contains your inventory data. To give write permission for Athena Workgroup, select Write permission for Athena Workgroup.
Choose Finish, and then choose Save.

Create a dataset in Quick Sight

To create datasets in Quick Sight, use Amazon Athena tables as the source. Each inventory metadata has a corresponding Amazon Athena table that AWS Glue creates. To create the dataset and analyze the data, use the aws_compliancesummary and aws_complianceitem tables.

Complete the following steps:

Open the Quick Suite console.
In the navigation pane, choose Datasets.
On the Datasets page, choose Create dataset.
From the Create dataset popup window, choose Create data source. Then, from the Create dataset popup window, select Athena as the data source, and then choose Next.
Enter the data source name and Athena workgroup.
Choose Create data source.
From the databases dropdown list, select the S3 bucket.
Note: The database name is in the S3_bucket_name-region-database format.
From the list of tables, select aws_compliancesummary.
Choose Select.
Select Directly query your data.
Choose Edit/Preview data.
Choose Save and publish.

Repeat the preceding steps to create another dataset for the aws_complianceitem table.

Analyze the dataset

To use the aws_compliancesummary and aws_complianceitem datasets for data analysis, complete the following steps:

Open the Quick Suite console.
Choose Create analysis.
On the Create Analysis popup window, choose aws_compliancesummary, and then choose Select.
To add multiple datasets in the same analysis, choose Data.
In the dropdown list, choose Add dataset.
From the popup window, choose aws_complianceitem.
Choose Select.

Note: You can also add other datasets to the same analysis to create the visuals.

Add visuals

You can add a visual to your Amazon Quick Sight analysis based on the Quick Sight dataset. The dataset includes the tables from Amazon Athena that have the Systems Manager inventory data with compliance information.

Visuals for aws_compliancesummary

To view the number of resources based on patch compliance status, complete the following steps:

Open the Quick Suite console.
Choose the analysis that you want to add a visual to.
On the Analysis page, choose the dataset that you want to use.
Choose Visualize.
On the Visualize pane, choose Add, and then choose Add visual.
Choose Visual types.
On the Visual types pane, select Donut chart.
From the Fields list, choose Status to add it to Group/Color dimension.
Under Value, drag and drop Resourceid.
To count distinct values, next to the resourceid field, choose the arrow.
Choose Aggregate: Count.
Choose Count distinct.
Select the graph.
Choose Format Visual icon.
Under Data labels, choose Show metric.

To view the compliant or non-compliant instances by Region, complete the following steps:

Choose the preceding visual.
Choose the More options icon on the chart.
Choose Duplicate visual to.
Under Field wells, in the Group/Color dimension dropdown list, choose Region.
Choose Filter.
Choose ADD FILTER.
Select Status.
Select COMPLIANT or NON-COMPLIANT.
Choose Apply.

To view the account information for all accounts in a multi-account setup, use the preceding visual. Under Fields wells, in the Group/Color dimension, select accountid.

Visuals for aws_complianceitem dataset

To view the list of missing patches by instances, complete the following steps:

Open the Quick Suite console.
Choose Visualize.
In the Visualize pane, choose Visual types.
In the Visual types pane, select Donut chart.
In Visual types, select Pivot table.
Under Rows, add the following values:
Region
resourceid
patchstate
id
title
Under Values, add id.
To count distinct values, choose the arrow next to id.
Choose Aggregate: Count.
Choose Count distinct.
Choose Filter.
In Filter, choose Add Filter.
Choose Patchstate.
Select Missing.
Choose Apply.

To view the list of instances by compliance status, complete the following steps:

Open the Quick Suite console.
Choose Create Analysis.
On the Create Analysis pop-up window, choose aws_complianceitem, and then choose Select.
Choose Add.
Choose Add visual.
In Visual types, select Pivot table.
Under Rows, add the following values:
Region
resourceid
patchstate
id
title
Under Values, add id.
To count distinct values, choose the arrow next to id.
Choose Aggregate: Count.
Choose Count distinct.

To get information about all accounts, under Rows, add accountid.

Add filters

You can also add filters to filter the data based on compliance type, such as patch compliance and association compliance.

To add filters, complete the following steps:

Open the Quick Suite console.
In the navigation pane, choose Filter.
Under Filters, choose Add filter.
Select Compliance type.
To include only patch compliance, choose Patch from the list.
From the Applied to options list, select Single sheet and All visuals.
Choose Apply.

Publish a dashboard

After you add all the visuals, publish all the visuals as a dashboard to share with other users.

Complete the following steps:

In the application bar, under the Edit menu, choose Themes.
Select the appropriate theme.
Choose Publish.
Enter a name for the dashboard.
Choose Publish dashboard.

Topics: Analytics Management & Governance Business Applications Machine Learning & AI
Tags: Amazon Quick Sight AWS Systems Manager Amazon Quick Suite
Language: English

AWS OFFICIALUpdated 4 months ago

No comments

Relevant content

amzlbiaquicksight account does not allow me to use Amazon Quick Suite platform
Accepted Answer
User-8168339
asked 4 months ago
Quick Suite Datasets RLS Access Issue
Rob
asked a month ago
Systems Manager inventory data in a resource-synced centralized bucket: Looking for useful Athena or QuickSight example queries or visualizations to create useful reports and dashboards from the data.
Accepted Answer
rePost-User-2335362
asked 3 years ago
Patch Manager: Patch compliance vs Association compliance
Bill
asked 2 years ago
State Manager Association Non-Compliance vs. Failure
amehlmauer
asked 4 years ago
How do I use AWS Managed Microsoft AD to authenticate users in Quick Suite?
AWS OFFICIALUpdated 4 months ago
How do I resolve "Access denied" errors when I use Athena as a data source in Quick Suite?
AWS OFFICIALUpdated 4 months ago
How do I connect Quick Suite to a private Amazon RDS data source in a different AWS Region or AWS account?
AWS OFFICIALUpdated 3 months ago
How do I resolve Quick Setup patch policy errors in Systems Manager?
AWS OFFICIALUpdated a year ago
Announcing 4 new widgets on AWS Console Home - Security Hub, Ops summary, Patch compliance, and Managed instances
EXPERT
Grace Kitzmiller
published 3 years ago