It would appear that a number of folks are using the Amazon Systems Manager in concert with osquery (implemented purely as a binary).
Running commands like the following using SSM documents. Rapid7 put together a pretty great article of some likely good queries. I’d like to put together a comprehensive cheat sheet for Windows and Linux along with some sample write ups on what this could be good for hunting.
osqueryi --json "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;"