Patch baseline #1

Open
MrAtheist opened this issue Feb 16, 2022 · 1 comment

Comments

@MrAtheist

Hi @awserik,

Note: this should be under "discussion," but I don't see the tab here...

Following your blog post, I have a few questions as to how patch baseline works in a multi account setting...

  1. When automation issues a "scan" to the child accounts, is the child account referring to the patch baselines that are under its own account? Or is it referring to the patch baselines that are under the root account?
  2. Depending on the answer to #1, how would it work if I want to wire up custom baselines to the mix? Do I have to set up identical custom baselines under each account, or is just under the root account sufficient?
  3. Again, depending on the answer to #2, after reviewing the patch status from Athena (stolen another idea), do I have to issue the approval/rejection to the custom baseline under each account, or just at the root account level?
    3.5. After #3, I suppose that I will need to fire another "install" to actually install from the patch baselines as reviewed in #3. I guess this wraps up a "cycle" and rinse and repeat?
@awserik
Contributor

awserik commented Feb 16, 2022

Hey @MrAtheist , Patch Baselines are an account/Regional resource so if you would like to use custom patch baselines across accounts/Regions, you will need to create them in each account/Region. You can stand these up by using CloudFormation StackSets to deploy across the organization.

Regarding approval, after you issue a patch scan, you can then query Athena to return a list of updates that are marked as missing based on the approval rules in the corresponding baseline. Following a patch scan, you can then issue a patch install to have the updates marked as missing installed on the target nodes. There is no specific approval that you need to perform as far as marking updates to be installed (the approval is inherent in defining the patch baseline approval rules).

Hope this helps!
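The per-account/Region baseline described in the answer above, as an added example that is not part of the issue or of the project's own code: a CloudFormation template for a custom `AWS::SSM::PatchBaseline` whose approval rules encode the "approval" step, written so it can be pushed to every member account and Region through a StackSet. The baseline name, the `org-linux` patch group and the rule thresholds are assumptions for illustration.

```yaml
# Constructed example template (not from the issue or the project).
# A patch baseline lives only in the account and Region where it is created,
# so this template is meant to be deployed once per account/Region via a
# StackSet rather than created once in the management account.
AWSTemplateFormatVersion: '2010-09-09'
Description: Custom Amazon Linux 2 security patch baseline (constructed example)

Resources:
  OrgSecurityBaseline:
    Type: AWS::SSM::PatchBaseline
    Properties:
      Name: org-amazon-linux-2-security          # assumed name
      Description: Security updates auto-approved 7 days after release
      OperatingSystem: AMAZON_LINUX_2
      # Instances tagged "Patch Group" = "org-linux" use this baseline
      # instead of the AWS default baseline for AMAZON_LINUX_2.
      PatchGroups:
        - org-linux                              # assumed patch group name
      ApprovalRules:
        PatchRules:
          # The approval is defined here: any update matching these filters
          # becomes "approved" once it is ApproveAfterDays old. A scan then
          # reports it as Missing (queryable from Athena) and a later
          # install applies it. No manual per-update approval step exists.
          - PatchFilterGroup:
              PatchFilters:
                - Key: CLASSIFICATION
                  Values: [Security]
                - Key: SEVERITY
                  Values: [Critical, Important]
            ApproveAfterDays: 7
            ComplianceLevel: CRITICAL
            EnableNonSecurity: false
      # Explicit allow/deny lists take precedence over the rules above;
      # left empty here so the rules alone decide.
      ApprovedPatches: []
      RejectedPatches: []
      RejectedPatchesAction: BLOCK

Outputs:
  BaselineId:
    Description: Baseline ID in this account/Region
    Value: !Ref OrgSecurityBaseline
```

With a service-managed StackSet (`aws cloudformation create-stack-set --permission-model SERVICE_MANAGED`, then `create-stack-instances --deployment-targets OrganizationalUnitIds=<OU id> --regions <regions>`), each member account and Region receives its own copy, which is what the patch-group tag on the instances resolves against during a scan.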
