Do I need to be in the Management account to use Systems Manager / Patch Manager to patch instances across an Organization?

0

I see the blog posts about being able to patch across an AWS Organization; I'm just wondering if you need to do that from the Management account or can you do it from a different account? So far it seems like you need to do it from the Management account and it looks like you need to enable a few other services (like Config), which I can do; but I already have a delegated account for Config, so I would need to move that back to the Management account if I have to patch from there.

asked a year ago · 547 views
1 Answer
0

Hi, thanks for your question.

At the time, AWS Systems Manager Patch Policy across Organization [1] should be deployed from the Management Account. There is no need to set up the AWS Config service to create a Patch Policy for your organization. Here is a blog post you can follow to complete this setup [2]. In order to monitor your patch compliance, you can use AWS Systems Manager Explorer, which can set up a Delegated Administrator account within your Organization [3].

[1] https://aws.amazon.com/about-aws/whats-new/2023/01/aws-systems-manager-patch-policies-cross-account-region-patching/

[2] https://aws.amazon.com/blogs/mt/centrally-deploy-patching-operations-across-your-aws-organization-using-systems-manager-quick-setup/

[3] https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer-setup-delegated-administrator.html

Regards,

AWS
rodrggi
answered a year ago
