I can't seem to activate a Patch Policy across the entire Organization


I want to enable a simple patch policy across all our accounts. I followed the instructions in this blog post: https://aws.amazon.com/blogs/mt/centrally-deploy-patching-operations-across-your-aws-organization-using-systems-manager-quick-setup/

After completing all the steps, in the main account the patch manager overview looks like this:

Main Account Patch Manager

What I don't understand about this: why has compliance not been reported for the 1 instance in the last 7 days, even though the policy has been live for a couple of days?

And for other accounts, Patch Manager actually greets me with the landing page as if nothing has been set up at all. When I then click on "Start with an overview", the dashboard looks like this:

It says compliance was never reported, even though the EC2 instance is listed and has SSM Agent installed.

I feel like I'm missing a step. I don't see error messages anywhere, I don't see any logs in the S3 bucket configured in the initial Quick Setup form.

In the blog post I read that there are resources deployed for this setup via StackSets. I looked into the list of StackSets and found two StackSets that start with the prefix AWS-QuickSetup-PatchPolicy-. One of them has only one stack instance, in the main account. The other one doesn't have any stack instances. I found that weird. I would've expected stack instances for all accounts of the organization in at least one of the StackSets, since I chose "Entire organization" as the target in the Quick Setup form.

I would very much appreciate any ideas on how to further debug what's wrong. I will gladly provide more info, but at the moment I just don't know what's important and what's not. Thank you so much.

1 Answer


Can you verify if All Features is enabled in the Organizations service? This is a prerequisite for creating CloudFormation stacks throughout accounts using StackSets; the only workaround to avoid enabling this is to manually create the self-managed permissions in each account, as described here.

From the looks of it, it would seem that you are only pulling in instances from your payer account which may not have any instances due to the StackSet not deploying to sub accounts.

answered a year ago
  • Thanks for the response. "All Features" is enabled as far as I can tell. When I go to AWS Organizations -> Settings it says:

    Feature set Your organization has all features enabled. [...]
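The checks the answer suggests (All Features enabled, StackSets allowed to deploy into member accounts, stack instances actually present per account) can be run offline against the JSON the Organizations and CloudFormation APIs return. The helper below is an added example, not code from the question, the answer or AWS; the response shapes follow `describe-organization`, `list-aws-service-access-for-organization`, `list-accounts` and `list-stack-instances`, while every account ID, StackSet name suffix and value is constructed.

```python
# Added example: triage captured API responses for the Quick Setup patch-policy
# prerequisites. All sample values below are constructed, not real accounts.
STACKSETS_PRINCIPAL = "member.org.stacksets.cloudformation.amazonaws.com"
PATCH_POLICY_PREFIX = "AWS-QuickSetup-PatchPolicy-"

SAMPLE_ORG = {"Organization": {"Id": "o-example", "FeatureSet": "ALL"}}
# Constructed: StackSets trusted access missing, only an unrelated principal enabled.
SAMPLE_TRUSTED = {"EnabledServicePrincipals": [{"ServicePrincipal": "cloudtrail.amazonaws.com"}]}
SAMPLE_ACCOUNTS = {"Accounts": [
    {"Id": "111111111111", "Status": "ACTIVE"},     # management account
    {"Id": "222222222222", "Status": "ACTIVE"},     # member account
    {"Id": "333333333333", "Status": "SUSPENDED"},  # ignored: not active
]}
# Mirrors the symptom in the question: one StackSet with a single instance in
# the management account, the other with none (names are constructed).
SAMPLE_STACK_INSTANCES = {
    "AWS-QuickSetup-PatchPolicy-MA-example": {"Summaries": [
        {"Account": "111111111111", "Region": "eu-central-1", "Status": "CURRENT"}]},
    "AWS-QuickSetup-PatchPolicy-TA-example": {"Summaries": []},
}

def triage(org, trusted, accounts, stack_instances):
    """Return findings explaining why member accounts may have received nothing."""
    findings = []
    feature_set = org["Organization"]["FeatureSet"]
    if feature_set != "ALL":
        findings.append(f"feature set is {feature_set}; service-managed StackSets need ALL")
    enabled = {p["ServicePrincipal"] for p in trusted["EnabledServicePrincipals"]}
    if STACKSETS_PRINCIPAL not in enabled:
        findings.append(f"trusted access for {STACKSETS_PRINCIPAL} is not enabled")
    active = {a["Id"] for a in accounts["Accounts"] if a["Status"] == "ACTIVE"}
    for name, resp in stack_instances.items():
        if not name.startswith(PATCH_POLICY_PREFIX):
            continue  # only the Quick Setup patch-policy StackSets matter here
        for s in resp["Summaries"]:
            if s["Status"] != "CURRENT":  # OUTDATED / INOPERABLE instances carry a reason
                findings.append(f"{name}: instance in {s['Account']} is {s['Status']} "
                                f"({s.get('StatusReason', 'no reason given')})")
        deployed = {s["Account"] for s in resp["Summaries"] if s["Status"] == "CURRENT"}
        missing = sorted(active - deployed)
        if missing:  # compare against the target you chose in Quick Setup
            findings.append(f"{name}: no current stack instance in {missing}")
    return findings

def run_sample():
    return triage(SAMPLE_ORG, SAMPLE_TRUSTED, SAMPLE_ACCOUNTS, SAMPLE_STACK_INSTANCES)

if __name__ == "__main__":
    for line in run_sample():
        print("-", line)
```

Feed it the real responses by saving each CLI call's output to JSON and loading the four documents in place of the sample constants.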
