Acquia CMS

Implementing security updates

Acquia uses an automated process to deploy a security update branch to the Environment.

  • Acquia’s security update automation requires that your subscription is correctly set up. Ensure all required setup is fully implemented.

  • Standard RA subscriptions will only receive security updates using Acquia’s automated security update process. It’s the responsibility of your team to ensure your website is compatible with the automated update process.

  • Legacy Premium RA subscribers may request help to ensure your website is compatible with Acquia’s security update automation.

  • Acquia’s security update automation behaves according to RA preferences set per subscription. Unless these preferences are manually set, the default preferences will be used.

  • Inform-Only subscriptions will receive a ticket noting recommended security updates, but no action will be taken. If you would like to receive an update, you must change your preference to Full Deploy. This preference can be changed back after the specific update is complete.

Legacy Premium RA subscriptions which aren’t compatible with Acquia’s security update automation will receive updates as soon as possible, but Acquia can’t guarantee a timeline.

Who is informed?

In the event of a proactive security update, Acquia informs contacts designated by team administrators. All tickets initiated by the Remote Administration team are assigned to the primary contact on the account. You can edit this list on your Teams and Permissions pages.

To ensure specific team members receive notifications, on your Teams and Permissions page, add the following permission to the appropriate team members:

  • Include as a collaborator on all tickets by default

Ticket timelines

Security updates are implemented using a semi-automated queue. At this time, Acquia initiates automated updates as follows:

  • When a core security update is announced on drupal.org, the queue is initiated within 24 hours of the release. Subscribers should receive tickets within 24 to 48 hours.

  • Production websites are periodically scanned for core and module security updates.

  • Subscribers can specifically request updates.

After the queue is initiated, update automation will detect security updates, start the update process, and create a new ticket notifying your team that an updated branch is ready to test on the RA environment.

Acquia implements security updates depending on your subscription preferences:

  • Inform Only subscriptions: Acquia sends a security update notification for Drupal Core SA releases within 24 to 48 hours of the announcement. These tickets are only for notification purposes and do not require any action. They will be resolved. To update your subscription, set your preferences to Full Deploy, provide your response in the initial ticket, and resolve it. Acquia will create an update and a new ticket in the next weekly run for your subscription.

  • Full Deploy subscriptions: Acquia’s RA team will update all Full Deploy subscriptions by using an automated process. Your team will receive a new ticket detailing all the changes after updates have been deployed and are ready for testing on the RA Environment. Use of this environment prevents any disruption to your ongoing development.

All security updates are implemented as follows:

  • After Acquia deploys an update and sends a ticket, the time to solve the ticket depends on testing and troubleshooting.

  • Moving through each update step requires your approval. Acquia will not deploy a secure branch to either your testing or production environment without explicit approval by a member of your team.

  • After you approve a tag, Acquia moves the website to production as soon as possible, or during a scheduled and approved deploy window. The scheduled and approved deploy window must be set in RA preferences.

Scheduling production deploy windows

To deploy an update to production at a specific time, set a deploy time in your RA preferences. If you do not set a specific time, the system deploys the update immediately after your approval. This service is available every day.

Be aware of the following items when requesting to schedule production deploys:

  • To allow time for scheduling, all requests must be made with a minimum of one full business day’s notice. Although we can’t guarantee a window with fewer than 24 hours’ notice, Acquia will try to accommodate these requests, when possible.

  • Be sure to provide a one-hour window in your preferred time zone for the deploy, and clearly state your time zone in the ticket. Acquia will confirm the window.

  • Production deployment requests are not monitored. If you experience issues in your production deployment, file a critical support ticket adhering to standard procedures for critical support, and reference the RA update ticket.

  • If your production deployment is not completed as expected, the system notifies you. You must review, make the necessary changes, and let Acquia know by updating the existing ticket to reschedule the deployment.