Information for: DEVELOPERS   PARTNERS

Implementing security updates

Acquia uses an automated process to deploy a security update branch to the Remote Administration environment.

  • Acquia’s security update automation requires your subscription is correctly set up. Ensure all required setup is fully implemented.
  • Standard RA subscriptions will only receive security updates using Acquia’s automated security update process. It’s the responsibility of your team to ensure your website is compatible with the automated update process.
  • Legacy Premium RA subscribers may request help to ensure your website is compatible with Acquia’s security update automation.
  • Acquia’s security update automation behaves according to RA preferences set per subscription. Unless these preferences are manually set, the default preferences will be used.
  • Inform-Only subscriptions will receive a ticket noting recommended security updates, but no action will be taken. If you would like to receive an update, you must change your preference to Full Deploy. This preference can be changed back after the specific update is complete.

Legacy Premium RA subscriptions which aren’t compatible with Acquia’s security update automation will receive updates as soon as possible, but Acquia can’t guarantee a timeline.

Who is informed?

In the event of a proactive security update, Acquia informs contacts designated by team administrators. All tickets initiated by the Remote Administration team are assigned to the primary contact on the account. You can edit this list on your Teams and Permissions pages.

To ensure specific team members receive notifications, on your Teams and Permissions page, add the following permission to the appropriate team members:

  • Include as a collaborator on all help requests by default

Ticket timelines

Security Updates are implemented using a semi-automated queue. At this time, Acquia initiates automated updates as follows:

  • When a core security update is announced on The queue will be initiated within 24 hours of the release. Subscribers should receive tickets within 24 to 48 hours.
  • Production websites are periodically scanned for core and module security updates.
  • Subscribers can specifically request updates.

After the queue is initiated, update automation will detect security updates, start the update process, and create a new ticket notifying your team an updated branch is ready to test on the RA environment.

Acquia implements security updates depending on your subscription preferences:

  • Inform Only subscriptions: Acquia will send out a security update notification for Drupal Core SA releases within 24 to 48 hours of the announcement. These tickets are for notification purposes only and no action is required. They will be resolved. If you would like your subscription updated, set your preferences to Full Deploy, respond on the initial ticket, and Acquia will create an update and a new ticket.
  • Full Deploy subscriptions: Acquia’s RA team will update all Full Deploy subscriptions by using an automated process. Your team will receive a new ticket detailing all the changes after updates have been deployed and are ready for testing on the RA Environment. Use of this environment prevents any disruption to your ongoing development.

All security updates are implemented as follows:

  • After Acquia deploys an update and sends a ticket, the time to solve the ticket depends on testing and troubleshooting.
  • Moving through each update step requires your approval. Acquia will not deploy a secure branch to either your testing or production environment without explicit approval by a member of your team.
  • After you have approved a tag, Acquia will move to production as soon as possible, or during a scheduled and approved deploy window.

Scheduling production deploy windows

If you would like an update deployed to production at a specific time, set a deploy time in your RA preferences and notify RA in the existing update ticket. This service is available every day.

Be aware of the following items when requesting to schedule production deploys:

  • To allow time for scheduling, all requests must be made with a minimum of one full business day’s notice. Although we can’t guarantee a window with fewer than 24 hours’ notice, Acquia will try to accommodate these requests, when possible.
  • Be sure to provide a one-hour window in your preferred time zone for the deploy, and clearly state your time zone in the ticket. Acquia will confirm the window. If the deploy is during standard business hours, we will assign it to a member of our team to monitor the process.
  • Acquia will begin the update during the window. During standard business hours, Acquia will communicate any delays or issues through the existing ticket.
  • Production deploy requests occurring outside of the standard business hours for your support region will be unmonitored. If your production deploy happens at this time and you experience issues, file a critical support ticket per standard procedures for critical support and reference the RA update ticket.
  • If your production deploy scheduled outside of standard business hours doesn’t complete as expected, you won’t be notified. You must let Acquia know by updating the existing ticket to reschedule the deploy.