DMS Replication Instance Has Auto Minor Version Upgrade Enabled
Overview
This check verifies that your AWS Database Migration Service (DMS) replication instances have automatic minor version upgrades enabled. When enabled, AWS automatically applies minor engine updates during your scheduled maintenance window, keeping your instances patched and secure.
Risk
Without automatic minor upgrades, your DMS replication instances may miss critical security patches. This creates several risks:
- Confidentiality: Unpatched components may expose sensitive data during migration
- Integrity: Outdated engines can cause replication errors or data inconsistencies
- Availability: Service disruptions may occur during migration or Change Data Capture (CDC) operations
Remediation Steps
Prerequisites
You need permission to modify DMS replication instances in your AWS account.
Required IAM permissions
Your IAM user or role needs the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dms:DescribeReplicationInstances",
"dms:ModifyReplicationInstance"
],
"Resource": "*"
}
]
}
AWS Console Method
- Open the AWS DMS Console
- Select Replication instances from the left navigation
- Select the replication instance you want to modify
- Click Actions and choose Modify
- Scroll to Maintenance section
- Check the box for Auto minor version upgrade
- Choose whether to apply changes immediately or during the next maintenance window
- Click Modify to save your changes
Note: Applying immediately may cause a brief outage if an upgrade is pending. Consider scheduling during low-traffic periods.
AWS CLI (optional)
Enable Auto Minor Version Upgrade
Replace <REPLICATION_INSTANCE_ARN> with your instance's ARN:
aws dms modify-replication-instance \
--region us-east-1 \
--replication-instance-arn <REPLICATION_INSTANCE_ARN> \
--auto-minor-version-upgrade \
--apply-immediately
To apply during the next maintenance window instead, omit --apply-immediately:
aws dms modify-replication-instance \
--region us-east-1 \
--replication-instance-arn <REPLICATION_INSTANCE_ARN> \
--auto-minor-version-upgrade
Find Your Replication Instance ARNs
To list all replication instances and their ARNs:
aws dms describe-replication-instances \
--region us-east-1 \
--query "ReplicationInstances[*].[ReplicationInstanceIdentifier,ReplicationInstanceArn,AutoMinorVersionUpgrade]" \
--output table
Enable for All Instances (Bulk Update)
To enable auto minor version upgrade for all instances that currently have it disabled:
aws dms describe-replication-instances \
--region us-east-1 \
--query "ReplicationInstances[?AutoMinorVersionUpgrade==\`false\`].ReplicationInstanceArn" \
--output text | tr '\t' '\n' | while read arn; do
echo "Enabling auto minor version upgrade for: $arn"
aws dms modify-replication-instance \
--region us-east-1 \
--replication-instance-arn "$arn" \
--auto-minor-version-upgrade
done
CloudFormation (optional)
Set AutoMinorVersionUpgrade to true in your CloudFormation template:
AWSTemplateFormatVersion: '2010-09-09'
Description: DMS Replication Instance with Auto Minor Version Upgrade Enabled
Parameters:
ReplicationInstanceIdentifier:
Type: String
Description: Unique identifier for the replication instance
Default: my-replication-instance
ReplicationInstanceClass:
Type: String
Description: Instance class for the replication instance
Default: dms.t3.medium
AllocatedStorage:
Type: Number
Description: Storage in GB
Default: 50
SubnetGroupIdentifier:
Type: String
Description: Subnet group for the replication instance
Resources:
DMSReplicationInstance:
Type: AWS::DMS::ReplicationInstance
Properties:
ReplicationInstanceIdentifier: !Ref ReplicationInstanceIdentifier
ReplicationInstanceClass: !Ref ReplicationInstanceClass
AllocatedStorage: !Ref AllocatedStorage
AutoMinorVersionUpgrade: true
PubliclyAccessible: false
ReplicationSubnetGroupIdentifier: !Ref SubnetGroupIdentifier
Tags:
- Key: Name
Value: !Ref ReplicationInstanceIdentifier
Outputs:
ReplicationInstanceArn:
Description: ARN of the DMS Replication Instance
Value: !Ref DMSReplicationInstance
Terraform (optional)
Set auto_minor_version_upgrade to true in your Terraform configuration:
resource "aws_dms_replication_instance" "main" {
replication_instance_id = var.replication_instance_id
replication_instance_class = var.replication_instance_class
allocated_storage = var.allocated_storage
auto_minor_version_upgrade = true
publicly_accessible = false
replication_subnet_group_id = var.replication_subnet_group_id
tags = {
Name = var.replication_instance_id
}
}
Variables:
variable "replication_instance_id" {
description = "Unique identifier for the replication instance"
type = string
default = "my-replication-instance"
}
variable "replication_instance_class" {
description = "Instance class for the replication instance"
type = string
default = "dms.t3.medium"
}
variable "allocated_storage" {
description = "Allocated storage in GB"
type = number
default = 50
}
variable "replication_subnet_group_id" {
description = "Subnet group identifier for the replication instance"
type = string
}
Verification
After making changes, verify the setting is enabled:
- In the AWS Console, navigate to DMS > Replication instances
- Select your instance and check the Auto minor version upgrade field shows Yes
CLI verification
aws dms describe-replication-instances \
--region us-east-1 \
--query "ReplicationInstances[*].[ReplicationInstanceIdentifier,AutoMinorVersionUpgrade]" \
--output table
Expected output shows True for your instances:
---------------------------------------------
| DescribeReplicationInstances |
+-------------------------+-----------------+
| my-replication-instance| True |
+-------------------------+-----------------+
Additional Resources
- AWS DMS Replication Instance Documentation
- AWS DMS Engine Versions
- Setting the Maintenance Window
- Prowler DMS Checks
Notes
- Maintenance window: Minor version upgrades are applied during your scheduled maintenance window. Set a window during low-traffic periods to minimize impact.
- Test in non-production first: Before enabling on production instances, test the upgrade process in a development environment to identify any compatibility issues.
- Monitor release notes: Review AWS DMS release notes to stay informed about what each minor version includes.
- Backup strategy: Ensure you have backups of your source and target databases in case you need to roll back after an upgrade.
- No immediate outage guarantee: Enabling this setting does not cause an immediate outage. Upgrades only occur when AWS releases a new minor version and your maintenance window arrives.