
Ensure MemoryDB Clusters Have Minor Version Upgrade Enabled

Overview

This check verifies that your Amazon MemoryDB for Redis clusters have automatic minor version upgrades enabled. When enabled, AWS automatically applies new minor engine versions to your clusters during the maintenance window.

Risk

Without automatic minor version upgrades, your MemoryDB clusters may run on outdated engine versions that contain known security vulnerabilities or bugs. This can lead to:

  • Security exposure: Unpatched vulnerabilities could be exploited by attackers to access or modify your data
  • Stability issues: Known bugs may cause unexpected crashes or data corruption
  • Compliance gaps: Many security frameworks require systems to be kept up-to-date with security patches

Remediation Steps

Prerequisites

You need access to your AWS account with permissions to modify MemoryDB clusters. Specifically, you need the memorydb:UpdateCluster or memorydb:CreateCluster permission.

AWS Console Method

  1. Open the Amazon MemoryDB console
  2. Make sure you are in the correct region (e.g., us-east-1)
  3. In the left navigation, click Clusters
  4. Select the cluster you want to modify
  5. Click Actions and then Modify
  6. Scroll to the Maintenance section
  7. Check the box for Auto minor version upgrade
  8. Click Save changes

Important: The change takes effect during the next maintenance window. If you need immediate application, consider scheduling an immediate maintenance window.

AWS CLI (optional)

Note: As of the current AWS CLI version, the update-cluster command does not directly support modifying the auto-minor-version-upgrade setting for existing clusters. This setting can be specified when creating new clusters.

For new clusters, enable auto minor version upgrade at creation time:

aws memorydb create-cluster \
    --cluster-name my-cluster \
    --node-type db.t4g.small \
    --acl-name open-access \
    --auto-minor-version-upgrade \
    --region us-east-1

For existing clusters, you have two options:

  1. Use the AWS Console (recommended) - Follow the console steps above
  2. Use Infrastructure as Code - Deploy a CloudFormation stack or Terraform configuration that updates the setting (see sections below)

Verify the current setting on an existing cluster:

aws memorydb describe-clusters \
    --cluster-name <your-cluster-name> \
    --query "Clusters[0].AutoMinorVersionUpgrade" \
    --region us-east-1

This returns true if auto minor version upgrade is enabled, or false if disabled.
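The describe-clusters command above inspects one cluster at a time. The following Python script, added here as an example and not part of the original page, generalizes the same check to every cluster in a region: it follows DescribeClusters NextToken pages and reports any cluster whose AutoMinorVersionUpgrade is not exactly true, treating a missing value as a failure. The StubMemoryDB class and its cluster names are constructed so the script runs offline; a live run assumes boto3, valid credentials and the memorydb:DescribeClusters permission.

```python
from typing import Any, Dict, Iterable, List


def describe_all_clusters(client: Any) -> List[Dict[str, Any]]:
    # Follow NextToken until DescribeClusters stops returning one, so clusters
    # beyond the first page are not silently skipped by the audit.
    clusters: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {}
    while True:
        page = client.describe_clusters(**kwargs)
        clusters.extend(page.get("Clusters", []))
        token = page.get("NextToken")
        if not token:
            return clusters
        kwargs = {"NextToken": token}


def noncompliant_clusters(clusters: Iterable[Dict[str, Any]]) -> List[str]:
    # Pass only when the field is exactly True; missing or malformed values are reported.
    return sorted(
        c["Name"] for c in clusters if c.get("AutoMinorVersionUpgrade") is not True
    )


class StubMemoryDB:
    # Constructed offline stand-in for a boto3 memorydb client: two pages,
    # one compliant cluster, one disabled, one with the field absent.
    _pages = [
        {"Clusters": [{"Name": "cache-prod", "AutoMinorVersionUpgrade": True},
                      {"Name": "cache-legacy", "AutoMinorVersionUpgrade": False}],
         "NextToken": "page-2"},
        {"Clusters": [{"Name": "cache-unknown"}]},
    ]

    def describe_clusters(self, **kwargs: Any) -> Dict[str, Any]:
        return self._pages[1] if kwargs.get("NextToken") == "page-2" else self._pages[0]


def audit(client: Any = None, region: str = "us-east-1") -> List[str]:
    # No client supplied: audit a live account with boto3 (credentials assumed).
    if client is None:
        import boto3
        client = boto3.client("memorydb", region_name=region)
    return noncompliant_clusters(describe_all_clusters(client))


if __name__ == "__main__":
    for name in audit(StubMemoryDB()):
        print(f"FAIL: {name}: auto minor version upgrade is not enabled")
```

Replace `StubMemoryDB()` with `audit()` (or pass `boto3.client("memorydb", region_name=...)`) to run it against a real account.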

CloudFormation (optional)

Use the following CloudFormation template to create or update a MemoryDB cluster with auto minor version upgrade enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: MemoryDB cluster with auto minor version upgrade enabled

Parameters:
  ClusterName:
    Type: String
    Description: Name of the MemoryDB cluster
  NodeType:
    Type: String
    Default: db.t4g.small
    Description: Node type for the cluster
  ACLName:
    Type: String
    Default: open-access
    Description: ACL name for the cluster

Resources:
  MemoryDBCluster:
    Type: AWS::MemoryDB::Cluster
    Properties:
      ClusterName: !Ref ClusterName
      NodeType: !Ref NodeType
      ACLName: !Ref ACLName
      AutoMinorVersionUpgrade: true

Outputs:
  ClusterARN:
    Description: ARN of the MemoryDB cluster
    Value: !GetAtt MemoryDBCluster.ARN

Deploy the stack:

aws cloudformation deploy \
    --template-file template.yaml \
    --stack-name memorydb-auto-upgrade \
    --parameter-overrides ClusterName=my-cluster \
    --region us-east-1

Note: The AutoMinorVersionUpgrade property can be updated without replacing the cluster.

Terraform (optional)

Use the following Terraform configuration:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_name" {
  description = "Name of the MemoryDB cluster"
  type        = string
}

variable "node_type" {
  description = "Node type for the cluster"
  type        = string
  default     = "db.t4g.small"
}

variable "acl_name" {
  description = "ACL name for the cluster"
  type        = string
  default     = "open-access"
}

resource "aws_memorydb_cluster" "example" {
  name                       = var.cluster_name
  node_type                  = var.node_type
  acl_name                   = var.acl_name
  auto_minor_version_upgrade = true
}

Apply the configuration:

terraform init
terraform plan -var="cluster_name=my-cluster"
terraform apply -var="cluster_name=my-cluster"

For existing clusters managed by Terraform, add or update the auto_minor_version_upgrade = true line and run terraform apply.

Verification

After making changes, verify that auto minor version upgrade is enabled:

  1. Go to the MemoryDB console
  2. Select your cluster
  3. In the Configuration tab, confirm that Auto minor version upgrade shows Enabled

CLI verification

aws memorydb describe-clusters \
    --cluster-name <your-cluster-name> \
    --query "Clusters[0].{Name:Name,AutoMinorVersionUpgrade:AutoMinorVersionUpgrade}" \
    --output table \
    --region us-east-1

Expected output:

-----------------------------------------
|           DescribeClusters            |
+------------------------+--------------+
| AutoMinorVersionUpgrade|     Name     |
+------------------------+--------------+
|  True                  |  my-cluster  |
+------------------------+--------------+

Additional Resources

Notes

  • Maintenance window: Minor version upgrades are applied during the cluster's maintenance window. Plan your maintenance window during low-traffic periods to minimize impact.
  • Testing first: Consider testing new engine versions in a non-production environment before enabling auto-upgrade in production.
  • No downtime guarantee: While AWS aims to minimize disruption, minor version upgrades may cause brief connectivity interruptions. Applications should implement retry logic for database connections.
  • Compliance: Enabling auto minor version upgrade helps meet compliance requirements for frameworks like C5 and NIS2 that mandate timely security patching.