Ensure RDS Clusters Have Minor Version Upgrade Enabled

Overview

This check verifies that your Amazon RDS clusters have automatic minor version upgrades enabled. When enabled, AWS automatically applies minor engine version updates during your scheduled maintenance window, keeping your databases current with the latest security patches and bug fixes.

Risk

Without automatic minor version upgrades, your RDS clusters may:

  • Miss critical security patches - Known vulnerabilities remain unpatched, leaving your database exposed to exploitation
  • Experience stability issues - Bug fixes that improve reliability are not applied
  • Require emergency maintenance - Manual patching becomes necessary when versions reach end-of-life, potentially causing unplanned downtime

Remediation Steps

Prerequisites

You need access to modify RDS clusters in your AWS account. This typically requires the rds:ModifyDBCluster permission.

AWS Console Method

  1. Open the Amazon RDS console
  2. In the navigation pane, choose Databases
  3. Select the DB cluster you want to modify
  4. Choose Modify
  5. Scroll to the Maintenance section
  6. Check the box for Enable auto minor version upgrade
  7. Choose Continue
  8. Review your changes and select when to apply them:
    • Apply immediately - Changes take effect right away
    • Apply during the next scheduled maintenance window - Safer for production workloads
  9. Choose Modify cluster

AWS CLI (optional)

Enable Auto Minor Version Upgrade

Run this command to enable automatic minor version upgrades for your cluster:

aws rds modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --auto-minor-version-upgrade

To apply the change immediately (rather than waiting for the maintenance window):

aws rds modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --auto-minor-version-upgrade \
  --apply-immediately

Verify the Setting

Check the current configuration:

aws rds describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].AutoMinorVersionUpgrade'

The output should be true.

CloudFormation (optional)

CloudFormation Template

Use the AutoMinorVersionUpgrade property on your AWS::RDS::DBCluster resource:

AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Cluster with Auto Minor Version Upgrade Enabled

Parameters:
  DBClusterIdentifier:
    Type: String
    Description: Identifier for the RDS DB cluster
  MasterUsername:
    Type: String
    Description: Master username for the database
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: Master password for the database
  Engine:
    Type: String
    Default: aurora-mysql
    AllowedValues:
      - aurora-mysql
      - aurora-postgresql
    Description: Database engine type
  EngineVersion:
    Type: String
    Description: Database engine version

Resources:
  RDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      Engine: !Ref Engine
      EngineVersion: !Ref EngineVersion
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      AutoMinorVersionUpgrade: true
      BackupRetentionPeriod: 7
      DeletionProtection: true
      StorageEncrypted: true

Outputs:
  ClusterEndpoint:
    Description: The connection endpoint for the DB cluster
    Value: !GetAtt RDSCluster.Endpoint.Address
  ClusterReadEndpoint:
    Description: The reader endpoint for the DB cluster
    Value: !GetAtt RDSCluster.ReadEndpoint.Address

Update an Existing Stack

If you already have a CloudFormation stack, add or modify the AutoMinorVersionUpgrade property under the cluster's Properties:

      AutoMinorVersionUpgrade: true

Then update your stack:

aws cloudformation update-stack \
  --region us-east-1 \
  --stack-name <your-stack-name> \
  --template-body file://template.yaml \
  --parameters ParameterKey=DBClusterIdentifier,ParameterValue=<your-cluster-id> \
               ParameterKey=MasterUsername,ParameterValue=<username> \
               ParameterKey=MasterUserPassword,ParameterValue=<password> \
               ParameterKey=EngineVersion,ParameterValue=<version>

Terraform (optional)

Important Note on Terraform Support

The auto_minor_version_upgrade attribute has different support levels depending on the resource type:

  • aws_rds_cluster (Aurora clusters): This attribute is not yet supported directly on the cluster resource. You must either:
    • Set it on individual aws_rds_cluster_instance resources, OR
    • Use the AWS CLI post-provisioning to enable it on the cluster
  • aws_rds_cluster_instance (Aurora cluster instances): Fully supported
  • aws_db_instance (Standalone RDS instances): Fully supported

Aurora Cluster Instance Example

For Aurora clusters, set the attribute on each cluster instance:

resource "aws_rds_cluster" "main" {
  cluster_identifier = "my-aurora-cluster"
  engine             = "aurora-mysql"
  engine_version     = "8.0.mysql_aurora.3.04.0"
  master_username    = var.master_username
  master_password    = var.master_password

  backup_retention_period = 7
  deletion_protection     = true
  storage_encrypted       = true
  skip_final_snapshot     = false
}

resource "aws_rds_cluster_instance" "main" {
  count              = 2
  identifier         = "my-aurora-instance-${count.index}"
  cluster_identifier = aws_rds_cluster.main.id
  instance_class     = "db.r6g.large"
  engine             = aws_rds_cluster.main.engine
  engine_version     = aws_rds_cluster.main.engine_version

  # Enable auto minor version upgrade
  auto_minor_version_upgrade = true
}

Standalone RDS Instance Example

For standalone RDS instances (including Multi-AZ deployments):

resource "aws_db_instance" "main" {
  identifier        = "my-rds-instance"
  allocated_storage = 20
  db_name           = "mydb"
  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3.micro"
  username          = var.master_username
  password          = var.master_password
  skip_final_snapshot = false

  # Enable auto minor version upgrade
  auto_minor_version_upgrade = true

  # Enable Multi-AZ for high availability
  multi_az = true
}

Post-Provisioning Workaround for Aurora Clusters

If you need to enable auto minor version upgrade on an existing Aurora cluster managed by Terraform, use a null_resource with a local-exec provisioner. Provisioners only run when the null_resource is created, so the triggers block below re-runs the command if the cluster is ever replaced (otherwise the setting would silently be lost on the new cluster):

resource "null_resource" "enable_auto_upgrade" {
  depends_on = [aws_rds_cluster.main]

  # Re-run the provisioner whenever the cluster is recreated
  triggers = {
    cluster_id = aws_rds_cluster.main.id
  }

  provisioner "local-exec" {
    command = <<-EOT
      aws rds modify-db-cluster \
        --region us-east-1 \
        --db-cluster-identifier ${aws_rds_cluster.main.cluster_identifier} \
        --auto-minor-version-upgrade
    EOT
  }
}

Verification

After making changes, verify that auto minor version upgrade is enabled:

  1. In the RDS console, select your cluster
  2. Choose the Configuration tab
  3. Look for Auto minor version upgrade - it should show Yes

CLI Verification

aws rds describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].{ClusterID:DBClusterIdentifier,AutoMinorVersionUpgrade:AutoMinorVersionUpgrade}'

Expected output:

{
  "ClusterID": "your-cluster-identifier",
  "AutoMinorVersionUpgrade": true
}
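The CLI commands above verify one cluster at a time. The script below is an added example (not code from the original page or from the check's project) that applies the same test across every cluster in a region, the way an auditor would: it reads describe-db-clusters output, lists clusters where AutoMinorVersionUpgrade is not true, and prints the matching modify-db-cluster remediation command for each. The SAMPLE_RESPONSE data and its cluster identifiers are constructed for the example; a cluster whose response omits the field is treated as not enabled, which is this example's conservative choice rather than something the page states. The boto3 call path is assumed to need valid AWS credentials and is only used with --live.

```python
"""Audit every RDS cluster in a region for AutoMinorVersionUpgrade."""
import json
import sys

# Constructed sample in the shape of `aws rds describe-db-clusters` output.
# The identifiers are invented for this example and are not real resources.
SAMPLE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "prod-aurora-a", "Engine": "aurora-postgresql",
         "AutoMinorVersionUpgrade": True},
        {"DBClusterIdentifier": "prod-aurora-b", "Engine": "aurora-mysql",
         "AutoMinorVersionUpgrade": False},
        # Field absent: treated as not enabled (fail closed).
        {"DBClusterIdentifier": "legacy-multiaz-c", "Engine": "mysql"},
    ]
}


def find_noncompliant_clusters(clusters):
    """Return sorted identifiers of clusters without auto minor version upgrade.

    Anything other than an explicit True (False or a missing key) is reported,
    so the audit never passes a cluster it could not positively confirm.
    """
    return sorted(
        c["DBClusterIdentifier"]
        for c in clusters
        if c.get("AutoMinorVersionUpgrade") is not True
    )


def remediation_commands(cluster_ids, region):
    """Build one `aws rds modify-db-cluster` command per failing cluster."""
    return [
        f"aws rds modify-db-cluster --region {region} "
        f"--db-cluster-identifier {cid} --auto-minor-version-upgrade"
        for cid in cluster_ids
    ]


def list_clusters(region):
    """Fetch all DB clusters in a region via boto3 (requires AWS credentials)."""
    import boto3  # imported lazily so the offline path has no dependency
    client = boto3.client("rds", region_name=region)
    clusters = []
    for page in client.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return clusters


if __name__ == "__main__":
    region = "us-east-1"  # assumed region, matching the page's CLI examples
    clusters = (list_clusters(region) if "--live" in sys.argv
                else SAMPLE_RESPONSE["DBClusters"])
    failing = find_noncompliant_clusters(clusters)
    print(json.dumps({"region": region, "noncompliant": failing}, indent=2))
    for cmd in remediation_commands(failing, region):
        print(cmd)
```

Run it without arguments to see the audit over the constructed sample (two of the three clusters are reported), or with --live to query the account the current credentials belong to. The printed commands are the same modify-db-cluster invocation shown earlier on this page; add --apply-immediately only if you do not want to wait for the maintenance window.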

Additional Resources

Notes

  • Maintenance window timing: Minor version upgrades are applied during your scheduled maintenance window. Choose a window during low-traffic periods to minimize impact.

  • Testing first: Before enabling auto upgrades in production, test new minor versions in a non-production environment to ensure compatibility with your application.

  • Aurora vs. Multi-AZ DB clusters: This check applies to both Aurora clusters and Multi-AZ DB clusters. The setting works similarly for both, but the underlying upgrade process may differ.

  • Version deprecation: AWS may forcibly upgrade clusters running deprecated engine versions. Enabling auto minor version upgrade helps you stay ahead of these mandatory upgrades.

  • Compliance frameworks: This check aligns with AWS Foundational Security Best Practices and KISA-ISMS-P compliance frameworks.