RDS Instance Deprecated Engine Version
Overview
This check ensures your Amazon RDS database instances are running on supported, non-deprecated engine versions for MySQL, PostgreSQL, or MariaDB. AWS regularly deprecates older database engine versions, and running on deprecated versions means you miss out on critical security patches and support.
Risk
Running RDS instances on deprecated engine versions creates significant security and operational risks:
- Unpatched vulnerabilities: Deprecated versions no longer receive security fixes, leaving known CVEs (Common Vulnerabilities and Exposures) unaddressed
- Compatibility issues: Older engines may have TLS/SSL incompatibilities with modern clients
- Operational problems: You may experience issues with replication, backups, or restore operations
- Forced upgrades: AWS may eventually force maintenance windows for mandatory upgrades, causing unplanned downtime
Severity: High
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to modify RDS instances, OR
- AWS CLI configured with appropriate credentials
- A valid database backup before making changes
Setting up AWS CLI (optional)
If you prefer using the command line:
- Install the AWS CLI: https://aws.amazon.com/cli/
- Configure your credentials:

```bash
aws configure
```

- Verify access:

```bash
aws rds describe-db-instances --region us-east-1
```
AWS Console Method
1. Open the RDS Console
   - Go to https://console.aws.amazon.com/rds/
   - Make sure you are in the correct region (us-east-1)
2. Find your database instance
   - Click Databases in the left navigation
   - Locate the instance flagged by Prowler
   - Note the current Engine version shown in the list
3. Check available upgrade versions
   - Click on the database instance name
   - Click Modify in the top right
   - Scroll to DB engine version
   - Review the dropdown list of available versions
4. Select a supported version
   - Choose a supported engine version from the dropdown
   - For minor upgrades (e.g., 8.0.32 to 8.0.35), the upgrade is typically low-risk
   - For major upgrades (e.g., MySQL 5.7 to 8.0), additional testing is recommended
5. Enable Auto Minor Version Upgrade
   - Scroll to Maintenance
   - Check Enable auto minor version upgrade to automatically receive future minor version updates
6. Choose when to apply changes
   - Scroll to the bottom and click Continue
   - Select Apply immediately for urgent security fixes, OR
   - Select Apply during the next scheduled maintenance window for planned changes
   - Click Modify DB instance
Warning: Applying changes immediately will cause a brief database outage during the upgrade. Schedule upgrades during low-traffic periods when possible.
AWS CLI (optional)
List your RDS instances and their engine versions:
```bash
aws rds describe-db-instances \
  --region us-east-1 \
  --query 'DBInstances[*].[DBInstanceIdentifier,Engine,EngineVersion]' \
  --output table
```
Find available upgrade versions for your engine:
```bash
# For MySQL
aws rds describe-db-engine-versions \
  --engine mysql \
  --region us-east-1 \
  --query 'DBEngineVersions[?Status==`available`].[EngineVersion,Status]' \
  --output table

# For PostgreSQL
aws rds describe-db-engine-versions \
  --engine postgres \
  --region us-east-1 \
  --query 'DBEngineVersions[?Status==`available`].[EngineVersion,Status]' \
  --output table

# For MariaDB
aws rds describe-db-engine-versions \
  --engine mariadb \
  --region us-east-1 \
  --query 'DBEngineVersions[?Status==`available`].[EngineVersion,Status]' \
  --output table
```
Upgrade to a supported version:
For a minor version upgrade:
```bash
aws rds modify-db-instance \
  --db-instance-identifier <your-db-instance-id> \
  --engine-version <supported-engine-version> \
  --apply-immediately \
  --region us-east-1
```
For a major version upgrade (requires explicit flag):
```bash
aws rds modify-db-instance \
  --db-instance-identifier <your-db-instance-id> \
  --engine-version <supported-engine-version> \
  --allow-major-version-upgrade \
  --apply-immediately \
  --region us-east-1
```
Enable auto minor version upgrade:
```bash
aws rds modify-db-instance \
  --db-instance-identifier <your-db-instance-id> \
  --auto-minor-version-upgrade \
  --region us-east-1
```
Replace <your-db-instance-id> with your actual database identifier and <supported-engine-version> with your target version (e.g., 8.0.35 for MySQL).
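The CLI steps above leave the actual decision (is this version still available, and what is the nearest supported target?) to the reader. The script below, an added example that is not part of this guide and not Prowler's check implementation, automates that decision over the two CLI outputs: it takes dicts shaped like the JSON from `aws rds describe-db-instances` and `aws rds describe-db-engine-versions`, keeps only versions with `Status` equal to `available`, flags every instance whose running version is not in that list, and suggests the newest version in the same major (a minor upgrade) or, failing that, the newest version of the next higher major (a major upgrade, which is when `--allow-major-version-upgrade` is needed). It then renders the matching `modify-db-instance` command, folding in `--auto-minor-version-upgrade` when the instance lacks it. The instance and version lists are constructed sample data; `ValidUpgradeTarget`, mentioned in a comment, is a real field of the describe-db-engine-versions output that this example does not consume.

```python
"""Flag RDS instances on non-available engine versions and suggest an upgrade target.
Added example, not Prowler's or AWS's code. Inputs mirror the JSON printed by
`aws rds describe-db-instances` and `aws rds describe-db-engine-versions`, so real
output loaded with json.load() can be passed straight in. All data below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: shape of describe-db-instances output (fields trimmed).
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "Engine": "mysql", "EngineVersion": "5.7.38", "AutoMinorVersionUpgrade": False},
    {"DBInstanceIdentifier": "billing-db", "Engine": "mysql", "EngineVersion": "8.0.30", "AutoMinorVersionUpgrade": True},
    {"DBInstanceIdentifier": "inventory-db", "Engine": "mysql", "EngineVersion": "8.0.35", "AutoMinorVersionUpgrade": True},
    {"DBInstanceIdentifier": "analytics-db", "Engine": "postgres", "EngineVersion": "14.7", "AutoMinorVersionUpgrade": True},
    {"DBInstanceIdentifier": "legacy-db", "Engine": "mariadb", "EngineVersion": "10.3.39", "AutoMinorVersionUpgrade": False},
]}

# Constructed sample: merged describe-db-engine-versions output for the three engines.
# Only Status "available" counts as supported; a "deprecated" entry must never become a target.
SAMPLE_ENGINE_VERSIONS = {"DBEngineVersions": [
    {"Engine": "mysql", "EngineVersion": "5.7.44", "Status": "deprecated"},
    {"Engine": "mysql", "EngineVersion": "8.0.32", "Status": "available"},
    {"Engine": "mysql", "EngineVersion": "8.0.35", "Status": "available"},
    {"Engine": "postgres", "EngineVersion": "14.7", "Status": "available"},
    {"Engine": "postgres", "EngineVersion": "15.4", "Status": "available"},
    {"Engine": "mariadb", "EngineVersion": "10.6.14", "Status": "available"},
    {"Engine": "mariadb", "EngineVersion": "10.11.6", "Status": "available"},
]}

@dataclass
class Finding:
    identifier: str
    engine: str
    current: str
    status: str                  # "PASS" (version is available) or "FAIL"
    target: Optional[str]        # suggested EngineVersion when FAIL
    upgrade_kind: Optional[str]  # "minor" or "major" when FAIL
    auto_minor_upgrade: bool

def parse_version(version: str) -> tuple:
    """'8.0.35' -> (8, 0, 35): compare numerically, not as strings ('8.0.9' < '8.0.35')."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def major_of(engine: str, version: str) -> tuple:
    """The 'major' AWS uses for upgrade semantics: MySQL/MariaDB use two components
    (5.7, 8.0, 10.6); PostgreSQL uses one from 10 onwards and two before that (9.6)."""
    parts = parse_version(version)
    return parts[:1] if engine == "postgres" and parts[0] >= 10 else parts[:2]

def available_versions(engine_versions: dict) -> dict:
    """Map engine -> ascending list of EngineVersion strings whose Status is 'available'."""
    out: dict = {}
    for ev in engine_versions["DBEngineVersions"]:
        if ev.get("Status") == "available":
            out.setdefault(ev["Engine"], []).append(ev["EngineVersion"])
    return {eng: sorted(vs, key=parse_version) for eng, vs in out.items()}

def suggest_target(engine: str, current: str, supported: list):
    """Newest supported version in the same major (minor upgrade) if one exists,
    else newest version of the next higher supported major (major upgrade).
    Confirm the path against ValidUpgradeTarget in describe-db-engine-versions."""
    cur_major = major_of(engine, current)
    same = [v for v in supported if major_of(engine, v) == cur_major and parse_version(v) > parse_version(current)]
    if same:
        return same[-1], "minor"
    higher = sorted({major_of(engine, v) for v in supported if major_of(engine, v) > cur_major})
    if not higher:
        return None, None
    return [v for v in supported if major_of(engine, v) == higher[0]][-1], "major"

def evaluate(instances: dict, engine_versions: dict) -> list:
    """One Finding per instance; FAIL means the running version is not 'available'."""
    supported = available_versions(engine_versions)
    findings = []
    for inst in instances["DBInstances"]:
        engine, current = inst["Engine"], inst["EngineVersion"]
        versions = supported.get(engine, [])
        target, kind = (None, None) if current in versions else suggest_target(engine, current, versions)
        findings.append(Finding(inst["DBInstanceIdentifier"], engine, current,
                                "PASS" if current in versions else "FAIL",
                                target, kind, bool(inst.get("AutoMinorVersionUpgrade"))))
    return findings

def remediation_command(f: Finding, region: str = "us-east-1") -> Optional[str]:
    """Render the modify-db-instance call for a FAIL finding (None for PASS or no target).
    --allow-major-version-upgrade is added only when the target crosses a major version."""
    if f.status != "FAIL" or f.target is None:
        return None
    args = [f"--db-instance-identifier {f.identifier}", f"--engine-version {f.target}"]
    if f.upgrade_kind == "major":
        args.append("--allow-major-version-upgrade")
    if not f.auto_minor_upgrade:
        args.append("--auto-minor-version-upgrade")
    args += ["--apply-immediately", f"--region {region}"]
    return "aws rds modify-db-instance \\\n  " + " \\\n  ".join(args)

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INSTANCES, SAMPLE_ENGINE_VERSIONS):
        print(f"{f.identifier}: {f.status} ({f.engine} {f.current})" + (f" -> {f.target} [{f.upgrade_kind}]" if f.target else ""))
```

On the sample data, orders-db (MySQL 5.7.38) has no available 5.7.x left, so it is proposed a major upgrade to 8.0.35 with `--allow-major-version-upgrade`; billing-db (8.0.30) gets a minor upgrade to 8.0.35; legacy-db (MariaDB 10.3.39) is steered to the lowest higher major, 10.6.14, rather than straight to 10.11.6, because a smaller jump means fewer application changes. Treat the emitted commands as a review list, not something to pipe into a shell: snapshot first, and check the real `ValidUpgradeTarget` data before running them.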
CloudFormation (optional)
This template creates an RDS instance with a supported engine version and auto minor version upgrade enabled. It uses AWS Secrets Manager for secure credential management.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS instance with supported engine version and auto minor version upgrade enabled

Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: Unique identifier for the RDS instance
  DBInstanceClass:
    Type: String
    Default: db.t3.micro
    Description: The compute and memory capacity of the DB instance
  Engine:
    Type: String
    AllowedValues:
      - mysql
      - postgres
      - mariadb
    Description: The database engine
  EngineVersion:
    Type: String
    Description: The version of the database engine (must be a supported version)
  MasterUsername:
    Type: String
    Description: Master username for the database
  AllocatedStorage:
    Type: Number
    Default: 20
    MinValue: 20
    MaxValue: 65536
    Description: The size of the database (GB)

Resources:
  DBMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '${DBInstanceIdentifier}-master-credentials'
      Description: Master credentials for RDS instance
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${MasterUsername}"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBInstanceClass: !Ref DBInstanceClass
      Engine: !Ref Engine
      EngineVersion: !Ref EngineVersion
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBMasterSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBMasterSecret}:SecretString:password}}'
      AllocatedStorage: !Ref AllocatedStorage
      AutoMinorVersionUpgrade: true
      PubliclyAccessible: false
      StorageEncrypted: true
      DeletionProtection: true
      BackupRetentionPeriod: 7
      Tags:
        - Key: Environment
          Value: Production

  SecretDBAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBMasterSecret
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance

Outputs:
  DBInstanceEndpoint:
    Description: The connection endpoint for the database
    Value: !GetAtt DBInstance.Endpoint.Address
  DBInstancePort:
    Description: The port of the database
    Value: !GetAtt DBInstance.Endpoint.Port
  SecretArn:
    Description: ARN of the secret containing database credentials
    Value: !Ref DBMasterSecret
```
Deploy the stack:
```bash
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name my-rds-instance \
  --parameter-overrides \
    DBInstanceIdentifier=my-database \
    Engine=mysql \
    EngineVersion=8.0.35 \
    MasterUsername=admin \
  --region us-east-1
```
Terraform (optional)
```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

variable "db_instance_identifier" {
  type        = string
  description = "Unique identifier for the RDS instance"
}

variable "engine" {
  type        = string
  description = "Database engine (mysql, postgres, or mariadb)"
  validation {
    condition     = contains(["mysql", "postgres", "mariadb"], var.engine)
    error_message = "Engine must be mysql, postgres, or mariadb."
  }
}

variable "engine_version" {
  type        = string
  description = "Database engine version (must be a supported, non-deprecated version)"
}

variable "instance_class" {
  type        = string
  default     = "db.t3.micro"
  description = "The instance type for the RDS instance"
}

variable "allocated_storage" {
  type        = number
  default     = 20
  description = "Allocated storage in GB"
}

variable "master_username" {
  type        = string
  description = "Master username for the database"
  sensitive   = true
}

variable "master_password" {
  type        = string
  description = "Master password for the database"
  sensitive   = true
}

resource "aws_db_instance" "main" {
  identifier        = var.db_instance_identifier
  engine            = var.engine
  engine_version    = var.engine_version
  instance_class    = var.instance_class
  allocated_storage = var.allocated_storage
  username          = var.master_username
  password          = var.master_password

  # Enable auto minor version upgrade to stay current
  auto_minor_version_upgrade = true

  # Security best practices
  publicly_accessible     = false
  storage_encrypted       = true
  deletion_protection     = true
  backup_retention_period = 7

  # Allow major version upgrades when explicitly requested
  allow_major_version_upgrade = true

  tags = {
    Environment = "Production"
  }
}
```
Deploy with Terraform:

```bash
terraform init
terraform plan -var="db_instance_identifier=my-database" \
  -var="engine=mysql" \
  -var="engine_version=8.0.35" \
  -var="master_username=admin" \
  -var="master_password=YourSecurePassword123!"
terraform apply
```

Passing the master password as a `-var` on the command line leaves it in shell history and process listings; supply it through the `TF_VAR_master_password` environment variable or a secrets backend instead, and keep the value out of version control.
Verification
After applying the upgrade:
1. In the AWS Console:
   - Navigate to RDS > Databases
   - Click on your database instance
   - Verify the Engine version shows the new supported version
   - Confirm Auto minor version upgrade is set to Yes
2. Test your application:
   - Verify your application can connect to the database
   - Run basic read/write operations to confirm functionality
CLI verification commands
```bash
# Check the engine version and auto-upgrade setting
aws rds describe-db-instances \
  --db-instance-identifier <your-db-instance-id> \
  --region us-east-1 \
  --query 'DBInstances[0].[DBInstanceIdentifier,Engine,EngineVersion,AutoMinorVersionUpgrade]' \
  --output table
```
Additional Resources
- AWS RDS Engine Versions Documentation
- AWS RDS PostgreSQL Versions
- AWS RDS MariaDB Versions
- Upgrading a DB Instance Engine Version
- AWS RDS describe-db-engine-versions CLI Reference
Notes
- Always backup first: Create a snapshot before upgrading, especially for major version upgrades
- Test in non-production: If possible, test the upgrade on a replica or in a staging environment first
- Major vs. minor upgrades: Minor version upgrades (e.g., 8.0.32 to 8.0.35) are typically safe. Major upgrades (e.g., 5.7 to 8.0) may require application changes
- Downtime: Engine version upgrades require a database restart, causing brief downtime
- Read replicas: If you have read replicas, they will also be upgraded when the primary is upgraded
- Multi-AZ deployments: In Multi-AZ setups, the standby is upgraded first, then a failover occurs, minimizing downtime
- Monitor deprecation notices: Subscribe to AWS notifications for upcoming deprecation dates