RDS Instance Minor Version Upgrade Enabled
Overview
This check verifies that Amazon RDS database instances have automatic minor version upgrades enabled. When enabled, AWS automatically applies minor engine version updates during your scheduled maintenance windows.
Minor version updates typically include security patches, bug fixes, and small improvements that maintain backward compatibility with your applications.
Risk
Without automatic minor version upgrades, your databases may:
- Miss critical security patches, leaving known vulnerabilities unaddressed
- Become targets for exploits that have already been publicly disclosed and fixed
- Experience data corruption or service outages from unpatched bugs
- Fall out of compliance with security standards that require timely patching
Attackers actively scan for databases running outdated versions with known vulnerabilities.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify RDS instances, OR
- AWS CLI configured with appropriate credentials
Required IAM permissions
You need the following IAM permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:ModifyDBInstance"
],
"Resource": "*"
}
]
}
AWS Console Method
- Open the Amazon RDS Console
- In the left navigation, click Databases
- Select the database instance you want to modify
- Click the Modify button
- Scroll down to the Maintenance section
- Find Auto minor version upgrade and select Yes (or check the box to enable it)
- Scroll to the bottom and click Continue
- On the summary page, choose when to apply the change:
- Apply immediately - Takes effect right away (may cause brief interruption)
- Apply during the next scheduled maintenance window - Safer for production
- Click Modify DB instance to confirm
AWS CLI (optional)
Enable auto minor version upgrade for an existing instance:
aws rds modify-db-instance \
--db-instance-identifier <your-db-instance-id> \
--auto-minor-version-upgrade \
--region us-east-1
To apply the change immediately (instead of waiting for the maintenance window):
aws rds modify-db-instance \
--db-instance-identifier <your-db-instance-id> \
--auto-minor-version-upgrade \
--apply-immediately \
--region us-east-1
Check the current setting for an instance:
aws rds describe-db-instances \
--db-instance-identifier <your-db-instance-id> \
--query 'DBInstances[0].AutoMinorVersionUpgrade' \
--region us-east-1
List all instances with auto minor version upgrade disabled:
aws rds describe-db-instances \
--query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' \
--output table \
--region us-east-1
CloudFormation (optional)
Use the AutoMinorVersionUpgrade property set to true when defining an RDS instance:
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS instance with auto minor version upgrade enabled
Parameters:
DBInstanceIdentifier:
Type: String
Description: The database instance identifier
MinLength: 1
MaxLength: 63
DBInstanceClass:
Type: String
Default: db.t3.micro
Description: The database instance class
Engine:
Type: String
Default: mysql
AllowedValues:
- mysql
- postgres
- mariadb
Description: The database engine
EngineVersion:
Type: String
Description: The database engine version
MasterUsername:
Type: String
Description: Master username for the database
MinLength: 1
MaxLength: 16
NoEcho: true
AllocatedStorage:
Type: Number
Default: 20
MinValue: 20
MaxValue: 65536
Description: The allocated storage size in GB
Resources:
RDSInstance:
Type: AWS::RDS::DBInstance
DeletionPolicy: Snapshot
UpdateReplacePolicy: Snapshot
Properties:
DBInstanceIdentifier: !Ref DBInstanceIdentifier
DBInstanceClass: !Ref DBInstanceClass
Engine: !Ref Engine
EngineVersion: !Ref EngineVersion
MasterUsername: !Ref MasterUsername
ManageMasterUserPassword: true
AllocatedStorage: !Ref AllocatedStorage
AutoMinorVersionUpgrade: true
PubliclyAccessible: false
StorageEncrypted: true
DeletionProtection: false
Outputs:
DBInstanceEndpoint:
Description: The connection endpoint for the database
Value: !GetAtt RDSInstance.Endpoint.Address
DBInstancePort:
Description: The port number on which the database accepts connections
Value: !GetAtt RDSInstance.Endpoint.Port
Key line: AutoMinorVersionUpgrade: true
Terraform (optional)
Use the auto_minor_version_upgrade argument set to true:
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable "db_instance_identifier" {
description = "The identifier for the RDS instance"
type = string
}
variable "db_instance_class" {
description = "The instance class for the RDS instance"
type = string
default = "db.t3.micro"
}
variable "engine" {
description = "The database engine to use"
type = string
default = "mysql"
}
variable "engine_version" {
description = "The engine version to use"
type = string
}
variable "allocated_storage" {
description = "The allocated storage in gigabytes"
type = number
default = 20
}
variable "db_username" {
description = "Username for the master DB user"
type = string
sensitive = true
}
variable "db_password" {
description = "Password for the master DB user"
type = string
sensitive = true
}
resource "aws_db_instance" "main" {
identifier = var.db_instance_identifier
instance_class = var.db_instance_class
engine = var.engine
engine_version = var.engine_version
allocated_storage = var.allocated_storage
storage_encrypted = true
username = var.db_username
password = var.db_password
# Enable automatic minor version upgrades (required for this check)
auto_minor_version_upgrade = true
publicly_accessible = false
skip_final_snapshot = false
final_snapshot_identifier = "${var.db_instance_identifier}-final-snapshot"
deletion_protection = false
tags = {
Name = var.db_instance_identifier
}
}
output "db_instance_endpoint" {
description = "The connection endpoint for the database"
value = aws_db_instance.main.endpoint
}
output "db_instance_port" {
description = "The port number on which the database accepts connections"
value = aws_db_instance.main.port
}
Key line: auto_minor_version_upgrade = true
Verification
After making the change, verify it was applied:
- Go to the RDS Console and select your database
- Click the Configuration tab
- Look for Auto minor version upgrade - it should show Yes
CLI verification
aws rds describe-db-instances \
--db-instance-identifier <your-db-instance-id> \
--query 'DBInstances[0].{Instance:DBInstanceIdentifier,AutoMinorVersionUpgrade:AutoMinorVersionUpgrade}' \
--output table \
--region us-east-1
Expected output:
--------------------------------------------------
| DescribeDBInstances |
+---------------------------+--------------------+
| AutoMinorVersionUpgrade | Instance |
+---------------------------+--------------------+
| True | your-db-instance |
+---------------------------+--------------------+
Additional Resources
- AWS RDS User Guide: Working with Engine Versions
- AWS RDS User Guide: Maintenance Window
- AWS CLI Reference: modify-db-instance
- Terraform AWS Provider: aws_db_instance
Notes
-
Maintenance windows: Minor version upgrades are applied during your scheduled maintenance window unless you use
--apply-immediately. Consider the timing for production databases. -
Multi-AZ deployments: For Multi-AZ instances, the upgrade is applied to the standby first, then a failover occurs, and finally the old primary is upgraded. This minimizes downtime.
-
Read replicas: Read replicas should also have this setting enabled. They are upgraded after the primary instance.
-
Testing first: While minor versions are designed to be backward compatible, it's good practice to test updates in a non-production environment first when possible.
-
Aurora differences: Amazon Aurora handles engine updates differently. Aurora clusters use a separate versioning system - refer to Aurora-specific documentation for version management.