Profile Applicability:
Level 1
Description:
The Auto Minor Version Upgrade feature ensures that RDS instances automatically receive minor database engine upgrades when they become available. These upgrades contain important security patches, bug fixes, and performance improvements. Auto Minor Version Upgrade is applied only during the scheduled maintenance window. This setting ensures databases stay updated without requiring manual intervention.
Rationale:
Security patches are critical for protecting databases from newly discovered vulnerabilities.
Minor upgrades improve performance and stability without introducing breaking changes.
AWS occasionally deprecates older minor versions, making updates necessary.
Ensures compliance with security best practices and regulatory frameworks like SOC 2, GDPR, HIPAA, and PCI-DSS.
Impact:
No major version upgrades occur automatically → Only minor, backward-compatible updates are applied.
Some downtime may occur if the change is applied with Apply Immediately instead of waiting for the maintenance window.
If disabled, security patches must be manually applied, increasing administrative effort.
Default Value:
By default, Auto Minor Version Upgrade is NOT enabled.
Pre-Requisites:
IAM permissions to modify RDS instance settings:
rds:DescribeDBInstances, rds:ModifyDBInstance
AWS CLI installed (for automation)
List of all RDS instances in your AWS account
Remediation:
Test Plan:
Using AWS Console
Check Auto Minor Version Upgrade for an RDS Instance
Log in to the AWS Console → Open the Amazon RDS Console
Click Databases
Select an RDS instance
Click on Maintenance and backups
Under the Maintenance section, check Auto Minor Version Upgrade status:
Enabled → Compliant
Disabled → Not compliant
Repeat for all RDS instances.
Using AWS CLI
Step 1: List All RDS Instances
aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'
This will list all RDS instances in your AWS account.
Step 2: Check Auto Minor Version Upgrade for Each Instance
aws rds describe-db-instances --db-instance-identifier <db-name> --query 'DBInstances[*].AutoMinorVersionUpgrade'
Expected Output (If enabled):
[ true ]
Step 3: Check Auto Minor Version Upgrade for All RDS Instances in a Region
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,AutoMinorVersionUpgrade]'
This command will list all RDS instances along with their Auto Minor Version Upgrade status.
Implementation Steps:
Using AWS Console
Step 1: Enable Auto Minor Version Upgrade
Log in to the AWS Console → Open RDS Console
Click Databases → Select the RDS instance
Click Modify
Scroll to Maintenance section
Check the box for Auto Minor Version Upgrade
Click Continue
Select one of the following:
Apply Immediately → Updates take effect immediately (may cause downtime)
Apply during the next maintenance window (Recommended for production)
Click Modify DB Instance
The instance status changes from Available → Modifying → Available
Verify that Auto Minor Version Upgrade is now Enabled
Repeat for all RDS instances.
Using AWS CLI
Step 1: List All RDS Instances
aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'
Find the RDS instance(s) that need updates.
Step 2: Enable Auto Minor Version Upgrade for a Specific Instance
aws rds modify-db-instance --db-instance-identifier <db-name> --auto-minor-version-upgrade --apply-immediately
This enables Auto Minor Version Upgrade and applies the changes immediately.
Step 3: Verify That Auto Minor Version Upgrade is Enabled
aws rds describe-db-instances --db-instance-identifier <db-name> --query 'DBInstances[*].AutoMinorVersionUpgrade'
Expected Output: [ true ]
Backout Plan:
Disable Auto Minor Version Upgrade via AWS Console or CLI:
aws rds modify-db-instance --db-instance-identifier <db-name> --no-auto-minor-version-upgrade --apply-immediately
Ensure backups exist before making changes.
Restore from snapshot if unexpected issues occur.