Profile Applicability

  • Level 1

Description:

The Auto Minor Version Upgrade feature for Amazon RDS ensures that RDS instances are automatically upgraded to the latest minor version of the database engine, which includes important patches and bug fixes. Enabling this feature helps maintain the security and stability of RDS instances by ensuring they are up-to-date with the latest minor version releases.

By enabling Auto Minor Version Upgrade, organizations can reduce manual intervention, improve security by automatically applying critical patches, and ensure that their RDS instances remain compliant with best practices for database versioning.

Rationale:

Enabling the Auto Minor Version Upgrade feature provides the following benefits:

  • Security and Stability: Automatically applies minor version updates, including bug fixes and security patches, reducing the risk of vulnerabilities and improving overall database performance.

  • Reduced Maintenance Effort: Eliminates the need for manual upgrades, ensuring that RDS instances are always up to date without requiring manual intervention.

  • Compliance: Helps maintain compliance with regulatory requirements that mandate up-to-date and secure database systems.

  • Minimized Downtime: The process is automated and can be managed during low-traffic periods to minimize service disruptions.

Without this feature enabled, organizations risk running outdated or vulnerable versions of database engines, which can lead to security issues and application instability.

Impact:

Failure to enable Auto Minor Version Upgrade can result in:

  • Increased security risks due to outdated database versions.

  • Manual upgrade errors: Without automation, there is a higher chance of missing critical updates, leading to potential vulnerabilities.

  • Compliance issues: Non-compliance with regulatory standards requiring timely updates and security patches.

Enabling this feature ensures that RDS instances are automatically upgraded, improving security and reducing manual maintenance overhead.

Default Value:

By default, the Auto Minor Version Upgrade feature is disabled during RDS instance creation. You must explicitly enable it to allow automatic minor version upgrades for RDS instances.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • rds:DescribeDBInstances

    • rds:ModifyDBInstance

  • RDS instance must be available for modification to enable the Auto Minor Version Upgrade feature

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the RDS Console.

  2. Select the RDS instance for which you want to verify or enable Auto Minor Version Upgrade.

  3. In the Modify DB Instance section, ensure that Auto Minor Version Upgrade is set to Yes.

  4. Confirm that the modification is saved and the Auto Minor Version Upgrade feature is enabled for the instance.

Using AWS CLI :

aws rds describe-db-instances --query "DBInstances[?AutoMinorVersionUpgrade==`true`].{DBInstanceIdentifier:DBInstanceIdentifier, AutoMinorVersionUpgrade:AutoMinorVersionUpgrade}" --output table
Implementation Plan:

Using AWS Console:

  1. Enable Auto Minor Version Upgrade for an RDS instance:

    • Go to the RDS Console.

    • Select the RDS instance you wish to modify.

    • In the Modify DB Instance section, under DB Engine Version, enable Auto Minor Version Upgrade.

    • Apply changes and save the configuration.

  2. Verify Auto Minor Version Upgrade:

    • Ensure that Auto Minor Version Upgrade is listed as Yes in the Modify DB Instance section for the selected RDS instance.

Using AWS CLI:

  1. Enable Auto Minor Version Upgrade for an RDS instance:

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --auto-minor-version-upgrade true --apply-immediately

  1. Verify Auto Minor Version Upgrade:

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<db-instance-id>'].{DBInstanceIdentifier:DBInstanceIdentifier, AutoMinorVersionUpgrade:AutoMinorVersionUpgrade}" --output table

Backout Plan:

Using AWS Console:

  1. If Auto Minor Version Upgrade causes issues with compatibility:

    • Go to the RDS Console.

    • Modify the RDS instance to disable Auto Minor Version Upgrade.

    • Save the changes and revert to manual upgrades if necessary.

  2. Modify the instance settings to manually apply minor version updates at a scheduled time to avoid potential disruptions.

Using AWS CLI:

  1. Temporarily disable Auto Minor Version Upgrade:

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --auto-minor-version-upgrade false --apply-immediately

  1. Stop RDS instance modifications if compatibility or functionality issues occur:

aws rds stop-db-instance --db-instance-identifier <db-instance-id>

  1. Re-enable Auto Minor Version Upgrade once issues are resolved:

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --auto-minor-version-upgrade true --apply-immediately

References:

CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

4.9

Perform Continuous Security Monitoring and Incident Detection

CIS v7

6.3

Monitor Security Configurations for Compliance

CIS v7

5.2

Securely Manage and Monitor Cloud Accounts and Services