Profile Applicability:

  • Level 1

Description:
AWS-managed database services should be regularly patched to ensure that known vulnerabilities are addressed and new functionality is applied. This includes enabling auto minor version upgrades or scheduling manual upgrades during maintenance windows.

Rationale:
Unpatched systems are a primary target for attackers. Keeping systems updated ensures the latest security fixes and performance improvements are applied, reducing risk and ensuring compliance.

Impact:
Pros:

  • Protects against known vulnerabilities

  • Helps maintain service reliability and performance

  • Required for most security and compliance certifications

Cons:

  • Updates could introduce regressions if not tested in staging

  • Requires coordination with maintenance windows to avoid downtime

Default Value:
Auto minor version upgrade is disabled by default on most RDS engines.

Pre-requisites:

  • IAM privileges to modify database instances

  • Defined maintenance window for patching

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to Amazon RDS > Databases

  3. Select the database instance

  4. Click on the Maintenance & backups tab

  5. Check if Auto minor version upgrade is set to Yes

  6. Review pending maintenance actions

Using AWS CLI:

  1. Check if auto minor version upgrade is enabled:

     aws rds describe-db-instances --db-instance-identifier <your-db-instance-id> --query "DBInstances[*].AutoMinorVersionUpgrade"

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to Amazon RDS > Databases

  3. Select your DB instance

  4. Click Modify

  5. Scroll down to the Maintenance section

  6. Check the box for Auto minor version upgrade

  7. Click Continue and choose Apply immediately

Using AWS CLI:

  1. Enable auto minor version upgrades:

     aws rds modify-db-instance --db-instance-identifier <your-db-instance-id> --auto-minor-version-upgrade --apply-immediately
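
The following is an added example (not part of this benchmark) that turns the Test Plan and Implementation Plan above into a repeatable audit: it consumes the JSON that the page's describe-db-instances command returns (without the --query filter) together with the output of aws rds describe-pending-maintenance-actions, reports each instance whose auto minor version upgrade is off and any maintenance action still pending for it, and emits the page's modify-db-instance remediation command for each non-compliant instance. The two JSON documents embedded below are constructed sample output, not real account data.

```python
import json

# Constructed sample output of `aws rds describe-db-instances` and
# `aws rds describe-pending-maintenance-actions`, trimmed to the fields
# this check needs. The account id and instance names are placeholders.
DESCRIBE_DB_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "prod-orders", "Engine": "postgres",
     "EngineVersion": "15.4", "AutoMinorVersionUpgrade": False,
     "PreferredMaintenanceWindow": "sun:03:00-sun:04:00",
     "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:prod-orders"},
    {"DBInstanceIdentifier": "prod-users", "Engine": "mysql",
     "EngineVersion": "8.0.35", "AutoMinorVersionUpgrade": True,
     "PreferredMaintenanceWindow": "sat:02:00-sat:03:00",
     "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:prod-users"},
]})
PENDING_ACTIONS = json.dumps({"PendingMaintenanceActions": [
    {"ResourceIdentifier": "arn:aws:rds:us-east-1:111122223333:db:prod-orders",
     "PendingMaintenanceActionDetails": [
         {"Action": "system-update", "OptInStatus": "",
          "AutoAppliedAfterDate": "2024-06-02T03:00:00Z",
          "Description": "New Operating System update is available"}]},
]})


def audit(describe_json, pending_json):
    """One finding per instance: is auto minor version upgrade on, and
    which maintenance actions (keyed by instance ARN) are still pending."""
    pending = {}
    for entry in json.loads(pending_json)["PendingMaintenanceActions"]:
        pending[entry["ResourceIdentifier"]] = [
            d["Action"] for d in entry["PendingMaintenanceActionDetails"]]
    findings = []
    for inst in json.loads(describe_json)["DBInstances"]:
        auto = bool(inst.get("AutoMinorVersionUpgrade", False))
        findings.append({
            "id": inst["DBInstanceIdentifier"],
            "auto_minor_upgrade": auto,
            "pending_actions": pending.get(inst["DBInstanceArn"], []),
            "compliant": auto})
    return findings


def remediation_commands(findings):
    """The page's modify-db-instance command for each non-compliant instance."""
    return [f"aws rds modify-db-instance --db-instance-identifier {f['id']} "
            "--auto-minor-version-upgrade --apply-immediately"
            for f in findings if not f["compliant"]]


if __name__ == "__main__":
    results = audit(DESCRIBE_DB_INSTANCES, PENDING_ACTIONS)
    for finding in results:
        print(finding)
    print("\n".join(remediation_commands(results)))
```

In a real run, replace the two constants with the output of the corresponding aws rds commands; instances with pending actions should be scheduled within their maintenance window rather than applied immediately if downtime must be avoided.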

Backout Plan

Using AWS Console:

  1. Navigate to Amazon RDS > Databases

  2. Select the instance and click Modify

  3. Uncheck Auto minor version upgrade

  4. Click Continue and Apply immediately

Using AWS CLI:

  1. Disable auto minor version upgrades:

     aws rds modify-db-instance --db-instance-identifier <your-db-instance-id> --no-auto-minor-version-upgrade --apply-immediately

References: