Profile Applicability:

  • Level 1

Description:
 Enabling automatic updates and patching ensures that security patches, bug fixes, and performance improvements are applied to Amazon Aurora databases in a timely and consistent manner. This reduces the risk of running outdated or vulnerable versions of database engines.

Rationale:
 Automatic updates and patching help protect the database from known vulnerabilities and security issues by ensuring that all updates are applied without manual intervention. This minimizes the attack surface and ensures that the database operates with the latest security features and enhancements.

Impact:
 Without automatic updates and patching, database instances may remain vulnerable to security threats, performance degradation, or system instability due to outdated software. Enabling this feature ensures that critical patches are applied without delay, reducing exposure to security risks.

Default Value:
 By default, Amazon RDS does not enable automatic patching on every database instance; it can be enabled manually for each RDS instance.

Pre-requisites:

  • An AWS account with Aurora database instances.

  • The database instances should be running a supported version of Amazon Aurora.

  • Basic understanding of RDS maintenance windows and patching process.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to RDS Dashboard and select an Aurora instance.

  2. Check the Maintenance section for the Auto Minor Version Upgrade setting to ensure it is enabled.

  3. Ensure that Automatic Patching is enabled for the database instance under the Modify DB Instance options.

  4. Review the Maintenance Window to ensure updates and patches are applied within an acceptable timeframe.

Using AWS CLI:

  1. Run the following command to verify if automatic updates are enabled:

     aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,AutoMinorVersionUpgrade]"

  2. Check for the Maintenance Window:

     aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,PreferredMaintenanceWindow]"

Implementation Plan:

Using AWS Console:

  1. Go to the RDS Dashboard, select the Aurora instance, and click Modify.

  2. Under Maintenance, enable Auto Minor Version Upgrade.

  3. Under DB Engine Version, ensure that the Auto Minor Version Upgrade option is selected.

  4. Review the Maintenance Window and adjust it if necessary to minimize downtime during updates.

  5. Apply the changes and restart the instance if needed.

Using AWS CLI:

  1. Modify the Aurora instance to enable automatic minor version upgrades:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --auto-minor-version-upgrade --apply-immediately

  2. Verify that the maintenance window is set:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --preferred-maintenance-window "Sun:05:00-Sun:06:00" --apply-immediately

  3. Check for the status of applied patches:

     aws rds describe-events --source-type db-instance --source-identifier <db-instance-id>
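The two describe-db-instances checks in the Test Plan and the modify-db-instance remediation above are easy to run by hand for one instance, but an audit usually covers many. The script below is an added example (not part of this benchmark or an AWS tool): it takes the JSON that `aws rds describe-db-instances --output json` prints, flags Aurora instances whose AutoMinorVersionUpgrade is off, validates each PreferredMaintenanceWindow against the documented `ddd:hh24:mi-ddd:hh24:mi` UTC format and AWS's 30-minute minimum length, and emits the corresponding remediation command from the Implementation Plan. The sample output embedded in it is constructed; the instance names and engines are illustrative.

```python
"""Audit `aws rds describe-db-instances --output json` for the
Auto Minor Version Upgrade control. Added example, not benchmark code."""
import json
import re

# Constructed sample resembling `aws rds describe-db-instances --output json`.
# One compliant Aurora instance, one non-compliant, one non-Aurora instance.
SAMPLE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "aurora-prod-1", "Engine": "aurora-mysql",
         "AutoMinorVersionUpgrade": True,
         "PreferredMaintenanceWindow": "sun:05:00-sun:06:00"},
        {"DBInstanceIdentifier": "aurora-prod-2", "Engine": "aurora-postgresql",
         "AutoMinorVersionUpgrade": False,
         "PreferredMaintenanceWindow": "mon:03:00-mon:03:20"},
        {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
         "AutoMinorVersionUpgrade": False,
         "PreferredMaintenanceWindow": "fri:22:00-sat:01:00"},
    ]
})

_DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
_WINDOW_RE = re.compile(
    r"^([a-z]{3}):(\d{2}):(\d{2})-([a-z]{3}):(\d{2}):(\d{2})$")


def window_minutes(window):
    """Length in minutes of an RDS maintenance window (ddd:hh24:mi-ddd:hh24:mi,
    UTC), or None if the string is malformed. Windows may wrap past the end
    of the week, e.g. sun:23:30-mon:00:30 is 60 minutes."""
    m = _WINDOW_RE.match(window.lower())
    if not m:
        return None
    d1, h1, m1, d2, h2, m2 = m.groups()
    if d1 not in _DAYS or d2 not in _DAYS:
        return None
    if int(h1) > 23 or int(h2) > 23 or int(m1) > 59 or int(m2) > 59:
        return None
    start = _DAYS.index(d1) * 1440 + int(h1) * 60 + int(m1)
    end = _DAYS.index(d2) * 1440 + int(h2) * 60 + int(m2)
    return (end - start) % (7 * 1440)


def audit(describe_output, aurora_only=True, min_minutes=30):
    """Return a list of (DBInstanceIdentifier, reason) findings.
    With aurora_only=True, non-Aurora engines are skipped."""
    findings = []
    for inst in json.loads(describe_output).get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        if aurora_only and not inst.get("Engine", "").startswith("aurora"):
            continue
        if not inst.get("AutoMinorVersionUpgrade", False):
            findings.append((ident, "AutoMinorVersionUpgrade is disabled"))
        mins = window_minutes(inst.get("PreferredMaintenanceWindow", ""))
        if mins is None:
            findings.append((ident, "maintenance window is missing or malformed"))
        elif mins < min_minutes:
            findings.append((ident, f"maintenance window is {mins} min, "
                                    f"below the {min_minutes}-min minimum"))
    return findings


def remediation_commands(findings):
    """Build the modify-db-instance command from the Implementation Plan
    for every instance with AutoMinorVersionUpgrade disabled."""
    return [
        f"aws rds modify-db-instance --db-instance-identifier {ident} "
        f"--auto-minor-version-upgrade --apply-immediately"
        for ident, reason in findings if reason.startswith("AutoMinorVersionUpgrade")
    ]


if __name__ == "__main__":
    # Real use: python audit.py < <(aws rds describe-db-instances --output json)
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for ident, reason in audit(raw):
        print(f"FAIL {ident}: {reason}")
    for cmd in remediation_commands(audit(raw)):
        print(cmd)
```

Review the emitted commands before running them; `--apply-immediately` takes effect outside the maintenance window. On Aurora the setting is per DB instance, so check every instance in a cluster, not only the writer.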

Backout Plan:

Using AWS Console:

  1. Navigate to the RDS Dashboard and select the Aurora instance.

  2. Go to Modify DB Instance and disable Auto Minor Version Upgrade.

  3. Review and adjust the Maintenance Window to a more suitable time, if necessary.

  4. Revert to the previous instance version if needed by choosing an earlier version from the DB Engine Version options.

Using AWS CLI:

  1. Disable automatic minor version upgrades:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --no-auto-minor-version-upgrade --apply-immediately

  2. Adjust the maintenance window:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --preferred-maintenance-window "Mon:03:00-Mon:04:00" --apply-immediately

  3. Roll back to the previous database engine version (if applicable):

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --engine-version <previous-version> --apply-immediately

References: