AWS RDS database instance does not receive minor database engine upgrades

Description:

Amazon RDS can upgrade a DB instance's engine to a new minor version automatically during its scheduled maintenance window. Minor engine versions are backward compatible and typically carry security fixes and bug fixes rather than behavioural changes. If an RDS DB instance is not configured to receive minor version upgrades automatically, it stays on its current minor version indefinitely and misses the security patches, bug fixes and new features shipped in later minor versions, leaving it exposed to issues that have already been fixed upstream. Note that RDS applies an automatic upgrade only when it designates a newer minor version as the automatic upgrade target for that engine, and the upgrade restarts the instance during the maintenance window; the right response is to choose a maintenance window that fits the workload (and use Multi-AZ to shorten the interruption), not to disable the feature.


Remediation:

1. Enable Auto Minor Version Upgrade for New RDS Instances:

AWS Management Console:
  • Navigate to the RDS dashboard.
  • Click on "Create database".
  • In the creation wizard, make sure the "Enable auto minor version upgrade" option is selected (it is on by default for new instances; do not clear it).
  • Continue with other database settings and click "Create".
AWS CLI:
aws rds create-db-instance --db-instance-identifier YourDBInstanceName --engine postgres --db-instance-class db.t3.micro --allocated-storage 20 --master-username YourMasterUser --manage-master-user-password --auto-minor-version-upgrade

(The engine, instance class and storage values are placeholders for your own settings. AutoMinorVersionUpgrade defaults to true on creation, so the flag matters mainly when a template or script has set --no-auto-minor-version-upgrade; --manage-master-user-password keeps the master password in Secrets Manager instead of on the command line.)

2. Enable Auto Minor Version Upgrade for Existing RDS Instances:

AWS Management Console:
  • Navigate to the RDS dashboard.
  • Select your database instance.
  • Click on "Modify".
  • In the maintenance settings, enable "Auto minor version upgrade".
  • Scroll down and click on "Continue", then "Modify DB Instance". Changing this flag causes no outage by itself, even with "Apply immediately"; the instance restarts only when RDS actually performs an upgrade in the next maintenance window.
AWS CLI:
aws rds modify-db-instance --db-instance-identifier YourDBInstanceName --apply-immediately --auto-minor-version-upgrade

3. Monitor and Audit:

AWS Management Console:
  • Navigate to AWS Config.
  • Enable the AWS managed rule rds-automatic-minor-version-upgrade-enabled, which marks every DB instance whose AutoMinorVersionUpgrade flag is false as NON_COMPLIANT (Security Hub control RDS.13 performs the same check).
  • Use AWS CloudTrail to alert on ModifyDBInstance and CreateDBInstance calls that set autoMinorVersionUpgrade to false, since a single API call can silently opt an instance out again after remediation.
AWS CLI:

The same check can be run directly from the CLI: aws rds describe-db-instances with a --query filter on AutoMinorVersionUpgrade lists every instance where the flag is false, and aws configservice put-config-rule deploys the managed rule rds-automatic-minor-version-upgrade-enabled for continuous evaluation. For scheduled audits across many accounts and regions, a short Boto3 script is usually easier to maintain than shell pipelines.
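An added example, not from the original page, that scripts steps 2 and 3 with Boto3. The two pure functions audit a DescribeDBInstances result for instances with the flag off and scan CloudTrail ModifyDBInstance records for calls that switched it off; they run here on constructed sample data. The live helpers (audit_account, enable_auto_minor_upgrade, recent_disabling_events) are assumed wrappers around the real boto3 calls and need credentials with rds:DescribeDBInstances, rds:ModifyDBInstance and cloudtrail:LookupEvents. The request-parameter names dBInstanceIdentifier and autoMinorVersionUpgrade follow the casing CloudTrail uses for RDS calls; the sample records below are constructed, not captured.

```python
"""Audit RDS AutoMinorVersionUpgrade and detect attempts to disable it.

Added example (not from the original page). The pure functions work on
plain dicts in the shapes the AWS APIs return; the live helpers wrap boto3
and are assumptions about how you would wire this into an account.
"""
import json
from typing import Iterable


def noncompliant_instances(db_instances: Iterable[dict]) -> list[str]:
    """Return identifiers of instances whose AutoMinorVersionUpgrade flag is off.

    `db_instances` has the shape of the DBInstances list returned by
    rds:DescribeDBInstances. A missing key is treated as non-compliant so a
    malformed record is flagged rather than silently passed.
    """
    return [
        db["DBInstanceIdentifier"]
        for db in db_instances
        if not db.get("AutoMinorVersionUpgrade", False)
    ]


def disabling_events(cloudtrail_records: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (principal ARN, instance) pairs for successful ModifyDBInstance
    calls that set autoMinorVersionUpgrade to false.

    Records have the CloudTrail event shape (the parsed `CloudTrailEvent` JSON
    from LookupEvents, or a record from a CloudTrail log file). Calls that
    failed (errorCode present) did not change anything and are skipped.
    """
    hits = []
    for rec in cloudtrail_records:
        if rec.get("eventName") != "ModifyDBInstance" or "errorCode" in rec:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("autoMinorVersionUpgrade") is False:
            principal = rec.get("userIdentity", {}).get("arn", "unknown")
            hits.append((principal, params.get("dBInstanceIdentifier", "unknown")))
    return hits


def audit_account(region: str) -> list[str]:
    """Live audit (assumed helper): page through every instance in a region."""
    import boto3  # imported here so the pure functions above run without the SDK
    rds = boto3.client("rds", region_name=region)
    instances = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return noncompliant_instances(instances)


def enable_auto_minor_upgrade(region: str, identifiers: Iterable[str]) -> None:
    """Live remediation (assumed helper). Setting the flag causes no outage;
    the restart happens only when RDS upgrades in the maintenance window."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    for ident in identifiers:
        rds.modify_db_instance(
            DBInstanceIdentifier=ident,
            AutoMinorVersionUpgrade=True,
            ApplyImmediately=True,
        )


def recent_disabling_events(region: str) -> list[tuple[str, str]]:
    """Live detection (assumed helper): scan CloudTrail event history."""
    import boto3
    ct = boto3.client("cloudtrail", region_name=region)
    records = []
    for page in ct.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "ModifyDBInstance"}]
    ):
        records.extend(json.loads(e["CloudTrailEvent"]) for e in page["Events"])
    return disabling_events(records)


# Constructed sample in the DescribeDBInstances shape (not real instances).
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "EngineVersion": "15.4", "AutoMinorVersionUpgrade": True},
    {"DBInstanceIdentifier": "reporting-replica", "Engine": "postgres",
     "EngineVersion": "15.4", "AutoMinorVersionUpgrade": False},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
     "EngineVersion": "8.0.32", "AutoMinorVersionUpgrade": False},
]

# Constructed CloudTrail records (not captured from a real account).
SAMPLE_CLOUDTRAIL = [
    {"eventName": "ModifyDBInstance", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dba-jane"},
     "requestParameters": {"dBInstanceIdentifier": "reporting-replica",
                           "autoMinorVersionUpgrade": False}},
    {"eventName": "ModifyDBInstance", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"},
     "requestParameters": {"dBInstanceIdentifier": "orders-prod",
                           "allocatedStorage": 200}},  # unrelated change
    {"eventName": "ModifyDBInstance", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/intern"},
     "errorCode": "AccessDenied",  # denied: nothing changed
     "requestParameters": {"dBInstanceIdentifier": "orders-prod",
                           "autoMinorVersionUpgrade": False}},
]

if __name__ == "__main__":
    print("non-compliant:", noncompliant_instances(SAMPLE_DB_INSTANCES))
    print("disable events:", disabling_events(SAMPLE_CLOUDTRAIL))
```

Denied calls are skipped on purpose so that an unsuccessful attempt is not reported as a configuration change; drop the errorCode condition if you also want to alert on attempts. Running audit_account followed by enable_auto_minor_upgrade on its result is the scripted form of step 2, and feeding recent_disabling_events into your alerting covers the CloudTrail part of step 3.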

4. Document and Train:

Ensure that internal guidelines mandate the use of automatic minor version upgrades for RDS instances. Train the technical teams on the importance of this feature and the benefits it offers in terms of security and performance.

By following these steps, you can ensure that your RDS instances are always up to date with the latest minor version updates, thereby keeping them secure and optimized.