
AWS RDS Auto Minor Version Upgrade


Risk level: Medium (should be achieved)

Ensure that your RDS database instances have the Auto Minor Version Upgrade flag enabled so that minor engine upgrades are applied automatically during the specified maintenance window. Each version upgrade is made available only after it has been tested and approved by AWS.

This rule resolution is part of the Cloud Conformity Security Package

AWS RDS occasionally deprecates minor engine versions and provides new ones to upgrade to. When only the last number of the version changes (e.g. 5.6.26 to 5.6.27), the change is considered a minor version upgrade. With the Auto Minor Version Upgrade feature enabled, such upgrades are applied automatically during the specified maintenance window, so your RDS instances receive the new features, bug fixes and security patches for their database engines without manual intervention.

Audit

To determine whether your RDS instances have the Auto Minor Version Upgrade feature enabled, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click the Instance Actions button in the dashboard top menu and select See Details.

06 Under the Maintenance Details section, check the Auto Minor Version Upgrade status:


If the current status is set to No, the feature is not enabled and released minor engine upgrades will not be applied to the selected RDS instance.

07 Repeat steps no. 4 – 6 for each RDS instance provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) to list the identifiers of all RDS database instances available in the selected AWS region:

aws rds describe-db-instances \
    --region us-east-1 \
    --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier:

[
    "prod-mysql-instance"
]

03 Run the describe-db-instances command (OSX/Linux/UNIX) again, using the RDS instance identifier returned earlier, to determine the Auto Minor Version Upgrade status of the selected instance:

aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier prod-mysql-instance \
    --query 'DBInstances[*].AutoMinorVersionUpgrade'

04 The command output should return the feature's current status (true for enabled, false for disabled):

[
    false
]

05 If the current status is set to false, the feature is not enabled and minor engine upgrades will not be applied to the selected RDS instance.

06 Repeat steps no. 1 – 4 for each RDS instance provisioned in the current region. Change the AWS region by using the --region parameter to repeat the process for other regions.

Remediation / Resolution

To update your RDS instance configuration and enable Auto Minor Version Upgrade, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to reconfigure.

05 Click the Instance Actions button in the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance identifier> page, under the Maintenance section, select Yes from the Auto Minor Version Upgrade dropdown list.

07 At the bottom of the page, check Apply Immediately so the change is applied right away.

08 Click Continue.

09 Review the changes and click Modify DB Instance. The instance status should change from available to modifying and back to available. Once the feature is enabled, the Auto Minor Version Upgrade status should change to Yes:


10 Repeat steps no. 4 – 9 for each RDS instance available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) to list the identifiers of all RDS instances available in the selected AWS region:

aws rds describe-db-instances \
    --region us-east-1 \
    --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier:

[
    "prod-mysql-instance"
]

03 Run the modify-db-instance command (OSX/Linux/UNIX) to change the configuration of the selected RDS instance. The following command enables Auto Minor Version Upgrade for an RDS instance named prod-mysql-instance (with the --apply-immediately option, the change is applied asynchronously as soon as possible):

aws rds modify-db-instance \
    --region us-east-1 \
    --db-instance-identifier prod-mysql-instance \
    --auto-minor-version-upgrade \
    --apply-immediately

04 The command output should show the new configuration metadata for the RDS instance:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "mysqlwebdb",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        ... 
        "AutoMinorVersionUpgrade": true,
        ...
        "StorageEncrypted": false,
        "DBInstanceClass": "db.t2.micro",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "prod-mysql-instance"
    }
}

05 Run the describe-db-instances command (OSX/Linux/UNIX) with the RDS instance identifier to check that the Auto Minor Version Upgrade feature has been successfully enabled:

aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier prod-mysql-instance \
    --query 'DBInstances[*].AutoMinorVersionUpgrade'

06 The command output should return the feature's current status (true for enabled, false for disabled):

[
    true
]

07 Repeat steps no. 1 – 6 for each RDS instance provisioned in the current region. Change the AWS region by using the --region parameter to repeat the process for other regions.
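The CLI audit and remediation steps above check one instance identifier at a time. The following script, added here as an example and not Cloud Conformity's own tooling, evaluates the whole describe-db-instances output for a region in one pass, flags every instance whose AutoMinorVersionUpgrade flag is not true, and prints the matching modify-db-instance command from the remediation steps. The file name rds_amvu_audit.py and the sample instances are assumptions made for this example.

```python
import json
import sys

# Constructed sample shaped like an `aws rds describe-db-instances --output json`
# response. Field names are the real RDS API names; identifiers and versions
# are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-mysql-instance", "Engine": "mysql",
         "EngineVersion": "5.6.26", "AutoMinorVersionUpgrade": False},
        {"DBInstanceIdentifier": "reporting-postgres", "Engine": "postgres",
         "EngineVersion": "9.6.6", "AutoMinorVersionUpgrade": True},
        # Missing flag: treated as disabled so the audit fails closed.
        {"DBInstanceIdentifier": "legacy-mariadb", "Engine": "mariadb",
         "EngineVersion": "10.1.26"},
    ]
})

def find_noncompliant(response_json, region):
    """Return one finding per instance whose flag is anything but true."""
    findings = []
    for db in json.loads(response_json).get("DBInstances", []):
        if db.get("AutoMinorVersionUpgrade") is True:
            continue
        ident = db["DBInstanceIdentifier"]
        findings.append({
            "region": region,
            "identifier": ident,
            "engine": f"{db.get('Engine')} {db.get('EngineVersion')}",
            # The remediation command from the steps above, filled in per instance.
            "fix": (f"aws rds modify-db-instance --region {region} "
                    f"--db-instance-identifier {ident} "
                    "--auto-minor-version-upgrade --apply-immediately"),
        })
    return findings

def main(argv):
    # Usage: aws rds describe-db-instances --region us-east-1 --output json \
    #        | python rds_amvu_audit.py us-east-1
    # With no piped input the constructed sample is evaluated instead.
    region = argv[1] if len(argv) > 1 else "us-east-1"
    raw = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    findings = find_noncompliant(raw, region)
    for f in findings:
        print(f"[Medium] {f['region']} {f['identifier']} ({f['engine']}): "
              f"Auto Minor Version Upgrade disabled\n    fix: {f['fix']}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per region (looping over the regions returned by `aws ec2 describe-regions`) and the non-zero exit status makes it usable as a CI or scheduled compliance check.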

Publication date Apr 30, 2016