
πŸ›‘οΈ AWS DMS Replication Instance Auto Minor Version Upgrade is not enabled🟒

  • Contextual name: 🛡️ Replication Instance Auto Minor Version Upgrade is not enabled 🟢
  • ID: /ce/ca/aws/dms/replication-instance-auto-minor-upgrade
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-0d66ed991

Description

Ensure that all AWS Database Migration Service (DMS) Replication Instances have the Auto Minor Version Upgrade feature enabled.

Rationale​

Enabling auto minor version upgrades ensures that your DMS replication instances automatically receive the latest minor engine updates from AWS. These upgrades can include security patches, bug fixes, and performance improvements without requiring manual intervention.

Impact​

Updates are deployed during the instance's defined maintenance window, which may cause a brief service interruption. Set the maintenance window to a period of low traffic to minimize the impact on ongoing migrations.

Audit​

This policy marks an AWS DMS Replication Instance as INCOMPLIANT if its AutoMinorVersionUpgrade attribute (the Minor Version Automatic Update checkbox in the console) is set to false.

Remediation

To enable automatic minor version upgrades for existing DMS replication instances, use one of the following approaches:

Using AWS CloudFormation​

  • CloudFormation template (YAML):

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Auto Minor Version Upgrade on an existing DMS replication instance

Parameters:
  ReplicationInstanceIdentifier:
    Type: String
    Description: Identifier (name) of the existing DMS replication instance
  ReplicationInstanceClass:
    Type: String
    Description: DMS instance class (e.g., dms.c4.large)

Resources:
  AutoMinorUpgradeDMS:
    Type: AWS::DMS::ReplicationInstance
    Properties:
      ReplicationInstanceIdentifier: !Ref ReplicationInstanceIdentifier
      ReplicationInstanceClass: !Ref ReplicationInstanceClass
      # The setting this policy audits; minor engine upgrades are then applied
      # during the instance's maintenance window.
      AutoMinorVersionUpgrade: true
```

Note: Ensure that the ReplicationInstanceIdentifier parameter matches the target instance's identifier (its name, not its ARN), and that the instance is one the stack manages; CloudFormation does not change the properties of a replication instance that belongs to no stack.

From Command Line​

Run the following command to modify the replication instance (replace the placeholder with the target instance's ARN):

```shell
aws dms modify-replication-instance \
  --replication-instance-arn {{replication-instance-arn}} \
  --auto-minor-version-upgrade
```

... [see more](remediation.md)
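The audit condition above and the CLI remediation can be combined into one small check. The following is an added example, not Cloudaware's policy code or AWS-provided code: it evaluates a list of replication instances exactly as the Audit section describes (INCOMPLIANT when AutoMinorVersionUpgrade is false, and, as a conservative choice in this example, also when the attribute is missing), and builds the corresponding modify-replication-instance command for each finding. The sample instances are constructed to mirror the shape of the DMS DescribeReplicationInstances response so the check runs offline; fetch_instances() shows the live boto3 call and is the only part that needs AWS credentials. Instance names and ARNs are made up.

```python
"""Audit DMS replication instances for AutoMinorVersionUpgrade (added example)."""


# Constructed sample, shaped like the ReplicationInstances list returned by
# the DMS DescribeReplicationInstances API. Names and ARNs are made up.
SAMPLE_INSTANCES = [
    {
        "ReplicationInstanceIdentifier": "orders-migration",
        "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE1",
        "ReplicationInstanceClass": "dms.c4.large",
        "AutoMinorVersionUpgrade": True,
        "PreferredMaintenanceWindow": "sun:03:00-sun:04:00",
    },
    {
        "ReplicationInstanceIdentifier": "legacy-crm-sync",
        "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE2",
        "ReplicationInstanceClass": "dms.t3.medium",
        "AutoMinorVersionUpgrade": False,
        "PreferredMaintenanceWindow": "mon:09:00-mon:10:00",
    },
    {
        # Attribute absent: this example treats "unknown" as non-compliant
        # rather than assuming the upgrade is enabled.
        "ReplicationInstanceIdentifier": "unknown-state",
        "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE3",
        "ReplicationInstanceClass": "dms.t3.medium",
    },
]


def evaluate(instances):
    """Return one finding per instance with status COMPLIANT or INCOMPLIANT."""
    findings = []
    for inst in instances:
        enabled = inst.get("AutoMinorVersionUpgrade") is True
        findings.append({
            "identifier": inst["ReplicationInstanceIdentifier"],
            "arn": inst["ReplicationInstanceArn"],
            # Reported so an operator can see when the upgrade would be applied.
            "maintenance_window": inst.get("PreferredMaintenanceWindow"),
            "status": "COMPLIANT" if enabled else "INCOMPLIANT",
        })
    return findings


def remediation_commands(findings):
    """Build the AWS CLI remediation command for every INCOMPLIANT finding.

    Enabling the flag does not itself upgrade the engine; the upgrade runs in
    the instance's maintenance window, as the Impact section describes.
    """
    return [
        "aws dms modify-replication-instance "
        f"--replication-instance-arn {f['arn']} --auto-minor-version-upgrade"
        for f in findings
        if f["status"] == "INCOMPLIANT"
    ]


def fetch_instances(dms_client):
    """Collect all replication instances from a boto3 DMS client, page by page.

    dms_client is expected to be boto3.client("dms"); the paginator name is the
    boto3 name of the DescribeReplicationInstances operation.
    """
    paginator = dms_client.get_paginator("describe_replication_instances")
    instances = []
    for page in paginator.paginate():
        instances.extend(page["ReplicationInstances"])
    return instances


if __name__ == "__main__":
    findings = evaluate(SAMPLE_INSTANCES)
    for finding in findings:
        print(f"{finding['status']:12} {finding['identifier']} "
              f"(maintenance window: {finding['maintenance_window']})")
    for command in remediation_commands(findings):
        print(command)
```

To run it against a real account, replace SAMPLE_INSTANCES with fetch_instances(boto3.client("dms")) for each region in scope; the evaluation and command generation stay the same.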

policy.yaml

Linked Framework Sections​

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 16c information security operations and administration; 44 no data
💼 APRA CPG 234 → 💼 36h patch management controls — to manage the assessment and application of patches and other updates that address known vulnerabilities in a timely manner; 77 no data
💼 APRA CPG 234 → 💼 40 An important aspect of information asset life-cycle management involves minimising vulnerabilities and maintaining support. Information security exposures could arise from hardware and software which is outdated or has limited or no support (whether through a third party, a related party or in-house). Technology that is end-of-life, out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer, or is unable, to be updated to address new threats. 77 no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.6] DMS replication instances should have automatic minor version upgrade enabled 11 no data
💼 AWS Well-Architected → 💼 OPS05-BP05 Perform patch management 2 no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization 14 no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H) 2712 no data
💼 FedRAMP High Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H) 3 no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H) 12 no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H) 212 no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H) 3 no data
💼 ISO/IEC 27001:2013 → 💼 A.12.5.1 Installation of software on operational systems 55 no data
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected 1111 no data
💼 NIST CSF v1.1 → 💼 ID.AM-2: Software platforms and applications within the organization are inventoried 57 no data
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented 1315 no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity 2226 no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) 426 no data
💼 NIST CSF v1.1 → 💼 PR.IP-3: Configuration change control processes are in place 55 no data
💼 NIST CSF v1.1 → 💼 PR.IP-12: A vulnerability management plan is developed and implemented 79 no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events 120 no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 139 no data
💼 NIST CSF v2.0 → 💼 ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained 9 no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations 24 no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties 37 no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities 38 no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded 29 no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked 30 no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected 118 no data
💼 NIST SP 800-53 Revision 4 → 💼 SI-2 FLAW REMEDIATION 622 no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation 669 no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(2) Flaw Remediation _ Automated Flaw Remediation Status 13 no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(4) Flaw Remediation _ Automated Patch Management Tools 3 no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(5) Flaw Remediation _ Automatic Software and Firmware Updates 23 no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(6) Flaw Remediation _ Removal of Previous Versions of Software and Firmware 66 no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification 1921 no data
💼 PCI DSS v3.2.1 → 💼 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. 3 no data
💼 PCI DSS v4.0.1 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates 3 no data
💼 PCI DSS v4.0 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates 3 no data
💼 UK Cyber Essentials → 💼 3.1 All software on in-scope devices must be licensed and supported 66 no data
💼 UK Cyber Essentials → 💼 3.3 All software on in-scope devices must have automatic updates enabled where possible 22 no data