
🛡️ AWS RDS Multi-AZ Cluster Auto Minor Version Upgrade is not enabled 🟢

  • Contextual name: 🛡️ Multi-AZ Cluster Auto Minor Version Upgrade is not enabled 🟢
  • ID: /ce/ca/aws/rds/cluster-auto-minor-version-upgrade
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY, PERFORMANCE

Description

This policy identifies AWS RDS Multi-AZ Clusters where the Auto Minor Version Upgrade feature is disabled.

Rationale

Enabling automatic minor version upgrades ensures that clusters receive the latest engine updates, which may include critical security patches, bug fixes, and performance improvements. For Multi-AZ clusters designed to provide high availability, maintaining consistent updates across all instances is essential for stability, security, and uniform behavior, particularly during failover events.

Audit

This policy flags a Multi-AZ AWS RDS Cluster as INCOMPLIANT if the Auto Minor Version Upgrade field is set to No.

A Cluster is marked as INAPPLICABLE if the Multi-AZ field is set to false.

Remediation

Enable Automatic Minor Version Upgrades

Using AWS CloudFormation
  • CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enables automatic minor version upgrades for an existing RDS cluster.

Parameters:
  DBClusterId:
    Type: String
    Description: ID of the existing RDS cluster

Resources:
  AutoMinorUpgradeRDS:
    Type: AWS::RDS::DBCluster
    # AWS::RDS::DBCluster also requires the Engine property, and CloudFormation
    # only manages clusters that belong to the stack: bring the existing cluster
    # in with a resource import first, otherwise the stack tries to create a
    # new cluster under this identifier.
    Properties:
      DBClusterIdentifier: !Ref DBClusterId
      AutoMinorVersionUpgrade: true

From Command Line

aws rds modify-db-cluster \
    --db-cluster-identifier {{cluster-id}} \
    --auto-minor-version-upgrade \
    [--apply-immediately]

To apply the change during the next maintenance window, omit the --apply-immediately flag.
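The Audit rules above (INCOMPLIANT when a Multi-AZ cluster has the feature off, INAPPLICABLE when Multi-AZ is false) and the CLI remediation, worked through as an added example that is not Cloudaware's own policy code. It reads the JSON shape of `aws rds describe-db-clusters`; the cluster identifiers in the sample are constructed, and a missing AutoMinorVersionUpgrade field on a Multi-AZ cluster is treated as "No" (an assumption).

```python
import json

# Constructed sample in the shape of `aws rds describe-db-clusters` output,
# trimmed to the fields the policy reads; the cluster identifiers are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBClusters": [
    {"DBClusterIdentifier": "orders-mz", "MultiAZ": True,
     "AutoMinorVersionUpgrade": False},
    {"DBClusterIdentifier": "billing-mz", "MultiAZ": True,
     "AutoMinorVersionUpgrade": True},
    # Non-Multi-AZ cluster: the field may be absent from the record entirely.
    {"DBClusterIdentifier": "legacy-aurora", "MultiAZ": False},
]})


def classify_cluster(cluster: dict) -> str:
    """Apply the policy's Audit rules to one DBCluster record."""
    # Multi-AZ field false: the policy does not apply to this cluster.
    if not cluster.get("MultiAZ", False):
        return "INAPPLICABLE"
    # Multi-AZ cluster with Auto Minor Version Upgrade off: a finding.
    # Assumption: a record with the field missing is treated as "No".
    if not cluster.get("AutoMinorVersionUpgrade", False):
        return "INCOMPLIANT"
    return "COMPLIANT"


def audit(describe_output: str) -> dict:
    """Return {cluster-id: verdict} for every cluster in the CLI output."""
    data = json.loads(describe_output)
    return {c["DBClusterIdentifier"]: classify_cluster(c)
            for c in data.get("DBClusters", [])}


def remediation_commands(describe_output: str,
                         apply_immediately: bool = False) -> list:
    """Build the modify-db-cluster command from the Remediation section for
    each INCOMPLIANT cluster. Commands are returned as strings, not executed."""
    cmds = []
    for cluster_id, verdict in audit(describe_output).items():
        if verdict != "INCOMPLIANT":
            continue
        cmd = ["aws", "rds", "modify-db-cluster",
               "--db-cluster-identifier", cluster_id,
               "--auto-minor-version-upgrade"]
        if apply_immediately:  # omit to wait for the next maintenance window
            cmd.append("--apply-immediately")
        cmds.append(" ".join(cmd))
    return cmds
```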

Linked Framework Sections

Each entry lists Section → Sub Section, followed by the counts shown on the page (Sub Sections / Internal Rules / Policies / Flags) and the Compliance value.

  • AWS Foundational Security Best Practices v1.0.0 → [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled · 1 · no data
  • AWS Well-Architected → OPS05-BP05 Perform patch management · 4 · no data
  • Cloudaware Framework → Infrastructure Modernization · 21 · no data
  • FedRAMP High Security Controls → SI-2 Flaw Remediation (L)(M)(H) · 2723 · no data
  • FedRAMP High Security Controls → SI-2(2) Automated Flaw Remediation Status (M)(H) · 8 · no data
  • FedRAMP Low Security Controls → SI-2 Flaw Remediation (L)(M)(H) · 23 · no data
  • FedRAMP Moderate Security Controls → SI-2 Flaw Remediation (L)(M)(H) · 223 · no data
  • FedRAMP Moderate Security Controls → SI-2(2) Automated Flaw Remediation Status (M)(H) · 8 · no data
  • NIST CSF v2.0 → ID.IM-01: Improvements are identified from evaluations · 45 · no data
  • NIST CSF v2.0 → ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties · 59 · no data
  • NIST CSF v2.0 → ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities · 60 · no data
  • NIST SP 800-53 Revision 5 → SI-2 Flaw Remediation · 6620 · no data
  • NIST SP 800-53 Revision 5 → SI-2(2) Flaw Remediation | Automated Flaw Remediation Status · 18 · no data
  • NIST SP 800-53 Revision 5 → SI-2(4) Flaw Remediation | Automated Patch Management Tools · 8 · no data
  • NIST SP 800-53 Revision 5 → SI-2(5) Flaw Remediation | Automatic Software and Firmware Updates · 28 · no data
  • PCI DSS v3.2.1 → 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. · 6 · no data
  • PCI DSS v4.0.1 → 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates · 6 · no data
  • PCI DSS v4.0 → 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates · 6 · no data