🛡️ AWS RDS Multi-AZ Cluster Auto Minor Version Upgrade is not enabled 🟢

  • Contextual name: 🛡️ Multi-AZ Cluster Auto Minor Version Upgrade is not enabled 🟢
  • ID: /ce/ca/aws/rds/cluster-auto-minor-version-upgrade
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS RDS Multi-AZ clusters on which the Auto Minor Version Upgrade feature is disabled.

Rationale

Enabling automatic minor version upgrades ensures that clusters receive the latest engine updates, which may include critical security patches, bug fixes, and performance improvements. For Multi-AZ clusters, which exist to provide high availability, keeping every instance on the same engine version is essential for stability, security, and uniform behavior, particularly during failover events: a standby that is behind the writer can fail over onto an engine build that still carries the flaws the writer was patched for.

Audit

This policy flags a Multi-AZ AWS RDS cluster as INCOMPLIANT if its Auto Minor Version Upgrade field is set to No.

A cluster is marked as INAPPLICABLE if its Multi-AZ field is set to false; single-AZ clusters and instances are outside the scope of this policy.

Remediation

Enable Automatic Minor Version Upgrades

Using AWS CloudFormation
  • CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Enables automatic minor version upgrades for an existing RDS cluster.

    Parameters:
      DBClusterId:
        Type: String
        Description: ID of the existing RDS cluster

    Resources:
      AutoMinorUpgradeRDS:
        Type: AWS::RDS::DBCluster
        Properties:
          DBClusterIdentifier: !Ref DBClusterId
          AutoMinorVersionUpgrade: true

CloudFormation only changes clusters it manages: apply this property by importing the existing cluster into a stack, or by adding it to the template that already owns the cluster, rather than launching a fresh stack that would try to create a second cluster with the same identifier.

From Command Line

    aws rds modify-db-cluster \
        --db-cluster-identifier {{cluster-id}} \
        --auto-minor-version-upgrade \
        [--apply-immediately]

To apply the change during the next maintenance window, omit the --apply-immediately flag.
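The Audit and Remediation sections above, as an added example that is not part of the original policy page: a small Python script that applies the policy's verdict logic (INAPPLICABLE when MultiAZ is false, INCOMPLIANT when AutoMinorVersionUpgrade is false) to records shaped like the DescribeDBClusters API response, and builds the modify-db-cluster command for each failing cluster. The sample records and cluster names are constructed; the optional live_clusters helper assumes boto3 and AWS credentials are available, and treating a missing AutoMinorVersionUpgrade field as "not enabled" is this example's assumption, not the page's.

```python
"""Evaluate the Multi-AZ cluster auto-minor-version-upgrade rule offline."""
from typing import Dict, Iterable, List

INCOMPLIANT, COMPLIANT, INAPPLICABLE = "INCOMPLIANT", "COMPLIANT", "INAPPLICABLE"


def evaluate_cluster(cluster: Dict) -> str:
    """Apply the policy's audit logic to one DescribeDBClusters record."""
    if not cluster.get("MultiAZ", False):
        return INAPPLICABLE          # policy only covers Multi-AZ clusters
    if cluster.get("AutoMinorVersionUpgrade") is True:
        return COMPLIANT
    # Explicit False, or field absent (assumption: absent == not enabled)
    return INCOMPLIANT


def audit_clusters(clusters: Iterable[Dict]) -> Dict[str, str]:
    """Map each cluster identifier to its verdict."""
    return {c["DBClusterIdentifier"]: evaluate_cluster(c) for c in clusters}


def remediation_command(cluster_id: str, apply_immediately: bool = False) -> List[str]:
    """Build the modify-db-cluster invocation from the Remediation section."""
    cmd = ["aws", "rds", "modify-db-cluster",
           "--db-cluster-identifier", cluster_id,
           "--auto-minor-version-upgrade"]
    if apply_immediately:            # otherwise applied in the next maintenance window
        cmd.append("--apply-immediately")
    return cmd


def live_clusters(region: str) -> Iterable[Dict]:
    """Optional: pull real records with boto3 (needs credentials; not used offline)."""
    import boto3  # imported lazily so the offline path has no dependency
    paginator = boto3.client("rds", region_name=region).get_paginator("describe_db_clusters")
    for page in paginator.paginate():
        yield from page["DBClusters"]


# Constructed sample records shaped like DescribeDBClusters output.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-mazc", "MultiAZ": True, "AutoMinorVersionUpgrade": False},
    {"DBClusterIdentifier": "inventory-mazc", "MultiAZ": True, "AutoMinorVersionUpgrade": True},
    {"DBClusterIdentifier": "reporting-single", "MultiAZ": False, "AutoMinorVersionUpgrade": False},
]

if __name__ == "__main__":
    for cid, verdict in audit_clusters(SAMPLE_CLUSTERS).items():
        print(f"{cid}: {verdict}")
        if verdict == INCOMPLIANT:
            print("  remediate:", " ".join(remediation_command(cid)))
```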


Linked Framework Sections

Section → Sub Section | Counts (Sub Sections / Internal Rules / Policies / Flags) | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled | 1 | no data
💼 AWS Well-Architected → 💼 OPS05-BP05 Perform patch management | 4 | no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization | 18 | no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H) | 2724 | no data
💼 FedRAMP High Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H) | 9 | no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H) | 24 | no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H) | 224 | no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H) | 9 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations | 47 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 62 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 62 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation | 6621 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(2) Flaw Remediation | Automated Flaw Remediation Status | 19 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(4) Flaw Remediation | Automated Patch Management Tools | 9 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(5) Flaw Remediation | Automatic Software and Firmware Updates | 29 | no data
💼 PCI DSS v3.2.1 → 💼 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. | 7 | no data
💼 PCI DSS v4.0.1 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates | 7 | no data
💼 PCI DSS v4.0 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates | 7 | no data