Skip to main content

πŸ“ AWS RDS Instance Auto Minor Version Upgrade is not enabled 🟠🟒

  • Contextual name: πŸ“ Instance Auto Minor Version Upgrade is not enabled 🟠🟒
  • ID: /ce/ca/aws/rds/instance-auto-minor-version-upgrade
  • Located in: πŸ“ AWS RDS

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY
    • PERFORMANCE

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-215302da1

Logic​

Internal Notes πŸŸ β€‹

Open File

Notes​

  • For some reason, similar policies mention only mysql and postgres engines in the policy audit and remediation sections. However, AWS documentation tells that AutoMinorVersionUpgrade attribute is supported on ALL DB engines: docs

  • We've modified the ssh commands to include all engines (see remediation.md).

  • Our policy document also accepts all engines (doesn't filter any).

Description​

Open File

Description​

Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.

Rationale​

AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.

Audit​

From Console​
  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
  2. In the left navigation panel, click on Databases.
  3. Select the RDS instance that wants to examine.
  4. Click on the Maintenance and backups panel.

... see more

Remediation​

Open File

Remediation​

Remediate AWS RDS Instances​

Using AWS CLoudFormation​
  • CloudFormation template (JSON):
{
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "Enable Auto Minor Version Upgrade for Database Instances",
 "Parameters": {
  "DBInstanceName": {
   "Default": "mysql-database-instance",
   "Description": "RDS database instance name",
   "Type": "String",
   "MinLength": "1",
   "MaxLength": "63",
   "AllowedPattern": "^[0-9a-zA-Z-/]*$",
   "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
  },
  "DBInstanceClass": {
   "Default": "db.t2.small",
   "Description": "DB instance class/type",
   "Type": "String",
   "ConstraintDescription": "Must provide a valid DB instance type."
  },
  "DBAllocatedStorage": {
   "Default": "20",
   "Description": "The size of the database (GiB)",
   "Type": "Number",
   "MinValue": "20",
   "MaxValue": "65536",
   "ConstraintDescription": "Must be between 20 and 65536 GiB."
  },
  "DBName": {
   "Default": "mysqldb",

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36h patch management controls β€” to manage the assessment and application of patches and other updates that address known vulnerabilities in a timely manner;55
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 40 An important aspect of information asset life-cycle management involves minimising vulnerabilities and maintaining support. Information security exposures could arise from hardware and software which is outdated or has limited or no support (whether through a third party, a related party or in-house). Technology that is end-of-life5 , out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer, or is unable, to be updated to address new threats.55
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [RDS.13] RDS automatic minor version upgrades should be enabled11
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - Level 1 (Automated)11
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - Level 1 (Automated)11
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - Level 1 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 2.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 2.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 2.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Infrastructure Modernization9
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)21517
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)31821
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-11 User-installed Software (L)(M)(H)44
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-2 Flaw Remediation (L)(M)(H)279
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-2(2) Automated Flaw Remediation Status (M)(H)1
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)8
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)18
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-11 User-installed Software (L)(M)(H)4
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SI-2 Flaw Remediation (L)(M)(H)9
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)217
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)321
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-11 User-installed Software (L)(M)(H)4
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SI-2 Flaw Remediation (L)(M)(H)29
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SI-2(2) Automated Flaw Remediation Status (M)(H)1
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.12.5.1 Installation of software on operational systems44
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.8 Management of technical vulnerabilities99
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2124
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-5: Unauthorized mobile code is detected1111
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.AM-2: Software platforms and applications within the organization are inventoried46
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.RA-1: Asset vulnerabilities are identified and documented1415
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity1819
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)414
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-3: Configuration change control processes are in place44
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-12: A vulnerability management plan is developed and implemented78
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2125
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events83
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events59
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained7
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations10
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities24
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked24
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SI-2 FLAW REMEDIATION611
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-2 Flaw Remediation656
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-2(2) Flaw Remediation _ Automated Flaw Remediation Status11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-2(4) Flaw Remediation _ Automated Patch Management Tools1
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-2(5) Flaw Remediation _ Automatic Software and Firmware Updates11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-2(6) Flaw Remediation _ Removal of Previous Versions of Software and Firmware55
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification1820
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.1
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates1
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates1
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 3.1 All software on in-scope devices must be licensed and supported55
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 3.3 All software on in-scope devices must have automatic updates enabled where possible11