🛡️ AWS Redshift Cluster automatic major version upgrade is not enabled🟢

Contextual name: 🛡️ Cluster automatic major version upgrade is not enabled🟢
ID: /ce/ca/aws/redshift/cluster-version-upgrade
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: RELIABILITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS Redshift Cluster
- 🔌 AWS Redshift Cluster - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
Cloud Conformity: Redshift Cluster Allow Version Upgrade

Description

Description

This policy identifies AWS Redshift Clusters that do not have automatic major version upgrades enabled. When enabled, this feature allows major engine version upgrades to be applied automatically during the cluster’s scheduled maintenance window.

Rationale

Keeping the database engine up to date is critical for the long-term health, performance, and security of your Redshift cluster. Major version upgrades often introduce new features, expanded SQL support, improved integrations, and performance optimizations that can reduce query execution times and resource usage. While minor versions primarily deliver security patches and bug fixes, major versions address architectural improvements and remove deprecated or insecure legacy behaviors.

Enabling automatic major version upgrades reduces the operational overhead of planning and executing version migrations manually.

Impact

If automatic upgrades are not enabled, your team must track engine end-of-life dates and perform manual upgrades, increasing the risk of version lag, potential vulnerabilities, and operational errors.

... see more

Remediation

Open File

Remediation

Enable Automatic Major Version Upgrades

Enabling automatic major version upgrades ensures that the cluster receives new engine versions during its scheduled maintenance window, reducing manual maintenance overhead and improving long-term stability, performance, and security.

From Command Line

Run the following AWS CLI command to enable automatic major version upgrades for the selected Redshift cluster:
```sh
aws redshift modify-cluster \
    --cluster-identifier {{cluster-id}} \
    --allow-version-upgrade
```

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled			1	no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization			21	no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	47	no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	14	no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2	7	23	no data
💼 FedRAMP High Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H)			8	no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			45	no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			12	no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)			23	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		47	no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		14	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2		23	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H)			8	no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45	no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59	no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			185	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			183	no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			15	no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			9	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		46	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		11	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			24	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation	6	6	20	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(2) Flaw Remediation _ Automated Flaw Remediation Status		1	8	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(4) Flaw Remediation _ Automated Patch Management Tools			8	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(5) Flaw Remediation _ Automatic Software and Firmware Updates		2	8	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

Enable Automatic Major Version Upgrades​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Impact

Remediation

Remediation

Enable Automatic Major Version Upgrades

From Command Line

policy.yaml

Linked Framework Sections