
DMS replication instances should have automatic minor version upgrade enabled

Minor version upgrades for DMS replication instances deliver bug fixes and security patches. Running on a stale minor version means known vulnerabilities sit inside your replication pipeline, and compatibility bugs between the DMS engine and your source or target database stay unresolved.

Replication instances move production data between databases, often including sensitive records. An unpatched engine widens the attack surface on that data path. Automatic upgrades handle this during scheduled maintenance windows, so the engine stays current without manual tracking of patch releases.

Retrofit consideration

Enabling this on existing instances queues the upgrade for the next maintenance window, which includes a restart of the replication instance. Make this change when your migration tasks can tolerate a brief interruption.

Implementation

Choose the approach that matches how you manage Terraform.

If you use terraform-aws-modules/dms/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "dms" {
  source  = "terraform-aws-modules/dms/aws"
  version = ">=2.0.0"

  create_iam_roles                     = false
  repl_instance_class                  = "dms.t3.small"
  repl_instance_id                     = "abc123"
  repl_instance_vpc_security_group_ids = ["sg-abc12345"]
  repl_subnet_group_description        = "DMS Subnet group for pofix testing"
  repl_subnet_group_name               = "abc123"
  repl_subnet_group_subnet_ids         = ["subnet-abc123", "subnet-def456"]

  repl_instance_auto_minor_version_upgrade = true
}

Use AWS provider resources directly. See docs for the resources involved: aws_dms_replication_instance.

resource "aws_dms_replication_instance" "this" {
  replication_instance_class = "dms.t3.small"
  replication_instance_id    = "pofix-abc123"

  auto_minor_version_upgrade = true
}

What this control checks

The aws_dms_replication_instance resource must explicitly set auto_minor_version_upgrade = true. When omitted, the provider default applies, and that default has not been consistent across provider versions. No other arguments affect this control's evaluation.
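The evaluation described above can be reproduced against Terraform source before a plan is applied. The following script is an added example, not part of compliance.tf, Checkov or any other tool named on this page: it scans HCL text for aws_dms_replication_instance blocks and reports each as pass (explicitly true), fail (explicitly false) or omitted (argument absent, so the provider default would apply). The sample Terraform it scans is constructed for the demonstration; the brace-matching is deliberately simple and assumes no braces inside string literals.

```python
import re

# Constructed sample Terraform: one compliant instance, one explicitly
# disabled, one that omits the argument, plus an unrelated resource that
# must be ignored.
SAMPLE_TF = '''
resource "aws_dms_replication_instance" "good" {
  replication_instance_class = "dms.t3.small"
  replication_instance_id    = "good-instance"
  auto_minor_version_upgrade = true
  tags = { env = "prod" }
}

resource "aws_dms_replication_instance" "disabled" {
  replication_instance_class = "dms.t3.small"
  replication_instance_id    = "disabled-instance"
  auto_minor_version_upgrade = false
}

resource "aws_dms_replication_instance" "omitted" {
  replication_instance_class = "dms.t3.small"
  replication_instance_id    = "omitted-instance"
}

resource "aws_instance" "unrelated" {
  ami = "ami-00000000"
}
'''

# Matches the resource header up to and including its opening brace.
RESOURCE_RE = re.compile(
    r'resource\s+"aws_dms_replication_instance"\s+"([^"]+)"\s*\{'
)
# Matches the argument on its own line, with an optional trailing comment.
ARG_RE = re.compile(
    r'^\s*auto_minor_version_upgrade\s*=\s*(true|false)\s*(#.*)?$', re.MULTILINE
)


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching close.

    Nested blocks such as tags = { ... } are handled by depth counting;
    braces inside string literals are not (assumption for this example).
    """
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def evaluate(tf_text):
    """Map each aws_dms_replication_instance name to 'pass', 'fail' or 'omitted'."""
    results = {}
    for match in RESOURCE_RE.finditer(tf_text):
        body = _block_body(tf_text, match.end() - 1)
        arg = ARG_RE.search(body)
        if arg is None:
            results[match.group(1)] = "omitted"
        elif arg.group(1) == "true":
            results[match.group(1)] = "pass"
        else:
            results[match.group(1)] = "fail"
    return results


def noncompliant(tf_text):
    """Names of instances that would fail the control (omitted counts as failing)."""
    return sorted(name for name, r in evaluate(tf_text).items() if r != "pass")


if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_TF).items():
        print(f"{name}: {result}")
```

Treating "omitted" as a failure, rather than looking up the provider default, is the point of the control: the result then does not depend on which provider version happens to be pinned.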

Common pitfalls

  • Terraform default handling

    Omitting auto_minor_version_upgrade is riskier than it looks. The provider default has changed across versions, so you can't rely on it for consistent behavior. Declare true explicitly in every aws_dms_replication_instance block.

  • Maintenance window misconfiguration

    If preferred_maintenance_window lands during peak migration activity, the restart that accompanies a minor version upgrade will interrupt active replication tasks. Check your window against your migration schedule before enabling this.

  • Multi-AZ failover during upgrade

    Multi-AZ replication instances handle minor version upgrades with a failover, which limits downtime but doesn't eliminate it. If replication tasks aren't configured with CdcStartPosition or an equivalent recovery setting, they may not resume automatically and will need a manual restart.

Audit evidence

An auditor expects Config rule evaluation results from the managed rule dms-auto-minor-version-upgrade-check showing all DMS replication instances as compliant. The DMS console's replication instance detail page shows the "Auto minor version upgrade" field directly; API output from aws dms describe-replication-instances showing "AutoMinorVersionUpgrade": true for each instance also works as point-in-time evidence.

For ongoing assurance, Config compliance history or Security Hub findings filtered to this control show the setting has remained enabled over time, not just at a single snapshot.
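The point-in-time evidence above, and the maintenance-window pitfall from the previous section, can both be checked from the same describe-replication-instances output. The script below is an added example, not output from or code belonging to any tool on this page: it reads JSON in the shape the CLI returns, lists instances whose AutoMinorVersionUpgrade is not exactly true (a missing field counts as non-compliant), and flags instances whose PreferredMaintenanceWindow overlaps a peak migration period you supply. The JSON payload and the peak windows are constructed for the demonstration, as are the instance identifiers and ARNs.

```python
import json

# Constructed sample in the shape of `aws dms describe-replication-instances`
# output; identifiers, ARNs and versions are not from a real account.
SAMPLE_OUTPUT = json.dumps({
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "orders-repl-prod",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE1",
            "AutoMinorVersionUpgrade": True,
            "MultiAZ": True,
            "PreferredMaintenanceWindow": "sun:03:00-sun:04:00",
            "EngineVersion": "3.5.2",
        },
        {
            "ReplicationInstanceIdentifier": "crm-repl-prod",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE2",
            "AutoMinorVersionUpgrade": False,
            "MultiAZ": False,
            "PreferredMaintenanceWindow": "mon:09:00-mon:10:00",
            "EngineVersion": "3.4.7",
        },
        {
            # Field absent entirely: treated as non-compliant, not as unknown.
            "ReplicationInstanceIdentifier": "legacy-repl",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE3",
            "MultiAZ": False,
            "PreferredMaintenanceWindow": "wed:22:00-wed:23:00",
            "EngineVersion": "3.4.6",
        },
    ]
})

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
WEEK = 7 * 1440  # minutes in a week


def _to_minutes(stamp):
    """Convert 'ddd:hh24:mi' to minutes since Monday 00:00 UTC."""
    day, hh, mm = stamp.split(":")
    return DAYS.index(day.lower()) * 1440 + int(hh) * 60 + int(mm)


def window_range(window):
    """Parse 'ddd:hh24:mi-ddd:hh24:mi' into (start, end) minutes; end may exceed WEEK
    when the window crosses the Sunday/Monday boundary."""
    start_s, end_s = window.split("-")
    start, end = _to_minutes(start_s), _to_minutes(end_s)
    if end < start:
        end += WEEK
    return start, end


def overlaps(window_a, window_b):
    """True if two weekly windows share any minute, allowing for week wrap-around."""
    a0, a1 = window_range(window_a)
    b0, b1 = window_range(window_b)
    return any(a0 < b1 + k and b0 + k < a1 for k in (-WEEK, 0, WEEK))


def noncompliant_instances(raw_json):
    """Identifiers whose AutoMinorVersionUpgrade is not exactly true."""
    data = json.loads(raw_json)
    return sorted(
        inst["ReplicationInstanceIdentifier"]
        for inst in data["ReplicationInstances"]
        if inst.get("AutoMinorVersionUpgrade") is not True
    )


def window_conflicts(raw_json, peak_windows):
    """Identifiers whose maintenance window overlaps any supplied peak window."""
    data = json.loads(raw_json)
    return sorted(
        inst["ReplicationInstanceIdentifier"]
        for inst in data["ReplicationInstances"]
        if any(overlaps(inst["PreferredMaintenanceWindow"], p) for p in peak_windows)
    )


if __name__ == "__main__":
    # Constructed peak period: weekday business hours on Monday.
    peak = ["mon:08:00-mon:18:00"]
    print("non-compliant:", noncompliant_instances(SAMPLE_OUTPUT))
    print("window conflicts:", window_conflicts(SAMPLE_OUTPUT, peak))
```

In practice the JSON comes from `aws dms describe-replication-instances --output json`; the window check is worth running before enabling the setting on an existing instance, because that is when the queued restart lands in the window.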

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: dms_replication_instance_automatic_minor_version_upgrade_enabled

  • AWS Config Managed Rule: DMS_AUTO_MINOR_VERSION_UPGRADE_CHECK

  • Checkov Check: CKV_AWS_222

  • Powerpipe Control: aws_compliance.control.dms_replication_instance_automatic_minor_version_upgrade_enabled

  • Prowler Check: dms_instance_minor_version_upgrade_enabled

  • AWS Security Hub Control: DMS.6

Last reviewed: 2026-03-09