DMS replication instances should have automatic minor version upgrade enabled¶

This control checks if automatic minor version upgrade is enabled for an AWS DMS replication instance. The control fails if automatic minor version upgrade isn't enabled for a DMS replication instance.

How to fix¶

Attribute auto_minor_version_upgrade of aws_dms_replication_instance must be true.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)¶

If you use terraform-aws-modules/dms/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "dms" {
  source  = "terraform-aws-modules/dms/aws"
  version = ">=2.0.0"

  repl_instance_class                  = "dms.t3.micro"
  repl_instance_id                     = "abc123"
  repl_instance_vpc_security_group_ids = ["sg-12345678"]
  repl_subnet_group_subnet_ids         = ["subnet-12345678", "subnet-12345678"]

  repl_instance_auto_minor_version_upgrade = true
}

Option 2: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_dms_replication_instance.

resource "aws_dms_replication_instance" "this" {
  replication_instance_class = "dms.t3.micro"
  replication_instance_id    = "pofix-example-repl"

  auto_minor_version_upgrade = true
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: dms_replication_instance_automatic_minor_version_upgrade_enabled

• AWS Config Managed Rule: DMS_AUTO_MINOR_VERSION_UPGRADE_CHECK

• Checkov Check: CKV_AWS_222

• Powerpipe Control: aws_compliance.control.dms_replication_instance_automatic_minor_version_upgrade_enabled