RDS DB clusters should have automatic minor version upgrade enabled

Minor version releases from database engine vendors include security patches, bug fixes, and stability improvements. With automatic upgrades disabled, clusters accumulate engine-level vulnerabilities that are often well-documented in public CVEs, giving attackers a known attack surface.

Manual patch processes fall behind at scale. In environments with dozens of clusters across multiple accounts, a minor version update can sit in a backlog for months. Automatic minor version upgrades turn patching into a maintenance window event rather than a tracked work item, cutting mean time to remediation for engine security issues without requiring per-cluster coordination.

Retrofit consideration

Enabling automatic minor version upgrades on existing clusters triggers the next available minor version update during the upcoming maintenance window. Test application compatibility with the target engine version first, especially for Aurora clusters on older minor versions where several patch levels may be applied in a single window.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_rds_cluster_instance.

resource "aws_rds_cluster_instance" "this" {
  cluster_identifier = "pofix-example-cluster"
  engine             = "aurora-mysql"
  instance_class     = "db.t3.medium"

  auto_minor_version_upgrade = true
}

What this control checks

The control checks that auto_minor_version_upgrade is set to true on aws_rds_cluster resources. A cluster passes with auto_minor_version_upgrade = true. It fails when the argument is false or resolves to any value other than true.

For Aurora, auto_minor_version_upgrade on aws_rds_cluster controls the cluster-level setting, which is distinct from the same argument on aws_rds_cluster_instance resources. Both should be true for full coverage.
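The check described above can be reproduced before apply against the output of terraform show -json plan.out, which reports the resolved value of every argument, including defaults supplied by a shared module. The script below is an added example for this page, not Compliance.tf's own policy engine; the plan document embedded in it is constructed for illustration (the resource addresses and identifiers are invented), and the walk over planned_values.root_module and child_modules follows Terraform's published JSON plan format. It reports aws_rds_cluster failures as the control would, and lists aws_rds_cluster_instance resources separately so the instance-level flag is checked for full coverage.

```python
"""Plan-time check for auto_minor_version_upgrade on RDS cluster resources.

Walks the JSON produced by `terraform show -json plan.out` and reports every
aws_rds_cluster (the resource this control evaluates) and, for coverage,
every aws_rds_cluster_instance whose resolved auto_minor_version_upgrade is
not boolean true. Values that are unknown until apply are absent from
planned_values and therefore also reported as FAIL.
"""
import json

CHECKED_TYPES = ("aws_rds_cluster", "aws_rds_cluster_instance")

# Constructed sample of `terraform show -json` output (not a real plan):
# one compliant cluster, one cluster inheriting a shared module's `false`
# default, and an instance that omits the argument entirely.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_rds_cluster.good", "type": "aws_rds_cluster",
                 "values": {"cluster_identifier": "good",
                            "auto_minor_version_upgrade": True}},
            ],
            "child_modules": [
                {"address": "module.shared_rds",
                 "resources": [
                     {"address": "module.shared_rds.aws_rds_cluster.this",
                      "type": "aws_rds_cluster",
                      "values": {"cluster_identifier": "shared",
                                 "auto_minor_version_upgrade": False}},
                     {"address": "module.shared_rds.aws_rds_cluster_instance.this[0]",
                      "type": "aws_rds_cluster_instance",
                      "values": {"cluster_identifier": "shared"}},
                 ]},
            ],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_plan(plan_json):
    """Return [(address, resource_type, "PASS"|"FAIL")] for checked resource types.

    A resource passes only when the resolved value is boolean true; false,
    null, a missing argument or any other value is treated as non-compliant.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    results = []
    for res in iter_resources(root):
        rtype = res.get("type")
        if rtype not in CHECKED_TYPES:
            continue
        value = res.get("values", {}).get("auto_minor_version_upgrade")
        results.append((res["address"], rtype, "PASS" if value is True else "FAIL"))
    return results


def control_failures(plan_json):
    """Addresses of aws_rds_cluster resources that would fail this control."""
    return sorted(addr for addr, rtype, status in evaluate_plan(plan_json)
                  if rtype == "aws_rds_cluster" and status == "FAIL")


def coverage_gaps(plan_json):
    """Addresses of aws_rds_cluster_instance resources missing the instance flag."""
    return sorted(addr for addr, rtype, status in evaluate_plan(plan_json)
                  if rtype == "aws_rds_cluster_instance" and status == "FAIL")


if __name__ == "__main__":
    for address, rtype, status in evaluate_plan(SAMPLE_PLAN):
        print(f"{status}  {rtype:26} {address}")
```

Run it against a real plan with terraform show -json plan.out > plan.json and json.load the file in place of SAMPLE_PLAN; because the plan carries resolved values, a false default buried in a third-party module surfaces here even when your own configuration never mentions the argument.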

Common pitfalls

  • Cluster-level vs instance-level setting confusion

    Setting auto_minor_version_upgrade only on aws_rds_cluster_instance resources won't satisfy this control. The policy evaluates the cluster-level resource. Also worth noting: setting it on the cluster doesn't automatically propagate to instances created outside Terraform, so check both.

  • Maintenance window must be defined for upgrades to apply

    The upgrade only fires during the cluster's preferred_maintenance_window. If that window is defined but routinely deferred due to operational constraints, the cluster stays unpatched regardless of the setting. Define a window that actually runs.

  • Engine and version support differences can cause surprises

    Don't assume identical auto_minor_version_upgrade behavior across Aurora provisioned, Serverless v1, and Serverless v2. AWS behavior varies by engine family and version. Check the current RDS documentation for your specific engine before treating this as a set-and-forget control.

  • Explicit false in shared modules

    Third-party Terraform modules for RDS sometimes hard-code auto_minor_version_upgrade = false to avoid unexpected restarts during deployments. If you're consuming a shared module, verify its defaults. You might never write false in your own config, but the module variable default can still cause this control to fail.

Audit evidence

Auditors expect AWS Config rule evaluation results showing all RDS clusters as compliant under rds-cluster-auto-minor-version-upgrade-enabled. Console screenshots from the RDS Clusters page with the 'Auto minor version upgrade' column set to 'Yes' support the finding. For historical patching evidence, CloudTrail records for ModifyDBCluster calls that include AutoMinorVersionUpgrade parameter changes show the configuration timeline.

Security Hub findings for this control, filtered to passing status across all evaluated clusters, work well in audit packages as a consolidated compliance view.
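For teams that want the evidence described above as data rather than screenshots, the following script is an added example (not part of this page or of any AWS tooling). It evaluates cluster-level and member-instance flags from output shaped like describe-db-clusters and describe-db-instances, applying the "both should be true" rule from the section on what this control checks, and builds a configuration timeline from CloudTrail ModifyDBCluster records that carried the AutoMinorVersionUpgrade parameter. All inputs are constructed samples; in production, pass the dicts returned by boto3's rds.describe_db_clusters() and describe_db_instances() and the parsed CloudTrailEvent JSON from cloudtrail.lookup_events(). The lower-camel-case CloudTrail parameter keys (dBClusterIdentifier, autoMinorVersionUpgrade) are an assumption about how CloudTrail serialises RDS request parameters; confirm them against your own trail.

```python
"""Runtime evidence for automatic minor version upgrades on RDS clusters.

evaluate_clusters():         cluster-level and member-instance compliance
upgrade_setting_timeline():  who changed AutoMinorVersionUpgrade, and when
"""
import json

# Constructed describe-db-clusters style output (not real AWS data).
SAMPLE_CLUSTERS = {"DBClusters": [
    {"DBClusterIdentifier": "payments-cluster", "AutoMinorVersionUpgrade": True,
     "DBClusterMembers": [{"DBInstanceIdentifier": "payments-1"},
                          {"DBInstanceIdentifier": "payments-2"}]},
    {"DBClusterIdentifier": "reports-cluster", "AutoMinorVersionUpgrade": False,
     "DBClusterMembers": [{"DBInstanceIdentifier": "reports-1"}]},
]}

# Constructed describe-db-instances style output; payments-2 stands in for an
# instance created outside Terraform that never had the instance flag set.
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "payments-1", "AutoMinorVersionUpgrade": True},
    {"DBInstanceIdentifier": "payments-2", "AutoMinorVersionUpgrade": False},
    {"DBInstanceIdentifier": "reports-1", "AutoMinorVersionUpgrade": True},
]}


def evaluate_clusters(clusters, instances):
    """Return {cluster_id: {"cluster": bool, "instances": {id: bool}, "compliant": bool}}.

    A cluster is compliant only when its own flag and every member instance's
    flag are true. A member absent from the instance listing counts as false.
    """
    instance_flags = {i["DBInstanceIdentifier"]: i.get("AutoMinorVersionUpgrade") is True
                      for i in instances["DBInstances"]}
    report = {}
    for c in clusters["DBClusters"]:
        members = {m["DBInstanceIdentifier"]: instance_flags.get(m["DBInstanceIdentifier"], False)
                   for m in c.get("DBClusterMembers", [])}
        cluster_ok = c.get("AutoMinorVersionUpgrade") is True
        report[c["DBClusterIdentifier"]] = {
            "cluster": cluster_ok,
            "instances": members,
            "compliant": cluster_ok and all(members.values()),
        }
    return report


# Constructed CloudTrail records (account id is the AWS documentation example).
# Key casing for requestParameters is an assumption; verify against your trail.
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-02T09:14:00Z", "eventName": "ModifyDBCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform-deploy"},
     "requestParameters": {"dBClusterIdentifier": "reports-cluster",
                           "autoMinorVersionUpgrade": False}},
    {"eventTime": "2025-12-15T21:03:00Z", "eventName": "ModifyDBCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform-deploy"},
     "requestParameters": {"dBClusterIdentifier": "reports-cluster",
                           "backupRetentionPeriod": 7}},
    {"eventTime": "2026-01-20T10:30:00Z", "eventName": "ModifyDBCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform-deploy"},
     "requestParameters": {"dBClusterIdentifier": "payments-cluster",
                           "autoMinorVersionUpgrade": True}},
]


def upgrade_setting_timeline(events):
    """Return [(eventTime, cluster_id, new_value, principal_arn)] in time order,
    keeping only ModifyDBCluster calls that included AutoMinorVersionUpgrade."""
    rows = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev.get("eventName") != "ModifyDBCluster" or "autoMinorVersionUpgrade" not in params:
            continue
        rows.append((ev["eventTime"], params.get("dBClusterIdentifier"),
                     params["autoMinorVersionUpgrade"],
                     ev.get("userIdentity", {}).get("arn")))
    return sorted(rows)


if __name__ == "__main__":
    print(json.dumps(evaluate_clusters(SAMPLE_CLUSTERS, SAMPLE_INSTANCES), indent=2))
    for row in upgrade_setting_timeline(SAMPLE_EVENTS):
        print(*row)
```

In the sample, payments-cluster passes the cluster-level check but is still flagged because one member instance has the flag off, which is exactly the gap the "check both" pitfall warns about; the timeline output shows the principal and time of each setting change, which is the form of CloudTrail evidence auditors ask for.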

Framework-specific interpretation

NIST SP 800-53 Rev 5: SI-2 (Flaw Remediation) requires identifying and correcting system flaws in a timely manner. Automatic minor version upgrades satisfy the patch application piece: vendor-released fixes are applied on a defined schedule without manual intervention. This also touches CM-3 (Configuration Change Control), since version changes follow a predictable, automated cadence rather than ad-hoc updates.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: rds_db_cluster_automatic_minor_version_upgrade_enabled

  • AWS Config Managed Rule: RDS_CLUSTER_AUTO_MINOR_VERSION_UPGRADE_ENABLE

  • Checkov Check: CKV_AWS_226

  • Powerpipe Control: aws_compliance.control.rds_db_cluster_automatic_minor_version_upgrade_enabled

  • Prowler Checks: rds_cluster_minor_version_upgrade_enabled, rds_instance_minor_version_upgrade_enabled

  • AWS Security Hub Controls: RDS.13, RDS.35

Last reviewed: 2026-03-09