RDS DB instance automatic minor version upgrade should be enabled
Minor version upgrades for RDS engines (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server) include security patches, bug fixes, and performance improvements released by the engine vendor. When auto_minor_version_upgrade is disabled, the instance stays on its current engine version until someone manually triggers an upgrade, so publicly disclosed CVEs for that version keep applying to the running instance for as long as the manual process lags.
Automatic minor upgrades apply only during the configured maintenance window, so they don't cause surprise downtime outside that period. RDS also applies only minor versions that AWS has designated as automatic upgrade targets (the targets with AutoUpgrade set to true in describe-db-engine-versions), not every release the moment it appears. The operational cost of enabling this flag is low compared to the risk of running unpatched database software in production.
Retrofit consideration
Enabling auto minor version upgrade on an existing instance may trigger an upgrade at the next maintenance window if AWS has designated a newer minor version as an automatic upgrade target for the instance's current version. Changing the flag itself does not restart the instance, but the upgrade that follows does. Before enabling it, check what would be applied with aws rds describe-db-engine-versions --engine <engine> --engine-version <current-version> --query 'DBEngineVersions[].ValidUpgradeTarget[?AutoUpgrade==`true`]', and test that target in staging first, particularly for engines with behavior changes between minor versions.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "rds" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/rds/aws"
  version = ">=7.0.0"

  allocated_storage      = 20
  db_name                = "myapp"
  db_subnet_group_name   = "example-db-subnet-group"
  engine                 = "mysql"
  engine_version         = "8.0.41"
  family                 = "mysql8.0"
  identifier             = "abc123"
  instance_class         = "db.t3.micro"
  major_engine_version   = "8.0"
  password_wo            = "change-me-in-production"
  skip_final_snapshot    = true
  username               = "dbadmin"
  vpc_security_group_ids = ["sg-12345678"]

  # auto_minor_version_upgrade is not set here: the compliance.tf module enforces true by default.
}
The module is published under one source host per framework. The block is identical for every framework; change only the source prefix to the one you report against:
pcidss.compliance.tf (shown above)
cis.compliance.tf
cisacyberessentials.compliance.tf
cisv500.compliance.tf
ffiec.compliance.tf
acscessentialeight.compliance.tf
rbicybersecurity.compliance.tf
rbiitfnbfc.compliance.tf
nistcsfv11.compliance.tf
pcidssv321.compliance.tf
If you use terraform-aws-modules/rds/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "rds" {
  source  = "terraform-aws-modules/rds/aws"
  version = ">=7.0.0"

  allocated_storage      = 20
  db_name                = "myapp"
  db_subnet_group_name   = "example-db-subnet-group"
  engine                 = "mysql"
  engine_version         = "8.0.41"
  family                 = "mysql8.0"
  identifier             = "abc123"
  instance_class         = "db.t3.micro"
  major_engine_version   = "8.0"
  password_wo            = "change-me-in-production"
  skip_final_snapshot    = true
  username               = "dbadmin"
  vpc_security_group_ids = ["sg-12345678"]

  # The input this control checks. Set it explicitly so a module or variable
  # default elsewhere cannot silently flip it to false.
  auto_minor_version_upgrade = true
}
Use AWS provider resources directly. See docs for the resources involved: aws_db_instance.
resource "aws_db_instance" "this" {
  allocated_storage               = 20
  enabled_cloudwatch_logs_exports = ["general", "slowquery"]
  engine                          = "mysql"
  identifier                      = "pofix-abc123"
  instance_class                  = "db.t3.micro"
  monitoring_interval             = 60
  monitoring_role_arn             = "arn:aws:iam::123456789012:role/example-role"
  password                        = "ChangeMe123!" # placeholder only; source the real value from a secret, not from the config
  skip_final_snapshot             = true
  username                        = "dbadmin"

  # The argument this control checks. It defaults to true in the AWS provider;
  # stating it explicitly documents the intent and survives copy-paste into
  # templates that might otherwise set it to false.
  auto_minor_version_upgrade = true
}
What this control checks
For every aws_db_instance resource, auto_minor_version_upgrade must be true. The argument defaults to true in the AWS provider, so an explicit false is the primary failure case. If your module or organization template sets it to false, the control flags it. No other resources or arguments are involved. Evaluation is at plan time: true passes, false fails.
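The plan-time evaluation described above can be reproduced outside any particular compliance tool by reading the JSON form of a Terraform plan. The following script is an added example, not code from compliance.tf or the page's Terraform modules. It walks planned_values (root module and every nested child module, which is where the terraform-aws-modules/rds wrapper places its aws_db_instance), skips data sources, and flags only an explicit false, treating an absent attribute as the provider default of true. The embedded plan JSON is constructed and abbreviated for the example; a real plan comes from terraform plan -out=plan.out followed by terraform show -json plan.out.

```python
"""Plan-time check: every managed aws_db_instance must keep auto_minor_version_upgrade == true.

Usage: terraform plan -out=plan.out && terraform show -json plan.out > plan.json
       python check_rds_amvu.py plan.json      (no argument: runs against the embedded sample)
"""
import json
import sys

# Constructed, abbreviated `terraform show -json` output (NOT a real plan):
# one root-level instance, one created by the terraform-aws-modules/rds wrapper
# (which nests a db_instance submodule), a data source that must be ignored,
# and a replica module that leaves the argument unset so the provider default applies.
SAMPLE_PLAN = json.loads(r'''
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_db_instance.this", "mode": "managed",
         "type": "aws_db_instance", "name": "this",
         "values": {"identifier": "pofix-abc123", "auto_minor_version_upgrade": true}},
        {"address": "data.aws_db_instance.lookup", "mode": "data",
         "type": "aws_db_instance", "name": "lookup",
         "values": {"db_instance_identifier": "legacy", "auto_minor_version_upgrade": false}}
      ],
      "child_modules": [
        {"address": "module.rds",
         "child_modules": [
           {"address": "module.rds.module.db_instance",
            "resources": [
              {"address": "module.rds.module.db_instance.aws_db_instance.this[0]",
               "mode": "managed", "type": "aws_db_instance", "name": "this", "index": 0,
               "values": {"identifier": "abc123", "auto_minor_version_upgrade": false}}
            ]}
         ]},
        {"address": "module.replica",
         "resources": [
           {"address": "module.replica.aws_db_instance.replica", "mode": "managed",
            "type": "aws_db_instance", "name": "replica",
            "values": {"identifier": "abc123-ro", "replicate_source_db": "abc123"}}
         ]}
      ]
    }
  }
}
''')


def iter_managed_resources(module, resource_type):
    """Yield managed resources of one type from a planned_values module, recursing into child modules."""
    for res in module.get("resources", []):
        if res.get("mode") == "managed" and res.get("type") == resource_type:
            yield res
    for child in module.get("child_modules", []):
        yield from iter_managed_resources(child, resource_type)


def evaluate(plan):
    """Return one finding per aws_db_instance: the planned value and whether it passes the control.

    A missing attribute is treated as the provider default (true); only an explicit false fails.
    """
    findings = []
    root = plan["planned_values"]["root_module"]
    for res in iter_managed_resources(root, "aws_db_instance"):
        value = res.get("values", {}).get("auto_minor_version_upgrade")
        findings.append({
            "address": res["address"],
            "auto_minor_version_upgrade": value,
            "compliant": value is not False,
        })
    return findings


def main(argv):
    """Print one line per instance and return a non-zero exit status if any instance fails."""
    plan = SAMPLE_PLAN if len(argv) < 2 else json.load(open(argv[1]))
    failures = 0
    for f in evaluate(plan):
        state = "PASS" if f["compliant"] else "FAIL"
        value = f["auto_minor_version_upgrade"]
        shown = "<provider default: true>" if value is None else value
        print(f"{state}  {f['address']}  auto_minor_version_upgrade={shown}")
        failures += not f["compliant"]
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the embedded sample, the root instance and the replica pass and the wrapper module's instance fails, which is exactly the case the page warns about: a module input set to false with nothing in the root module to reveal it. Wire the script into CI after terraform plan so the failing address is reported before apply.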
Common pitfalls
Default is true but can be overridden silently
The Terraform AWS provider defaults auto_minor_version_upgrade to true on aws_db_instance. Shared modules or variable-driven configs may override this to false, and the absence of an explicit setting in your root module doesn't guarantee the module internals preserve the default. Review module inputs carefully.
Read replicas carry their own setting
RDS read replicas created via aws_db_instance with replicate_source_db have their own auto_minor_version_upgrade attribute; it is not inherited from the source. A replica can have the flag set to false even if the primary has it set to true. Each instance is evaluated separately.
Multi-AZ failover during upgrade
A minor version upgrade restarts the database engine, so it causes a brief outage even on Multi-AZ instances; depending on the engine, RDS either upgrades the standby first and then fails over, or upgrades primary and standby together. Teams sometimes disable auto upgrades to avoid this, but the security tradeoff rarely justifies it; schedule the maintenance window for a low-traffic period instead.
Aurora instances use a different resource
Aurora DB instances use aws_rds_cluster_instance, not aws_db_instance. This control applies to non-Aurora RDS instances only. Aurora cluster-level auto minor version upgrade is a separate control (rds_db_cluster_automatic_minor_version_upgrade_enabled).
Audit evidence
An auditor expects AWS Config rule evaluation results for rds-automatic-minor-version-upgrade-enabled showing all RDS DB instances as compliant. Supporting evidence includes CLI output from aws rds describe-db-instances with "AutoMinorVersionUpgrade": true for each instance. Screenshots from the RDS Console showing 'Auto minor version upgrade' set to 'Yes' on each instance's configuration tab work as supplemental evidence.
For ongoing compliance posture, a Security Hub dashboard or CSPM report showing historical compliance status for this rule strengthens the audit trail.
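The evidence gathering above, together with the retrofit question from earlier on the page (will enabling the flag trigger an upgrade at the next window?), can be answered from two CLI documents: aws rds describe-db-instances and, per engine version in use, aws rds describe-db-engine-versions --engine <engine> --engine-version <version>. The script below is an added example, not tooling from compliance.tf or AWS. It reports each instance's AutoMinorVersionUpgrade value, distinguishes read replicas (which are evaluated on their own), and looks up whether AWS has designated an AutoUpgrade target for the instance's current version, which is what the next maintenance window would apply once the flag is on. Both JSON documents embedded here are constructed samples that mirror the real API shape, not output from a real account.

```python
"""Audit AutoMinorVersionUpgrade per RDS instance and predict whether enabling it would upgrade the engine.

Inputs are the JSON documents returned by:
  aws rds describe-db-instances
  aws rds describe-db-engine-versions --engine <engine> --engine-version <version>
"""
import json

# Constructed sample of `aws rds describe-db-instances` output (not a real account):
# a Multi-AZ primary with the flag on, its read replica with the flag off,
# and an unrelated PostgreSQL instance with the flag off.
DESCRIBE_DB_INSTANCES = json.loads('''
{"DBInstances": [
  {"DBInstanceIdentifier": "abc123", "Engine": "mysql", "EngineVersion": "8.0.41",
   "AutoMinorVersionUpgrade": true, "MultiAZ": true,
   "PreferredMaintenanceWindow": "sun:05:00-sun:06:00"},
  {"DBInstanceIdentifier": "abc123-ro", "Engine": "mysql", "EngineVersion": "8.0.41",
   "AutoMinorVersionUpgrade": false, "MultiAZ": false,
   "ReadReplicaSourceDBInstanceIdentifier": "abc123",
   "PreferredMaintenanceWindow": "sun:05:00-sun:06:00"},
  {"DBInstanceIdentifier": "reports", "Engine": "postgres", "EngineVersion": "16.3",
   "AutoMinorVersionUpgrade": false, "MultiAZ": false,
   "PreferredMaintenanceWindow": "sat:03:00-sat:04:00"}
]}
''')

# Constructed samples of `describe-db-engine-versions` output keyed by (engine, version).
# In ValidUpgradeTarget, AutoUpgrade marks the version AWS applies to instances with the flag on.
DESCRIBE_DB_ENGINE_VERSIONS = {
    ("mysql", "8.0.41"): json.loads('''
      {"DBEngineVersions": [{"Engine": "mysql", "EngineVersion": "8.0.41",
        "ValidUpgradeTarget": [
          {"Engine": "mysql", "EngineVersion": "8.0.42", "AutoUpgrade": true,  "IsMajorVersionUpgrade": false},
          {"Engine": "mysql", "EngineVersion": "8.4.5",  "AutoUpgrade": false, "IsMajorVersionUpgrade": true}
        ]}]}'''),
    ("postgres", "16.3"): json.loads('''
      {"DBEngineVersions": [{"Engine": "postgres", "EngineVersion": "16.3",
        "ValidUpgradeTarget": [
          {"Engine": "postgres", "EngineVersion": "16.4", "AutoUpgrade": false, "IsMajorVersionUpgrade": false},
          {"Engine": "postgres", "EngineVersion": "17.2", "AutoUpgrade": false, "IsMajorVersionUpgrade": true}
        ]}]}'''),
}


def auto_upgrade_target(engine_versions_doc):
    """Return the minor version AWS would apply automatically, or None if no target is designated."""
    for ev in engine_versions_doc.get("DBEngineVersions", []):
        for target in ev.get("ValidUpgradeTarget", []):
            if target.get("AutoUpgrade") and not target.get("IsMajorVersionUpgrade"):
                return target["EngineVersion"]
    return None


def audit(instances_doc, engine_versions_by_key):
    """One finding per instance: compliance with the control plus the retrofit impact of enabling it."""
    findings = []
    for inst in instances_doc["DBInstances"]:
        key = (inst["Engine"], inst["EngineVersion"])
        target = auto_upgrade_target(engine_versions_by_key.get(key, {}))
        flag = inst.get("AutoMinorVersionUpgrade", False)
        findings.append({
            "identifier": inst["DBInstanceIdentifier"],
            # Replicas carry their own flag; they are not covered by the primary's setting.
            "role": "replica" if inst.get("ReadReplicaSourceDBInstanceIdentifier") else "primary",
            "compliant": flag is True,
            "pending_auto_target": target,
            # Enabling the flag now would schedule this upgrade for the next maintenance window.
            "upgrade_on_enable": (not flag) and target is not None,
            "maintenance_window": inst.get("PreferredMaintenanceWindow"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(DESCRIBE_DB_INSTANCES, DESCRIBE_DB_ENGINE_VERSIONS):
        state = "PASS" if f["compliant"] else "FAIL"
        note = f" (enabling would upgrade to {f['pending_auto_target']} in {f['maintenance_window']})" \
            if f["upgrade_on_enable"] else ""
        print(f"{state}  {f['identifier']:<12} {f['role']:<8}{note}")
```

On the sample, the replica abc123-ro fails even though its primary passes, and because 8.0.42 is an AutoUpgrade target for 8.0.41, enabling the flag on the replica would apply that upgrade in its next Sunday window; the PostgreSQL instance also fails, but with no designated target in the sample data enabling it would change nothing immediately. The PASS/FAIL lines, saved alongside the raw describe-db-instances output, are the CLI evidence the audit section asks for.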
Framework-specific interpretation
PCI DSS v4.0: Requirement 6.3.3 calls for installing applicable security patches and updates. Automatic minor version upgrades deliver vendor-released engine fixes during the maintenance window, which is one way to satisfy the timely remediation expectation under 6.3.
Related controls
RDS DB clusters should have automatic minor version upgrade enabled
MQ brokers should have automatic minor version upgrade enabled
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: rds_db_instance_automatic_minor_version_upgrade_enabled
AWS Config Managed Rule: RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED
Checkov Check: CKV_AWS_226
Powerpipe Control: aws_compliance.control.rds_db_instance_automatic_minor_version_upgrade_enabled
Prowler Checks: rds_cluster_minor_version_upgrade_enabled, rds_instance_minor_version_upgrade_enabled
AWS Security Hub Controls: RDS.13, RDS.35
KICS Query: 3b6d777b-76e3-4133-80a3-0d6f667ade7f
Last reviewed: 2026-03-09