Severity: LOW | Service: RDS

RDS auto minor upgrade

Check ID: aws-rds-004

AWS-RDS-004 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags RDS instances with automatic minor version upgrade disabled.

Why it matters

Disabling automatic minor version upgrades means your database engine misses critical security patches that AWS releases to address known CVEs. PostgreSQL alone had 15 security-related minor releases in 2023-2024, including fixes for authentication bypass (CVE-2023-5868) and buffer overflow vulnerabilities. Attackers actively scan for unpatched database engines using version fingerprinting techniques. Minor version upgrades are applied during the instance's maintenance window and typically complete within minutes with minimal downtime. The risk of running an unpatched engine with known exploits far outweighs the small risk of a minor version introducing a regression, which can be tested in staging first.

Common causes

Auto minor upgrade is disabled by teams that experienced a minor version update breaking application compatibility in the past. Database administrators with on-premises experience prefer manual patching control and disable automatic upgrades as a default practice. Some organizations disable it across all environments because their change management process requires explicit approval for every database version change.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
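For readers who want to see what the check actually evaluates, here is an added, stand-alone reimplementation of the AWS-RDS-004 logic written for this page (it is not cloud-audit's own code). The pure function operates on the `DBInstances` list returned by the RDS `describe_db_instances` API, so it runs offline against the constructed sample below; the optional `scan_region` and `enable_auto_minor_upgrade` helpers call the real API through boto3 and are only used when you pass a region on the command line.

```python
"""Stand-alone re-implementation of the AWS-RDS-004 check (example code, not cloud-audit's).

The core logic is pure: it takes the ``DBInstances`` list shape returned by
``rds:DescribeDBInstances`` and returns the instances whose
``AutoMinorVersionUpgrade`` flag is not enabled.
"""
from __future__ import annotations

import sys
from typing import Any

# Constructed sample in the shape of a describe_db_instances response.
# The identifiers, engines and versions are made up for this example.
SAMPLE_DB_INSTANCES: list[dict[str, Any]] = [
    {
        "DBInstanceIdentifier": "inventory-prod",
        "Engine": "postgres",
        "EngineVersion": "15.4",
        "DBInstanceStatus": "available",
        "AutoMinorVersionUpgrade": True,  # compliant
    },
    {
        "DBInstanceIdentifier": "payments-prod",
        "Engine": "postgres",
        "EngineVersion": "15.3",
        "DBInstanceStatus": "available",
        "AutoMinorVersionUpgrade": False,  # finding
    },
    {
        "DBInstanceIdentifier": "orders-replica-1",
        "Engine": "aurora-mysql",
        "EngineVersion": "8.0.mysql_aurora.3.04.0",
        "DBInstanceStatus": "available",
        "DBClusterIdentifier": "orders-cluster",
        "AutoMinorVersionUpgrade": False,  # finding, instance belongs to a cluster
    },
]


def find_auto_upgrade_disabled(db_instances: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per instance whose AutoMinorVersionUpgrade is not True.

    A missing flag is treated as disabled so an unexpected response shape
    fails towards a finding rather than towards silence.
    """
    findings = []
    for inst in db_instances:
        if inst.get("AutoMinorVersionUpgrade", False):
            continue
        findings.append(
            {
                "DBInstanceIdentifier": inst["DBInstanceIdentifier"],
                "Engine": inst.get("Engine", "unknown"),
                "EngineVersion": inst.get("EngineVersion", "unknown"),
                "DBInstanceStatus": inst.get("DBInstanceStatus", "unknown"),
                # Kept because the setting is configured per instance even
                # for cluster-based engines such as Aurora.
                "DBClusterIdentifier": inst.get("DBClusterIdentifier"),
            }
        )
    return sorted(findings, key=lambda f: f["DBInstanceIdentifier"])


def format_findings(findings: list[dict[str, Any]]) -> list[str]:
    """Render findings as one report line each (check id matches the page)."""
    lines = []
    for f in findings:
        cluster = f" (cluster {f['DBClusterIdentifier']})" if f["DBClusterIdentifier"] else ""
        lines.append(
            f"aws-rds-004 LOW {f['DBInstanceIdentifier']}{cluster}: "
            f"{f['Engine']} {f['EngineVersion']} has AutoMinorVersionUpgrade=false"
        )
    return lines


def scan_region(region: str) -> list[dict[str, Any]]:
    """Live variant: page through describe_db_instances and apply the check."""
    import boto3  # imported lazily so the offline path needs no AWS SDK

    rds = boto3.client("rds", region_name=region)
    instances: list[dict[str, Any]] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return find_auto_upgrade_disabled(instances)


def enable_auto_minor_upgrade(rds_client: Any, db_instance_identifier: str) -> dict[str, Any]:
    """Remediation: the API equivalent of the CLI command given on this page."""
    return rds_client.modify_db_instance(
        DBInstanceIdentifier=db_instance_identifier,
        AutoMinorVersionUpgrade=True,
        ApplyImmediately=True,
    )


if __name__ == "__main__":
    # With no argument, run against the constructed sample; with a region, scan for real.
    results = scan_region(sys.argv[1]) if len(sys.argv) > 1 else find_auto_upgrade_disabled(SAMPLE_DB_INSTANCES)
    for line in format_findings(results):
        print(line)
```

Run without arguments to see the two sample findings; run with a region name to evaluate real instances using whatever credentials boto3 resolves. The finding deliberately carries the engine version and cluster identifier: the version lets you compare against the minor releases your engine team tracks, and the cluster identifier matters because the flag is set on each instance individually, so a cluster is only covered when every member instance has it enabled.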

Remediation: AWS CLI

aws rds modify-db-instance --db-instance-identifier DB_ID --auto-minor-version-upgrade --apply-immediately --region REGION

Remediation: Terraform

resource "aws_db_instance" "db" {
  # Other required arguments (engine, instance_class, allocated_storage, ...) omitted;
  # only the attribute relevant to this check is shown.
  auto_minor_version_upgrade = true
}

This check is part of cloud-audit. Install it with pip install cloud-audit.