Ensure AWS DB instance gets all minor upgrades automatically
Error: AWS DB instance does not get all minor upgrades automatically
Bridgecrew Policy ID: BC_AWS_GENERAL_121
Checkov Check ID: CKV_AWS_226
Severity: LOW
AWS DB instance does not get all minor upgrades automatically
Description
When Amazon Relational Database Service (Amazon RDS) supports a new version of a database engine, you can upgrade your DB instances to the new version. There are two kinds of upgrades: major version upgrades and minor version upgrades. Minor upgrades helps maintain a secure and stable RDS with minimal impact on the application. For this reason, we recommend that your automatic minor upgrade is enabled. Minor version upgrades only occur automatically if a minor upgrade replaces an unsafe version, such as a minor upgrade that contains bug fixes for a previous version.
Fix - Runtime
AWS Console
Enable RDS auto minor version upgrades.
- Go to the AWS console RDS dashboard.
- In the navigation pane, choose Instances.
- Select the database instance you wish to configure.
- From the Instance actions menu, select Modify.
- Under the Maintenance section, choose Yes for Auto minor version upgrade.
- Select Continue and then Modify DB Instance.
CLI Command
aws rds modify-db-instance \
--region ${region} \
--db-instance-identifier ${resource_name} \
--auto-minor-version-upgrade \
--apply-immediately
Fix - Buildtime
CloudFormation
Resources:
Example:
Type: 'AWS::RDS::DBInstance'
Properties:
DBName: 'example'
DBInstanceClass: 'db.t3.micro'
Engine: 'mysql'
MasterUsername: 'master'
MasterUserPassword: 'password'
+ AutoMinorVersionUpgrade: true
Terraform
resource "aws_db_instance" "example" {
allocated_storage = 20
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
+ auto_minor_version_upgrade = true
}
Updated 6 months ago