--- title: Automatic minor upgrades disabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Automatic minor upgrades disabled --- # Automatic minor upgrades disabled {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-automatic-minor-upgrades-disabled` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Best Practices #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#auto_minor_version_upgrade) ### Description{% #description %} RDS instances in AWS should have automatic minor version upgrades enabled by setting the `auto_minor_version_upgrade` attribute to `true`. This ensures that the database receives timely security patches and important bug fixes without manual intervention. If this attribute is set to `false`, as shown in the following configuration, the RDS instance will not automatically apply minor updates, potentially leaving it exposed to vulnerabilities and unsupported bugs until manually updated. ``` auto_minor_version_upgrade = false ``` This increases the risk of security incidents and database outages due to missed critical patches. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" identifier = "demodb" engine = "mysql" engine_version = "5.7.19" instance_class = "db.t2.large" allocated_storage = 5 auto_minor_version_upgrade = true name = "demodb" username = "user" password = "YourPwdShouldBeLongAndSecure!" port = "3306" iam_database_authentication_enabled = true vpc_security_group_ids = ["sg-12345678"] maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically monitoring_interval = "30" monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { Owner = "user" Environment = "dev" } # DB subnet group subnet_ids = ["subnet-12345678", "subnet-87654321"] # DB parameter group family = "mysql5.7" # DB option group major_engine_version = "5.7" # Database Deletion Protection deletion_protection = true parameters = [ { name = "character_set_client" value = "utf8mb4" }, { name = "character_set_server" value = "utf8mb4" } ] options = [ { option_name = "MARIADB_AUDIT_PLUGIN" option_settings = [ { name = "SERVER_AUDIT_EVENTS" value = "CONNECT" }, { name = "SERVER_AUDIT_FILE_ROTATIONS" value = "37" }, ] }, ] } ``` ```terraform resource "aws_db_instance" "negative1" { allocated_storage = 20 storage_type = "gp2" engine = "mysql" engine_version = "5.7" instance_class = "db.t2.micro" name = "mydb" username = "foo" password = "foobarbaz" iam_database_authentication_enabled = true storage_encrypted = true ca_cert_identifier = "rds-ca-2019" auto_minor_version_upgrade = true } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" identifier = "demodb" engine = "mysql" engine_version = "5.7.19" instance_class = "db.t2.large" allocated_storage = 5 auto_minor_version_upgrade = false name = "demodb" username = "user" password = "YourPwdShouldBeLongAndSecure!" port = "3306" iam_database_authentication_enabled = true vpc_security_group_ids = ["sg-12345678"] maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically monitoring_interval = "30" monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { Owner = "user" Environment = "dev" } # DB subnet group subnet_ids = ["subnet-12345678", "subnet-87654321"] # DB parameter group family = "mysql5.7" # DB option group major_engine_version = "5.7" # Database Deletion Protection deletion_protection = true parameters = [ { name = "character_set_client" value = "utf8mb4" }, { name = "character_set_server" value = "utf8mb4" } ] options = [ { option_name = "MARIADB_AUDIT_PLUGIN" option_settings = [ { name = "SERVER_AUDIT_EVENTS" value = "CONNECT" }, { name = "SERVER_AUDIT_FILE_ROTATIONS" value = "37" }, ] }, ] } ``` ```terraform resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" engine = "mysql" engine_version = "5.7" instance_class = "db.t2.micro" name = "mydb" username = "foo" password = "foobarbaz" iam_database_authentication_enabled = true storage_encrypted = true ca_cert_identifier = "rds-ca-2019" auto_minor_version_upgrade = false } ```