Detection rules › Panther
AWS RDS Instance Minor Version Upgrades
If you want Amazon RDS to upgrade the DB engine version of a database automatically, you can enable auto minor version upgrades for the database.
Rule body yaml
AnalysisType: policy
Filename: aws_rds_instance_auto_minor_version_upgrade_enabled.py
PolicyID: "AWS.RDS.Instance.AutoMinorVersionUpgradeEnabled"
DisplayName: "AWS RDS Instance Minor Version Upgrades"
Enabled: true
ResourceTypes:
- AWS.RDS.Instance
Tags:
- AWS
- Panther
- PCI
Reports:
PCI:
- 6.2
Severity: Low
Description: >
If you want Amazon RDS to upgrade the DB engine version of a database automatically,
you can enable auto minor version upgrades for the database.
Runbook: |
For major version upgrades, you must manually modify the DB engine version through the
AWS Management Console, AWS CLI, or RDS API. For minor version upgrades,
you can manually modify the engine version, or you can choose to enable auto minor version upgrades.
Reference: https://amzn.to/2L8POnD
Tests:
- Name: Instance Auto Minor Version Upgrade Enabled
ExpectedResult: true
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": true,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 7,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes":
[
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-01-07-36",
},
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-08-07-36",
},
],
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
- Name: Instance Auto Minor Version Upgrade Not Enabled
ExpectedResult: false
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": false,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 7,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes":
[
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-01-07-36",
},
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-08-07-36",
},
],
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
Detection logic
Condition
AutoMinorVersionUpgrade not is_not_null
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
AutoMinorVersionUpgrade | is_not_null |