
DMS Auto Minor Version Upgrade

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: DMS-002

Ensure that your Amazon Database Migration Service (DMS) replication instances have the Auto Minor Version Upgrade feature enabled in order to automatically receive minor engine upgrades. The automatic upgrades are applied to DMS replication instances during the system maintenance window, defined by the day of the week, the time of day, and the time zone (UTC by default). Each minor version upgrade becomes available for automatic installation only after it is approved by Amazon Web Services.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Amazon Database Migration Service is a managed web service that you can use to migrate data from a source database to a target database. An AWS DMS replication instance initiates the connection between the two data stores, transfers the data and caches any changes that occur on the source data store during the initial data load. The DMS service releases engine version upgrades regularly to introduce new software features, bug fixes, security patches and performance improvements.


Audit

To determine if your AWS DMS replication instances have Auto Minor Version Upgrade feature enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Database Migration Service dashboard at https://console.aws.amazon.com/dms/.

03 In the left navigation panel, choose Replication instances.

04 Select the AWS DMS replication instance that you want to examine to open the panel with the resource configuration details.

05 Select the Overview tab from the dashboard bottom panel and check the Auto minor version upgrade configuration attribute value. If the attribute value is set to No, the feature is not enabled, so newly released minor engine upgrades will not be applied automatically to the selected Amazon DMS replication instance.

06 Repeat steps no. 4 and 5 for each DMS replication instance provisioned within the selected AWS region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-replication-instances command (OSX/Linux/UNIX) to list the ARNs of all DMS replication instances available in the selected AWS region:

aws dms describe-replication-instances \
	--region us-east-1 \
	--query "ReplicationInstances[*].ReplicationInstanceArn"

02 The command output should return the requested Amazon Resource Names (ARNs):

[
    "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCDABCDABCDABCDABCDAB",
    "arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC"
]

03 Run the describe-replication-instances command (OSX/Linux/UNIX) again, using the ARN of the DMS replication instance that you want to examine as the identifier and custom query filters, to determine the Auto Minor Version Upgrade feature status for the selected DMS instance:

aws dms describe-replication-instances \
	--region us-east-1 \
	--filters Name=replication-instance-arn,Values=arn:aws:dms:us-east-1:123456789012:rep:ABCDABCDABCDABCDABCDABCDAB \
	--query "ReplicationInstances[*].AutoMinorVersionUpgrade"

04 The command output should return the requested feature status:

[
    false
]

If the command output returns false, as shown in the example above, the feature is not enabled, therefore the selected Amazon Database Migration Service (DMS) replication instance does not receive minor database engine upgrades during the configured maintenance window.

05 Repeat steps no. 3 and 4 for each DMS replication instance provisioned within the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.

Remediation / Resolution

To update your Amazon DMS replication instances configuration in order to enable Auto Minor Version Upgrade, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Database Migration Service dashboard at https://console.aws.amazon.com/dms/.

03 In the left navigation panel, choose Replication instances.

04 Select the AWS DMS replication instance that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Modify button from the dashboard top menu to access the resource configuration panel.

06 On the Modify Replication Instance page, click the Maintenance tab and select the Auto minor version upgrade checkbox to enable the feature.

07 Select Apply changes immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as fast as possible, regardless of the maintenance window setting for the selected instance. If Apply changes immediately checkbox is not selected, the changes will be applied automatically during the next scheduled maintenance window.

08 Click Modify to apply the configuration changes.

09 Repeat steps no. 4 – 8 to enable Auto Minor Version Upgrade for other Amazon DMS replication instances available within the current region.

10 Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

01 Run the modify-replication-instance command (OSX/Linux/UNIX) to enable the Auto Minor Version Upgrade feature for the selected Amazon DMS replication instance (see Audit section part II to identify the right resource). The following command example uses the --apply-immediately parameter to apply the configuration changes asynchronously, as fast as possible. If you use the --no-apply-immediately parameter instead, Amazon DMS will apply your configuration changes during the next maintenance window:

aws dms modify-replication-instance \
	--region us-east-1 \
	--replication-instance-arn arn:aws:dms:us-east-1:123456789012:rep:ABCDABCDABCDABCDABCDABCDAB \
	--auto-minor-version-upgrade \
	--apply-immediately

02 The command output should return the metadata for the modified AWS Database Migration Service replication instance:

{
    "ReplicationInstance": {
        "MultiAZ": true,
        "AvailabilityZone": "us-east-1a",
        "ReplicationInstancePrivateIpAddress": "172.31.13.106",
        "ReplicationInstanceClass": "dms.t2.medium",
        "AutoMinorVersionUpgrade": true,
        "ReplicationInstanceStatus": "available",

        ...

        "InstanceCreateTime": 1548256603.342,
        "AllocatedStorage": 100,
        "EngineVersion": "3.1.2",
        "ReplicationInstanceIdentifier": "cc-db-replication-instance",
        "PubliclyAccessible": true,
        "PreferredMaintenanceWindow": "tue:08:46-tue:09:16"
    }
}

03 Repeat steps no. 1 and 2 to enable Auto Minor Version Upgrade for other Amazon DMS replication instances available within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
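The CLI audit (steps 1 to 6 of the Audit section) and the CLI remediation (steps 1 to 4 above) are easier to apply consistently across many instances and regions from a script. The following Python example is added here and is not Conformity's own code or part of the rule: it takes the JSON that `aws dms describe-replication-instances --output json` prints for one region, returns the non-compliant instances together with their maintenance window (so an operator knows when a deferred change would land), and builds the exact modify-replication-instance command from the page for each finding. The sample JSON embedded in the block is constructed to mirror the output shape shown above; the function names `find_noncompliant`, `remediation_command` and `region_from_arn` are this example's own.

```python
import json
import shlex

# Constructed sample shaped like `aws dms describe-replication-instances --output json`
# for a single region. Values are made up; the ARNs reuse the page's example account id.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "cc-db-replication-instance",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCDABCDABCDABCDABCDAB",
            "AutoMinorVersionUpgrade": False,
            "PreferredMaintenanceWindow": "tue:08:46-tue:09:16",
            "EngineVersion": "3.1.2",
        },
        {
            "ReplicationInstanceIdentifier": "reporting-replication-instance",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC",
            "AutoMinorVersionUpgrade": True,
            "PreferredMaintenanceWindow": "sun:03:00-sun:03:30",
            "EngineVersion": "3.1.2",
        },
    ]
})


def region_from_arn(arn):
    """Extract the region from a DMS ARN (arn:aws:dms:<region>:<account>:rep:<id>)."""
    return arn.split(":")[3]


def find_noncompliant(describe_output):
    """Return the replication instances whose AutoMinorVersionUpgrade is not true.

    A missing attribute is reported as non-compliant rather than silently skipped,
    so an unexpected output shape shows up as a finding instead of a false pass.
    """
    data = json.loads(describe_output)
    findings = []
    for inst in data.get("ReplicationInstances", []):
        if inst.get("AutoMinorVersionUpgrade") is not True:
            findings.append({
                "arn": inst["ReplicationInstanceArn"],
                "identifier": inst.get("ReplicationInstanceIdentifier", "<unknown>"),
                "engine_version": inst.get("EngineVersion", "<unknown>"),
                # When the fix is not applied immediately, this is when DMS will apply it.
                "maintenance_window": inst.get("PreferredMaintenanceWindow", "<unknown>"),
            })
    return findings


def remediation_command(arn, region, apply_immediately=False):
    """Build the page's modify-replication-instance command for one instance.

    apply_immediately=False emits --no-apply-immediately so the change waits for the
    maintenance window, which is the safer default for production replication tasks.
    """
    flag = "--apply-immediately" if apply_immediately else "--no-apply-immediately"
    return " ".join([
        "aws dms modify-replication-instance",
        "--region", shlex.quote(region),
        "--replication-instance-arn", shlex.quote(arn),
        "--auto-minor-version-upgrade",
        flag,
    ])


if __name__ == "__main__":
    # In real use, replace SAMPLE_DESCRIBE_OUTPUT with the captured CLI output for each region.
    for finding in find_noncompliant(SAMPLE_DESCRIBE_OUTPUT):
        print("NON-COMPLIANT: {identifier} (engine {engine_version}), "
              "maintenance window {maintenance_window}".format(**finding))
        print("  " + remediation_command(finding["arn"], region_from_arn(finding["arn"])))
```

Run it once per region with the real `describe-replication-instances` output and review the printed commands before executing them; `remediation_command` defaults to deferring the change to the maintenance window, which matches the console's behaviour when the Apply changes immediately checkbox is left unselected.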
