This check evaluates AWS DMS replication instances for the auto_minor_version_upgrade setting to confirm that automatic minor engine version upgrades are enabled and applied during the instance's maintenance window.
Risk
Without automatic minor upgrades, DMS replication engines can miss security patches and bug fixes, leaving known flaws exploitable and the instance prone to instability.
- Confidentiality: exposure via unpatched components
- Integrity: replication errors or data drift
- Availability: outages during migration or CDC
Run this check with Prowler CLI
prowler aws --checks dms_instance_minor_version_upgrade_enabled
Recommendation
Enable auto_minor_version_upgrade on all replication instances to maintain continuous patching.
- Set a maintenance window and validate in non-prod
- Monitor release notes and health metrics
- Enforce least privilege for change control
- Keep backups for rollback
Remediation
CLI
aws dms modify-replication-instance --region <REGION> --replication-instance-arn arn:aws:dms:<REGION>:<ACCOUNT_ID>:rep:<REPLICATION_ID> --auto-minor-version-upgrade --apply-immediately
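The evaluation described at the top of the page and the CLI remediation above, as an added Python example (this is not Prowler's own check source). It reads the AutoMinorVersionUpgrade field that DescribeReplicationInstances returns, produces one PASS/FAIL finding per instance, and builds the ModifyReplicationInstance parameters equivalent to the command above. The instance list is a constructed sample with placeholder ARNs; the `run` function can instead take a boto3 DMS client for a live account, and only then does the optional remediation call anything.

```python
# Added example, not Prowler's own check code: evaluate the
# AutoMinorVersionUpgrade setting returned by DMS DescribeReplicationInstances
# and build the ModifyReplicationInstance call that remediates a failing instance.
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Iterator


@dataclass
class Finding:
    region: str
    resource_arn: str
    resource_id: str
    status: str            # "PASS" or "FAIL"
    status_extended: str


# Constructed sample, shaped like the "ReplicationInstances" list of a
# describe_replication_instances response (account id, ARNs and ids are placeholders).
SAMPLE_INSTANCES = [
    {
        "ReplicationInstanceIdentifier": "dms-prod-1",
        "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE1",
        "AutoMinorVersionUpgrade": True,
        "PreferredMaintenanceWindow": "sun:06:00-sun:06:30",
    },
    {
        "ReplicationInstanceIdentifier": "dms-legacy-2",
        "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE2",
        "AutoMinorVersionUpgrade": False,
        "PreferredMaintenanceWindow": "sat:03:00-sat:03:30",
    },
    {
        # Key absent entirely: treated as not enabled rather than assuming a default.
        "ReplicationInstanceIdentifier": "dms-unknown-3",
        "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE3",
    },
]


def evaluate_replication_instances(instances: Iterable[dict], region: str) -> list[Finding]:
    """Return one PASS/FAIL finding per replication instance."""
    findings = []
    for inst in instances:
        arn = inst["ReplicationInstanceArn"]
        ident = inst.get("ReplicationInstanceIdentifier", arn)
        window = inst.get("PreferredMaintenanceWindow", "unknown")
        # Only an explicit True passes; False or a missing key both fail.
        if inst.get("AutoMinorVersionUpgrade") is True:
            status = "PASS"
            detail = (f"DMS replication instance {ident} has auto minor version "
                      f"upgrade enabled (maintenance window {window}).")
        else:
            status = "FAIL"
            detail = (f"DMS replication instance {ident} does not have auto minor "
                      f"version upgrade enabled.")
        findings.append(Finding(region, arn, ident, status, detail))
    return findings


def failing_findings(findings: Iterable[Finding]) -> list[Finding]:
    return [f for f in findings if f.status == "FAIL"]


def remediation_params(finding: Finding) -> dict:
    """Keyword arguments for boto3 dms.modify_replication_instance(), matching
    the CLI command (--auto-minor-version-upgrade --apply-immediately)."""
    return {
        "ReplicationInstanceArn": finding.resource_arn,
        "AutoMinorVersionUpgrade": True,
        "ApplyImmediately": True,
    }


def list_replication_instances(dms_client) -> Iterator[dict]:
    """Live path (needs boto3 and credentials): page through every instance."""
    paginator = dms_client.get_paginator("describe_replication_instances")
    for page in paginator.paginate():
        yield from page["ReplicationInstances"]


def run(region: str, dms_client=None, remediate: bool = False) -> list[Finding]:
    """Evaluate the live account when a client is given, else the sample data.
    Remediation only happens with a real client and remediate=True."""
    instances = list_replication_instances(dms_client) if dms_client else SAMPLE_INSTANCES
    findings = evaluate_replication_instances(instances, region)
    if remediate and dms_client is not None:
        for f in failing_findings(findings):
            dms_client.modify_replication_instance(**remediation_params(f))
    return findings


if __name__ == "__main__":
    for f in run("us-east-1"):
        print(f"{f.status:4} {f.resource_id}: {f.status_extended}")
```

Run without arguments it prints one PASS and two FAIL lines for the sample; with `run("us-east-1", boto3.client("dms", region_name="us-east-1"), remediate=True)` it enables the setting on every failing instance with ApplyImmediately, so pair that with a validated maintenance window and a backup, as the recommendation above says.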
Native IaC
Terraform
Other
- Open the AWS Console and go to Database Migration Service (DMS)
- Click Replication instances and select your instance
- Choose Actions > Modify
- Check Auto minor version upgrade
- Select Apply immediately
- Click Modify to save
Source Code
Resource Type
AwsDmsReplicationInstance