Automatic Minor Upgrades Disabled
- Query id: f0104061-8bfc-4b45-8a7d-630eb502f281
- Query name: Automatic Minor Upgrades Disabled
- Platform: CloudFormation
- Severity: Low
- Category: Best Practices
- CWE: 710
- URL: Github
Description¶
RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
Description": "AWS CloudFormation Sample "
Parameters:
DBInstanceID:
Default: mydbinstance
Description: My database instance
Type: String
MinLength: '1'
MaxLength: '63'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: >-
Must begin with a letter and must not end with a hyphen or contain two
consecutive hyphens.
Resources:
MyDB:
Type: 'AWS::RDS::DBInstance'
Properties:
DBInstanceIdentifier: !Ref DBInstanceID
DBName: !Ref DBName
DBInstanceClass: !Ref DBInstanceClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
EngineVersion: 8.0.16
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
MonitoringInterval: '60'
MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role'
MyDB2:
Type: 'AWS::RDS::DBInstance'
Properties:
DBInstanceIdentifier: !Ref DBInstanceID
DBName: !Ref DBName
DBInstanceClass: !Ref DBInstanceClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
EngineVersion: 8.0.16
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
MonitoringInterval: '60'
MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role'
AutoMinorVersionUpgrade: false
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"DBUsername": {
"NoEcho": "true",
"Description": "Username for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters."
}
},
"Resources": {
"MyDB": {
"Properties": {
"DBInstanceIdentifier": "DBInstanceID",
"DBInstanceClass": "DBInstanceClass",
"Engine": "MySQL",
"MasterUserPassword": "DBPassword",
"MonitoringInterval": "60",
"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role",
"DBName": "DBName",
"AllocatedStorage": "DBAllocatedStorage",
"EngineVersion": "8.0.16",
"MasterUsername": "DBUsername"
},
"Type": "AWS::RDS::DBInstance"
},
"MyDB2": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceIdentifier": "DBInstanceID",
"DBInstanceClass": "DBInstanceClass",
"EngineVersion": "8.0.16",
"MasterUserPassword": "DBPassword",
"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role",
"DBName": "DBName",
"AllocatedStorage": "DBAllocatedStorage",
"Engine": "MySQL",
"MasterUsername": "DBUsername",
"MonitoringInterval": "60",
"AutoMinorVersionUpgrade": false
}
}
}
}
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
Description": "AWS CloudFormation Sample "
Parameters:
DBInstanceID:
Default: mydbinstance
Description: My database instance
Type: String
MinLength: '1'
MaxLength: '63'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: >-
Must begin with a letter and must not end with a hyphen or contain two
consecutive hyphens.
Resources:
MyDB:
Type: 'AWS::RDS::DBInstance'
Properties:
DBInstanceIdentifier: !Ref DBInstanceID
DBName: !Ref DBName
DBInstanceClass: !Ref DBInstanceClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
EngineVersion: 8.0.16
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
MonitoringInterval: '60'
MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role'
MyDB2:
Type: 'AWS::RDS::DBInstance'
Properties:
DBInstanceIdentifier: !Ref DBInstanceID
DBName: !Ref DBName
DBInstanceClass: !Ref DBInstanceClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
EngineVersion: 8.0.16
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
MonitoringInterval: '60'
MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role'
AutoMinorVersionUpgrade: "false"
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"DBUsername": {
"NoEcho": "true",
"Description": "Username for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters."
}
},
"Resources": {
"MyDB": {
"Properties": {
"DBInstanceIdentifier": "DBInstanceID",
"DBInstanceClass": "DBInstanceClass",
"Engine": "MySQL",
"MasterUserPassword": "DBPassword",
"MonitoringInterval": "60",
"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role",
"DBName": "DBName",
"AllocatedStorage": "DBAllocatedStorage",
"EngineVersion": "8.0.16",
"MasterUsername": "DBUsername"
},
"Type": "AWS::RDS::DBInstance"
},
"MyDB2": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceIdentifier": "DBInstanceID",
"DBInstanceClass": "DBInstanceClass",
"EngineVersion": "8.0.16",
"MasterUserPassword": "DBPassword",
"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role",
"DBName": "DBName",
"AllocatedStorage": "DBAllocatedStorage",
"Engine": "MySQL",
"MasterUsername": "DBUsername",
"MonitoringInterval": "60",
"AutoMinorVersionUpgrade": "false"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
Description": "AWS CloudFormation Sample"
Parameters:
DBInstanceID:
Default: mydbinstance
Description: My database instance
Type: String
MinLength: '1'
MaxLength: '63'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: >-
Must begin with a letter and must not end with a hyphen or contain two
consecutive hyphens.
ConstraintDescription: must contain only alphanumeric characters.
Resources:
MyDB:
Type: 'AWS::RDS::DBInstance'
Properties:
DBInstanceIdentifier: !Ref DBInstanceID
DBName: !Ref DBName
DBInstanceClass: !Ref DBInstanceClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
EngineVersion: 8.0.16
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
MonitoringInterval: '60'
MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role'
AutoMinorVersionUpgrade: true
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"DBInstanceClass": {
"Type": "String",
"ConstraintDescription": "Must select a valid DB instance type.",
"Default": "db.m5.large",
"Description": "DB instance class"
}
},
"Resources": {
"MyDB": {
"Properties": {
"EngineVersion": "8.0.16",
"MasterUsername": "DBUsername",
"MonitoringInterval": "60",
"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role",
"AutoMinorVersionUpgrade": true,
"DBInstanceIdentifier": "DBInstanceID",
"DBInstanceClass": "DBInstanceClass",
"Engine": "MySQL",
"MasterUserPassword": "DBPassword",
"DBName": "DBName",
"AllocatedStorage": "DBAllocatedStorage"
},
"Type": "AWS::RDS::DBInstance"
}
}
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
Description": "AWS CloudFormation Sample"
Parameters:
DBInstanceID:
Default: mydbinstance
Description: My database instance
Type: String
MinLength: '1'
MaxLength: '63'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: >-
Must begin with a letter and must not end with a hyphen or contain two
consecutive hyphens.
ConstraintDescription: must contain only alphanumeric characters.
Resources:
MyDB:
Type: 'AWS::RDS::DBInstance'
Properties:
DBInstanceIdentifier: !Ref DBInstanceID
DBName: !Ref DBName
DBInstanceClass: !Ref DBInstanceClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
EngineVersion: 8.0.16
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
MonitoringInterval: '60'
MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role'
AutoMinorVersionUpgrade: "true"
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"DBInstanceClass": {
"Type": "String",
"ConstraintDescription": "Must select a valid DB instance type.",
"Default": "db.m5.large",
"Description": "DB instance class"
}
},
"Resources": {
"MyDB": {
"Properties": {
"EngineVersion": "8.0.16",
"MasterUsername": "DBUsername",
"MonitoringInterval": "60",
"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role",
"AutoMinorVersionUpgrade": "true",
"DBInstanceIdentifier": "DBInstanceID",
"DBInstanceClass": "DBInstanceClass",
"Engine": "MySQL",
"MasterUserPassword": "DBPassword",
"DBName": "DBName",
"AllocatedStorage": "DBAllocatedStorage"
},
"Type": "AWS::RDS::DBInstance"
}
}
}