Compliance Medium severity

AWS Security Hub · DMS

DMS.6: DMS instances auto minor version upgrade

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub DMS.6 check?

DMS.6 fails when a replication instance has AutoMinorVersionUpgrade turned off. The control reads that flag, which controls whether DMS applies minor engine patches automatically during the instance's maintenance window.

Why does DMS.6 matter?

Replication instances are easy to forget — many run continuous change data capture for years on the version they were launched with. With auto minor upgrades off, those instances quietly drift behind on security and stability patches, sometimes several versions, until someone notices during a security sweep. Letting AWS apply minor patches keeps long-lived infrastructure current with no babysitting.

How do I fix DMS.6?

  1. Inventory replication instances and find those with AutoMinorVersionUpgrade disabled.
  2. Enable the flag with a single modify-replication-instance call.
  3. Confirm the maintenance window is set to a low-traffic period, since the upgrade applies there and can briefly interrupt running tasks.
  4. Set the flag on by default in your provisioning template.

Remediation script · bash

# Enable auto minor version upgrade on every DMS replication instance that has it disabled.
# --no-apply-immediately defers the change to the instance's maintenance window (see step 3).
for arn in $(aws dms describe-replication-instances \
    --query 'ReplicationInstances[?AutoMinorVersionUpgrade==`false`].ReplicationInstanceArn' --output text); do
  aws dms modify-replication-instance --replication-instance-arn "$arn" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29
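As an added example (not part of the Emnode page or the lesson script), the DMS.6 rule and the step 3 maintenance-window sanity check applied offline to a constructed describe-replication-instances response; the quiet-hours range and the helper names are assumptions, and the generated modify calls are printed, not executed.

```python
import json

# Constructed sample shaped like `aws dms describe-replication-instances` output;
# the identifiers and ARNs are placeholders, not real resources.
SAMPLE_RESPONSE = json.loads("""{"ReplicationInstances": [
  {"ReplicationInstanceIdentifier": "cdc-orders-prod",
   "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEORDERS",
   "EngineVersion": "3.4.7", "AutoMinorVersionUpgrade": false,
   "PreferredMaintenanceWindow": "tue:14:00-tue:14:30"},
  {"ReplicationInstanceIdentifier": "cdc-billing-prod",
   "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEBILLING",
   "EngineVersion": "3.5.2", "AutoMinorVersionUpgrade": true,
   "PreferredMaintenanceWindow": "sun:03:00-sun:03:30"}]}""")

# Assumed quiet hours (UTC) for the step 3 sanity check; tune to your own traffic profile.
QUIET_HOURS_UTC = range(0, 6)

def window_starts_in_quiet_hours(window, quiet_hours=QUIET_HOURS_UTC):
    """PreferredMaintenanceWindow is 'ddd:hh24:mi-ddd:hh24:mi' in UTC; test the start hour."""
    start_hour = int(window.split("-")[0].split(":")[1])   # 'tue:14:00' -> 14
    return start_hour in quiet_hours

def evaluate_dms6(response):
    """Apply the DMS.6 rule: an instance FAILS iff AutoMinorVersionUpgrade is false."""
    findings = []
    for inst in response.get("ReplicationInstances", []):
        window = inst.get("PreferredMaintenanceWindow", "")
        findings.append({
            "id": inst["ReplicationInstanceIdentifier"],
            "arn": inst["ReplicationInstanceArn"],
            "engine_version": inst.get("EngineVersion"),
            "status": "PASSED" if inst.get("AutoMinorVersionUpgrade") else "FAILED",
            "window": window,
            "window_off_peak": bool(window) and window_starts_in_quiet_hours(window),
        })
    return findings

def remediation_commands(findings):
    """Build (not run) the page's modify call for each failed instance;
    --no-apply-immediately defers the change to the maintenance window."""
    return [f"aws dms modify-replication-instance --replication-instance-arn {f['arn']} "
            "--auto-minor-version-upgrade --no-apply-immediately"
            for f in findings if f["status"] == "FAILED"]

if __name__ == "__main__":
    results = evaluate_dms6(SAMPLE_RESPONSE)
    for f in results:
        note = "" if f["window_off_peak"] else "  <- window outside quiet hours, move it before enabling"
        print(f"{f['status']:6} {f['id']:17} v{f['engine_version']} {f['window']}{note}")
    print("\n".join(remediation_commands(results)))
```

Against live data, replace SAMPLE_RESPONSE with the parsed output of `aws dms describe-replication-instances` and review the window notes before running the printed commands.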

Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.

Part of the learning path Build in resilience
  • DMS.1 A DMS replication instance is publicly accessible
  • DMS.7 DMS target DB tasks should have logging
  • DMS.8 DMS source DB tasks should have logging
  • DMS.9 DMS endpoints should use SSL
  • DMS.10 DMS Neptune endpoints should have IAM auth
  • DMS.11 DMS MongoDB endpoints should have auth
  • DMS.12 DMS Redis endpoints should have TLS
  • DMS.13 DMS replication instances should be Multi-AZ