RDS.13: RDS is not receiving automatic minor security patches

What does AWS Security Hub RDS.13 check?

RDS.13 checks whether AutoMinorVersionUpgrade is enabled on each RDS DB instance. It reports FAILED when the flag is off, meaning the instance will sit on its current minor version indefinitely rather than picking up patches in its maintenance window.

Why does RDS.13 matter?

Every RDS engine ships a stream of backwards-compatible minor versions carrying bug fixes and security patches. "Managed database" lulls teams into thinking patching is AWS's job — it isn't, unless you opt in. With the flag off, AWS only forces an upgrade in genuine emergencies, so a database accumulates published, exploitable CVEs until a human remembers to act, and manual upgrades slip every time. It maps to CIS AWS Foundations 2.2.2, NIST 800-53 SI-2, and PCI DSS 6.3.3.

How do I fix RDS.13?

1. Set the flag with modify-db-instance --auto-minor-version-upgrade (it applies in the next maintenance window, no charge).
2. Confirm the maintenance window falls in a low-traffic period.
3. Enable it by default in IaC templates so new instances inherit it.
4. Reserve pinned versions for the few systems that genuinely need them, documented as exceptions.

# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29