AWS Security Hub · RDS
RDS.35: RDS clusters auto minor version upgrade
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.35 check?
RDS.35 checks the AutoMinorVersionUpgrade flag on a Multi-AZ DB cluster (AWS::RDS::DBCluster). It reports FAILED when the flag is off, meaning the cluster stays on its current minor version until a human intervenes. It is the cluster-level sibling of RDS.13's instance check.
Why does RDS.35 matter?
Minor versions ship bug fixes, performance improvements, and security patches. Disabling auto-upgrade is a common, well-intentioned mistake — teams turn it off to avoid surprise maintenance, intending to patch manually, then never do. Months pass, several versions accumulate, and the eventual catch-up is no longer a quiet automatic patch but a large, risky, multi-version jump needing change approval and downtime. It maps to NIST 800-53 SI-2 and PCI DSS 6.3.3.
How do I fix RDS.35?
- Enable it with modify-db-cluster --auto-minor-version-upgrade.
- Confirm the cluster's maintenance window sits in a low-traffic period.
- Default it to true in IaC so new clusters inherit it.
- Reserve pinned versions for clusters that genuinely require them, documented as exceptions.
Remediation script · bash

```bash
# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
    --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29
```

Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.
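The script above flips the flag on DB instances (the RDS.13 scope); the following is an added example, not Emnode's code, that applies the RDS.35 logic to the cluster-level flag: it evaluates a constructed describe-db-clusters response, treats a cluster carrying the hypothetical rds35-exception tag as a documented exception, and emits modify-db-cluster commands for the rest. The Aurora handling (a cluster with no AutoMinorVersionUpgrade field is reported as not applicable) is an assumption about the response shape.

```python
"""Evaluate RDS.35 against a describe-db-clusters response and build the fix commands."""

# Constructed sample shaped like boto3's rds.describe_db_clusters() response.
# cluster-a: flag off                                    -> FAILED
# cluster-b: flag on                                     -> PASSED
# cluster-c: flag off, tagged as a documented exception  -> SUPPRESSED
# aurora-d: no cluster-level flag (assumed Aurora shape) -> NOT_APPLICABLE
SAMPLE_RESPONSE = {"DBClusters": [
    {"DBClusterIdentifier": "cluster-a", "Engine": "postgres", "AutoMinorVersionUpgrade": False,
     "PreferredMaintenanceWindow": "sun:03:00-sun:04:00", "TagList": []},
    {"DBClusterIdentifier": "cluster-b", "Engine": "mysql", "AutoMinorVersionUpgrade": True,
     "PreferredMaintenanceWindow": "sat:02:00-sat:03:00", "TagList": []},
    {"DBClusterIdentifier": "cluster-c", "Engine": "postgres", "AutoMinorVersionUpgrade": False,
     "PreferredMaintenanceWindow": "mon:01:00-mon:02:00",
     "TagList": [{"Key": "rds35-exception", "Value": "CHG-0042 pinned for vendor certification"}]},
    {"DBClusterIdentifier": "aurora-d", "Engine": "aurora-postgresql",
     "PreferredMaintenanceWindow": "tue:05:00-tue:06:00", "TagList": []},
]}

EXCEPTION_TAG = "rds35-exception"  # hypothetical tag convention for documented pinned versions

def evaluate(response: dict) -> list[dict]:
    """One finding per cluster: PASSED, FAILED, SUPPRESSED or NOT_APPLICABLE."""
    findings = []
    for c in response.get("DBClusters", []):
        tags = {t["Key"]: t["Value"] for t in c.get("TagList", [])}
        if "AutoMinorVersionUpgrade" not in c:
            status = "NOT_APPLICABLE"   # nothing to check at cluster level
        elif c["AutoMinorVersionUpgrade"]:
            status = "PASSED"
        elif EXCEPTION_TAG in tags:
            status = "SUPPRESSED"       # documented exception; still listed for review
        else:
            status = "FAILED"
        findings.append({"id": c["DBClusterIdentifier"], "status": status,
                         "window": c.get("PreferredMaintenanceWindow"),
                         "reason": tags.get(EXCEPTION_TAG)})
    return findings

def remediation_commands(findings: list[dict]) -> list[str]:
    """modify-db-cluster for each FAILED cluster, with --no-apply-immediately as in the page's script."""
    return [f"aws rds modify-db-cluster --db-cluster-identifier {f['id']} "
            f"--auto-minor-version-upgrade --no-apply-immediately  # window: {f['window']}"
            for f in findings if f["status"] == "FAILED"]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESPONSE):
        print(f"{f['id']:<10} {f['status']:<15} window={f['window']} reason={f['reason']}")
    print("\n".join(remediation_commands(evaluate(SAMPLE_RESPONSE))))
```

Review the SUPPRESSED rows alongside the FAILED ones: an exception tag records why a version is pinned, it does not make the finding go away.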
Is RDS.35 a false positive?
Minor upgrades are backwards-compatible and applied in the maintenance window — the fear of surprise breakage that drives teams to disable the flag is misplaced, and leaving it off only converts small automatic patches into large manual ones later.
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters