Compliance

Keep software and engines patched

One capability across databases, runtimes, clusters and instances: make sure no workload runs on an unsupported or unpatched version that has stopped receiving security fixes.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: DMS.6 EC2.24 ECS.10 EKS.2 EKS.9 ElastiCache.2 ElasticBeanstalk.2 Glue.4 Lambda.2 Opensearch.10 RDS.13 RDS.35 RDS.51 Redshift.6 SSM.2

Keeping software patched: the basics

What does "unpatched" actually mean across managed AWS services?

"Managed" does not mean "automatically kept current." AWS manages the infrastructure, but whether a workload follows the supported version track is a setting your team chooses, and it shows up in many shapes. RDS, DMS and ElastiCache have an auto-minor-version-upgrade flag that, when off, freezes the engine on a version accumulating CVEs. Lambda runtimes, EKS Kubernetes versions, ECS Fargate platform versions, Elastic Beanstalk platforms, Glue versions, OpenSearch and Redshift engines all have a deprecation lifecycle: when the upstream project stops shipping security fixes, AWS follows, and a workload left behind runs on a frozen base. SSM patch compliance (SSM.2) tracks the same idea for the OS on managed EC2 instances. The risk is identical everywhere: code or an engine running on a version nobody is patching any more.

AWS Security Hub turns each of these into its own control, which is why a single estate can fail a dozen patching checks at once. RDS.13, RDS.35 and RDS.51 cover auto minor upgrades on instances and clusters, DMS.6 and ElastiCache.2 cover their engines, Redshift.6 covers major-version upgrades, Lambda.2 covers deprecated runtimes, EKS.2 and EKS.9 cover the cluster control plane and node groups, ECS.10 covers Fargate platform versions, ElasticBeanstalk.2 covers managed platform updates, Glue.4 covers supported Glue versions, Opensearch.10 covers the latest service software, EC2.24 covers paravirtual instance types, and SSM.2 covers OS patch compliance. They look like separate problems, but they are one capability: stay on a version that is still getting security fixes.

Most of this is drift, not intent. A launch template left the auto-upgrade flag off, a Lambda runtime quietly hit end-of-life, an EKS cluster slipped past standard support, an instance fell out of patch compliance. Unlike many findings, several of these have a hard expiry: AWS publishes deprecation dates 12 or more months in advance and will eventually force the change on its own schedule. The job is to find every workload on an unsupported or unpatched version, upgrade the production ones before the deadline, and enforce supported versions as the default so the finding stops recurring.

In this lesson you will learn how AWS expresses version support across databases, runtimes, clusters and instances, how to find every workload on an unsupported or unpatched version, and how to bring them current without breaking the few that legitimately pin a version. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The patch that arrived at 2 a.m. anyway

A team running a production PostgreSQL instance turned its auto-minor-version-upgrade flag off years earlier to avoid surprises, then never scheduled a manual upgrade, and the engine drifted toward end-of-support. AWS reserves the right to apply a minor upgrade even when the flag is off for a critical security issue or an end-of-support version, and that is exactly what happened: AWS forced the upgrade in the next maintenance window. The team got the surprise they had spent years trying to avoid, on AWS's schedule instead of their own. The pattern repeats across the capability: leave a Lambda runtime past its published deprecation date and AWS eventually blocks invocations, leave an EKS cluster past extended support and AWS auto-upgrades the control plane when it chooses. Falling behind does not avoid the upgrade; it just hands AWS the timing.

Finding unpatched workloads across an estate

Dev runs the security cadence at a mid-sized SaaS company mid-way through a SOC 2 and PCI renewal. Security Hub shows patching failures spread across RDS, Lambda and EKS in three accounts, and the auditor's pre-read has flagged unpatched systems as an area of focus.

Rather than work the findings one by one, he starts with the data tier, where an unpatched engine is the highest-impact and most audit-relevant, listing which RDS instances have automatic minor upgrades disabled so he can separate the production databases that must be fixed from the dev instances that the flag was simply left off on, before changing anything.

Start with the data tier. RDS instances with auto minor version upgrade off will sit on an old engine accumulating CVEs until a human intervenes.

$ aws rds describe-db-instances --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].[DBInstanceIdentifier,Engine,EngineVersion]' --output table

------------------------------------------------

| prod-orders | mysql | 8.0.35 |

| prod-billing | postgres | 15.4 |

| dev-sandbox | mysql | 8.0.35 |

------------------------------------------------

# Two production databases frozen on old minor versions; the dev sandbox can follow later.

Auto-upgrade-off production databases are the highest-value target in this group, especially anything in audit scope. Fix the production ones first, then document any deliberate version pin as an exception.

How AWS decides a version is unsupporteddeep dive

Most patching controls resolve to one of two mechanisms. The first is an opt-in upgrade flag: RDS, DMS and ElastiCache expose an AutoMinorVersionUpgrade boolean (Redshift has an equivalent for major versions, Elastic Beanstalk a managed-platform-updates setting) that, when on, applies recommended backwards-compatible upgrades during the maintenance window. A minor upgrade never crosses a major boundary, so it is safe to enable broadly: it cannot silently jump you to a version your application has not been tested against. The second is a published deprecation lifecycle: Lambda runtimes, EKS Kubernetes versions, ECS Fargate platforms, Glue versions and OpenSearch service software each have dated end-of-support, after which AWS stops patching and eventually forces or blocks the workload. SSM.2 is a third shape entirely: it reads OS patch compliance reported by the SSM agent on managed EC2 instances.

The lifecycle services share a hard edge that the flag-based ones soften. Lambda deprecates runtimes in three phases roughly 60 days apart, ending in blocked invocations and a failure mode that is silent except in CloudWatch. EKS gives roughly 14 months of standard support, then about a year of extended support at a per-cluster-hour surcharge, then a forced auto-upgrade. In both cases the schedule is published 12 or more months ahead, so a missed deadline is a planning gap, not a surprise. Upgrades are also often sequential and irreversible: EKS moves one minor version at a time and cannot roll back, so deprecated-API pre-flight checks matter.

Several capabilities split control plane from workers because they version independently, which is why EKS.2 (the cluster) and EKS.9 (node groups) are scored separately and almost always fail together: you upgrade the control plane first, then bring the nodes up to match. Read replicas carry their own auto-upgrade flag independent of the primary. The strongest end state is not just upgrading today but enforcing supported versions as a provisioning default through infrastructure-as-code and AWS Config rules (for example rds-automatic-minor-version-upgrade-enabled), backed by SNS or EventBridge alerts on the published deprecation events so upgrades are scheduled while a version is still supported.

What is the impact of running unpatched versions?

The direct impact is unpatched security vulnerabilities on systems that often hold or process sensitive data. Minor versions and supported runtimes are where engine and language CVEs get fixed: privilege-escalation bugs, denial-of-service flaws, authentication weaknesses. With upgrades off or a runtime deprecated, a workload can sit for months on a version with publicly documented, exploitable holes. NIST 800-53 SI-2 (flaw remediation) and PCI DSS 6.3.3 exist specifically because unpatched data stores and runtimes are a top-tier breach vector.

The second-order impact is operational risk concentrated into the worst possible moment. Falling behind does not exempt you from the upgrade: AWS forces RDS minor upgrades for critical issues, blocks Lambda invocations at the end of the deprecation lifecycle, and auto-upgrades EKS clusters past extended support. So the realistic outcome of "leave it" is not "never upgrade," it is "upgrade on AWS's emergency timeline, often with little room to test, possibly during your peak." You trade many small, scheduled, low-risk upgrades for a few large, unscheduled, high-stress ones, and the lifecycle failures (blocked Lambda invocations, an EKS auto-upgrade) tend to surface as silent outages.

On the compliance side, these controls map to CIS, NIST and PCI DSS, so an unpatched workload is a direct audit finding, and a persistent High-severity finding past a published deprecation date is impossible to wave away as a recent oversight. The cost angle runs in your favour: most fixes are free, the EKS surcharge falls off once you upgrade, and newer runtimes bill less per invocation, so this is one of the highest-leverage-to-effort moves in the whole control set.

How do you bring workloads current safely?

Work the capability as one loop rather than chasing individual findings. The order matters: prioritise production and anything in audit scope or near a published deadline, pre-flight breaking changes, and enforce supported versions as the default so the finding stops recurring.

1. Inventory every workload by version and support status

Across services and every account and region, list the workloads that are behind: RDS, DMS and ElastiCache instances with auto-upgrade off (including read replicas, which have their own flag), Lambda functions on deprecated runtimes, EKS clusters and node groups past standard support, ECS Fargate platform versions, Glue versions, and EC2 instances out of SSM patch compliance. Map each against the published deprecation calendar, capture the environment tag, and flag anything already past end-of-support: those carry live, exploitable vulnerabilities right now.

2. Pre-flight breaking changes before upgrading the lifecycle services

Minor RDS, DMS and ElastiCache upgrades are backwards-compatible and safe to enable broadly. The lifecycle services are not free upgrades: a Lambda runtime bump can hit changed language APIs or native-binary layers, and an EKS upgrade can break workloads calling removed Kubernetes APIs. Test on the target version in staging with production-like input, check addon compatibility, and rebuild custom layers against the new base image before touching production.

3. Upgrade production first, on a planned window

For flag-based services, enable the auto-upgrade flag and leave the change to land in the maintenance window rather than mid-traffic. For lifecycle services, upgrade one minor version at a time where required (EKS), update Lambda runtimes through your IaC pipeline, and do it during a planned change window rather than waiting for AWS to force it on its own schedule. For a database or Kubernetes version that must stay pinned (vendor certification, a known regression), record it as a tracked exception with an owner and a re-review date, not a silent skip.

4. Ratchet it in with defaults and a deprecation calendar

Set the auto-upgrade flag and supported-version pins in your CloudFormation and Terraform modules so new workloads arrive current, add AWS Config rules to catch drift, and subscribe to the AWS Health Dashboard and EKS deprecation events via SNS or EventBridge. Put each published deprecation date on the team calendar with 90 days of lead time so upgrades are scheduled while a version is still supported, which keeps the EKS surcharge from ever starting and the Lambda invocation block from ever arriving.

# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29

Quick quiz

Question 1 of 5

Security Hub shows patching failures across RDS, Lambda and EKS. What is the most efficient way to think about them?

Keep learning

Go deeper on how version support and patching work across the services in this capability.

You can now treat patching as one capability rather than a scatter of findings: inventory every workload by version and support status, pre-flight breaking changes on the lifecycle services, upgrade production first on a planned window (ahead of any published deadline), and ratchet the estate shut with supported-version defaults, Config rules and a deprecation calendar. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Keeping software patched: the cost and risk view

A near-free default that quietly shifts security and audit liability onto your team

Most of this capability costs nothing on the invoice to fix. A minor version upgrade is free, enabling an auto-upgrade flag is free, and moving a Lambda function to a current runtime is free. So this is rarely a budget decision. The cost is contingent: it is the expected value of a breach on an unpatched data store, a failed audit, or an emergency upgrade when a version reaches end-of-support and AWS forces the change with little notice.

There are two places where staying behind has a direct dollar consequence, and both run in your favour when you fix them. EKS extended support adds a per-cluster-hour surcharge, several times the base rate, for every hour a cluster runs on an out-of-support version, so the finding is also a recurring penalty with no offsetting value. And newer Lambda runtimes routinely run 15 to 30 percent faster than deprecated ones with no code change, cutting GB-second billing, so a runtime migration often pays for itself. Frame remediation as removing avoidable spend and contingent risk at once.

Auditors under PCI DSS and frameworks built on NIST 800-53 treat unpatched databases and runtimes as a direct finding, not a soft recommendation, so this is the line item that can fail a compliance review and stall a customer deal. The right framing is that enabling supported-version defaults converts an unpredictable, lumpy, high-stress cost (emergency upgrades, breach response, audit remediation) into a predictable, near-zero one.

This lesson is for the finance partner who sees "managed" on the AWS bill and assumes security patching is included. It explains why that assumption is incomplete, that most of these fixes carry no invoice line but real contingent risk, where staying behind actually costs money (the EKS extended-support surcharge and slower Lambda runtimes), and the governance moves, reporting cadence, supported-version defaults and signed-off exceptions, that keep the number near zero.

Fun fact

The patch that arrived at 2 a.m. anyway

How a finance partner frames the patching decision

Lena is the finance partner for a mid-sized SaaS company mid-way through a SOC 2 and PCI renewal. Security Hub has thrown patching failures across RDS, Lambda and EKS in three accounts, and the auditor's pre-read has flagged unpatched systems as an area of focus. Her first instinct is not to ask for a budget, because she already knows most of these fixes carry no invoice line. It is to ask which workloads are in audit scope and which sit near a published deprecation deadline, so the work is ordered by the risk it removes rather than by the order the report lists it.

The team pulls the inventory. Two production databases (prod-orders and prod-billing) have auto minor version upgrade off and are sitting on old engines accumulating CVEs, a couple of Lambda functions are on deprecated runtimes, and one EKS cluster has slipped into extended support. Lena's framing for the finance pack has two halves. First, the contingent risk: an unpatched data store in PCI scope is a direct audit finding that can stall the certification and the revenue gated behind it, with the breach tail (forensics, notification, churn) landing in a different part of the P&L entirely. Second, the savings: the EKS extended-support surcharge is a pure, fully-avoidable penalty several times the base rate per cluster-hour that no Reserved Instance covers, and migrating the Lambda functions to current runtimes cuts GB-second billing by 15 to 30 percent. She frames remediation as removing avoidable spend and contingent risk at the same time, which moves the tickets up the backlog faster than a security finding alone.

Why this belongs on the risk register and sometimes the savings list

Most of this capability carries no invoice line: a minor version upgrade and an auto-upgrade flag are free, and the brief maintenance-window downtime has no incremental charge. That is exactly why it is easy to under-prioritise next to categories that do show up on the bill. The cost is contingent and asymmetric: small and predictable if you stay current, large and lumpy if you do not (breach response, emergency upgrades, audit remediation). The most direct financial impact is on audit and sales, because an unpatched fleet is a finding auditors write up and a question on enterprise security questionnaires, and an open finding can delay a certification and the revenue gated behind it.

Two parts of the capability run the other way and make remediation a savings item. The EKS extended-support surcharge is a pure, fully-avoidable penalty, several times the base control-plane rate per cluster-hour, that no Reserved Instance or Savings Plan covers, so the only lever is upgrading on time; you can put an exact monthly figure on a slipped upgrade, which moves a maintenance ticket up the backlog faster than a security finding alone. And migrating Lambda functions to current runtimes cuts GB-second billing by 15 to 30 percent on real workloads, often paying for the migration sprint in the first billing cycle. The finance role is to track the count of unpatched workloads (and in-scope ones) as a risk indicator, quantify the EKS slip cost and the Lambda savings to fund the work, and require a recorded, dated exception for any deliberate version pin.

What finance can actually do about patching

Finance cannot bump a runtime, but it owns the framing that makes staying current the default and the audit metric. Three levers, used at the regular cadence.

1. Put unpatched workloads on the audit-readiness pack

Add the count of workloads on unsupported or unpatched versions to the security and audit-readiness review, with the in-scope subset (PCI, SOC 2) called out as the urgent part. If either trends up two months running, that is the prompt to escalate before an auditor finds it for you, because the cheapest time to catch drift is monthly, not the week before an audit.

2. Quantify the slip cost and the savings to force prioritisation

For EKS, the surcharge is a known per-cluster-hour rate, so "this cluster costs an extra few hundred dollars every month it is not upgraded" moves the ticket faster than a security finding. For Lambda, model the 15 to 30 percent duration reduction on high-invocation functions and present the migration as an investment with a payback period. Both turn patching from a diffuse to-do into a funded, prioritised sprint.

3. Make staying current a precondition and require sign-off for pins

Agree that supported versions are the default for every new workload and that pinning requires a documented, signed-off exception with a named owner and a re-review date. A short, dated exception list is healthy; a long or undated one means "behind" has quietly become the default again. Watch the trend, not just the absolute number.

Quick quiz

Question 1 of 5

Most patching fixes (a minor upgrade, enabling an auto-upgrade flag, moving Lambda to a current runtime) cost what on the AWS invoice?

Keep learning

Go deeper on how version support and patching work across the services in this capability.

You have finished the finance view of patching. You know that most of this capability carries no invoice line, that the cost is contingent and asymmetric (small if you stay current, large and lumpy if you do not), and that two parts run in your favour: the avoidable EKS extended-support surcharge and the 15 to 30 percent saving from moving Lambda to current runtimes. Next time these findings land, you will track the in-scope count, quantify the slip cost and the savings to fund the work, and require a dated sign-off for any deliberate version pin.

Back to the library

Keeping software patched: the headline

Whether workloads stay on supported versions, or quietly fall behind a published deadline

"Managed" does not mean "automatically kept secure." AWS applies routine security patches to an engine or runtime only if the workload is configured to follow the supported track. When a workload falls behind, it stops receiving security fixes and carries any published vulnerabilities until someone intervenes, which routinely does not happen on time. The report shows this as a scatter of findings across databases, runtimes, clusters and instances, but the underlying question is one: is anything running on a version nobody is patching?

What makes this a leadership item is that several of these findings have a hard expiry. AWS publishes deprecation dates 12 or more months in advance and will eventually force the change (blocking Lambda invocations, auto-upgrading an EKS cluster) on its own schedule. Missing a deadline means the team knew about a published, often High-severity obligation and did not act, which reads in an audit as a process-maturity gap rather than a one-off misconfiguration.

The defensible end state is that staying current is the default, with manual control reserved for a short, named list of documented exceptions, and deprecation dates on a shared calendar so upgrades are planned events rather than fire drills. For the EKS surcharge and the slower-runtime billing, the fix even removes cost while removing risk.

A short read for the leader who needs to know what unpatched workloads expose, why several of these findings carry a published deadline that makes them a process-maturity signal rather than a cost line, and what a defensible end state looks like: staying current by default, a short list of documented exceptions, and deprecation dates on a calendar.

Fun fact

The patch that arrived at 2 a.m. anyway

What it looks like when staying current is the default

After a production PostgreSQL instance, whose auto-minor-version-upgrade flag had been switched off years earlier to avoid surprises, got force-upgraded by AWS in a maintenance window anyway because the engine had drifted toward end-of-support, the CTO asked a pointed question at the review: are we managing version lifecycle, or are we just hoping AWS does not call the deadline on us first? The honest answer was the latter. Falling behind had not avoided the upgrade, it had simply handed AWS the timing, on its schedule rather than the team's.

The response was to stop treating patching as a per-workload choice and make staying current the default. Auto-upgrade flags and supported-version pins went into the CloudFormation and Terraform modules so new workloads arrive current, AWS Config rules catch drift, and every published deprecation date now sits on the team calendar with 90 days of lead time, so upgrades are planned change windows rather than fire drills. The handful of workloads that legitimately pin a version (a vendor certification, a known regression) are tracked exceptions with an owner and a re-review date, not silent skips. A quarter on, the same CTO asked the simpler question, is anything running on a version nobody is patching, and the answer was a short, flat, documented list instead of a scramble. That shift, from reactive emergency upgrades to a calendar-driven process, is the whole point, and for the EKS surcharge and the slower-runtime billing it removed cost while it removed risk.

Why this is a board-level risk

These findings mostly carry no dollar cost, which is the whole reason they need a leadership frame: there is no invoice pressure to fix them, so they only get done if the org treats staying patched as a default rather than a per-workload decision. They sit squarely in the security and compliance lane, unpatched workloads are a top breach vector and a direct finding under the frameworks customers audit against, and several have a published deadline that turns deferral into a guaranteed incident.

The second-order point is what the number says about discipline. A small, flat count with documented exceptions means the org has a working patching policy applied to new systems automatically. A growing count means workloads are launching without the policy and quietly accumulating risk that surfaces only at an audit or an incident. Both the CISO and the CFO have a stake: one in the breach risk, the other in the audit and deal exposure, plus the avoidable EKS surcharge and slower-runtime billing that staying behind quietly racks up.

The leadership move on patching

The executive handle is not to mandate a specific version. It is to require that version lifecycle is a managed, calendar-driven process rather than a reactive scramble.

1. Make staying current the default, not a decision

Every workload should launch on a supported version with auto-upgrade on. The moment patching is a per-workload choice, some workloads will be left behind, not maliciously but by omission. Defaults are the highest-leverage control you can set without any technical depth.

2. Require a deprecation calendar and a named exception list

Published EOL dates should be tracked in sprint planning with 90 days of lead time, and any pinned workload should be a deliberate, owned, time-boxed decision rather than a silent setting. If the team cannot show a calendar, that is the process gap to close, because the dated services guarantee an incident if the deadline is missed.

3. Treat persistent findings as an audit-readiness signal

Ask one question at the review: is the count of unpatched workloads flat and documented, or growing, and is anything past a published deadline without a plan? A flat, near-zero answer for several quarters means the estate maintains itself: a one-minute item that needs no technical detail to interpret.

Quick quiz

Question 1 of 5

Why do leadership treat patching as a default to set rather than a per-workload decision to approve?

Keep learning

Go deeper on how version support and patching work across the services in this capability.

Two takeaways: unpatched workloads are a top breach vector and a direct audit finding, and several carry a published deadline that turns deferral into a guaranteed incident on AWS's timing rather than yours. The right metric is not the raw finding count, it is whether staying current is the default with a deprecation calendar and a short, named exception list, because a flat, documented number for several quarters means the estate maintains itself.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

EKS

ElastiCache

ElastiCache.2 Medium ElastiCache is not auto-applying minor patches

ElasticBeanstalk

ElasticBeanstalk.2 High Managed platform updates are disabled

Glue

Glue.4 Medium Glue Spark jobs on supported versions

Lambda

Lambda.2 Medium Lambdas run on deprecated, unpatched runtimes

Opensearch

Opensearch.10 Medium OpenSearch should have latest software update

RDS

Redshift

Redshift.6 Medium Redshift should auto-upgrade major versions

SSM

SSM.2 Medium Instances are missing security patches

Part of the learning path Build in resilience

Keep software and engines patched

Keeping software patched: the basics

The patch that arrived at 2 a.m. anyway

Finding unpatched workloads across an estate

How AWS decides a version is unsupporteddeep dive

What is the impact of running unpatched versions?

How do you bring workloads current safely?

1. Inventory every workload by version and support status

2. Pre-flight breaking changes before upgrading the lifecycle services

3. Upgrade production first, on a planned window

4. Ratchet it in with defaults and a deprecation calendar

Quick quiz

Keep learning

Keeping software patched: the cost and risk view

The patch that arrived at 2 a.m. anyway

How a finance partner frames the patching decision

Why this belongs on the risk register and sometimes the savings list

What finance can actually do about patching

1. Put unpatched workloads on the audit-readiness pack

2. Quantify the slip cost and the savings to force prioritisation

3. Make staying current a precondition and require sign-off for pins

Quick quiz

Keep learning

Keeping software patched: the headline

The patch that arrived at 2 a.m. anyway

What it looks like when staying current is the default

Why this is a board-level risk

The leadership move on patching

1. Make staying current the default, not a decision

2. Require a deprecation calendar and a named exception list

3. Treat persistent findings as an audit-readiness signal

Quick quiz

Keep learning

Controls this lesson covers

DMS

EC2

ECS

EKS

ElastiCache

ElasticBeanstalk

Glue

Lambda

Opensearch

RDS

Redshift

SSM

Related compliance lessons