AWS Security ChangesHomeSearch

AWS AmazonRDS high security documentation change

Service: AmazonRDS · 2025-04-11 · Security-related high

File: AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.SQLServer.md

Summary

Added automatic minor version upgrade details and disabled legacy security protocols by default

Security assessment

Explicitly disables insecure protocols (TLS 1.0/1.1, RC4) in newer versions, addressing known cryptographic weaknesses

Diff

diff --git a/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.SQLServer.md b/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.SQLServer.md
index f53856aad..4a5c4ff7a 100644
--- a//AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.SQLServer.md
+++ b//AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.SQLServer.md
@@ -13 +13,27 @@ _Major version upgrades_ can contain database changes that are not backward-comp
-In contrast, _minor version upgrades_ include only changes that are backward-compatible with existing applications. You can initiate a minor version upgrade _manually_ by modifying your DB instance.
+_Minor version upgrades_ contain only changes that are backward-compatible with existing applications. You can upgrade the minor version for your DB instance in two ways:
+
+  * _Manually_ – Modify your DB instance to initiate the upgrade
+
+  * _Automatically_ – Enable automatic minor version upgrades for your DB instance
+
+
+
+
+When you enable automatic minor version upgrades, RDS for SQL Server automatically upgrades your database instance during scheduled maintenance windows when critical security updates are available in a newer minor version.
+
+For minor engine versions after `16.00.4120.1`, `15.00.4365.2`, `14.00.3465.1`, `13.00.6435.1`, the following security protocols are disabled by default:
+
+  * `rds.tls10` (TLS 1.0 protocol)
+
+  * `rds.tls11` (TLS 1.1 protocol)
+
+  * `rds.rc4` (RC4 cipher)
+
+  * `rds.curve25519` (Curve25519 encryption)
+
+  * `rds.3des168` (Triple DES encryption)
+
+
+
+
+For earlier engine versions, Amazon RDS enables these security protocols by default.