Why We Migrated From Aurora to RDS: The Security-Patching Question Nobody Asks
We migrated from Aurora to RDS. Here's why — and why the deciding factor wasn't the one most teams weigh.
Everyone assumes Aurora is the better PostgreSQL option on AWS: more features, better performance, managed scaling. For the most part, that's true. It's the default "premium" answer.
But here's something nobody talks about: security patching.
The question that actually mattered
We run healthcare workloads. When a critical CVE drops for PostgreSQL, we need it patched. Not in three months. Not "when Aurora gets around to it." Now.
What we found is that AWS does not commit to a timeline for shipping PostgreSQL security patches to Aurora. RDS, by contrast, gets them significantly faster because it runs closer to upstream PostgreSQL.
For us, that was a dealbreaker. When you're in a regulated environment handling patient data, "we'll get to it" isn't an acceptable answer for a critical vulnerability. The threat model doesn't care how nice your managed scaling is.
So we moved: Aurora → RDS PostgreSQL.
What happened
- Security patches now land weeks earlier — the entire reason for the move, and it delivered.
- Database costs dropped ~8% — Aurora's pricing model isn't cheap, and RDS came out lower for our workload.
- Zero downtime during the migration.
- Same availability, same performance for our workloads — we gave up nothing that mattered to us.
The takeaway
Aurora is genuinely great for a lot of use cases. But if your threat model requires timely CVE patching, RDS might actually be the more secure choice — and "more secure" is not the adjective most people would attach to the non-premium option.
The broader lesson: don't pick the "premium" tier on reputation alone. Ask the hard questions about the parts nobody markets — the patch lifecycle, the SLAs that aren't on the pricing page, the operational guarantees your compliance posture actually depends on. The best choice for a regulated workload isn't always the one with the longest feature list.
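One way to put the patch-lifecycle question to your own account, as an added example that is not code from the original post: the Python below takes data shaped like the output of `aws rds describe-db-engine-versions` and `aws rds describe-db-instances` and sorts each instance into patched, upgrade-available, or waiting-on-vendor. The versions, instance names and the `FIXED_IN` table are constructed for illustration and say nothing about the actual state of either service.

```python
import re

# Constructed sample data, shaped like the JSON returned by
# `aws rds describe-db-engine-versions` and `aws rds describe-db-instances`.
OFFERED = {"DBEngineVersions": [
    {"Engine": "postgres", "EngineVersion": "16.3"},
    {"Engine": "postgres", "EngineVersion": "16.4"},
    {"Engine": "aurora-postgresql", "EngineVersion": "16.3"},
    {"Engine": "postgres", "EngineVersion": "15.8"},
    {"Engine": "aurora-postgresql", "EngineVersion": "15.8"},
]}
INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "claims-db", "Engine": "postgres", "EngineVersion": "16.3"},
    {"DBInstanceIdentifier": "intake-db", "Engine": "aurora-postgresql", "EngineVersion": "16.3"},
    {"DBInstanceIdentifier": "audit-db", "Engine": "postgres", "EngineVersion": "15.8"},
]}
# Constructed (assumption): first upstream minor carrying the fix, per major version.
FIXED_IN = {16: 4, 15: 8}

def parse(version):
    m = re.match(r"(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) if m else None

def patched_offered(offered, fixed_in):
    """Map (engine, major) to True if the engine already offers a fixed minor."""
    result = {}
    for v in offered["DBEngineVersions"]:
        parsed = parse(v["EngineVersion"])
        if parsed is None or parsed[0] not in fixed_in:
            continue  # unparseable version string, or a major we are not tracking
        key = (v["Engine"], parsed[0])
        result[key] = result.get(key, False) or parsed[1] >= fixed_in[parsed[0]]
    return result

def triage(instances, offered, fixed_in):
    """Classify every instance by whether it is patched or can be patched today."""
    available = patched_offered(offered, fixed_in)
    report = {}
    for inst in instances["DBInstances"]:
        name, parsed = inst["DBInstanceIdentifier"], parse(inst["EngineVersion"])
        if parsed is None or parsed[0] not in fixed_in:
            report[name] = "unknown"
        elif parsed[1] >= fixed_in[parsed[0]]:
            report[name] = "patched"
        elif available.get((inst["Engine"], parsed[0])):
            report[name] = "upgrade-available"   # the delay is ours to close
        else:
            report[name] = "waiting-on-vendor"   # no fixed minor offered yet
    return report
```

Run on a schedule against live CLI output, the `waiting-on-vendor` bucket is the number to track: it measures exposure you cannot close by upgrading.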
If you work in a regulated industry, I'd genuinely like to know: have you hit the same wall?
About the Author
Ankit Bhardwaj
Site Reliability Engineer with 12+ years in software engineering and 4+ years operating production cloud infrastructure on AWS and Kubernetes. Currently running six Kubernetes clusters at 99.99% uptime.