Using the database engine’s default port makes instances easy for attackers to discover and target with automated scanning and exploit tooling, increasing the likelihood of brute-force, credential stuffing, or other network-based attacks. For Ansible RDS tasks using the amazon.aws.rds_instance or rds_instance modules, the port property must not be set to the engine default. Choose a non-default port and ensure access is restricted at the network level (security groups/ACLs).
This rule flags module tasks where port equals the engine default: MySQL/MariaDB/Aurora = 3306, PostgreSQL = 5432, Oracle = 1521, and SQL Server = 1433. This check flags explicit port settings that match defaults. If port is omitted, the engine may still use its default port, so also verify engine behavior and enforce least-privilege network access.
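As an added illustration (not the rule's own implementation), the following Python checker applies the logic above to Ansible tasks already loaded from a playbook. The engine-prefix table, the sample tasks and the WARN for an omitted port are assumptions of this example.

```python
from __future__ import annotations

# Engine-family defaults from the rule text, matched by prefix so that
# aurora-postgresql, oracle-se2 and sqlserver-ex resolve correctly.
DEFAULT_PORTS = (
    ("aurora-postgresql", 5432),  # must precede the generic "aurora" entry
    ("aurora", 3306), ("mysql", 3306), ("mariadb", 3306),
    ("postgres", 5432), ("oracle", 1521), ("sqlserver", 1433),
)
RDS_MODULES = ("amazon.aws.rds_instance", "rds_instance")

def default_port_for(engine: str) -> int | None:
    for prefix, port in DEFAULT_PORTS:
        if engine.lower().startswith(prefix):
            return port
    return None

def check_task(task: dict) -> str | None:
    """Return a finding for one task, or None when it is compliant or unrelated.
    An explicit port equal to the engine default is a FAIL; an omitted port is a
    WARN, because the engine then listens on its default anyway."""
    module = next((m for m in RDS_MODULES if m in task), None)
    if module is None:
        return None
    args = task[module] or {}
    engine = str(args.get("engine", ""))
    default = default_port_for(engine)
    if default is None:
        return None
    name, port = task.get("name", "<unnamed>"), args.get("port")
    if port is None:
        return f"WARN {name!r}: port omitted, {engine} listens on default {default}"
    if int(port) == default:
        return f"FAIL {name!r}: port {port} is the {engine} default"
    return None

def findings(tasks: list[dict]) -> list[str]:
    return [f for f in map(check_task, tasks) if f]

# Constructed tasks (not from the page), shaped as PyYAML would load a playbook.
SAMPLE_TASKS = [
    {"name": "aurora ok", "amazon.aws.rds_instance": {"engine": "aurora", "port": 3307}},
    {"name": "pg default", "rds_instance": {"engine": "aurora-postgresql", "port": 5432}},
    {"name": "mssql no port", "amazon.aws.rds_instance": {"engine": "sqlserver-ex"}},
    {"name": "unrelated", "amazon.aws.ec2_instance": {"instance_type": "t3.micro"}},
]
```

Running `findings(SAMPLE_TASKS)` yields one FAIL (PostgreSQL on 5432) and one WARN (SQL Server with no port), and ignores the non-RDS task.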
Secure configuration example (MySQL using a non-default port):

```yaml
- name: Create RDS instance with non-default port
  amazon.aws.rds_instance:
    db_instance_identifier: my-db
    engine: mysql
    port: 3307
```
Compliant Code Examples
```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 3307
```

```yaml
- name: create minimal aurora instance in default VPC and default subnet group2
  amazon.aws.rds_instance:
    engine: postgres
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 5433
```

```yaml
- name: create minimal aurora instance in default VPC and default subnet group2
  amazon.aws.rds_instance:
    engine: oracle-ee
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 1522
```
Non-Compliant Code Examples
```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 3306
```

```yaml
- name: create minimal aurora instance in default VPC and default subnet group2
  amazon.aws.rds_instance:
    engine: postgres
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 5432
```

```yaml
- name: create minimal aurora instance in default VPC and default subnet group2
  amazon.aws.rds_instance:
    engine: oracle-ee
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 1521
```
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.