--- title: RDS using default port description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RDS using default port --- # RDS using default port {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-rds-using-default-port` **Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#port) ### Description{% #description %} Databases provisioned using Amazon RDS should not be configured to use default ports—for example, MySQL/Aurora/MariaDB (3306), PostgreSQL (5432), Oracle (1521), or SQL Server (1433)—as these are well-known and commonly targeted by attackers during automated scans and brute-force attacks. By specifying the port attribute in a Terraform configuration (for example, `port = 3306`), the database remains easily discoverable by attackers who search for open default ports, increasing the risk of unauthorized access and exploitation. Altering the port to a non-standard value (for example, `port = 3307`) reduces the likelihood of automated attacks by introducing a layer of obscurity, helping to protect the database from opportunistic threats. If left unaddressed, using the default port can lead to a higher exposure risk and potential data breaches, even if other security controls are in place. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_db_instance" "negative1" { allocated_storage = 10 engine = "mysql" engine_version = "5.7" instance_class = "db.t3.micro" name = "mydb" username = "foo" password = "foobarbaz" parameter_group_name = aws_elasticache_parameter_group.default.id skip_final_snapshot = true port = 3307 } ``` ```terraform resource "aws_db_instance" "negative2" { allocated_storage = 10 engine = "postgres" engine_version = "5.7" instance_class = "db.t3.micro" name = "mydb" username = "foo" password = "foobarbaz" skip_final_snapshot = true port = 5433 } ``` ```terraform resource "aws_db_instance" "negative3" { allocated_storage = 10 engine = "oracle-ee" engine_version = "5.7" instance_class = "db.t3.micro" name = "mydb" username = "foo" password = "foobarbaz" skip_final_snapshot = true port = 1522 } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_db_instance" "positive1" { allocated_storage = 10 engine = "mysql" engine_version = "5.7" instance_class = "db.t3.micro" name = "mydb" username = "foo" password = "foobarbaz" parameter_group_name = aws_elasticache_parameter_group.default.id skip_final_snapshot = true port = 3306 } ``` ```terraform resource "aws_db_instance" "positive2" { allocated_storage = 10 engine = "postgres" engine_version = "5.7" instance_class = "db.t3.micro" name = "mydb" username = "foo" password = "foobarbaz" skip_final_snapshot = true port = 5432 } ``` ```terraform resource "aws_db_instance" "positive3" { allocated_storage = 10 engine = "oracle-ee" engine_version = "5.7" instance_class = "db.t3.micro" name = "mydb" username = "foo" password = "foobarbaz" skip_final_snapshot = true port = 1521 } ```