---
title: RDS instances should use a non-default port
description: Datadog, the leading service for cloud-scale monitoring.
---

# RDS instances should use a non-default port
 
## Description{% #description %}

Confirm [Amazon RDS database instances](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html) are not using default ports. This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.
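One way to run this check from the command line, as an added example that is not Datadog's rule logic. The function names and sample rows are constructed for illustration, and the engine strings (`mysql`, `aurora-mysql`, `postgres`, `sqlserver-*`) are assumed to be the values the RDS API reports in `Engine`; only the three default ports named above are covered.

```bash
# Input: one instance per line, tab-separated: identifier, engine, port,
# as printed by:
#   aws rds describe-db-instances --output text \
#     --query 'DBInstances[].[DBInstanceIdentifier,Engine,Endpoint.Port]'

TAB=$(printf '\t')

# default_port_for ENGINE: print the default port for that engine, or nothing
# when the engine is not one of those covered here.
default_port_for() {
    case "$1" in
        mysql|aurora|aurora-mysql)   echo 3306 ;;
        sqlserver-*)                 echo 1433 ;;
        postgres|aurora-postgresql)  echo 5432 ;;
        *)                           : ;;
    esac
}

# flag_default_ports: read the inventory on stdin and print
# "identifier engine port" for every instance on its engine's default port.
flag_default_ports() {
    while IFS="$TAB" read -r id engine port; do
        [ -z "$id" ] && continue
        # An instance that is still being created has no endpoint yet;
        # the CLI prints "None" for the missing port.
        [ "$port" = "None" ] && continue
        dflt=$(default_port_for "$engine")
        if [ -n "$dflt" ] && [ "$port" = "$dflt" ]; then
            printf '%s %s %s\n' "$id" "$engine" "$port"
        fi
    done
    return 0
}

# Constructed sample inventory (not real instances).
sample_inventory() {
    printf 'orders-db\tmysql\t3306\n'
    printf 'billing-db\tpostgres\t15432\n'
    printf 'reports-db\tsqlserver-se\t1433\n'
    printf 'new-db\tpostgres\tNone\n'
}

sample_inventory | flag_default_ports
```

To audit a real account, pipe the `describe-db-instances` command from the header comment into `flag_default_ports` in place of `sample_inventory`.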

## Rationale{% #rationale %}

Using a custom port can protect against potential brute-force and dictionary attacks.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

Follow the [Modifying an Amazon RDS instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html) docs to verify that you're not using a default port. You can change the port in the [DB instance settings](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings).

### From the command line{% #from-the-command-line %}

1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html).

   In the `create-db-snapshot.sh` file:

   ```bash
   aws rds create-db-snapshot \
       --db-instance-identifier database-mysql \
       --db-snapshot-identifier snapshotidentifier
   ```

2. Run `modify-db-instance` with a new, valid port number. A [list of port numbers is available](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options).

   In the `modify-db-instance.sh` file:

   ```bash
   # 10433 is an example value; pick a port that is valid for your engine.
   # The option group and parameter group names are placeholders; omit
   # those flags if you are only changing the port.
   aws rds modify-db-instance \
       --db-instance-identifier database-identifier \
       --db-port-number 10433 \
       --option-group-name test-group-name \
       --db-parameter-group-name test-sqlserver-name \
       --apply-immediately
   ```
