RDS instance with default port
Incident Management is now generally available! Incident Management is now generally available!
<  Back to rules search

RDS instance with default port

rds

Classification:

compliance

Set up the rds integration.

Overview

Description

Confirm Amazon RDS database instances are not using default ports. This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.

Rationale

Using a custom port can protect against potential brute-force and dictionary attacks.

Remediation

Console

Follow the Modifying an Amazon RDS DB instance docs to verify you’re not using a default. You can modify your port by modifying that DB instance settings.

CLI

  1. Run create-db-snapshot with your database instance and snapshot identifiers to create a snapshot.

    create-db-snapshot.sh

        aws rds create-db-snapshot \
            --db-instance-identifier database-mysql \
            --db-snapshot-identifier snapshotidentifier
        
  2. Run modify-db-instance with a new, valid port number. A list of port numbers are available.

    modify-db-instance.sh

        aws rds modify-db-instance \
            --db-instance-identifier database-identifier \
            --option-group-name test-group-name \
            --db-parameter-group-name test-sqlserver-name \
            --apply-immediately