RDS Database Master Username


Risk level: Medium (should be achieved)

Ensure that your Amazon RDS production databases are not using 'awsuser' as the master username, regardless of the RDS database engine type used. Instead, a unique alphanumeric string must be defined as the login ID for the master user.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Since 'awsuser' is Amazon's example (default) value for the RDS database master username, many AWS customers keep this username for their production RDS databases. Malicious users know this and frequently try 'awsuser' as the master username during brute-force attacks.

Audit

To determine if your existing RDS database instances are using "awsuser" as master username, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select See Details.

06 On the Details tab, in the Configuration Details section, check the Username attribute value. If the current value is set to "awsuser", i.e.

awsuser

the selected RDS instance is not using a unique master username for its database. To change the database master username, follow the steps outlined in the Remediation/Resolution section of the conformity rule.

07 Repeat steps no. 4 - 6 to verify the master username for other RDS database instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the names (identifiers) of all RDS database instances available in the selected AWS region:

aws rds describe-db-instances \
    --region us-east-1 \
    --output table \
    --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested identifiers:

-------------------------
|  DescribeDBInstances  |
+-----------------------+
|  postgresql-prod-db   |
|  aurora-prod-db       |
+-----------------------+

03 Run the describe-db-instances command (OSX/Linux/UNIX) again, this time with your RDS database instance identifier and a custom query filter, to determine the master username set for the selected resource:

aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier postgresql-prod-db \
    --query 'DBInstances[*].MasterUsername'

04 The command output should return the master username used by the RDS instance:

[
    "awsuser"
]

If the value returned by the command output is "awsuser", the selected RDS instance is not using a secure master username for its database. To change the RDS database master username, follow the steps outlined in the Remediation/Resolution section.

05 Repeat steps no. 3 and 4 to verify the master username for other RDS database instances available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
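The CLI audit above is one instance per command. The following script, added here as an example and not part of the Cloud Conformity rule or tooling, applies the same check to every instance in every region you name: it walks the paginated describe-db-instances response and reports each instance whose master username is 'awsuser'. It is slightly stricter than the rule's literal text in that it also flags case variants such as 'AWSUSER'. The sample response is constructed in the shape of the describe-db-instances output so the helpers run offline; scan_regions() assumes boto3 is installed and credentials are configured.

```python
"""Audit RDS master usernames for the AWS example value 'awsuser'.

Added example, not Cloud Conformity's own code. The pure helpers run offline
against the constructed sample below; scan_regions() assumes boto3 is installed.
"""
from __future__ import annotations

DEFAULT_MASTER_USERNAME = "awsuser"

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "postgresql-prod-db", "MasterUsername": "awsuser", "Engine": "postgres"},
        {"DBInstanceIdentifier": "aurora-prod-db", "MasterUsername": "AWSUSER", "Engine": "aurora-mysql"},
        {"DBInstanceIdentifier": "reporting-db", "MasterUsername": "rptadmin01", "Engine": "mysql"},
    ]
}


def is_default_master_username(username: str | None) -> bool:
    """True when the master username is the AWS example value.

    The comparison ignores case and surrounding whitespace so that variants
    such as 'AWSUSER' are reported as well (stricter than the rule's wording).
    """
    return (username or "").strip().lower() == DEFAULT_MASTER_USERNAME


def find_default_master_usernames(response: dict) -> list[str]:
    """Return the identifiers of instances in one describe-db-instances page
    (or a whole response) whose master username is the default value."""
    return [
        db["DBInstanceIdentifier"]
        for db in response.get("DBInstances", [])
        if is_default_master_username(db.get("MasterUsername"))
    ]


def scan_regions(regions: list[str]) -> dict[str, list[str]]:
    """Run the check against a live account, one region at a time (assumes boto3)."""
    import boto3  # imported here so the offline helpers above need no extra dependency

    findings: dict[str, list[str]] = {}
    for region in regions:
        rds = boto3.client("rds", region_name=region)
        # describe_db_instances is paginated; check every page, not just the first.
        for page in rds.get_paginator("describe_db_instances").paginate():
            hits = find_default_master_usernames(page)
            if hits:
                findings.setdefault(region, []).extend(hits)
    return findings


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; for a real audit call
    # scan_regions(["us-east-1", "us-west-2", ...]) with credentials configured.
    for identifier in find_default_master_usernames(SAMPLE_RESPONSE):
        print(f"{identifier}: master username is '{DEFAULT_MASTER_USERNAME}' (non-compliant)")
```

Instances the script reports need the re-creation procedure from the Remediation / Resolution section; the master username of an existing RDS instance cannot be modified in place.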

Remediation / Resolution

To change the master username for your RDS database instances you need to re-create them and migrate the existing data to the new instances. To set secure master usernames for all your RDS databases, perform the following steps:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS database instance that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click Instance Actions button from the dashboard top menu and select Take Snapshot.

06 On the Take DB Snapshot page, enter a name for the instance snapshot in the Snapshot Name field and click Take Snapshot (the backup process may take a few minutes, depending on your RDS instance storage size).

07 In the left navigation panel, click Instances.

08 Click the Launch DB Instance button to relaunch the database instance with a new username.

09 On the Select Engine page, choose the required database engine type then click Select.

10 On the Specify DB Details page, in the Master Username box, type a unique alphanumeric string for your database master username. Configure the rest of the options available on the page to match your current database instance.

11 Click Next Step to continue the setup process.

12 On Configure Advanced Settings page, set the database name and all other options based on your existing database configuration.

13 Click Launch DB Instance to launch the new database instance.

14 As soon as the provisioning process for the new instance is completed (its status becomes available), migrate the data to the newly created database and update your application configuration file to refer to the endpoint of the new (secured) database instance. Once the data is successfully moved and the endpoint URL is changed at your application level, you can remove the old instance.

15 Repeat steps no. 4 – 14 for each RDS database instance that has an insecure master username, available in the current region.

16 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to describe the database instance that you want to re-create (see Audit section part II to identify the right RDS resource) and gather the configuration information you will need when the new instance is launched:

aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier postgresql-prod-db

02 The command output should return the requested configuration metadata:

{
    "DBInstances": [
        {
            "PubliclyAccessible": true,
            "MasterUsername": "awsuser",
            "MonitoringInterval": 0,
            "LicenseModel": "postgresql-license",
            "VpcSecurityGroups": [
                {
                    "Status": "active",
                    "VpcSecurityGroupId": "sg-ba201ad2"
                }
            ],

            ...

            "DBInstanceStatus": "available",
            "EngineVersion": "9.5.4",
            "AvailabilityZone": "us-east-1a",
            "DomainMemberships": [],
            "StorageType": "gp2",
            "DbiResourceId": "db-BU6YVVBC33PI4R547NOVTJDRJX",
            "CACertificateIdentifier": "rds-ca-2015",
            "StorageEncrypted": false,
            "DBInstanceClass": "db.m3.medium",
            "DbInstancePort": 0,
            "DBInstanceIdentifier": "postgresql-prod-db"
        }
    ]
}

03 Run create-db-snapshot command (OSX/Linux/UNIX) to take the necessary backup:

aws rds create-db-snapshot \
    --region us-east-1 \
    --db-instance-identifier postgresql-prod-db \
    --db-snapshot-identifier postgresql-prod-db-snapshot

04 The command output should return the database instance snapshot (backup) metadata:

{
    "DBSnapshot": {
        "Engine": "postgres",
        "Status": "creating",
        "AvailabilityZone": "us-east-1a",
        "PercentProgress": 0,
        "MasterUsername": "awsuser",
        "Encrypted": false,
        "LicenseModel": "general-public-license",
        "StorageType": "gp2",
        "VpcId": "vpc-4ca56543",
        "DBSnapshotIdentifier": "postgresql-prod-db-snapshot",
        "InstanceCreateTime": "2015-01-05T17:34:19.396Z",
        "OptionGroupName": "default:postgres-9-5",
        "AllocatedStorage": 150,
        "EngineVersion": "9.5.4",
        "SnapshotType": "manual",
        "Port": 5432,
        "DBInstanceIdentifier": "postgresql-prod-db"
    }
}

05 Now run create-db-instance command (OSX/Linux/UNIX) to create the new RDS database instance based on the configuration details returned at step no. 2. The following command example launches an RDS PostgreSQL database instance with 'postgresuser01' as the master username (replace the password value with one of your own):

aws rds create-db-instance \
    --region us-east-1 \
    --db-instance-identifier postgresql-prod-secure-db \
    --allocated-storage 150 \
    --db-instance-class db.m3.medium \
    --engine postgres \
    --vpc-security-group-ids sg-af201ad2 \
    --master-username postgresuser01 \
    --master-user-password postgres-db-pwd

06 The command output should reveal the configuration metadata for the new RDS database instance:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "postgresuser01",
        "MonitoringInterval": 0,
        "LicenseModel": "postgresql-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-af201ad2"
            }
        ],

        ...

        "BackupRetentionPeriod": 1,
        "PreferredMaintenanceWindow": "fri:07:14-fri:07:44",
        "DBInstanceStatus": "creating",
        "EngineVersion": "9.5.4",
        "DomainMemberships": [],
        "StorageType": "standard",
        "DbiResourceId": "db-6SJ5QSVVMDGGCITMLZMZHQHZAY",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.m3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "postgresql-prod-secure-db"
    }
}

07 Once the instance provisioning process is completed (its status becomes available), you can migrate the data to the new instance and update your application configuration to refer to the endpoint of the new (secured) instance. As soon as the data is successfully moved and the endpoint URL is changed at your application level, you can remove the old (insecure) database instance.

08 Repeat steps no. 1 – 7 for each RDS database instance that has an insecure master username, available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the entire process for other regions.
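Step 05 builds the create-db-instance command by hand from the describe-db-instances output gathered at step 02, which is where mismatches between the old and new instance creep in. The script below, added as an example and not Cloud Conformity's own tooling, derives the create-db-instance argument list from that JSON so the replacement matches the original engine, class, storage, networking and backup settings while taking the new, validated master username. It assumes an AWS CLI recent enough to support --manage-master-user-password (so the password is generated and stored in Secrets Manager rather than typed on the command line, as in the page's example); the sample response, the new identifier and the new username are constructed.

```python
"""Derive a create-db-instance command from describe-db-instances output.

Added example, not Cloud Conformity's own code. It maps the fields gathered at
remediation step 02 onto the create-db-instance options used at step 05.
Assumes an AWS CLI that supports --manage-master-user-password.
"""
from __future__ import annotations

import shlex

DEFAULT_MASTER_USERNAME = "awsuser"

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "postgresql-prod-db",
            "MasterUsername": "awsuser",
            "Engine": "postgres",
            "EngineVersion": "9.5.4",
            "DBInstanceClass": "db.m3.medium",
            "AllocatedStorage": 150,
            "StorageType": "gp2",
            "StorageEncrypted": False,
            "PubliclyAccessible": True,
            "MultiAZ": False,
            "BackupRetentionPeriod": 7,
            "Endpoint": {"Port": 5432},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-ba201ad2", "Status": "active"}],
            "DBSubnetGroup": {"DBSubnetGroupName": "prod-db-subnets"},
            "DBParameterGroups": [{"DBParameterGroupName": "default.postgres9.5"}],
        }
    ]
}


def validate_master_username(username: str) -> str:
    """Reject the AWS example value and anything that is not a plain alphanumeric login ID."""
    if username.lower() == DEFAULT_MASTER_USERNAME:
        raise ValueError("new master username must not be the default 'awsuser'")
    if not username.isalnum() or not username[0].isalpha():
        raise ValueError("master username must be alphanumeric and start with a letter")
    return username


def build_create_db_instance_args(response: dict, new_identifier: str,
                                  new_master_username: str, region: str) -> list[str]:
    """Map describe-db-instances fields of the first instance onto create-db-instance options."""
    db = response["DBInstances"][0]
    args = [
        "aws", "rds", "create-db-instance",
        "--region", region,
        "--db-instance-identifier", new_identifier,
        "--master-username", validate_master_username(new_master_username),
        # Let RDS generate the password and keep it in Secrets Manager instead of
        # passing it on the command line, where it would land in shell history.
        "--manage-master-user-password",
        "--engine", db["Engine"],
        "--engine-version", db["EngineVersion"],
        "--db-instance-class", db["DBInstanceClass"],
        "--allocated-storage", str(db["AllocatedStorage"]),
        "--storage-type", db["StorageType"],
        "--backup-retention-period", str(db["BackupRetentionPeriod"]),
        "--port", str(db["Endpoint"]["Port"]),
    ]
    # Boolean settings are expressed as paired --flag / --no-flag options.
    # StorageEncrypted is copied as-is; re-creation is also the moment to turn it on.
    args.append("--storage-encrypted" if db["StorageEncrypted"] else "--no-storage-encrypted")
    args.append("--publicly-accessible" if db["PubliclyAccessible"] else "--no-publicly-accessible")
    args.append("--multi-az" if db["MultiAZ"] else "--no-multi-az")
    sg_ids = [sg["VpcSecurityGroupId"] for sg in db.get("VpcSecurityGroups", [])]
    if sg_ids:
        args += ["--vpc-security-group-ids", *sg_ids]
    subnet_group = db.get("DBSubnetGroup", {}).get("DBSubnetGroupName")
    if subnet_group:
        args += ["--db-subnet-group-name", subnet_group]
    param_groups = db.get("DBParameterGroups", [])
    if param_groups:
        args += ["--db-parameter-group-name", param_groups[0]["DBParameterGroupName"]]
    return args


def render_command(args: list[str]) -> str:
    """Quote the argument list for copy-paste into a POSIX shell."""
    return shlex.join(args)


if __name__ == "__main__":
    cmd = build_create_db_instance_args(SAMPLE_RESPONSE, "postgresql-prod-secure-db",
                                        "postgresuser01", "us-east-1")
    print(render_command(cmd))
```

The printed command is the equivalent of step 05 for the sampled instance; review it against the full describe-db-instances output before running it, since option groups, IAM authentication and other settings not mapped here still need to be carried over by hand.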

Publication date Jan 7, 2017