RDS Default Port

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features

Knowledge Base Amazon Web Services Amazon Relational Database Service RDS Default Port

Risk level: Low (generally tolerable level of risk)

Rule ID: RDS-011

Ensure that your Amazon RDS databases instances are not using their default endpoint ports (i.e. MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432, etc) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Running your database instances on default ports represent a potential security concern. Moving RDS instances ports (the ports on which the database accepts connections) to non-default ports will add an extra layer of security, protecting your publicly accessible AWS RDS databases from brute force and dictionary attacks.

Audit

The following table lists the endpoint default port for each AWS RDS database engine available:

Database Engine	Default Port Number
Aurora/MySQL/MariaDB	3306
PostgreSQL	5432
Oracle	1521
SQL Server	1433

To determine if your existing RDS database instances are using their default ports, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select See Details.

06 On the Details tab, in the Security and Network section, check the Port number:

If the current number is the default port number for the database engine used (verify the section table), the selected RDS instance is not using a non-default port for incoming connections, therefore is vulnerable to brute force and dictionary attacks. To change your RDS database endpoint port, follow the steps outlined in the Remediation/Resolution section.

07 Repeat steps no. 4 - 6 to verify the database port for other RDS database instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all RDS database instances available in the selected AWS region:

aws rds describe-db-instances
    --region us-east-1
    --output table
    --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested database identifiers:

-------------------------
|  DescribeDBInstances  |
+-----------------------+
|  mysql-prod-db        |
|  postgresql-prod-db   |
|  aurora-prod-db       |
+-----------------------+

03 Run again describe-db-instances command (OSX/Linux/UNIX) using your RDS database instance identifier and custom query filters to determine the port number used by the selected resource:

aws rds describe-db-instances
    --region us-east-1
    --db-instance-identifier mysql-prod-db
    --query 'DBInstances[*].Endpoint.Port'

04 The command output should return the port number used by the RDS instance (MySQL default port in this case):

[
    3306
]

If the command output returns the default port number for the database engine used (i.e. port 3306 for MySQL/Aurora/MariaDB, port 1433 for SQL Server, port 5432 for PostgreSQL, port 1521 for Oracle), the selected RDS instance is not running on a non-default port, therefore is vulnerable to dictionary and brute force attacks.

05 Repeat step no. 3 and 4 to check the database port number for other RDS database instances provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To change the default port number for your existing RDS database instances, perform the following steps:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS database instance that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click Instance Actions button from the dashboard top menu and select Take Snapshot to create a database snapshot (backup).

06 On the Take DB Snapshot page, in the Snapshot Name box, enter a unique name for the database backup then click Take Snapshot to send the request.

07 Go back to the Instances page and select again the RDS instance that you want to modify.

08 Click Instance Actions button from the dashboard top menu and select Modify.

09 On the Modify DB Instance: <instance identifier> page, perform the following actions:

In the Database Port box, replace the database default port number with your custom port number. The valid port numbers that can be used are 1150 to 65535 for MySQL/MariaDB/Aurora/PostgreSQL/Oracle and 1150 to 65535 except for 1434, 3389, 47001, 49152, and 49152-49156 for SQL Server.
At the bottom of the page select Apply Immediately checkbox to apply the endpoint port number change immediately. (!) IMPORTANT: when you modify the database instance port number, an immediate outage will occur if a custom parameter group is used. If the selected database instance is used in production consider leaving Apply Immediately option disabled before applying the changes in order to avoid any downtime. If Apply Immediately is not selected, the database port number change will be processed during the next maintenance window.

10 Click the Continue button to continue the process.

11 Review the database port changes and click Modify DB Instance to apply the changes. During the modification process the instance status should change from available to modifying and back to available (it may take few minutes depending on the instance configuration).

12 Once the database configuration is successfully updated, you can change the endpoint port number at your application level to match the non-default port set at step no. 9.

13 Repeat steps no. 4 – 12 for each RDS database instance that runs on the default port number, available in the current region.

14 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, run create-db-snapshot command (OSX/Linux/UNIX) to take an instance snapshot (backup):

aws rds create-db-snapshot
    --region us-east-1
    --db-instance-identifier mysql-prod-db
    --db-snapshot-identifier mysql-prod-db-snapshot

02 The command output should return the database instance snapshot metadata:

{
    "DBSnapshot": {
        "Engine": "mysql",
        "Status": "creating",
        "AvailabilityZone": "us-east-1a",
        "PercentProgress": 0,
        "MasterUsername": "mySQLuser03",
        "Encrypted": false,
        "LicenseModel": "general-public-license",
        "StorageType": "gp2",
        "VpcId": "vpc-cb75654a",
        "DBSnapshotIdentifier": "mysql-prod-db-snapshot",
        "InstanceCreateTime": "2015-01-20T18:25:07.280Z",
        "OptionGroupName": "default:mysql-5-6",
        "AllocatedStorage": 150,
        "EngineVersion": "5.6.27",
        "SnapshotType": "manual",
        "Port": 3306,
        "DBInstanceIdentifier": "mysql-prod-db"
    }
}

03 Run modify-db-instance command (OSX/Linux/UNIX) to modify the selected RDS instance configuration in order to change the default port number to a custom one. The valid port numbers that can be used are between 1150 and 65535 for MySQL/MariaDB/Aurora/PostgreSQL/Oracle and between 1150 and 65535 except for 1434, 3389, 47001, 49152, and 49152-49156 for the SQL Server. (!) IMPORTANT: the following example is using the Apply Immediately option to apply the change asynchronously and trigger an immediate outage. In order to avoid any downtime in production, skip adding the --apply-immediately command parameter and the RDS service will apply the port number change during the next maintenance window. The following command example replace the MySQL default port number (3306) with a non-default one, i.e. 3691:

aws rds modify-db-instance
    --region us-east-1
    --db-instance-identifier mysql-prod-db
    --db-port-number 3691
    --apply-immediately

04 The command output should reveal the configuration metadata for the modified RDS database instance:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "mySQLuser03",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-bcd8a1c1"
            }
        ],
        "InstanceCreateTime": "2017-01-06T16:20:54.081Z",
        "CopyTagsToSnapshot": false,

        ...

        "DBInstanceStatus": "available",
        "EngineVersion": "5.6.27",
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "DbiResourceId": "db-BXQWHEI54YFTFUODG32WYLOWDB",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.m3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "mysql-prod-db"
    }
}

05 Once the database instance configuration is successfully updated (it may take few minutes to apply the changes), you can change the endpoint port number at your application level to match the non-default one set at step no. 2.

06 Repeat steps no. 1 – 5 for each RDS database instance that runs on the default port number, available in the current region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the entire process for other regions.