Ensure that your Amazon RDS database instances are not using their default endpoint ports (e.g. MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Running your database instances on default ports represents a potential security concern. Moving RDS instance ports (the ports on which the database accepts connections) to non-default ports adds an extra layer of security, protecting your publicly accessible AWS RDS databases from brute force and dictionary attacks.
Audit
The following table lists the default endpoint port for each AWS RDS database engine available:

| Database Engine | Default Port Number |
|---|---|
| Aurora/MySQL/MariaDB | 3306 |
| PostgreSQL | 5432 |
| Oracle | 1521 |
| SQL Server | 1433 |
To determine if your existing RDS database instances are using their default ports, perform the following:
Remediation / Resolution
To change the default port number for your existing RDS database instances, perform the following steps:
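The audit and remediation steps above can be scripted against the AWS CLI commands listed in the references (describe-db-instances, create-db-snapshot, modify-db-instance). The following is an added example, not Cloud Conformity's own tooling: it consumes the JSON that `aws rds describe-db-instances` returns, flags every instance whose endpoint port equals its engine's default using the port table above, and builds the CLI commands to snapshot the instance and move it to a new port. The engine-name-to-port map is an assumption based on the RDS engine identifiers (the aurora-postgresql entry, which listens on 5432, goes beyond the table), and the sample describe output is constructed rather than taken from a real account.

```python
"""Audit Amazon RDS instances for default endpoint ports (added example).

Consumes the JSON returned by `aws rds describe-db-instances` and flags
instances whose endpoint port is the engine default, per the rule's table.
"""
import json
import subprocess

# Default endpoint ports keyed by RDS engine identifier. Assumed mapping of
# engine names to the rule's table; aurora-postgresql (5432) is an addition.
DEFAULT_PORTS = {
    "mysql": 3306, "mariadb": 3306, "aurora": 3306, "aurora-mysql": 3306,
    "postgres": 5432, "aurora-postgresql": 5432,
    "oracle-ee": 1521, "oracle-se2": 1521, "oracle-se": 1521, "oracle-se1": 1521,
    "sqlserver-ee": 1433, "sqlserver-se": 1433,
    "sqlserver-ex": 1433, "sqlserver-web": 1433,
}


def default_port_for(engine):
    """Return the default port for an RDS engine name, or None if unknown."""
    return DEFAULT_PORTS.get(engine.lower())


def find_default_port_instances(describe_output):
    """Return [(identifier, engine, port)] for instances on their default port.

    Instances without an Endpoint yet (e.g. still creating) are skipped.
    """
    findings = []
    for db in describe_output.get("DBInstances", []):
        port = (db.get("Endpoint") or {}).get("Port")
        expected = default_port_for(db.get("Engine", ""))
        if port is not None and expected is not None and port == expected:
            findings.append((db["DBInstanceIdentifier"], db["Engine"], port))
    return findings


def fetch_describe_output(region):
    """Run the real CLI call (needs AWS credentials); not used by the demo."""
    out = subprocess.check_output(
        ["aws", "rds", "describe-db-instances", "--region", region,
         "--output", "json"])
    return json.loads(out)


def remediation_commands(identifier, new_port, region="us-east-1"):
    """CLI steps for one finding: snapshot first, then change the port."""
    return [
        f"aws rds create-db-snapshot --region {region} "
        f"--db-instance-identifier {identifier} "
        f"--db-snapshot-identifier {identifier}-pre-port-change",
        f"aws rds modify-db-instance --region {region} "
        f"--db-instance-identifier {identifier} "
        f"--port {new_port} --apply-immediately",
    ]


# Constructed sample of describe-db-instances output (not a real account).
SAMPLE_OUTPUT = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
         "Endpoint": {"Address": "orders.example.invalid", "Port": 3306}},
        {"DBInstanceIdentifier": "reporting-maria", "Engine": "mariadb",
         "Endpoint": {"Address": "reporting.example.invalid", "Port": 3307}},
        {"DBInstanceIdentifier": "analytics-pg", "Engine": "postgres",
         "Endpoint": {"Address": "analytics.example.invalid", "Port": 5432}},
        {"DBInstanceIdentifier": "crm-sqlserver", "Engine": "sqlserver-ex",
         "Endpoint": {"Address": "crm.example.invalid", "Port": 1433}},
        {"DBInstanceIdentifier": "pending-db", "Engine": "oracle-se2",
         "DBInstanceStatus": "creating"},
    ]
}

if __name__ == "__main__":
    for ident, engine, port in find_default_port_instances(SAMPLE_OUTPUT):
        print(f"FINDING {ident} ({engine}) listens on default port {port}")
        for cmd in remediation_commands(ident, port + 1):
            print("   ", cmd)
```

Changing the port with `modify-db-instance` takes the instance through a reboot, so schedule it in a maintenance window, and update the security group inbound rules and every application connection string to the new port at the same time; the security group restricting source addresses remains the primary control, with the non-default port only reducing noise from untargeted scans.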
References
- AWS Documentation:
  - Amazon RDS FAQs
  - Best Practices for Amazon RDS
  - Modifying an Amazon RDS DB Instance and Using the Apply Immediately Parameter
- AWS Command Line Interface (CLI) Documentation:
  - rds
  - describe-db-instances
  - create-db-snapshot
  - modify-db-instance
Rule: RDS Default Port
Risk level: Low