RDS Default Port

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select See Details.

06 On the Details tab, in the Security and Network section, check the Port number:

If the current number is the default port number for the database engine used (verify the section table), the selected RDS instance is not using a non-default port for incoming connections, therefore is vulnerable to brute force and dictionary attacks. To change your RDS database endpoint port, follow the steps outlined in the Remediation/Resolution section.

07 Repeat steps no. 4 - 6 to verify the database port for other RDS database instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all RDS database instances available in the selected AWS region:

aws rds describe-db-instances
    --region us-east-1
    --output table
    --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested database identifiers:

-------------------------
|  DescribeDBInstances  |
+-----------------------+
|  mysql-prod-db        |
|  postgresql-prod-db   |
|  aurora-prod-db       |
+-----------------------+

03 Run again describe-db-instances command (OSX/Linux/UNIX) using your RDS database instance identifier and custom query filters to determine the port number used by the selected resource:

aws rds describe-db-instances
    --region us-east-1
    --db-instance-identifier mysql-prod-db
    --query 'DBInstances[*].Endpoint.Port'

04 The command output should return the port number used by the RDS instance (MySQL default port in this case):

[
    3306
]

05 Repeat step no. 3 and 4 to check the database port number for other RDS database instances provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS database instance that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click Instance Actions button from the dashboard top menu and select Take Snapshot to create a database snapshot (backup).

06 On the Take DB Snapshot page, in the Snapshot Name box, enter a unique name for the database backup then click Take Snapshot to send the request.

07 Go back to the Instances page and select again the RDS instance that you want to modify.

08 Click Instance Actions button from the dashboard top menu and select Modify.

09 On the Modify DB Instance: <instance identifier> page, perform the following actions:

1. In the Database Port box, replace the database default port number with your custom port number. The valid port numbers that can be used are 1150 to 65535 for MySQL/MariaDB/Aurora/PostgreSQL/Oracle and 1150 to 65535 except for 1434, 3389, 47001, 49152, and 49152-49156 for SQL Server.
2. At the bottom of the page select Apply Immediately checkbox to apply the endpoint port number change immediately. (!) IMPORTANT: when you modify the database instance port number, an immediate outage will occur if a custom parameter group is used. If the selected database instance is used in production consider leaving Apply Immediately option disabled before applying the changes in order to avoid any downtime. If Apply Immediately is not selected, the database port number change will be processed during the next maintenance window.

10 Click the Continue button to continue the process.

11 Review the database port changes and click Modify DB Instance to apply the changes. During the modification process the instance status should change from available to modifying and back to available (it may take few minutes depending on the instance configuration).

12 Once the database configuration is successfully updated, you can change the endpoint port number at your application level to match the non-default port set at step no. 9.

13 Repeat steps no. 4 – 12 for each RDS database instance that runs on the default port number, available in the current region.

14 Change the AWS region from the navigation bar and repeat the process for other regions.

01 First, run create-db-snapshot command (OSX/Linux/UNIX) to take an instance snapshot (backup):

aws rds create-db-snapshot
    --region us-east-1
    --db-instance-identifier mysql-prod-db
    --db-snapshot-identifier mysql-prod-db-snapshot

02 The command output should return the database instance snapshot metadata:

{
    "DBSnapshot": {
        "Engine": "mysql",
        "Status": "creating",
        "AvailabilityZone": "us-east-1a",
        "PercentProgress": 0,
        "MasterUsername": "mySQLuser03",
        "Encrypted": false,
        "LicenseModel": "general-public-license",
        "StorageType": "gp2",
        "VpcId": "vpc-cb75654a",
        "DBSnapshotIdentifier": "mysql-prod-db-snapshot",
        "InstanceCreateTime": "2015-01-20T18:25:07.280Z",
        "OptionGroupName": "default:mysql-5-6",
        "AllocatedStorage": 150,
        "EngineVersion": "5.6.27",
        "SnapshotType": "manual",
        "Port": 3306,
        "DBInstanceIdentifier": "mysql-prod-db"
    }
}

03 Run modify-db-instance command (OSX/Linux/UNIX) to modify the selected RDS instance configuration in order to change the default port number to a custom one. The valid port numbers that can be used are between 1150 and 65535 for MySQL/MariaDB/Aurora/PostgreSQL/Oracle and between 1150 and 65535 except for 1434, 3389, 47001, 49152, and 49152-49156 for the SQL Server. (!) IMPORTANT: the following example is using the Apply Immediately option to apply the change asynchronously and trigger an immediate outage. In order to avoid any downtime in production, skip adding the --apply-immediately command parameter and the RDS service will apply the port number change during the next maintenance window. The following command example replace the MySQL default port number (3306) with a non-default one, i.e. 3691:

aws rds modify-db-instance
    --region us-east-1
    --db-instance-identifier mysql-prod-db
    --db-port-number 3691
    --apply-immediately

04 The command output should reveal the configuration metadata for the modified RDS database instance:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "mySQLuser03",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-bcd8a1c1"
            }
        ],
        "InstanceCreateTime": "2017-01-06T16:20:54.081Z",
        "CopyTagsToSnapshot": false,

        ...

        "DBInstanceStatus": "available",
        "EngineVersion": "5.6.27",
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "DbiResourceId": "db-BXQWHEI54YFTFUODG32WYLOWDB",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.m3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "mysql-prod-db"
    }
}

05 Once the database instance configuration is successfully updated (it may take few minutes to apply the changes), you can change the endpoint port number at your application level to match the non-default one set at step no. 2.

06 Repeat steps no. 1 – 5 for each RDS database instance that runs on the default port number, available in the current region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the entire process for other regions.