
Rule: RDS Databases Must Not Use Database Engine Default Port

This rule checks that RDS database instances and clusters do not listen on their database engine's default port.

Rule: RDS databases and clusters should not use a database engine default port
Framework: AWS Foundational Security Best Practices
Severity: Low

Rule Description:

RDS (Relational Database Service) database instances and clusters hosted on AWS should not use the default port of their database engine. This requirement comes from AWS Foundational Security Best Practices: default ports are the first thing automated scanners and opportunistic attackers probe, so a database listening on one is easier to locate and target. Moving to a non-default port reduces that exposure but is not a substitute for network controls; the instance should still be reachable only from the security groups and networks that need it.

Troubleshooting Steps:

  1. Identify the database instances or clusters that are using the default port.
  2. Check the current port configuration for each identified instance or cluster.
  3. Determine if there are any dependencies or requirements for the database engine to use the default port.
  4. Evaluate the potential risks associated with changing the port and consider alternative security controls to mitigate those risks if necessary.
  5. Plan and schedule the port change during a maintenance window or low-traffic period to minimize disruption.

Necessary Codes:

There are no specific codes associated with this rule. However, you may need to use AWS CLI or AWS Management Console to manage and modify the port configuration of your RDS instances or clusters.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console and navigate to the RDS service.

  2. Select the region where your RDS instances or clusters are located.

  3. Identify the specific RDS instances or clusters that are using the default port.

  4. Determine the current port configuration for each identified instance or cluster.

  5. Consult the documentation and support resources for the specific database engine you are using to understand the impact and implications of changing the port.

  6. If necessary, create a backup or snapshot of the database instances or clusters to ensure data integrity.

  7. Plan and schedule a maintenance window or low-traffic period for the port change.

  8. Modify the port configuration for each identified instance or cluster using one of the following methods:

     a. AWS Management Console:
        i. Select the instance or cluster and click the "Modify" or "Edit" button.
        ii. Locate the "Port" or "Endpoint" field and enter the desired non-default port number.
        iii. Save the changes and wait for the modification to complete.

     b. AWS CLI:
        i. Open the AWS CLI, or a hosted shell such as AWS CloudShell.
        ii. Run the following command to modify the port for a specific RDS instance:

           aws rds modify-db-instance --db-instance-identifier <instance-id> --vpc-security-group-ids <security-group-ids> --apply-immediately --db-port-number <port-number>

        Replace <instance-id> with the identifier of the RDS instance, <port-number> with the desired non-default port, and <security-group-ids> with the VPC security group IDs that should remain attached to the instance (omit that flag if the security group assignment does not change, but make sure those groups allow inbound traffic on the new port). Note that modify-db-instance takes the new port as --db-port-number (the --port flag belongs to create-db-instance and modify-db-cluster), and that a port change triggers a database restart regardless of --apply-immediately, so plan for the outage.

     c. AWS SDKs:
        i. Use the appropriate SDK for your preferred programming language to modify the port configuration programmatically.

  9. Once the modification is completed, verify that the RDS instances or clusters are accessible through the new port.

  10. Update any relevant configurations or applications that connect to the RDS instances or clusters to reflect the new port number.

  11. Perform thorough testing to ensure that all functionalities dependent on the RDS instances or clusters are working correctly.

  12. Monitor the database instances or clusters for any issues or anomalies after the port change.
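As an added worked example (not code from this page or from Cloud Defense), the script below implements troubleshooting steps 1 and 2 and the SDK path of remediation step 8: it flags RDS instances and clusters that listen on their engine's default port and builds the boto3 modify call for each finding, using the real RDS parameter names (DBPortNumber for instances, Port for clusters). The instance and cluster identifiers, engines and ports in the sample data are constructed; audit_account() is the only part that talks to AWS and assumes boto3 and credentials are available.

```python
"""Audit RDS resources for engine default ports and build the remediation call.

Added example with constructed sample data; audit_account() needs boto3 and
AWS credentials, everything else runs offline.
"""
from __future__ import annotations

# Published RDS engine default ports, keyed by the Engine value that
# DescribeDBInstances / DescribeDBClusters return.
EXACT_DEFAULTS = {
    "mysql": 3306, "mariadb": 3306, "aurora": 3306, "aurora-mysql": 3306,
    "postgres": 5432, "aurora-postgresql": 5432,
}
# Oracle and SQL Server editions (oracle-ee, sqlserver-ex, ...) share a default.
PREFIX_DEFAULTS = {"oracle": 1521, "sqlserver": 1433}


def engine_default_port(engine: str) -> int | None:
    """Return the engine's default port, or None for an engine we do not know."""
    name = engine.lower()
    if name in EXACT_DEFAULTS:
        return EXACT_DEFAULTS[name]
    for prefix, port in PREFIX_DEFAULTS.items():
        if name.startswith(prefix):
            return port
    return None


def find_default_port_instances(db_instances: list[dict]) -> list[dict]:
    """Flag standalone instances whose endpoint port is the engine default.

    Aurora members are skipped: their port is a cluster property, so they are
    reported and fixed through find_default_port_clusters(). Instances still
    being created have no Endpoint yet and are skipped as well.
    """
    findings = []
    for inst in db_instances:
        if "DBClusterIdentifier" in inst or "Endpoint" not in inst:
            continue
        port = inst["Endpoint"]["Port"]
        if port == engine_default_port(inst["Engine"]):
            findings.append({"kind": "instance", "id": inst["DBInstanceIdentifier"],
                             "engine": inst["Engine"], "port": port})
    return findings


def find_default_port_clusters(db_clusters: list[dict]) -> list[dict]:
    """Flag clusters whose Port is the engine default."""
    findings = []
    for cl in db_clusters:
        if cl.get("Port") == engine_default_port(cl["Engine"]):
            findings.append({"kind": "cluster", "id": cl["DBClusterIdentifier"],
                             "engine": cl["Engine"], "port": cl["Port"]})
    return findings


def remediation_params(finding: dict, new_port: int,
                       apply_immediately: bool = False) -> tuple[str, dict]:
    """Build (boto3 RDS method name, kwargs) that moves the resource to new_port.

    ModifyDBInstance takes DBPortNumber, ModifyDBCluster takes Port. A port
    change restarts the database regardless of ApplyImmediately, so the default
    here leaves the change for the next maintenance window.
    """
    # Documented RDS range for most engines; SQL Server reserves extra ranges,
    # so check the engine documentation before picking a port.
    if not 1150 <= new_port <= 65535:
        raise ValueError(f"port {new_port} is outside the RDS range 1150-65535")
    if new_port == engine_default_port(finding["engine"]):
        raise ValueError(f"port {new_port} is still the {finding['engine']} default")
    if finding["kind"] == "instance":
        return "modify_db_instance", {"DBInstanceIdentifier": finding["id"],
                                      "DBPortNumber": new_port,
                                      "ApplyImmediately": apply_immediately}
    return "modify_db_cluster", {"DBClusterIdentifier": finding["id"],
                                 "Port": new_port,
                                 "ApplyImmediately": apply_immediately}


def audit_account(region: str) -> list[dict]:
    """Live audit of one region (needs boto3 and credentials); not used below."""
    import boto3  # imported lazily so the offline functions work without it
    rds = boto3.client("rds", region_name=region)
    instances, clusters = [], []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    for page in rds.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return find_default_port_instances(instances) + find_default_port_clusters(clusters)


# Constructed sample data shaped like the describe_* API responses (hypothetical names).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-pg", "Engine": "postgres", "Endpoint": {"Port": 5432}},
    {"DBInstanceIdentifier": "billing-mysql", "Engine": "mysql", "Endpoint": {"Port": 3307}},
    {"DBInstanceIdentifier": "erp-oracle", "Engine": "oracle-se2", "Endpoint": {"Port": 1521}},
    {"DBInstanceIdentifier": "prod-aurora-1", "Engine": "aurora-mysql",
     "Endpoint": {"Port": 3306}, "DBClusterIdentifier": "prod-aurora"},
    {"DBInstanceIdentifier": "new-mssql", "Engine": "sqlserver-ex"},  # still creating
]
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "prod-aurora", "Engine": "aurora-mysql", "Port": 3306},
    {"DBClusterIdentifier": "analytics-aurora", "Engine": "aurora-postgresql", "Port": 5439},
]

if __name__ == "__main__":
    for f in find_default_port_instances(SAMPLE_INSTANCES) + find_default_port_clusters(SAMPLE_CLUSTERS):
        method, kwargs = remediation_params(f, f["port"] + 100)
        print(f"{f['kind']} {f['id']} ({f['engine']}) on default port {f['port']} -> rds.{method}({kwargs})")
```

Run as-is it reports the two standalone instances and the Aurora cluster from the sample data; the Aurora member instance is deliberately not double-counted. Feed the output of audit_account() to the same loop for a real region, and pass apply_immediately=True only when the maintenance window from step 7 is already open.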

Note: It is highly recommended to consult the documentation and support resources provided by AWS for detailed instructions specific to your database engine and use case.
