v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 23 RDS databases and clusters should not use a database engine default port

Description

This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.

If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance. The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.

When you change the port, you must also update the existing connection strings that were used to connect to the old port. You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.

Remediation

To modify the default port of an existing DB instance

  1. Open the Amazon RDS console

  2. Choose Databases.

  3. Select the DB instance to modify

  4. Choose Modify.

  5. Under Database options, change Database port to a non-default value.

  6. Choose Continue.

  7. Under Scheduling of modifications, choose when to apply modifications. You can choose either Apply during the next scheduled maintenance window or Apply immediately.

  8. For clusters, choose Modify cluster. For instances, choose Modify DB Instance.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_23

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_23 --share

SQL

This control uses a named query:

rds_db_instance_and_cluster_no_default_port

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_network_configuration
foundational_security_item_id = rds_23
plugin = aws
service = AWS/RDS