07 - RDS Default Port

Ensure your RDS instances are not using there default port

Ensure that your RDS database instances have specified another port to use other than there default port. This will help limit attacks against your database as understanding what port is open can give a hacker insight into what database you are running and craft and exploit directly targeting that specific database engine. This is why this is considered a security best practice and should be enabled. Ensuring this is enabled will help with NIST compliance.

Audit & Remediation

Login into your AWS account
Navigate to the RDS service at: https://console.aws.amazon.com/rds
On the left hand panel select Databases.

Select the DB Identifier hyperlink for the database instance you would like to check.
Under Connectivity & security check if the Port is currently using the standard part for your database engine:
- mysql: 3306
- sqlserver: 1433
- postgres: 5432
- oracle: 1521
- documentdb: 27017

At top right corner of this page select the Modify button.
Under Connectivity expand Additional connectivity configuration and change the Database port to something other than the default port for your database engine.
!Important - you will need to ensure security groups and connection strings are updated in order to allow traffic on this port.

Repeat the outlined steps for each RDS instances that you have.

See all of your AWS RDS Instances in a single place!

Do you want to see all of your RDS Instances in once place for all regions and all accounts?
Login to our online demo to see exactly what this looks like.
demo.intelligentdiscovery.io

Other Key Features

Inventory

Consolidate your inventory management with consistent and frequent security logs, inventories, and change logs. Dashboard reporting for extensive analytical value.

learn more +

Cost & Usage

Access consolidated capacity, cost, and volume tools in a scaling environment without impacting production or breaking the bank.