AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
RDS Database Instances Should Not Use Default Ports
More Info:
Port obfuscation is as an additional layer of defense against non-targeted attacks. In order to leverage this, your Amazon RDS databases instances should not use their default ports (MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432)
Risk Level
Low
Address
Security
Compliance Standards
PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of RDS Database Instances using default ports in AWS, follow these step-by-step instructions using the AWS Management Console:
-
Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to the AWS Management Console.
-
Navigate to RDS Service: Click on the “Services” dropdown menu at the top left corner of the console, then select “RDS” under the Database category.
-
Select the RDS Instance: From the list of RDS instances, select the instance that is currently using default ports.
-
Modify the RDS Instance: Click on the instance name to open the details page. Then, click on the “Modify” button at the top of the page.
-
Update the Port Configuration: In the “Network & Security” section, locate the “Public accessibility” setting. If the RDS instance is publicly accessible, you will see an option to specify the “Publicly accessible” setting and the “Port” number.
-
Change the Port Number: Update the “Port” number to a non-default port number of your choice. Ensure that the new port number is not commonly used or reserved for other services.
-
Save the Changes: Scroll down to the bottom of the page and click on the “Continue” button. Review the summary of changes, and then click on the “Modify DB Instance” button to apply the changes.
-
Verify the Configuration: Once the modification is complete, verify that the RDS instance is now using the updated port number. You can also test the connectivity to the RDS instance using the new port number to ensure that it is working correctly.
By following these steps, you have successfully remediated the misconfiguration of RDS Database Instances using default ports in AWS.
To remediate the misconfiguration of RDS database instances using default ports in AWS, you can follow these steps using AWS CLI:
-
Identify the RDS instances that are using default ports:
Run the following AWS CLI command to list all your RDS instances and their associated configurations:
aws rds describe-db-instancesLook for instances that are using default ports (3306 for MySQL, 5432 for PostgreSQL, 1433 for SQL Server, etc.).
-
Modify the RDS instance to use a non-default port:
Run the following AWS CLI command to modify the RDS instance to use a non-default port (replace
your-db-instance-identifierandnew-port-numberwith your actual values):aws rds modify-db-instance --db-instance-identifier your-db-instance-identifier --port new-port-number -
Update the security group settings:
If you have security groups attached to your RDS instance, you will need to update the inbound rules to allow traffic on the new port. Run the following AWS CLI command to update the inbound rules of the security group (replace
your-security-group-idandnew-port-numberwith your actual values):aws ec2 authorize-security-group-ingress --group-id your-security-group-id --protocol tcp --port new-port-number --cidr 0.0.0.0/0 -
Verify the changes:
Run the following AWS CLI command to describe the modified RDS instance and ensure that the port has been updated successfully:
aws rds describe-db-instances --db-instance-identifier your-db-instance-identifier
By following these steps, you can remediate the misconfiguration of RDS database instances using default ports in AWS and enhance the security of your RDS instances.
To remediate the misconfiguration of RDS Database Instances using default ports in AWS, you can use the AWS SDK for Python (Boto3) to modify the security group associated with the RDS instance to restrict access to a specific port. Here are the step-by-step instructions to remediate this issue:
- Install the Boto3 library:
pip install boto3
-
Configure your AWS credentials by either setting environment variables or using the AWS CLI
aws configurecommand. -
Use the following Python script to modify the security group associated with the RDS instance to restrict access to a specific port (e.g., 3306):
import boto3
# Initialize the RDS client
rds_client = boto3.client('rds')
# Specify the RDS instance identifier and the desired port
db_instance_identifier = 'YOUR_DB_INSTANCE_IDENTIFIER'
desired_port = 3306
# Get the current security group of the RDS instance
response = rds_client.describe_db_instances(DBInstanceIdentifier=db_instance_identifier)
security_group_id = response['DBInstances'][0]['VpcSecurityGroups'][0]['VpcSecurityGroupId']
# Authorize inbound traffic on the desired port for the security group
ec2_client = boto3.client('ec2')
response = ec2_client.authorize_security_group_ingress(
GroupId=security_group_id,
IpPermissions=[
{
'FromPort': desired_port,
'ToPort': desired_port,
'IpProtocol': 'tcp',
'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
}
]
)
print('Security group updated to allow inbound traffic on port', desired_port)
-
Replace
YOUR_DB_INSTANCE_IDENTIFIERwith the identifier of your RDS instance. -
Run the Python script. It will modify the security group associated with the RDS instance to allow inbound traffic only on the specified port (3306 in this case).
By following these steps, you can remediate the misconfiguration of RDS Database Instances using default ports in AWS.