More Info:
Port obfuscation is an additional layer of defense against non-targeted attacks. To take advantage of it, your Amazon RDS database instances should not use their default ports (MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432).
Risk Level
Low
Address
Security
Compliance Standards
PCIDSS
Remediation
How to ensure RDS Database Instances do not use default ports.
Using AWS Console
- Identify the Amazon RDS database instances for which you want to ensure that default ports are not used. (In the Cloudanix Console, navigate to the “Misconfig” page and look for Affected Assets for the “RDS Database Instances Should Not Use Default Ports” policy.)
- Determine the default ports associated with the database engine you are using. Here are some common default ports:
  - MySQL: 3306
  - PostgreSQL: 5432
  - Oracle Database: 1521
  - SQL Server: 1433
- Open the AWS Management Console and navigate to the Amazon RDS service.
- Click on the name of the RDS instance for which you want to modify the port.
- In the instance details page, click on the “Configuration” tab.
- Under the “Connectivity & security” section, locate the “Endpoint & port” information.
- Click on the “Modify” button next to the “Endpoint & port” information.
- In the “Modify DB instance” window, locate the “Port” field.
- Change the value in the “Port” field to a non-default port that you want to use for the RDS instance. Ensure that the new port is not already used by any other service or application.
- Click on the “Apply immediately” checkbox to apply the changes immediately. If you don’t select this option, the changes will be applied during the next maintenance window for the RDS instance.
- Click on the “Modify DB instance” button to save the changes and modify the port.
- Repeat these steps for each Amazon RDS database instance that you want to ensure is not using the default port.
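The first two steps (find the affected instances and compare each against its engine's default port) can be scripted. The following is an added example, not Cloudanix or AWS code: it checks data in the shape returned by `aws rds describe-db-instances`, using a constructed sample, and assumes Aurora PostgreSQL shares PostgreSQL's default of 5432.

```python
# Default ports per engine family, taken from the list above. Prefixes follow
# RDS "Engine" values such as "sqlserver-se" or "oracle-ee"; first match wins,
# so "aurora-postgresql" must come before the generic "aurora" entry.
DEFAULT_PORTS = [
    ("aurora-postgresql", 5432),  # assumption: same default as PostgreSQL
    ("aurora", 3306),
    ("mysql", 3306),
    ("postgres", 5432),
    ("oracle", 1521),
    ("sqlserver", 1433),
]

def default_port(engine):
    """Return the default port for an RDS engine name, or None if unlisted."""
    for prefix, port in DEFAULT_PORTS:
        if engine.lower().startswith(prefix):
            return port
    return None

def find_default_port_instances(response):
    """Return (identifier, engine, port) for instances on their default port."""
    findings = []
    for db in response.get("DBInstances", []):
        endpoint = db.get("Endpoint")
        if not endpoint:  # instance still being created: no port to check yet
            continue
        port = endpoint.get("Port")
        if port is not None and port == default_port(db.get("Engine", "")):
            findings.append((db["DBInstanceIdentifier"], db["Engine"], port))
    return findings

# Constructed sample; identifiers and ports are illustrative only.
SAMPLE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
     "Endpoint": {"Port": 3306}},
    {"DBInstanceIdentifier": "reports-pg", "Engine": "postgres",
     "Endpoint": {"Port": 6432}},
    {"DBInstanceIdentifier": "billing-sql", "Engine": "sqlserver-se",
     "Endpoint": {"Port": 1433}},
    {"DBInstanceIdentifier": "analytics", "Engine": "aurora-postgresql",
     "Endpoint": {"Port": 5432}},
    {"DBInstanceIdentifier": "new-db", "Engine": "oracle-ee"},  # no endpoint yet
]}

if __name__ == "__main__":
    for ident, engine, port in find_default_port_instances(SAMPLE):
        print(f"{ident}: {engine} is listening on default port {port}")
```

After changing a port, update the security group rules and client connection strings that reference the old port, since the instance stops accepting connections on it.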