Description

To reduce the exposure of publicly accessible Amazon RDS databases, change the endpoint port of each instance from its engine default. A database listening on its default port is trivially identified by automated scanners, which raises its risk of dictionary and brute-force attacks; moving the port to a non-default value adds an extra layer of protection. Ensure, therefore, that your RDS instances are not using the default endpoint port 3306 (Aurora MySQL, MySQL and MariaDB), and apply port obfuscation as an additional security measure on top of your other access controls.

Remediation

To ensure that Amazon RDS is not using the default port 3306, you can take the following remediation steps:

  1. Connect to the RDS instance using the AWS Management Console, the AWS CLI, or a third-party client tool.
  2. Check the port the instance currently uses. It appears in the instance's endpoint information, which lists the host name and port number.
  3. If the instance is using the default port, change it in the instance settings. In the AWS Management Console, open the "Configuration" tab for the instance and look for the "Network & Security" section, where the port number can be modified.
  4. Choose a port number that is not commonly used, to avoid conflicts with other applications. Any available port number between 1024 and 65535 can be used.
  5. Save the changes to the instance settings and wait for them to take effect. It may take a few minutes for the new port to propagate to all nodes in the RDS cluster.
  6. Once the change is complete, verify that the RDS instance no longer listens on the default port by connecting to it on the new port number.
  7. Update any applications or scripts that connect to the RDS instance so that they use the new port number.
  8. Test connectivity to the RDS instance from every relevant system to confirm that the change has been applied correctly and that nothing is broken by the new port number.
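The check in the Description and steps 2, 3 and 6 above can be scripted rather than done by hand in the console. The following is an added example, not code from Lightlytics or the CloudWiki page: it parses the JSON that `aws rds describe-db-instances` returns, flags instances still on their engine's default port (public ones first), emits the `aws rds modify-db-instance` / `aws rds modify-db-cluster` commands that would move them, and re-checks the port afterwards. It goes beyond the page's 3306 rule by also knowing the documented defaults of the other RDS engines. The `DBInstances` sample embedded below is constructed so the script runs offline; the identifiers in it are placeholders.

```python
"""Audit RDS endpoint ports and emit the CLI commands that move them off the default."""
import json

# Default endpoint ports per RDS engine. The rule on this page covers 3306; the
# other engines' defaults are taken from AWS documentation (assumption: you want
# the same check applied to every engine in the account).
DEFAULT_PORTS = {
    "mysql": 3306, "mariadb": 3306, "aurora": 3306, "aurora-mysql": 3306,
    "postgres": 5432, "aurora-postgresql": 5432,
    "oracle-ee": 1521, "oracle-se2": 1521,
    "sqlserver-ex": 1433, "sqlserver-web": 1433, "sqlserver-se": 1433, "sqlserver-ee": 1433,
}

# Constructed sample in the shape of `aws rds describe-db-instances` output
# (hostnames and identifiers are placeholders, not real resources).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-mysql", "Engine": "mysql",
         "Endpoint": {"Address": "prod-mysql.example.invalid", "Port": 3306},
         "PubliclyAccessible": True},
        {"DBInstanceIdentifier": "aurora-writer", "Engine": "aurora-mysql",
         "DBClusterIdentifier": "prod-aurora",
         "Endpoint": {"Address": "aurora-writer.example.invalid", "Port": 3306},
         "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "reports-pg", "Engine": "postgres",
         "Endpoint": {"Address": "reports-pg.example.invalid", "Port": 5433},
         "PubliclyAccessible": True},
    ]
})


def find_default_port_instances(describe_json):
    """Return instances whose endpoint port equals their engine default,
    publicly accessible ones first (they carry the exposure the rule targets)."""
    findings = []
    for db in json.loads(describe_json)["DBInstances"]:
        engine = db["Engine"]
        port = db["Endpoint"]["Port"]
        if DEFAULT_PORTS.get(engine) == port:
            findings.append({
                "id": db["DBInstanceIdentifier"],
                "engine": engine,
                "port": port,
                "public": db.get("PubliclyAccessible", False),
                # Aurora instances inherit the port from their cluster, so the
                # cluster, not the instance, is what must be modified.
                "cluster": db.get("DBClusterIdentifier"),
            })
    return sorted(findings, key=lambda f: (not f["public"], f["id"]))


def remediation_commands(findings, new_port):
    """Build the AWS CLI commands that move each finding to new_port.
    1024-65535 is the range the rule cites; RDS itself refuses ports below 1150."""
    if not 1024 <= new_port <= 65535:
        raise ValueError("new_port must be within 1024-65535")
    if new_port in DEFAULT_PORTS.values():
        raise ValueError("new_port is itself an engine default port")
    commands, clusters_done = [], set()
    for f in findings:
        if f["cluster"]:
            if f["cluster"] in clusters_done:
                continue  # one command per cluster covers all its instances
            clusters_done.add(f["cluster"])
            commands.append(
                f"aws rds modify-db-cluster --db-cluster-identifier {f['cluster']} "
                f"--port {new_port} --apply-immediately")
        else:
            commands.append(
                f"aws rds modify-db-instance --db-instance-identifier {f['id']} "
                f"--db-port-number {new_port} --apply-immediately")
    return commands


def verify_port(describe_json, instance_id, expected_port):
    """Step 6: after the change has propagated, re-run describe-db-instances
    and confirm the endpoint reports the new port."""
    for db in json.loads(describe_json)["DBInstances"]:
        if db["DBInstanceIdentifier"] == instance_id:
            return db["Endpoint"]["Port"] == expected_port
    return False


if __name__ == "__main__":
    # Live use: replace SAMPLE_DESCRIBE_OUTPUT with the output of
    #   aws rds describe-db-instances --output json
    findings = find_default_port_instances(SAMPLE_DESCRIBE_OUTPUT)
    for f in findings:
        print(f"{f['id']:15} {f['engine']:16} port {f['port']} public={f['public']}")
    for cmd in remediation_commands(findings, 19306):
        print(cmd)
```

The commands are printed rather than executed so they can be reviewed, and `--apply-immediately` is included because without it the port change waits for the next maintenance window; step 7 (updating every client) still has to happen before the command is run, since the old port stops working the moment the change applies.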

Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.