Profile Applicability:

  • Level 1

Description:

By default, when an Amazon RDS instance is created, AWS assigns a master username, typically "admin", to the database. This default username is widely known and used, and it can present a security risk. Ensuring that RDS instances use a non-default master username increases the security of your database by reducing the likelihood of unauthorized access. This SOP ensures that all Amazon RDS instances are configured with a unique, non-default master username.

Rationale:

  • Security: The default master username, often set to "admin", is commonly known and can be a target for attackers. Using a unique, non-default username reduces the risk of brute-force attacks or exploitation.

  • Best Practices: Following the principle of least privilege, each RDS instance should have a custom, secure master username for proper access management.

  • Compliance: Security standards like PCI-DSS, SOC 2, and HIPAA often require the use of unique usernames and credentials for database systems.

Impact:

Pros:

  • Improved Security: By using a non-default master username, you make it more difficult for unauthorized users to gain access to your RDS instance.

  • Reduced Risk of Attacks: Minimizes the attack surface, making brute-force and automated attacks less likely to succeed.

  • Compliance: Meets security and regulatory requirements for custom username management.

Cons:

  • Application Compatibility: If the master username is changed, applications or scripts that reference the old username will need to be updated accordingly.

  • Management Overhead: Requires careful documentation of the custom master usernames for future reference.

Default Value:

The default master username for Amazon RDS instances is "admin". This can be changed during the creation of the RDS instance or by modifying the instance later.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBInstances

    • rds:ModifyDBInstance

    • rds:CreateDBInstance

  • AWS CLI installed and configured.

  • Ensure you have appropriate permissions to modify RDS instance configurations.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases.

  4. Select the RDS instance you want to check.

  5. In the Configuration tab, look for the Master Username:

    • If the Master Username is "admin" (or any other default username), it needs to be changed to a custom, unique username.

  6. If the Master Username is set to "admin", click Modify and enter a new, unique username under the Master Username field.

  7. Save the changes and verify that the RDS instance now uses a non-default master username.

Using AWS CLI:

  1. To check the Master Username for an RDS instance, run the following command:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,MasterUsername:MasterUsername}'

  2. Review the output:

  • If MasterUsername is "admin", the instance is using the default username.

  • If it’s set to something else, the instance is using a custom username.

  1. To change the Master Username, run the following command:

    aws rds modify-db-instance --db-instance-identifier <db-instance-id> --master-username <new-username> --apply-immediately

  2. Verify that the Master Username has been updated by running:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,MasterUsername:MasterUsername}'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and choose the RDS instance for which you want to modify the master username.

  3. Click Modify.

  4. Under the Settings section, change the Master Username from "admin" (or any default username) to a unique, custom username.

  5. Click Continue, then Apply Changes.

Using AWS CLI:

  1. To change the Master Username for an RDS instance, run:

    aws rds modify-db-instance --db-instance-identifier <db-instance-id> --master-username <new-username> --apply-immediately

  2. Verify that the Master Username has been updated:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,MasterUsername:MasterUsername}'

Backout Plan:

Using AWS Console:

  1. If changing the master username causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB instance, and click Modify.

  3. Change the Master username back to admin (or another previously used username).

  4. Save the changes and allow the instance to reboot.

Using AWS CLI:

  1. To revert the master username back to admin (if required), run the following command:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --master-user-password <PREVIOUS_PASSWORD> --apply-immediately

  2. Verify that the master username has been reverted:

    aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.