Profile Applicability:
- Level 2
Description:
When you create an Amazon RDS database instance or cluster in the console, the master username field is pre-filled with a default ("admin" for most engines, "postgres" for PostgreSQL and Aurora PostgreSQL); the CLI and API require the value to be supplied explicitly, and many automation templates simply pass "admin". Keeping a default master username is a security risk because it is publicly documented: an attacker who can reach the database endpoint already knows half of the credential pair and only has to guess or brute-force the password. This SOP ensures that RDS clusters are created with non-default master usernames to reduce the likelihood of unauthorized access.
Rationale:
Security: A default master username halves the work of a credential-guessing attack against the database endpoint. A unique master username, combined with a strong password and network restrictions, forces an attacker to discover the account name before any password attack can begin.
Best Practices: Replacing vendor-supplied defaults is a baseline hardening control. The master account should additionally be reserved for administration, with application workloads using separate least-privilege database users.
Compliance: Frameworks such as PCI DSS require changing vendor-supplied defaults (Requirement 2) and assigning unique IDs to users (Requirement 8); SOC 2 audits commonly expect the same control.
Impact:
Pros:
Improved Security: Custom master usernames reduce the likelihood of attackers gaining unauthorized access by using common, default credentials.
Best Practice Compliance: Following this best practice aligns with security and compliance standards.
Accountability: A custom master username, reserved for administration and paired with separate per-application database users, keeps administrative actions distinguishable from application traffic in the database logs.
Cons:
Migration Effort: The master username of an existing instance or cluster cannot be changed in place, so remediation means creating a replacement with the correct username, migrating the data, and updating every application configuration, secret and script that references the old credential.
Management Overhead: Custom usernames must be documented and stored securely (for example in AWS Secrets Manager) rather than assumed.
Default Value:
By default, the RDS console pre-fills the master username with "admin" (or "postgres" for PostgreSQL-family engines) when creating a new database cluster, and the value becomes permanent once the cluster exists. Set a non-default, unique username at creation time.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBClusters
rds:DescribeDBInstances (standalone instances are not returned by DescribeDBClusters)
rds:CreateDBCluster
rds:ModifyDBCluster (only if the replacement cluster is renamed to the original identifier during cutover)
AWS CLI installed and configured.
The master username is fixed at creation time, so remediating an existing cluster requires a replacement cluster and a planned data migration window.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases and select the RDS cluster you want to check.
In the Configuration tab, review the Master Username.
If it is "admin" (or "postgres" on a PostgreSQL-family engine), the cluster is non-compliant.
The Modify page does not offer the master username, because RDS fixes it at creation; record the finding and remediate by creating a replacement cluster as described under Implementation Steps.
After cutover, open the replacement cluster's Configuration tab and verify that it shows the non-default master username.
Using AWS CLI:
To check the Master Username and engine for every RDS cluster, run the following command:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,Engine:Engine,MasterUsername:MasterUsername}' --output table
Review the output:
If MasterUsername is admin (or postgres on an aurora-postgresql cluster), the cluster is using the default master username and must be replaced; it cannot be fixed in place, because modify-db-cluster has no --master-username option. To list only the non-compliant clusters directly:
aws rds describe-db-clusters --query "DBClusters[?MasterUsername=='admin' || (MasterUsername=='postgres' && contains(Engine, 'postgres'))].[DBClusterIdentifier,Engine,MasterUsername]" --output table
Standalone RDS instances are not returned by describe-db-clusters; check them the same way:
aws rds describe-db-instances --query "DBInstances[?!DBClusterIdentifier].{DBInstanceIdentifier:DBInstanceIdentifier,Engine:Engine,MasterUsername:MasterUsername}" --output table
An empty result from both commands means the account and region are compliant.
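The commands above check one listing at a time. The following script is an added example, not part of the original SOP: it wraps both listings into a repeatable audit that covers clusters and standalone instances, treats "postgres" as the default for PostgreSQL-family engines, compares names case-insensitively (an "Admin" account is no harder to guess than "admin"), and exits non-zero when any default is found. It assumes the AWS CLI is configured with the rds:DescribeDBClusters and rds:DescribeDBInstances permissions listed under Pre-requisite; the function and variable names are this example's own.

```bash
#!/bin/sh
# Added example (not part of the original SOP): audit every RDS cluster and
# standalone instance in the current account/region for a default master
# username. Assumes the AWS CLI is configured with rds:DescribeDBClusters
# and rds:DescribeDBInstances. Exit status is 1 if any default is found.
set -eu

# is_default_master_username ENGINE USERNAME
# Returns 0 (true) when USERNAME is the console default for ENGINE:
# "admin" for every engine, "postgres" for PostgreSQL-family engines.
# The comparison is case-insensitive: "Admin" is no less guessable than "admin".
is_default_master_username() {
  _engine=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _name=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$_name" in
    admin) return 0 ;;
    postgres)
      case "$_engine" in
        *postgres*) return 0 ;;
      esac
      ;;
  esac
  return 1
}

# classify ID ENGINE USERNAME
# Prints one PASS/FAIL line and returns 1 on FAIL so the caller can count findings.
classify() {
  id=$1; engine=$2; name=$3
  if is_default_master_username "$engine" "$name"; then
    printf 'FAIL %s engine=%s master_username=%s\n' "$id" "$engine" "$name"
    return 1
  fi
  printf 'PASS %s engine=%s master_username=%s\n' "$id" "$engine" "$name"
  return 0
}

# list_rds_admins prints "id<TAB>engine<TAB>master_username" per cluster
# (Aurora and Multi-AZ DB clusters) and per standalone instance. Instances
# that belong to a cluster are skipped because the cluster row covers them.
list_rds_admins() {
  aws rds describe-db-clusters --output text \
    --query 'DBClusters[].[DBClusterIdentifier,Engine,MasterUsername]'
  aws rds describe-db-instances --output text \
    --query 'DBInstances[?!DBClusterIdentifier].[DBInstanceIdentifier,Engine,MasterUsername]'
}

# audit_rds feeds the listing through classify and returns 1 if any default
# master username was found. A here-document is used instead of a pipe so the
# failure counter is updated in the current shell, not a subshell.
audit_rds() {
  failures=0
  tab=$(printf '\t')
  while IFS="$tab" read -r id engine name; do
    [ -n "$id" ] || continue
    classify "$id" "$engine" "$name" || failures=$((failures + 1))
  done <<EOF
$(list_rds_admins)
EOF
  printf '%d default master username(s) found\n' "$failures"
  [ "$failures" -eq 0 ]
}

# Call AWS only when invoked with --run, so the functions can be sourced or
# tested offline without credentials.
if [ "${1:-}" = "--run" ]; then
  audit_rds
fi
```

Run it as `sh rds-master-username-audit.sh --run` from a shell whose AWS profile and region point at the account under review; a non-zero exit status makes it usable as a CI or scheduled compliance check.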
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
In the RDS Dashboard, select Databases and record the engine, version, instance class, parameter groups, subnet group and security groups of the cluster that uses the default master username; the replacement must match them.
Click Create database, choose the same engine and version, and under Settings enter a unique, non-default Master username (the Modify page cannot change this value on an existing cluster). Let AWS Secrets Manager manage the master password, or set a strong one.
Create the cluster, migrate the data from the original cluster (engine-native dump and restore, or AWS Database Migration Service), and update application configuration and secrets to the new endpoint and credentials.
Decommission the original cluster only after a verification period, taking a final snapshot.
Using AWS CLI:
The master username cannot be changed with modify-db-cluster (the command has no --master-username option). Create a replacement cluster with the correct username, letting Secrets Manager generate and store the master password so it never appears on the command line:
aws rds create-db-cluster --db-cluster-identifier <new-cluster-id> --engine <engine> --engine-version <version> --master-username <new-username> --manage-master-user-password --db-subnet-group-name <subnet-group> --vpc-security-group-ids <sg-id>
Migrate the data and repoint applications, then verify that the replacement cluster reports the non-default master username:
aws rds describe-db-clusters --db-cluster-identifier <new-cluster-id> --query 'DBClusters[0].{DBClusterIdentifier:DBClusterIdentifier,MasterUsername:MasterUsername}'
Backout Plan:
Using AWS Console:
Because remediation creates a replacement cluster rather than modifying the original, the original cluster is untouched until it is decommissioned. If the cutover causes issues, sign in to the AWS Management Console.
Navigate to Amazon RDS, confirm the original cluster is still available, and restore application configuration and secrets to its endpoint and master credentials.
Do not delete the original cluster before the verification period ends; if it has already been deleted with a final snapshot, restore it from that snapshot (the restored cluster keeps the snapshot's master username).
Using AWS CLI:
Confirm the original cluster is still available before repointing applications to it:
aws rds describe-db-clusters --db-cluster-identifier <ORIGINAL_CLUSTER_ID> --query 'DBClusters[0].{Status:Status,Endpoint:Endpoint,MasterUsername:MasterUsername}'
If the original cluster was already deleted with a final snapshot, restore it from that snapshot; the restored cluster keeps the snapshot's master username, and an Aurora cluster restored this way needs its DB instances re-created with create-db-instance:
aws rds restore-db-cluster-from-snapshot --db-cluster-identifier <ORIGINAL_CLUSTER_ID> --snapshot-identifier <FINAL_SNAPSHOT_ID> --engine <engine>
Verify that the original cluster is available and carries the expected master username:
aws rds describe-db-clusters --db-cluster-identifier <ORIGINAL_CLUSTER_ID>