Profile Applicability:
- Level 1
Description:
Amazon RDS allows you to configure the port on which the database instance listens for incoming connections. By default, RDS uses the engine's standard port (3306 for MySQL and MariaDB, 5432 for PostgreSQL, 1521 for Oracle, 1433 for SQL Server). Moving the listener to a non-default port hides the service from scanners that only probe well-known ports; it does not hide it from a full-range port scan, and it is no substitute for restricting network access with security groups and private subnets.
This SOP ensures that RDS instances are configured to use non-default ports as one additional layer that reduces exposure to opportunistic, automated attacks.
Rationale:
Security through Obscurity: A non-default port removes the instance from the results of scans that only probe the well-known engine ports. This is obscurity, not access control: a scanner that sweeps all 65535 ports, or an attacker who already has the endpoint string, still finds the listener.
Layered Defense: While not a complete security measure on its own, changing ports is an additional layer of defense that complements network restrictions (security groups, private subnets), encryption in transit, and IAM or password authentication.
Reduced Risk of Automated Attacks: Much mass-scanning and credential-stuffing tooling targets only the default database ports. Using a non-default port makes the instance less likely to be picked up by that tooling; it does not make a targeted attack harder once the port is known.
Impact:
Pros:
Reduced Exposure: Changing the default port keeps the instance out of scans that only check the default engine ports, reducing the volume of opportunistic probes and brute-force attempts.
Higher Reconnaissance Cost: An attacker must scan the full port range, or obtain the endpoint some other way, before attempting to connect; most automated attack tooling does not do this.
Easier Anomaly Detection: When every instance in the fleet uses a non-default port, any security group rule or traffic flow on 3306 or 5432 stands out as an anomaly during audits.
Cons:
Configuration Complexity: Changing the port requires updating every client (application connection strings, bastion hosts, monitoring agents) and the security group ingress rules that reference the old port.
Potential Access Issues: If clients or security groups are not updated in step, applications that still expect the default port lose connectivity.
Restart Required: RDS restarts the instance to apply a port change regardless of whether --apply-immediately is set, so the change causes a short outage and should be scheduled in a maintenance window.
Default Value:
By default, RDS instances are created with the default port for the selected database engine (e.g., 3306 for MySQL, 5432 for PostgreSQL). You need to configure non-default ports manually when creating or modifying the RDS instance.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBInstances
rds:ModifyDBInstance
AWS CLI installed and configured.
Security Groups configured to allow access to the new port.
All RDS engines support a custom port; RDS accepts values in the range 1150-65535 (SQL Server additionally reserves a small set of ports in that range). Pick a port that does not collide with any port used by the instance's option group.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases and select the DB instance you want to check.
In the Configuration tab, check the Port setting.
If the Port is set to the default value for the engine (e.g., 3306 for MySQL or MariaDB, 5432 for PostgreSQL, 1521 for Oracle, 1433 for SQL Server), the instance is non-compliant and needs to be updated.
To remediate from the same screen, click Modify.
Change the Port to a non-default port (e.g., 3307 for MySQL or 5433 for PostgreSQL), after confirming the security group already allows ingress on that port.
Save the changes, wait for the instance status to return to Available (RDS restarts it to apply the new port), and confirm that the Port shown in the Configuration tab is the non-default value.
Using AWS CLI:
To check if RDS instances are using non-default ports, list each instance together with its engine so the reviewer knows which default applies:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, Engine:Engine, Port:Endpoint.Port}' --output table
Review the output and flag any instance whose Port equals the default for its Engine (e.g., 3306 for mysql and mariadb, 5432 for postgres, 1521 for oracle-*, 1433 for sqlserver-*).
If the Port is set to a default value, change it using:
aws rds modify-db-instance --db-instance-identifier <instance-id> --port <new-port> --apply-immediately
Verify the new port once the instance is Available again by running:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, Engine:Engine, Port:Endpoint.Port}' --output table
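The check above has to be done by eye, engine by engine. The following script is an added example (not part of the original SOP) that automates it: it maps each RDS engine name to that engine's default port and flags every instance still listening on it. The audit function reads the tab-separated text output of describe-db-instances, so it can be tested on constructed input and then fed the live output; the instance names in the comments are placeholders.

```shell
#!/bin/sh
# Audit RDS instances for default engine ports.
# Input lines are "<DBInstanceIdentifier> <Engine> <Port>", as produced by:
#   aws rds describe-db-instances \
#     --query 'DBInstances[*].[DBInstanceIdentifier,Engine,Endpoint.Port]' \
#     --output text

# Print the port an RDS engine listens on by default, or nothing for an
# engine this script does not know (so it is reported rather than assumed).
default_port_for_engine() {
  case "$1" in
    mysql|mariadb|aurora|aurora-mysql) echo 3306 ;;
    postgres|aurora-postgresql)        echo 5432 ;;
    oracle-*)                          echo 1521 ;;
    sqlserver-*)                       echo 1433 ;;
    *)                                 echo "" ;;
  esac
}

# Read "id engine port" lines on stdin and print one status line per instance:
# COMPLIANT, NON_COMPLIANT (with the default it matches) or UNKNOWN_ENGINE.
# Returns 1 if any instance is on its engine's default port, else 0.
audit_rds_ports() {
  rc=0
  while read -r id engine port; do
    [ -n "$id" ] || continue
    expected=$(default_port_for_engine "$engine")
    if [ -z "$expected" ]; then
      printf '%s\t%s\t%s\tUNKNOWN_ENGINE\n' "$id" "$engine" "$port"
    elif [ "$port" = "$expected" ]; then
      printf '%s\t%s\t%s\tNON_COMPLIANT (default %s)\n' "$id" "$engine" "$port" "$expected"
      rc=1
    else
      printf '%s\t%s\t%s\tCOMPLIANT\n' "$id" "$engine" "$port"
    fi
  done
  return $rc
}

# Live usage (needs AWS CLI credentials with rds:DescribeDBInstances);
# the non-zero exit status makes this usable as a CI or cron compliance gate:
#   aws rds describe-db-instances \
#     --query 'DBInstances[*].[DBInstanceIdentifier,Engine,Endpoint.Port]' \
#     --output text | audit_rds_ports
```

Unknown engines are reported rather than silently treated as compliant, so a new engine type added to the account cannot slip past the audit.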
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
In the RDS Dashboard, select Databases and choose the DB instance to modify.
Click Modify.
In the Connectivity section, expand Additional configuration and change Database port from the default value to a non-default port (e.g., 3307 for MySQL). Make sure the instance's security group already allows ingress on the new port.
Click Continue, choose when to apply the change, then click Modify DB instance. RDS restarts the instance to apply the new port, so schedule this during a maintenance window and update client connection strings as part of the same change.
Using AWS CLI:
To change the port for the RDS instance, first allow the new port in the instance's security group, then run (the instance restarts to apply the change even without --apply-immediately):
aws rds modify-db-instance --db-instance-identifier <instance-id> --port <new-port> --apply-immediately
To verify the changes, run:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, Port:Endpoint.Port}'
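The order of operations matters in practice: open the new port in the security group before the instance moves, confirm the endpoint actually changed, and only then close the old port. The script below is an added example (not part of the original SOP) that carries the CLI steps out in that order. The validation function checks the requested port against the 1150-65535 range RDS accepts and against the instance's current port; the instance identifier, security group ID and CIDR are placeholders supplied by the caller, and the AWS calls require credentials with the rds and ec2 permissions named in the comments.

```shell
#!/bin/sh
# Change an RDS instance's listening port without locking clients out.
# Usage: change_rds_port <instance-id> <security-group-id> <new-port> <client-cidr>
# Requires rds:DescribeDBInstances, rds:ModifyDBInstance,
# ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress.

# Return 0 if <port> is numeric, within the range RDS accepts (1150-65535)
# and differs from <current>; otherwise explain on stderr and return 1.
validate_rds_port() {
  port=$1; current=$2
  case "$port" in
    ''|*[!0-9]*) echo "port '$port' is not numeric" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1150 ] || [ "$port" -gt 65535 ]; then
    echo "port $port is outside the RDS range 1150-65535" >&2; return 1
  fi
  if [ "$port" -eq "$current" ]; then
    echo "port $port is already the instance's current port" >&2; return 1
  fi
  return 0
}

change_rds_port() {
  instance=$1; sg=$2; new_port=$3; cidr=$4
  old_port=$(aws rds describe-db-instances --db-instance-identifier "$instance" \
    --query 'DBInstances[0].Endpoint.Port' --output text)
  validate_rds_port "$new_port" "$old_port" || return 1

  # 1. Admit client traffic on the new port before anything moves.
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
    --protocol tcp --port "$new_port" --cidr "$cidr"

  # 2. Change the port. RDS restarts the instance for this regardless of
  #    --apply-immediately, so run this inside the maintenance window.
  aws rds modify-db-instance --db-instance-identifier "$instance" \
    --port "$new_port" --apply-immediately

  # 3. The restart does not begin the instant the API returns, so give the
  #    instance time to leave 'available' before waiting for it to come back.
  sleep 30
  aws rds wait db-instance-available --db-instance-identifier "$instance"

  # 4. Trust the endpoint, not the request: confirm the port really changed.
  actual=$(aws rds describe-db-instances --db-instance-identifier "$instance" \
    --query 'DBInstances[0].Endpoint.Port' --output text)
  if [ "$actual" != "$new_port" ]; then
    echo "endpoint reports port $actual, expected $new_port; leaving old rule in place" >&2
    return 1
  fi

  # 5. Only now close the old port; clients still pointed at it will fail
  #    loudly here rather than silently during the switch.
  aws ec2 revoke-security-group-ingress --group-id "$sg" \
    --protocol tcp --port "$old_port" --cidr "$cidr"
}

# Example invocation (placeholder values):
#   change_rds_port prod-db sg-0123456789abcdef0 3307 10.0.0.0/16
```

If step 4 fails the old ingress rule is deliberately left in place so that the backout (reverting the port) needs no security group change.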
Backout Plan:
Using AWS Console:
If changing the port causes issues, sign in to the AWS Management Console.
Navigate to Amazon RDS, select the DB instance, and click Modify.
Revert the port back to the default port for the database engine (e.g., 3306 for MySQL, 5432 for PostgreSQL).
Save the changes and verify that the RDS instance is using the default port again.
Using AWS CLI:
To revert the port back to the default value, first make sure the security group still allows ingress on the default port, then run the following command (the instance restarts again to apply the change):
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --port <DEFAULT_PORT> --apply-immediately
Verify that the port has been reverted once the instance is Available again:
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID> --query 'DBInstances[0].{Engine:Engine, Port:Endpoint.Port, Status:DBInstanceStatus}'