Profile Applicability:

  • Level 2

Description:

Amazon RDS (Relational Database Service) allows you to configure the port on which the database instance or cluster listens for incoming connections. By default, RDS uses the standard port for each database engine (e.g., MySQL uses port 3306, PostgreSQL uses port 5432). Using a non-default port is a useful hardening step because it makes the database service less easy to find for attackers who scan for the well-known database ports.

This SOP ensures that RDS clusters are configured to use non-default ports to enhance the security posture of the database environment and reduce the likelihood of unauthorized access.

Rationale:

  • Security Through Obscurity: Changing default ports can help reduce the attack surface by making it less obvious to attackers where the database is listening.

  • Best Practice: Using non-default ports is recommended as part of a defense-in-depth strategy. While it is not a replacement for strong security measures (e.g., firewalls, encryption, and IAM), it is a useful technique to add an additional layer of security.

  • Compliance: Helps align with security guidelines and compliance standards that recommend reducing exposure to standard attack vectors.

  • Operational Control: Using non-default ports can also help prevent inadvertent exposure of the RDS instances to the public internet, especially in large-scale environments.

Impact:

Pros:

  • Improved Security: Makes it harder for attackers to locate your RDS instances by scanning for well-known database ports.

  • Minimized Exposure: Reduces the chance of the RDS instance being targeted by automated scanning tools.

  • Better Access Control: Helps ensure that only users who know the correct port can connect to the database.

Cons:

  • Increased Configuration Complexity: Requires additional configuration in your application and firewall to ensure that the correct port is used for connections.

  • Potential Access Issues: If not properly managed, changing ports might cause access issues for clients or services that expect to use default ports.

Default Value:

By default, RDS clusters are created with the default port for the selected database engine (e.g., MySQL uses port 3306, PostgreSQL uses port 5432).

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

  • AWS CLI installed and configured.

  • Ensure that networking configurations (e.g., VPC, security groups, firewalls) are updated to allow communication over the new non-default port.

  • The RDS cluster should not be publicly accessible unless it is secured by proper network access control mechanisms.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases and select the DB cluster you want to check.

  4. In the Connectivity & Security section, check the Endpoint and Port settings.

    • Ensure the Port is not set to the default value (e.g., 3306 for MySQL or 5432 for PostgreSQL).

  5. If the Port is set to a default value, click Modify and change the port to a non-default port (e.g., 3307 for MySQL).

  6. Save the changes and verify that the RDS instance is now running on the non-default port.

Using AWS CLI:

  1. To check the port of an RDS cluster, run:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,Engine:Engine,Port:Port}'

  2. Review the output and ensure the Port is not the default value (e.g., 3306 for MySQL or 5432 for PostgreSQL).

  3. If the port is set to a default value, run:

    aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --port <new-port> --apply-immediately

  4. Verify the updated port:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,Engine:Engine,Port:Port}'
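As an added example that is not part of this SOP, the following Python script performs the check from steps 1 and 2 against the JSON that `aws rds describe-db-clusters` prints, compares each cluster's Port with its engine's default, and prints the modify-db-cluster command from step 3 for each non-compliant cluster. The engine-to-port table and the two sample clusters are constructed for this example; the table also covers the Aurora engine names (aurora-mysql, aurora-postgresql), which go beyond the mysql/postgres cases the text names.

```python
"""Check `aws rds describe-db-clusters` JSON for clusters on their engine's default port."""
import json
import sys

# Default listener ports of the engines that back RDS DB clusters (assumed table).
DEFAULT_PORTS = {"aurora-mysql": 3306, "mysql": 3306,
                 "aurora-postgresql": 5432, "postgres": 5432}


def default_port_for(engine):
    """Return the engine's default port, or None for an engine not in the table."""
    return DEFAULT_PORTS.get(engine)


def find_default_port_clusters(describe_output):
    """Return (identifier, engine, port) for every cluster still on its default port.

    `Port` is a top-level field of each DBCluster entry; `Endpoint` is only the
    hostname string, so the port cannot be read from it.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        engine = cluster.get("Engine", "")
        port = cluster.get("Port")
        if port is not None and port == default_port_for(engine):
            findings.append((cluster["DBClusterIdentifier"], engine, port))
    return findings


def remediation_command(identifier, new_port):
    """Build the modify-db-cluster command the SOP uses to move a cluster's port."""
    return (f"aws rds modify-db-cluster --db-cluster-identifier {identifier} "
            f"--port {new_port} --apply-immediately")


# Constructed sample output: one cluster on its default port, one already moved.
SAMPLE = {"DBClusters": [
    {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-mysql",
     "Endpoint": "orders-aurora.cluster-example.rds.amazonaws.com", "Port": 3306},
    {"DBClusterIdentifier": "billing-pg", "Engine": "aurora-postgresql",
     "Endpoint": "billing-pg.cluster-example.rds.amazonaws.com", "Port": 5433},
]}

if __name__ == "__main__":
    # Pipe real output in (`aws rds describe-db-clusters --output json | python3 check_rds_ports.py`)
    # or run with no stdin to evaluate the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ident, engine, port in find_default_port_clusters(data):
        print(f"{ident} ({engine}) listens on default port {port}")
        print("  remediate: " + remediation_command(ident, "<new-port>"))
```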

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. Select the RDS DB cluster for which you want to change the port.

  3. Click Modify in the Cluster Details section.

  4. In the Connectivity & Security section, change the Port from the default value to a non-default port (e.g., 3307 for MySQL).

  5. Review the settings and click Continue, then Apply Changes.

Using AWS CLI:

  1. To modify the port for an RDS DB cluster, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --port <new-port> --apply-immediately

  2. Verify the port change:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,Engine:Engine,Port:Port}'

Backout Plan:

Using AWS Console:

  1. If changing the port causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB cluster, and click Modify.

  3. Revert the port back to the default port for the database engine (e.g., 3306 for MySQL, 5432 for PostgreSQL).

  4. Save the changes and verify that the RDS cluster is using the default port again.

Using AWS CLI:

  1. To revert the port back to the default value, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --port <default-port> --apply-immediately

  2. Verify that the port has been reverted:

    aws rds describe-db-clusters --db-cluster-identifier <cluster-id> --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,Engine:Engine,Port:Port}'

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                     | IG1 | IG2 | IG3
  --------|------------|-------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                    |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                         |     |     |