
Ensure RDS Clusters Do Not Use Default Master Username

Overview

This check verifies that your Amazon RDS database clusters are not using well-known default master usernames such as admin or postgres. Choosing a unique master username is a simple but effective hardening measure: it denies an attacker the half of the credential pair they would otherwise get for free.

Risk

Default usernames are well-known and publicly documented. An attacker who can reach the database endpoint will try these usernames first, because they cost nothing to guess:

  • Brute-force attacks become easier - With the username known, the attacker only has to guess the password
  • Password spraying and credential stuffing - Automated tools come preloaded with default usernames and try common or leaked passwords against each one
  • Data breach potential - A successful login as the master user gives full control of the cluster, so data can be read, modified, or deleted

Severity: Medium

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to create and manage RDS clusters
  • A plan for migrating data from your existing cluster (if applicable)

Important: The master username cannot be changed after a cluster is created, and restoring a snapshot does not help either, because the restored cluster keeps the master username of its source. You must create a new cluster with a custom username and migrate your data into it.

AWS Console Method

  1. Sign in to the AWS RDS Console
  2. Click Create database
  3. Choose your database engine (Aurora MySQL, Aurora PostgreSQL, etc.)
  4. Under Settings, find the Master username field
  5. Enter a custom username that is:
    • NOT admin, postgres, administrator, or root
    • NOT a reserved word for the engine (RDS rejects these at creation time; rdsadmin, for example)
    • Unique to your organization (e.g., dbadmin_myapp, rds_master_prod)
    • Made of letters, digits, and underscores, starting with a letter; the maximum length depends on the engine (16 characters for Aurora MySQL, 63 for Aurora PostgreSQL)
  6. Complete the remaining configuration and click Create database

If you have an existing cluster with a default username:

  1. Create a snapshot of your current cluster as a rollback point (restoring it would recreate the cluster with the old username, so it is a safety net, not the migration path)
  2. Create a new cluster with a custom username
  3. Migrate your data using AWS DMS or the engine's native tools (mysqldump for MySQL-compatible engines, pg_dump/pg_restore for PostgreSQL-compatible engines)
  4. Update your application connection strings and any secrets that hold the old credentials
  5. Delete the old cluster after verifying the migration

AWS CLI (optional)

List clusters to identify those with default usernames:

aws rds describe-db-clusters \
--region us-east-1 \
--query 'DBClusters[*].[DBClusterIdentifier,MasterUsername,Engine]' \
--output table

Create a new cluster with a custom username. Replace the placeholder password, or omit --master-user-password and pass --manage-master-user-password instead so that RDS generates the password and stores it in Secrets Manager for you:

aws rds create-db-cluster \
--region us-east-1 \
--db-cluster-identifier my-secure-cluster \
--engine aurora-mysql \
--master-username dbadmin_myapp \
--master-user-password "YourSecurePassword123!" \
--backup-retention-period 7 \
--storage-encrypted \
--deletion-protection

Create cluster instances (required for Aurora):

aws rds create-db-instance \
--region us-east-1 \
--db-instance-identifier my-secure-cluster-instance-1 \
--db-cluster-identifier my-secure-cluster \
--db-instance-class db.r6g.large \
--engine aurora-mysql

Use Secrets Manager for password management (recommended) so applications fetch credentials at runtime instead of embedding them. Read the secret value from a file rather than passing it inline, otherwise the password ends up in your shell history:

# Create a secret with your credentials; creds.json contains
# {"username":"dbadmin_myapp","password":"YourSecurePassword123!"}
aws secretsmanager create-secret \
--region us-east-1 \
--name my-rds-cluster-credentials \
--secret-string file://creds.json

CloudFormation (optional)

This template creates an Aurora MySQL cluster with a custom master username and integrates with AWS Secrets Manager for secure credential management. The username parameter is validated so that it starts with a letter and contains only letters, digits, and underscores; the deny list for default names is enforced by the check itself, so pick a name that is not admin, postgres, administrator, or root.

AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Aurora Cluster with custom admin username using Secrets Manager

Parameters:
  MasterUsername:
    Type: String
    Description: Master username for the database (avoid admin/postgres)
    MinLength: 1
    MaxLength: 16
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9_]*'
    ConstraintDescription: Must begin with a letter and contain only letters, digits, and underscores

Resources:
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: RDS cluster master credentials
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${MasterUsername}"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  RDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-mysql
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
      DBClusterIdentifier: my-secure-cluster
      BackupRetentionPeriod: 7
      StorageEncrypted: true
      DeletionProtection: true

  # Aurora clusters need at least one instance before they accept connections
  RDSClusterInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBClusterIdentifier: !Ref RDSCluster
      Engine: aurora-mysql
      DBInstanceClass: db.r6g.large

  SecretTargetAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref RDSCluster
      TargetType: AWS::RDS::DBCluster

Outputs:
  ClusterEndpoint:
    Description: Aurora cluster endpoint
    Value: !GetAtt RDSCluster.Endpoint.Address
  SecretArn:
    Description: ARN of the secret containing database credentials
    Value: !Ref DBSecret

Deploy the stack:

aws cloudformation create-stack \
--region us-east-1 \
--stack-name secure-rds-cluster \
--template-body file://template.yaml \
--parameters ParameterKey=MasterUsername,ParameterValue=dbadmin_myapp

Terraform (optional)

This configuration creates an Aurora MySQL cluster with a variable validation rule that rejects default usernames at plan time.

variable "master_username" {
  description = "Master username for the RDS cluster (avoid admin/postgres)"
  type        = string

  validation {
    condition     = !contains(["admin", "postgres", "administrator", "root"], lower(var.master_username))
    error_message = "Master username must not be a default value like admin, postgres, administrator, or root."
  }
}

variable "master_password" {
  description = "Master password for the RDS cluster"
  type        = string
  sensitive   = true
}

resource "aws_rds_cluster" "secure_cluster" {
  cluster_identifier        = "my-secure-cluster"
  engine                    = "aurora-mysql"
  engine_version            = "8.0.mysql_aurora.3.04.0"
  master_username           = var.master_username
  master_password           = var.master_password
  backup_retention_period   = 7
  storage_encrypted         = true
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "my-secure-cluster-final-snapshot"
}

resource "aws_rds_cluster_instance" "cluster_instances" {
  count              = 2
  identifier         = "my-secure-cluster-${count.index}"
  cluster_identifier = aws_rds_cluster.secure_cluster.id
  instance_class     = "db.r6g.large"
  engine             = aws_rds_cluster.secure_cluster.engine
  engine_version     = aws_rds_cluster.secure_cluster.engine_version
}

output "cluster_endpoint" {
  description = "Aurora cluster endpoint"
  value       = aws_rds_cluster.secure_cluster.endpoint
}

Apply the configuration:

terraform init
terraform apply -var="master_username=dbadmin_myapp" -var="master_password=YourSecurePassword123!"

For production, do not put the password on the command line: supply it through a terraform.tfvars file that is excluded from version control or through the TF_VAR_master_password environment variable, or set manage_master_user_password = true on the aws_rds_cluster resource (and drop master_password) so that RDS generates the password and stores it in Secrets Manager. Whichever you choose, a password set through Terraform is recorded in the state file, so protect the state backend accordingly.

Verification

After creating your cluster with a custom username:

  1. Go to the RDS Console
  2. Click on your cluster name
  3. In the Configuration tab, confirm the Master username is not one of the default names (admin, postgres, administrator, root)

CLI verification

aws rds describe-db-clusters \
--region us-east-1 \
--db-cluster-identifier my-secure-cluster \
--query 'DBClusters[0].MasterUsername' \
--output text

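The describe-db-clusters command above and the one in the AWS CLI section both leave it to the reader to spot default names by eye. The following script, added here as an example and not part of the Prowler check or of this page's original content, applies the page's deny list (admin, postgres, administrator, root) to the JSON that aws rds describe-db-clusters prints, case-insensitively, and exits non-zero when any cluster fails. The cluster names in the embedded sample are constructed for the demo; the script falls back to that sample when nothing is piped in.

```python
"""Flag RDS clusters whose master username is a well-known default.

Reads the JSON emitted by `aws rds describe-db-clusters` (from a file argument
or from stdin) and reports every cluster whose MasterUsername is on the deny
list. A constructed sample is embedded so the script also runs offline.
"""
import json
import sys

# Default names listed on this page. The comparison is case-insensitive
# because the engines differ in how they fold identifier case.
DEFAULT_MASTER_USERNAMES = frozenset({"admin", "postgres", "administrator", "root"})


def is_default_master_username(username, denylist=DEFAULT_MASTER_USERNAMES):
    """True if `username` (possibly None) is on the deny list, ignoring case."""
    return username is not None and username.strip().lower() in denylist


def find_default_admin_clusters(describe_output, denylist=DEFAULT_MASTER_USERNAMES):
    """Return [(cluster_id, master_username, engine), ...] for failing clusters.

    `describe_output` is the parsed JSON from `aws rds describe-db-clusters`,
    i.e. a dict carrying a "DBClusters" list. Clusters that pass are omitted.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        username = cluster.get("MasterUsername")
        if is_default_master_username(username, denylist):
            findings.append(
                (cluster["DBClusterIdentifier"], username, cluster.get("Engine", ""))
            )
    return findings


# Constructed sample in the shape of describe-db-clusters output (not real data).
SAMPLE_DESCRIBE_OUTPUT = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-prod", "MasterUsername": "admin", "Engine": "aurora-mysql"},
        {"DBClusterIdentifier": "analytics", "MasterUsername": "Postgres", "Engine": "aurora-postgresql"},
        {"DBClusterIdentifier": "my-secure-cluster", "MasterUsername": "dbadmin_myapp", "Engine": "aurora-mysql"},
    ]
}


def main(argv):
    """CLI entry point: file argument > piped stdin > embedded sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    elif not sys.stdin.isatty():
        data = json.load(sys.stdin)
    else:
        data = SAMPLE_DESCRIBE_OUTPUT

    findings = find_default_admin_clusters(data)
    for cluster_id, username, engine in findings:
        print(f"FAIL {cluster_id} ({engine}): master username '{username}' is a default")
    if not findings:
        print("PASS: no clusters use a default master username")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a live account with `aws rds describe-db-clusters --region us-east-1 | python3 check_rds_master_username.py`, and loop over the regions returned by `aws ec2 describe-regions` to cover the whole account; the non-zero exit status makes it usable as a CI gate.
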
Run Prowler to confirm the fix:

prowler aws --checks rds_cluster_default_admin --region us-east-1

Additional Resources

Notes

  • Master username cannot be changed - You must create a new cluster and migrate data; snapshot restores keep the old username
  • Plan for downtime - Data migration requires careful planning to minimize application disruption
  • Update connection strings - All applications connecting to the database must be updated with the new username, and any secrets holding the old credentials must be rotated or retired
  • Consider IAM authentication - Enable IAM database authentication so application users connect with short-lived IAM tokens instead of stored passwords; reserve the master user for administration
  • Use Secrets Manager - Store database credentials in AWS Secrets Manager and enable automatic rotation