RDS Cluster Non-Default Port
Overview
This check verifies that your Amazon RDS database clusters use non-default ports instead of well-known defaults. Default ports include:
- MySQL/Aurora MySQL: 3306
- PostgreSQL/Aurora PostgreSQL: 5432
- SQL Server: 1433
- Oracle: 1521
- DB2: 50000
Using a custom port is a modest obscurity measure: it hides the cluster from scanners that probe only the default port, and nothing more. Treat it as a complement to network restrictions and strong authentication, not a replacement for them.
Risk
Using default database ports makes your clusters easier targets for opportunistic attackers. When a database is reachable on a well-known port:
- Mass-scanning campaigns that probe only default ports find it with no targeted effort
- Attackers can infer the engine from the port alone and skip straight to engine-specific exploits
- Automated brute-force and credential-stuffing tooling is typically pointed at default ports
- Your infrastructure is more susceptible to mass scanning campaigns that sweep entire address ranges
Changing the port only defeats this class of untargeted scanning. A service-fingerprinting scan that banner-grabs every open port still identifies the engine, so the port change is not a substitute for restricting network reachability, strong authentication and encryption in transit; it reduces exposure to opportunistic attacks and nothing more.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify RDS clusters
- Knowledge of which applications connect to the database (you will need to update their connection settings)
Important: Changing the database port requires a brief outage. Plan this change during a maintenance window.
AWS Console Method
- Open the Amazon RDS Console
- In the left navigation, click Databases
- Select the cluster you want to modify
- Click Modify
- Scroll to Additional configuration
- Change the Database port to a non-default value (for example, 3307 for MySQL or 5433 for PostgreSQL)
- Scroll down and click Continue
- Under Schedule modifications, select Apply immediately (or schedule for your maintenance window)
- Review your changes and click Modify cluster
After the port change:
- Update your application connection strings to use the new port
- Modify your security groups to allow inbound traffic on the new port
- If using a firewall, update rules to permit the new port
AWS CLI (optional)
Check Current Port
First, identify your cluster's current port:
```bash
aws rds describe-db-clusters \
  --db-cluster-identifier <your-cluster-identifier> \
  --region us-east-1 \
  --query 'DBClusters[0].Port'
```
Modify the Cluster Port
Change the cluster to use a non-default port:
```bash
aws rds modify-db-cluster \
  --db-cluster-identifier <your-cluster-identifier> \
  --port 3307 \
  --region us-east-1 \
  --apply-immediately
```
Replace 3307 with your preferred non-default port. RDS accepts ports from 1150 through 65535 (some engines exclude a few specific ports, so check the engine's valid range in the RDS documentation before choosing). Ports adjacent to the default, such as 3307 or 5433, are common enough that many scanners include them; a port well away from the default gets more of the (modest) benefit. Examples:
- MySQL/Aurora MySQL: 3307, 3308, or any unused port in that range other than 3306
- PostgreSQL/Aurora PostgreSQL: 5433, 5434, or any unused port in that range other than 5432
Update Security Group
Ensure your security group allows traffic on the new port:
```bash
aws ec2 authorize-security-group-ingress \
  --group-id <your-security-group-id> \
  --protocol tcp \
  --port 3307 \
  --source-group <application-security-group-id> \
  --region us-east-1
```
CloudFormation (optional)
Use the Port property when defining your RDS cluster:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Aurora cluster with non-default port
Parameters:
  DBClusterIdentifier:
    Type: String
    Description: Identifier for the DB cluster
  DatabasePort:
    Type: Number
    Default: 3307
    Description: Non-default port for the database (avoid 3306, 5432, 1433, 1521)
  MasterUsername:
    Type: String
    Description: Master username for the database
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: Master password for the database
  VPCSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group ID that allows access to the custom port
  DBSubnetGroupName:
    Type: String
    Description: DB subnet group name
Resources:
  RDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      Engine: aurora-mysql
      EngineVersion: '8.0.mysql_aurora.3.04.0'
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      Port: !Ref DatabasePort
      VpcSecurityGroupIds:
        - !Ref VPCSecurityGroupId
      DBSubnetGroupName: !Ref DBSubnetGroupName
      StorageEncrypted: true
      DeletionProtection: true
      BackupRetentionPeriod: 7
Outputs:
  ClusterEndpoint:
    Description: Cluster endpoint
    Value: !GetAtt RDSCluster.Endpoint.Address
  ClusterPort:
    Description: Cluster port
    Value: !GetAtt RDSCluster.Endpoint.Port
```
Key configuration:
- The `Port` property is set to a non-default value via the `DatabasePort` parameter
- The parameter's default of 3307 avoids the standard MySQL port of 3306
Terraform (optional)
Use the port argument in your aws_rds_cluster resource:
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_identifier" {
  description = "Identifier for the RDS cluster"
  type        = string
}

variable "database_port" {
  description = "Non-default port for the database"
  type        = number
  default     = 3307
}

variable "master_username" {
  description = "Master username for the database"
  type        = string
}

variable "master_password" {
  description = "Master password for the database"
  type        = string
  sensitive   = true
}

variable "vpc_security_group_ids" {
  description = "List of VPC security group IDs"
  type        = list(string)
}

variable "db_subnet_group_name" {
  description = "DB subnet group name"
  type        = string
}

resource "aws_rds_cluster" "main" {
  cluster_identifier        = var.cluster_identifier
  engine                    = "aurora-mysql"
  engine_version            = "8.0.mysql_aurora.3.04.0"
  master_username           = var.master_username
  master_password           = var.master_password
  port                      = var.database_port
  vpc_security_group_ids    = var.vpc_security_group_ids
  db_subnet_group_name      = var.db_subnet_group_name
  storage_encrypted         = true
  deletion_protection       = true
  backup_retention_period   = 7
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.cluster_identifier}-final-snapshot"
}

output "cluster_endpoint" {
  description = "The cluster endpoint"
  value       = aws_rds_cluster.main.endpoint
}

output "cluster_port" {
  description = "The port the cluster is listening on"
  value       = aws_rds_cluster.main.port
}
```
Key configuration:
- The `port` argument specifies the non-default database port
- The variable's default of 3307 ensures MySQL clusters do not use the standard 3306 port
Verification
After making changes, verify the cluster is using the new port:
- In the RDS Console, select your cluster and check the Port value in the Connectivity & security tab
- Test connectivity from your application using the new port
- Re-run the Prowler check to confirm the finding is resolved:
```bash
prowler aws --check rds_cluster_non_default_port --region us-east-1
```
CLI Verification
```bash
aws rds describe-db-clusters \
  --db-cluster-identifier <your-cluster-identifier> \
  --region us-east-1 \
  --query 'DBClusters[0].{Identifier:DBClusterIdentifier,Port:Port,Endpoint:Endpoint}'
```
Expected output should show your custom port (not 3306, 5432, etc.):
```json
{
    "Identifier": "my-cluster",
    "Port": 3307,
    "Endpoint": "my-cluster.cluster-xxxxxxxxxxxx.us-east-1.rds.amazonaws.com"
}
```
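As an added example (not part of the original Prowler page or its tooling), the following Python reproduces the check offline over constructed sample responses shaped like the output of `aws rds describe-db-clusters` and `aws ec2 describe-security-groups`. It classifies every cluster against its engine family's default port and, for clusters already moved off the default, flags security-group ingress rules that still admit the old port, which is the cleanup step the Notes recommend. The function names `default_port_for`, `audit_clusters` and `find_stale_default_port_rules`, the cluster identifiers and the security-group IDs are this example's own; in a real run you would pass in the live responses from `boto3` (`rds.describe_db_clusters()`, `ec2.describe_security_groups()`) unchanged.

```python
"""Audit RDS clusters for default ports and for stale security-group rules.

Added example: runs offline over constructed sample API responses. The boto3
equivalents are rds.describe_db_clusters() and ec2.describe_security_groups().
"""

# Well-known default port per RDS engine family. Keys are prefixes of the
# Engine field; bare "aurora" is the legacy Aurora MySQL 5.6 engine name.
DEFAULT_PORTS = {
    "aurora": 3306,
    "aurora-mysql": 3306,
    "aurora-postgresql": 5432,
    "mysql": 3306,
    "postgres": 5432,
    "sqlserver": 1433,  # sqlserver-ee, sqlserver-se, sqlserver-ex, sqlserver-web
    "oracle": 1521,     # oracle-ee, oracle-se2, ...
    "db2": 50000,       # db2-ae, db2-se
}


def default_port_for(engine: str):
    """Return the engine family's default port, or None for an unknown engine."""
    engine = engine.lower()
    # Longest prefix first, so "aurora-postgresql" is not matched by "aurora".
    for prefix in sorted(DEFAULT_PORTS, key=len, reverse=True):
        if engine.startswith(prefix):
            return DEFAULT_PORTS[prefix]
    return None


def audit_clusters(describe_db_clusters: dict) -> list:
    """One finding per cluster: PASS (non-default port), FAIL (default port),
    or UNKNOWN (engine not in DEFAULT_PORTS, so no verdict is given)."""
    findings = []
    for cluster in describe_db_clusters.get("DBClusters", []):
        engine = cluster.get("Engine", "")
        port = cluster.get("Port")
        default = default_port_for(engine)
        status = "UNKNOWN" if default is None else ("FAIL" if port == default else "PASS")
        findings.append({
            "cluster": cluster["DBClusterIdentifier"],
            "engine": engine,
            "port": port,
            "default_port": default,
            "status": status,
            "security_groups": [g["VpcSecurityGroupId"]
                                for g in cluster.get("VpcSecurityGroups", [])],
        })
    return findings


def find_stale_default_port_rules(findings: list, describe_security_groups: dict) -> list:
    """For clusters that PASS, report ingress rules on their security groups
    that still admit the engine's old default port (leftover from migration)."""
    groups = {g["GroupId"]: g for g in describe_security_groups.get("SecurityGroups", [])}
    stale = []
    for f in findings:
        if f["status"] != "PASS":
            continue
        for gid in f["security_groups"]:
            for perm in groups.get(gid, {}).get("IpPermissions", []):
                proto = perm.get("IpProtocol")
                if proto == "-1":            # all traffic: FromPort/ToPort are absent
                    lo, hi = 0, 65535
                elif proto == "tcp":
                    lo, hi = perm["FromPort"], perm["ToPort"]
                else:
                    continue                 # udp/icmp rules cannot reach the listener
                if lo <= f["default_port"] <= hi:
                    stale.append({"cluster": f["cluster"], "group": gid,
                                  "port_range": (lo, hi), "default_port": f["default_port"]})
    return stale


# Constructed sample data (not real AWS resources).
APP_SG = "sg-0a9b8c7d6e5f40321"
SAMPLE_CLUSTERS = {"DBClusters": [
    {"DBClusterIdentifier": "orders-aurora-mysql", "Engine": "aurora-mysql", "Port": 3306,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}]},
    {"DBClusterIdentifier": "billing-aurora-pg", "Engine": "aurora-postgresql", "Port": 5433,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba9876543210", "Status": "active"}]},
]}
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": APP_SG}]}]},
    {"GroupId": "sg-0fedcba9876543210", "IpPermissions": [
        # 5433 rule was added for the migration; the 5432 rule was never removed.
        {"IpProtocol": "tcp", "FromPort": 5433, "ToPort": 5433,
         "UserIdGroupPairs": [{"GroupId": APP_SG}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": APP_SG}]}]},
]}

if __name__ == "__main__":
    results = audit_clusters(SAMPLE_CLUSTERS)
    for f in results:
        print(f"{f['status']:7} {f['cluster']} ({f['engine']}) port {f['port']}")
    for s in find_stale_default_port_rules(results, SAMPLE_SECURITY_GROUPS):
        print(f"STALE   {s['cluster']}: {s['group']} still allows tcp "
              f"{s['port_range'][0]}-{s['port_range'][1]} (old default {s['default_port']})")
```

The engine-to-port table deliberately keys on engine family rather than on the cluster's own port alone: a PostgreSQL cluster on 3306 is off its default and passes, which matches what the check tests for. Clusters whose engine is not in the table are reported as UNKNOWN rather than silently passed, so a new engine name shows up in the output instead of disappearing from it.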
Notes
- Downtime required: Changing the port causes a brief service interruption. The cluster will restart with the new port configuration.
- Application updates: All applications connecting to the database must be updated with the new port number before or immediately after the change.
- Security groups: Ensure security groups are updated to allow traffic on the new port. Consider removing rules for the old default port after migration.
- Load balancers: If using a proxy or load balancer in front of your database, update its configuration as well.
- Defense in depth: Changing ports is one layer of security. Always combine this with proper network segmentation, encryption, IAM authentication, and monitoring.