Ensure RDS Instances Do Not Use Default Master Username

Overview

This check verifies that your Amazon RDS database instances use a custom master username instead of common defaults like admin, postgres, or root. Using unique administrative usernames is a simple but effective security measure that reduces the risk of automated attacks.

Risk

Default usernames like admin and postgres are well-known and frequently targeted by attackers. When you use these predictable values:

  • Brute-force attacks become easier: Attackers already know half of your credentials
  • Automated scanning tools specifically look for databases using default usernames
  • Credential stuffing attacks are more likely to succeed
  • A successful compromise could lead to data exposure, unauthorized modifications, or complete service disruption

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to create and manage RDS instances
  • If migrating an existing database: familiarity with database backup and restore procedures

Important: You cannot change the master username on an existing RDS instance. You must create a new instance with a custom username and migrate your data.

AWS Console Method

  1. Open the Amazon RDS console in us-east-1
  2. Click Databases in the left navigation
  3. Click Create database
  4. Select your preferred database engine (MySQL, PostgreSQL, etc.)
  5. Under Settings, find the Master username field
  6. Enter a custom username that is:
    • Not admin, postgres, root, or administrator
    • Unique to this database
    • At least 8 characters (recommended)
  7. For the password, choose Manage master credentials in AWS Secrets Manager (recommended)
  8. Complete the remaining configuration and click Create database

If you have an existing database with a default username:

  1. Create a backup or snapshot of your existing database
  2. Create a new database instance with a custom username (steps above)
  3. Migrate your data from the old instance to the new one
  4. Update your application connection strings to point to the new database
  5. Delete the old database instance once migration is verified

AWS CLI (optional)

List instances using default usernames

aws rds describe-db-instances \
  --region us-east-1 \
  --query "DBInstances[?MasterUsername=='admin' || MasterUsername=='postgres' || MasterUsername=='root'].[DBInstanceIdentifier,MasterUsername,Engine]" \
  --output table
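The CLI query above matches the three names exactly, so an instance created with "Admin" or "ROOT" slips past it. The following script is an added example (not part of this page or of the Prowler project) that applies the page's rules in code: it validates a proposed master username before you create an instance (not a well-known default, case-insensitively, plus the syntax the CloudFormation parameter later on this page enforces), and it scans the JSON that `aws rds describe-db-instances` returns for instances whose master username is a default. The describe-db-instances sample embedded below is constructed for the example; the instance identifiers are not real, and the file name `rds_master_user_audit.py` in the usage comment is a placeholder.

```python
"""Audit RDS master usernames against the well-known defaults (added example)."""
import json
import re
import sys
from typing import Dict, List

# Defaults named on the page; compared case-insensitively.
DEFAULT_MASTER_USERNAMES = frozenset({"admin", "postgres", "root", "administrator"})

# Same syntax the page's CloudFormation parameter enforces (letter first, then
# letters, digits or underscores, 1-16 characters); 8+ characters is recommended.
USERNAME_PATTERN = re.compile(r"^[a-zA-Z][a-zA-Z0-9_]*$")
MAX_USERNAME_LENGTH = 16
RECOMMENDED_MIN_LENGTH = 8


def is_default_master_username(username: str) -> bool:
    """True if the username is one of the well-known defaults, in any letter case."""
    return username.strip().lower() in DEFAULT_MASTER_USERNAMES


def validate_master_username(username: str) -> List[str]:
    """Return the problems with a proposed master username; an empty list means it is acceptable."""
    problems: List[str] = []
    if is_default_master_username(username):
        problems.append("username is a well-known default (admin, postgres, root, administrator)")
    if not 1 <= len(username) <= MAX_USERNAME_LENGTH:
        problems.append(f"username must be 1-{MAX_USERNAME_LENGTH} characters")
    elif not USERNAME_PATTERN.match(username):
        problems.append("username must start with a letter and contain only letters, digits or underscores")
    if len(username) < RECOMMENDED_MIN_LENGTH:
        problems.append(f"username is shorter than the recommended {RECOMMENDED_MIN_LENGTH} characters")
    return problems


def find_default_master_usernames(describe_response: Dict) -> List[Dict[str, str]]:
    """Flag every instance in a describe-db-instances response whose master username is a default."""
    findings: List[Dict[str, str]] = []
    for inst in describe_response.get("DBInstances", []):
        username = inst.get("MasterUsername", "")
        if is_default_master_username(username):
            findings.append({
                "DBInstanceIdentifier": inst.get("DBInstanceIdentifier", ""),
                "MasterUsername": username,
                "Engine": inst.get("Engine", ""),
            })
    return findings


# Constructed sample in the shape of `aws rds describe-db-instances --output json`.
# The mixed-case "Postgres" shows why the comparison must be case-insensitive.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "DBInstances": [
    {"DBInstanceIdentifier": "orders-prod",  "MasterUsername": "admin",       "Engine": "mysql"},
    {"DBInstanceIdentifier": "analytics-pg", "MasterUsername": "Postgres",    "Engine": "postgres"},
    {"DBInstanceIdentifier": "billing-db",   "MasterUsername": "bill_ops_a7", "Engine": "mysql"}
  ]
}
""")

if __name__ == "__main__":
    # Live use:  aws rds describe-db-instances --region us-east-1 | python3 rds_master_user_audit.py
    # With no piped input the constructed sample above is scanned instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for finding in find_default_master_usernames(data):
        print(f"{finding['DBInstanceIdentifier']}: master user '{finding['MasterUsername']}' "
              f"is a default ({finding['Engine']})")
    for candidate in ("admin", "1abc", "bill_ops_a7"):
        print(f"validate({candidate!r}): {validate_master_username(candidate) or 'OK'}")
```

Run it against real output by piping the describe-db-instances JSON into it; the scan reports the same identifier/username/engine columns as the CLI table, and the validator can be called from a pre-deployment script to reject a default name before any instance is created.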

Create a new RDS instance with a custom username

aws rds create-db-instance \
  --region us-east-1 \
  --db-instance-identifier my-secure-database \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --allocated-storage 20 \
  --master-username <your-custom-username> \
  --manage-master-user-password \
  --storage-encrypted \
  --no-publicly-accessible

Replace <your-custom-username> with a unique username that is not admin, postgres, or root.

Create a snapshot of an existing instance (for migration)

aws rds create-db-snapshot \
  --region us-east-1 \
  --db-instance-identifier <old-instance-id> \
  --db-snapshot-identifier <snapshot-name>

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: RDS instance with custom master username

Parameters:
  MasterUsername:
    Type: String
    Description: Custom master username (avoid admin, postgres, root)
    MinLength: 1
    MaxLength: 16
    AllowedPattern: '^[a-zA-Z][a-zA-Z0-9_]*$'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters or underscores

  DBInstanceClass:
    Type: String
    Default: db.t3.micro
    Description: Database instance class

  AllocatedStorage:
    Type: Number
    Default: 20
    MinValue: 20
    MaxValue: 65536
    Description: Allocated storage in GB

Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: my-secure-db
      DBInstanceClass: !Ref DBInstanceClass
      Engine: mysql
      EngineVersion: '8.0.40'
      AllocatedStorage: !Ref AllocatedStorage
      MasterUsername: !Ref MasterUsername
      ManageMasterUserPassword: true
      StorageEncrypted: true
      PubliclyAccessible: false
      DeletionProtection: true
      Tags:
        - Key: Name
          Value: SecureRDSInstance

Outputs:
  DBEndpoint:
    Description: Database endpoint
    Value: !GetAtt RDSInstance.Endpoint.Address
  DBPort:
    Description: Database port
    Value: !GetAtt RDSInstance.Endpoint.Port

Deploy with:

aws cloudformation create-stack \
  --region us-east-1 \
  --stack-name secure-rds-instance \
  --template-body file://template.yaml \
  --parameters ParameterKey=MasterUsername,ParameterValue=<your-custom-username>

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "master_username" {
  description = "Custom master username (avoid admin, postgres, root)"
  type        = string

  validation {
    condition     = !contains(["admin", "postgres", "root", "administrator"], lower(var.master_username))
    error_message = "Master username must not be a default value like admin, postgres, or root."
  }
}

variable "db_instance_class" {
  description = "Database instance class"
  type        = string
  default     = "db.t3.micro"
}

variable "allocated_storage" {
  description = "Allocated storage in GB"
  type        = number
  default     = 20
}

resource "aws_db_instance" "secure_db" {
  identifier                  = "my-secure-db"
  engine                      = "mysql"
  engine_version              = "8.0"
  instance_class              = var.db_instance_class
  allocated_storage           = var.allocated_storage
  username                    = var.master_username
  manage_master_user_password = true
  storage_encrypted           = true
  publicly_accessible         = false
  deletion_protection         = true
  skip_final_snapshot         = false
  final_snapshot_identifier   = "my-secure-db-final-snapshot"

  tags = {
    Name = "SecureRDSInstance"
  }
}

output "db_endpoint" {
  description = "Database endpoint"
  value       = aws_db_instance.secure_db.endpoint
}

Deploy with:

terraform init
terraform apply -var="master_username=<your-custom-username>"

Verification

After creating your new database instance:

  1. Open the RDS console in us-east-1
  2. Click Databases and select your instance
  3. In the Configuration tab, verify the Master username is not admin, postgres, or root

CLI verification

aws rds describe-db-instances \
  --region us-east-1 \
  --db-instance-identifier <your-instance-id> \
  --query "DBInstances[0].MasterUsername" \
  --output text

Re-run the Prowler check to confirm remediation:

prowler aws --checks rds_instance_default_admin --region us-east-1

Additional Resources

Notes

  • You cannot rename an existing master user. The only way to change the master username is to create a new database instance and migrate your data.
  • Plan for downtime when migrating databases. Coordinate with application teams to minimize service interruption.
  • Consider using IAM database authentication for application access instead of the master user credentials.
  • Store master credentials in AWS Secrets Manager rather than hardcoding them in application configuration.
  • Use separate database users with limited privileges for applications; reserve the master user for administrative tasks only.