RDS Instance Non-Default Port
Overview
This check verifies that your Amazon RDS database instances use non-default ports. Default ports are well-known (e.g., MySQL uses 3306, PostgreSQL uses 5432), making them easy targets for automated scanning and attacks.
Risk
Using default database ports increases your exposure to:
- Automated scanning: Attackers routinely scan for databases on default ports
- Service fingerprinting: Default ports make it easier to identify what database engine you are running
- Brute-force attacks: Once identified, attackers can attempt credential guessing
- Known vulnerability exploits: Targeting specific database engines becomes easier
Changing the port is not a substitute for proper network security: a full port scan or a banner grab still identifies the engine, so this control only filters out the cheap, default-port-only scans and the credential-stuffing bots that follow them. Treat it as a noise-reduction measure on top of private subnets, security groups, strong authentication, and TLS.
Default ports by database engine:
| Engine | Default Port |
|---|---|
| MySQL / MariaDB / Aurora MySQL | 3306 |
| PostgreSQL / Aurora PostgreSQL | 5432 |
| Oracle | 1521 |
| SQL Server | 1433 |
| Db2 | 50000 |
Remediation Steps
Prerequisites
- Access to the AWS Console with permission to modify RDS instances, or AWS CLI configured with appropriate credentials
- Knowledge of which applications connect to this database (you will need to update their connection settings)
Important: Changing the database port requires a brief outage. Plan this change during a maintenance window.
AWS Console Method
- Sign in to the AWS Console and navigate to RDS
- In the left menu, click Databases
- Select the database instance you want to modify
- Click the Modify button
- Scroll down to Connectivity and find the Database port field
- Change the port to a non-default value from the range RDS accepts (1150 to 65535, minus a few values reserved per engine, which the Modify action rejects), e.g., 3307 for MySQL instead of 3306
- Scroll to the bottom and click Continue
- Under Schedule modifications, choose when to apply:
- Apply immediately for immediate change (causes brief outage)
- Apply during the next scheduled maintenance window to defer
- Click Modify DB instance
- Add a security group rule that allows the new port (do this before applying the change where possible, so clients can reconnect as soon as the instance is back up)
- Update all application connection strings to use the new port
AWS CLI Method
Modify the RDS Instance Port
aws rds modify-db-instance \
--region us-east-1 \
--db-instance-identifier <your-db-instance-id> \
--db-port-number <new-port> \
--apply-immediately
Example (changing a MySQL instance from 3306 to 3307):
aws rds modify-db-instance \
--region us-east-1 \
--db-instance-identifier my-mysql-database \
--db-port-number 3307 \
--apply-immediately
Remove --apply-immediately to schedule the change for the next maintenance window instead.
Update Security Group Rules
Clients can only reach the new port if the instance's security groups allow it. Authorize the new port before the change (or immediately after) so the outage is limited to the restart itself, and revoke the rule for the old port (aws ec2 revoke-security-group-ingress with the same arguments) only once every client has been cut over:
# Get the security group ID for your RDS instance
aws rds describe-db-instances \
--region us-east-1 \
--db-instance-identifier <your-db-instance-id> \
--query 'DBInstances[0].VpcSecurityGroups[*].VpcSecurityGroupId' \
--output text
# Add an inbound rule for the new port (replace values as needed)
aws ec2 authorize-security-group-ingress \
--region us-east-1 \
--group-id <security-group-id> \
--protocol tcp \
--port <new-port> \
--source-group <source-security-group-id>
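The CLI steps above are the pieces; the order matters (allow the new port first, change the port, confirm the endpoint actually moved, and revoke the old port only after the clients are migrated). The following script is an added example, not code from the page or from Prowler, that runs that sequence against boto3 `rds` and `ec2` clients. The `FakeRds`/`FakeEc2` classes are constructed stand-ins so the flow can be exercised offline; the instance identifier, security group IDs and `sg-app-placeholder` are made up. Aurora clusters need `modify_db_cluster(Port=...)` instead and are not handled here.

```python
"""Move an RDS instance to a non-default port in the order that keeps the
outage to the instance restart itself.

Added example, not code from the page or from Prowler. Pass in boto3 clients
(`boto3.client("rds")`, `boto3.client("ec2")`); the Fake* classes are
constructed stand-ins for an offline dry run.
"""
import time


def sg_rule(port, source_sg):
    """One TCP ingress rule for `port`, sourced from another security group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def wait_for_port(rds, instance_id, port, timeout=900, interval=15, sleep=time.sleep):
    """Poll until the endpoint reports `port` and the instance is 'available'.
    Checking the port (not only the status) avoids the race where the status
    still reads 'available' for a moment right after modify_db_instance."""
    deadline = time.monotonic() + timeout
    while True:
        db = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
        if db["DBInstanceStatus"] == "available" and db["Endpoint"]["Port"] == port:
            return db
        if time.monotonic() > deadline:
            raise TimeoutError(f"{instance_id} did not come back on port {port}")
        sleep(interval)


def rotate_port(rds, ec2, instance_id, new_port, source_sg, sleep=time.sleep):
    """Steps 1-3: allow the new port, change it, verify. Re-running is harmless."""
    db = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
    old_port = db["Endpoint"]["Port"]
    sg_ids = [g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]]
    if old_port == new_port:
        return {"changed": False, "old_port": old_port, "new_port": new_port, "sg_ids": sg_ids}
    # 1. Open the new port on every attached group BEFORE the restart.
    for sg in sg_ids:
        try:
            ec2.authorize_security_group_ingress(GroupId=sg, IpPermissions=[sg_rule(new_port, source_sg)])
        except Exception as exc:  # an identical rule already present is not an error
            if "InvalidPermission.Duplicate" not in str(exc):
                raise
    # 2. Change the port; ApplyImmediately restarts the instance now (brief outage).
    rds.modify_db_instance(DBInstanceIdentifier=instance_id, DBPortNumber=new_port, ApplyImmediately=True)
    # 3. Verify from the API rather than assuming the modify took effect.
    wait_for_port(rds, instance_id, new_port, sleep=sleep)
    return {"changed": True, "old_port": old_port, "new_port": new_port, "sg_ids": sg_ids}


def revoke_old_port(ec2, sg_ids, old_port, source_sg):
    """Step 4, run separately once every client is on the new port."""
    for sg in sg_ids:
        ec2.revoke_security_group_ingress(GroupId=sg, IpPermissions=[sg_rule(old_port, source_sg)])
    return len(sg_ids)


class FakeRds:
    """Constructed stand-in: one MySQL instance on 3306 with a single SG attached."""
    def __init__(self, instance_id="my-mysql-database", port=3306, sg="sg-0123456789abcdef0"):
        self.db = {"DBInstanceIdentifier": instance_id, "Engine": "mysql", "DBInstanceStatus": "available",
                   "Endpoint": {"Address": f"{instance_id}.example.invalid", "Port": port},
                   "VpcSecurityGroups": [{"VpcSecurityGroupId": sg, "Status": "active"}]}
        self.modify_calls = []

    def describe_db_instances(self, DBInstanceIdentifier):
        assert DBInstanceIdentifier == self.db["DBInstanceIdentifier"]
        return {"DBInstances": [dict(self.db)]}

    def modify_db_instance(self, DBInstanceIdentifier, DBPortNumber, ApplyImmediately):
        self.modify_calls.append((DBInstanceIdentifier, DBPortNumber, ApplyImmediately))
        self.db["Endpoint"]["Port"] = DBPortNumber  # real RDS takes minutes to do this
        return {}


class FakeEc2:
    """Constructed stand-in that records security-group changes instead of making them."""
    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("authorize", GroupId, IpPermissions[0]["FromPort"]))
        return {"Return": True}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("revoke", GroupId, IpPermissions[0]["FromPort"]))
        return {"Return": True}


if __name__ == "__main__":
    rds, ec2 = FakeRds(), FakeEc2()  # swap for boto3.client("rds"), boto3.client("ec2")
    result = rotate_port(rds, ec2, "my-mysql-database", 3307, "sg-app-placeholder")
    print(result)
    # Only after the application fleet has been cut over:
    print(revoke_old_port(ec2, result["sg_ids"], result["old_port"], "sg-app-placeholder"), "rule(s) revoked")
```

With real clients the caller needs rds:DescribeDBInstances, rds:ModifyDBInstance and ec2:AuthorizeSecurityGroupIngress / ec2:RevokeSecurityGroupIngress; keeping the revoke as a separate call is deliberate, since revoking too early is what turns a brief restart into an application outage.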
CloudFormation
Use the Port property when defining your RDS instance:
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS instance with non-default port
Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: The database instance identifier
  DBPort:
    Type: Number
    Default: 3307
    Description: The port for the database (use a non-default value)
Resources:
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      Engine: mysql
      EngineVersion: '8.0.35'
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      MasterUsername: admin
      ManageMasterUserPassword: true
      Port: !Ref DBPort
      PubliclyAccessible: false
      StorageEncrypted: true
Outputs:
  DBEndpoint:
    Description: The connection endpoint for the database
    Value: !GetAtt DBInstance.Endpoint.Address
  DBPort:
    Description: The port the database is listening on
    Value: !GetAtt DBInstance.Endpoint.Port
Key property:
Port: Set to a non-default value for your database engine
Terraform
Use the port argument in your aws_db_instance resource:
resource "aws_db_instance" "example" {
  identifier                  = "my-database"
  engine                      = "mysql"
  engine_version              = "8.0"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "admin"
  manage_master_user_password = true

  # Use a non-default port (MySQL default is 3306)
  port = 3307

  # Attach the group that the ingress rule below targets; aws_security_group.rds
  # and aws_security_group.app are assumed to be defined elsewhere in the module
  vpc_security_group_ids = [aws_security_group.rds.id]

  publicly_accessible = false
  storage_encrypted   = true
  skip_final_snapshot = true
}

# Ensure the security group allows the new port; referencing the instance's
# port keeps the rule in sync if the port is changed later
resource "aws_security_group_rule" "rds_ingress" {
  type                     = "ingress"
  from_port                = aws_db_instance.example.port
  to_port                  = aws_db_instance.example.port
  protocol                 = "tcp"
  security_group_id        = aws_security_group.rds.id
  source_security_group_id = aws_security_group.app.id
}
Key argument:
port: Set to a non-default value for your database engine
Verification
After making changes, verify the new port is in use:
- In the AWS Console, go to RDS > Databases
- Select your database instance
- Under the Connectivity & security tab, confirm the Port shows your new value
CLI Verification
aws rds describe-db-instances \
--region us-east-1 \
--db-instance-identifier <your-db-instance-id> \
--query 'DBInstances[0].Endpoint.Port' \
--output text
The output should show your new port number.
To list all RDS instances and their ports:
aws rds describe-db-instances \
--region us-east-1 \
--query 'DBInstances[*].[DBInstanceIdentifier,Endpoint.Port,Engine]' \
--output table
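The listing above shows identifiers and ports but leaves the comparison to the reader. The following script is an added example (not Prowler's own check code) that applies the default-port table from the Risk section to `describe-db-instances` JSON and reports PASS/FAIL per instance, skipping engines it does not know and instances that have no endpoint yet. `SAMPLE` is constructed output; its identifiers and hostnames are made up.

```python
"""Evaluate `aws rds describe-db-instances --output json` for instances still
on their engine's default port: the decision this check makes, run offline.

Added example, not Prowler's own check code. SAMPLE is constructed output.
"""
import json
import sys

# Engine family -> default port, as in the table above. RDS engine strings
# carry an edition suffix (oracle-se2-cdb, sqlserver-ex, db2-ae), so the
# lookup falls back to matching on the family prefix.
DEFAULT_PORTS = {
    "mysql": 3306, "mariadb": 3306, "aurora-mysql": 3306,
    "postgres": 5432, "aurora-postgresql": 5432,
    "oracle": 1521, "sqlserver": 1433, "db2": 50000,
}


def default_port_for(engine):
    """Default port for an RDS engine string, or None if the engine is unknown."""
    engine = (engine or "").lower()
    if engine in DEFAULT_PORTS:
        return DEFAULT_PORTS[engine]
    for family, port in DEFAULT_PORTS.items():
        if engine.startswith(family + "-"):
            return port
    return None  # unknown engine: do not guess


def evaluate(describe_output):
    """One result per instance with Status PASS, FAIL, or SKIP (unknown engine / no endpoint)."""
    results = []
    for db in describe_output.get("DBInstances", []):
        engine = db.get("Engine", "")
        port = (db.get("Endpoint") or {}).get("Port")
        expected = default_port_for(engine)
        if expected is None or port is None:
            status = "SKIP"
        elif port == expected:
            status = "FAIL"
        else:
            status = "PASS"
        results.append({
            "DBInstanceIdentifier": db.get("DBInstanceIdentifier"),
            "Engine": engine, "Port": port, "DefaultPort": expected,
            "PubliclyAccessible": bool(db.get("PubliclyAccessible", False)),
            "Status": status,
        })
    return results


def failing(describe_output):
    """Identifiers on their default port, publicly accessible ones first."""
    fails = [r for r in evaluate(describe_output) if r["Status"] == "FAIL"]
    fails.sort(key=lambda r: (not r["PubliclyAccessible"], r["DBInstanceIdentifier"]))
    return [r["DBInstanceIdentifier"] for r in fails]


# Constructed sample in the shape of `aws rds describe-db-instances --output json`.
SAMPLE = {"DBInstances": [
    {"DBInstanceIdentifier": "my-mysql-database", "Engine": "mysql",
     "Endpoint": {"Address": "my-mysql-database.example.invalid", "Port": 3306},
     "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "billing-pg", "Engine": "postgres",
     "Endpoint": {"Address": "billing-pg.example.invalid", "Port": 5433},
     "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "legacy-mssql", "Engine": "sqlserver-ex",
     "Endpoint": {"Address": "legacy-mssql.example.invalid", "Port": 1433},
     "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "erp-oracle", "Engine": "oracle-se2-cdb",
     "Endpoint": {"Address": "erp-oracle.example.invalid", "Port": 1522},
     "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "new-instance", "Engine": "mariadb"},  # still creating: no Endpoint yet
]}


if __name__ == "__main__":
    # aws rds describe-db-instances --output json | python3 check_rds_port.py --stdin
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE
    for r in evaluate(data):
        print(f'{r["Status"]:4} {r["DBInstanceIdentifier"]:<24} {r["Engine"]:<18} '
              f'port={r["Port"]} default={r["DefaultPort"]} public={r["PubliclyAccessible"]}')
```

Run it per region (the CLI output is regional) and act on the publicly accessible failures first; an instance that is both reachable from the internet and on its default port is the one the automated scans described under Risk will find.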
Additional Resources
- AWS RDS User Guide - Modifying a DB Instance
- AWS Security Best Practices for RDS
- Prowler Check Documentation
Notes
- Application updates required: After changing the port, update all applications, scripts, and connection strings that connect to this database.
- Brief outage expected: Port changes cause a brief database restart. Plan accordingly.
- Security groups: Remember to update security group rules to allow the new port and optionally remove rules for the old default port.
- Not a replacement for proper security: Changing ports adds obscurity but does not replace network isolation, strong authentication, and encryption. Always keep databases in private subnets and use security groups to restrict access.
- Aurora clusters: For Aurora the port is a cluster-level setting. Change it with aws rds modify-db-cluster --port (or the Port property of AWS::RDS::DBCluster, or port on aws_rds_cluster in Terraform) rather than on the individual instances; the instances inherit the cluster port.