> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# RDS Database Instances Should Not Use Default Ports

### More Info:

Port obfuscation is as an additional layer of defense against non-targeted attacks. In order to leverage this, your Amazon RDS databases instances should not use their default ports (MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432)

### Risk Level

Low

### Address

Security

### Compliance Standards

PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration of RDS Database Instances using default ports in AWS, follow these step-by-step instructions using the AWS Management Console:

        1. **Sign in to the AWS Management Console**: Go to [https://aws.amazon.com/](https://aws.amazon.com/) and sign in to the AWS Management Console.

        2. **Navigate to RDS Service**: Click on the "Services" dropdown menu at the top left corner of the console, then select "RDS" under the Database category.

        3. **Select the RDS Instance**: From the list of RDS instances, select the instance that is currently using default ports.

        4. **Modify the RDS Instance**: Click on the instance name to open the details page. Then, click on the "Modify" button at the top of the page.

        5. **Update the Port Configuration**: In the "Network & Security" section, locate the "Public accessibility" setting. If the RDS instance is publicly accessible, you will see an option to specify the "Publicly accessible" setting and the "Port" number.

        6. **Change the Port Number**: Update the "Port" number to a non-default port number of your choice. Ensure that the new port number is not commonly used or reserved for other services.

        7. **Save the Changes**: Scroll down to the bottom of the page and click on the "Continue" button. Review the summary of changes, and then click on the "Modify DB Instance" button to apply the changes.

        8. **Verify the Configuration**: Once the modification is complete, verify that the RDS instance is now using the updated port number. You can also test the connectivity to the RDS instance using the new port number to ensure that it is working correctly.

        By following these steps, you have successfully remediated the misconfiguration of RDS Database Instances using default ports in AWS.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration of RDS database instances using default ports in AWS, you can follow these steps using AWS CLI:

        1. Identify the RDS instances that are using default ports:

           Run the following AWS CLI command to list all your RDS instances and their associated configurations:

           ```
           aws rds describe-db-instances
           ```

           Look for instances that are using default ports (3306 for MySQL, 5432 for PostgreSQL, 1433 for SQL Server, etc.).

        2. Modify the RDS instance to use a non-default port:

           Run the following AWS CLI command to modify the RDS instance to use a non-default port (replace `your-db-instance-identifier` and `new-port-number` with your actual values):

           ```
           aws rds modify-db-instance --db-instance-identifier your-db-instance-identifier --port new-port-number
           ```

        3. Update the security group settings:

           If you have security groups attached to your RDS instance, you will need to update the inbound rules to allow traffic on the new port. Run the following AWS CLI command to update the inbound rules of the security group (replace `your-security-group-id` and `new-port-number` with your actual values):

           ```
           aws ec2 authorize-security-group-ingress --group-id your-security-group-id --protocol tcp --port new-port-number --cidr 0.0.0.0/0
           ```

        4. Verify the changes:

           Run the following AWS CLI command to describe the modified RDS instance and ensure that the port has been updated successfully:

           ```
           aws rds describe-db-instances --db-instance-identifier your-db-instance-identifier
           ```

        By following these steps, you can remediate the misconfiguration of RDS database instances using default ports in AWS and enhance the security of your RDS instances.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of RDS Database Instances using default ports in AWS, you can use the AWS SDK for Python (Boto3) to modify the security group associated with the RDS instance to restrict access to a specific port. Here are the step-by-step instructions to remediate this issue:

        1. Install the Boto3 library:

        ```bash theme={null}
        pip install boto3
        ```

        2. Configure your AWS credentials by either setting environment variables or using the AWS CLI `aws configure` command.

        3. Use the following Python script to modify the security group associated with the RDS instance to restrict access to a specific port (e.g., 3306):

        ```python theme={null}
        import boto3

        # Initialize the RDS client
        rds_client = boto3.client('rds')

        # Specify the RDS instance identifier and the desired port
        db_instance_identifier = 'YOUR_DB_INSTANCE_IDENTIFIER'
        desired_port = 3306

        # Get the current security group of the RDS instance
        response = rds_client.describe_db_instances(DBInstanceIdentifier=db_instance_identifier)
        security_group_id = response['DBInstances'][0]['VpcSecurityGroups'][0]['VpcSecurityGroupId']

        # Authorize inbound traffic on the desired port for the security group
        ec2_client = boto3.client('ec2')
        response = ec2_client.authorize_security_group_ingress(
            GroupId=security_group_id,
            IpPermissions=[
                {
                    'FromPort': desired_port,
                    'ToPort': desired_port,
                    'IpProtocol': 'tcp',
                    'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
                }
            ]
        )

        print('Security group updated to allow inbound traffic on port', desired_port)
        ```

        4. Replace `YOUR_DB_INSTANCE_IDENTIFIER` with the identifier of your RDS instance.

        5. Run the Python script. It will modify the security group associated with the RDS instance to allow inbound traffic only on the specified port (3306 in this case).

        By following these steps, you can remediate the misconfiguration of RDS Database Instances using default ports in AWS.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP\_BestPractices.html](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_BestPractices.html)
