RDS Using Default Port
- Query id: bca7cc4d-b3a4-4345-9461-eb69c68fcd26
- Query name: RDS Using Default Port
- Platform: Terraform
- Severity: Low
- Category: Networking and Firewall
- URL: Github
Description¶
RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_db_instance" "positive1" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = aws_elasticache_parameter_group.default.id
skip_final_snapshot = true
port = 3306
}
Positive test num. 2 - tf file
resource "aws_db_instance" "positive2" {
allocated_storage = 10
engine = "postgres"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
skip_final_snapshot = true
port = 5432
}
Positive test num. 3 - tf file
resource "aws_db_instance" "positive3" {
allocated_storage = 10
engine = "oracle-ee"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
skip_final_snapshot = true
port = 1521
}
Positive test num. 4 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_db_instance" "negative1" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = aws_elasticache_parameter_group.default.id
skip_final_snapshot = true
port = 3307
}
Negative test num. 2 - tf file
resource "aws_db_instance" "negative2" {
allocated_storage = 10
engine = "postgres"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
skip_final_snapshot = true
port = 5433
}