RDS Using Default Port

  • Query id: 2cb674f6-32f9-40be-97f2-62c0dc38f0d5
  • Query name: RDS Using Default Port
  • Platform: Ansible
  • Severity: Low
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group
  community.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 3306
Positive test num. 2 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group2
  community.aws.rds_instance:
    engine: postgres
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 5432
Positive test num. 3 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group2
  community.aws.rds_instance:
    engine: oracle-ee
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 1521

Positive test num. 4 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group2
  community.aws.rds_instance:
    engine: sqlserver-ee
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 1433

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group
  community.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 3307
Negative test num. 2 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group2
  community.aws.rds_instance:
    engine: postgres
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 5433
Negative test num. 3 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group2
  community.aws.rds_instance:
    engine: oracle-ee
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 1522

Negative test num. 4 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group2
  community.aws.rds_instance:
    engine: sqlserver-ee
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 7
    port: 1434