RDS Using Default Port
- Query id: 1fe9d958-ddce-4228-a124-05265a959a8b
- Query name: RDS Using Default Port
- Platform: CloudFormation
- Severity: Low
- Category: Networking and Firewall
- CWE: Ongoing
Description
RDS should not use the default port for its engine, because an attacker can easily guess the port. For engines related to Aurora, MariaDB or MySQL, the default port is 3306. The PostgreSQL default port is 5432, the Oracle default port is 1521 and the SQL Server default port is 1433.
Code samples
Code samples with security vulnerabilities
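The check described above, as an added example that is not KICS's own query implementation: it walks a parsed CloudFormation template, maps each AWS::RDS::DBInstance engine to its default port, and reports instances whose Port is that default. It assumes the template has already been parsed into a dict (JSON is loaded inline; a YAML template would be parsed with a YAML library first) and, going slightly beyond the description, maps aurora-postgresql to 5432 rather than 3306.

```python
import json

# Engine-name prefix -> default port, following the description above.
# "aurora-postgresql" is listed before the generic "aurora" prefix because it
# listens on 5432 (assumption added here; the page lumps Aurora under 3306).
DEFAULT_PORTS = [
    ("aurora-postgresql", 5432), ("aurora", 3306), ("mariadb", 3306),
    ("mysql", 3306), ("postgres", 5432), ("oracle", 1521), ("sqlserver", 1433),
]


def default_port_for(engine):
    """Default port for an RDS engine name, or None if the engine is unknown."""
    engine = (engine or "").lower()
    return next((p for prefix, p in DEFAULT_PORTS if engine.startswith(prefix)), None)


def find_default_port_instances(template):
    """Return [(logical_id, engine, port)] for DB instances on their default port.

    Port is a CloudFormation String, so "1521" and 1521 are both accepted.
    A missing Port means RDS picks the engine default, so it is flagged too.
    A Port given as an intrinsic function ({"Ref": ...}) cannot be resolved
    statically and is skipped rather than guessed.
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = res.get("Properties", {})
        expected = default_port_for(props.get("Engine"))
        port = props.get("Port")
        if expected is None or isinstance(port, dict):
            continue
        try:
            on_default = port is None or int(port) == expected
        except (TypeError, ValueError):
            on_default = False   # unparsable port value: do not guess
        if on_default:
            findings.append((logical_id, props["Engine"], expected))
    return findings


# Constructed sample in the shape of the page's JSON tests, trimmed to the
# properties the check reads; a real template file is json.load()ed the same way.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "OracleDefault": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "oracle-ee", "Port": 1521}},
  "MysqlMoved": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mysql", "Port": "3307"}},
  "PgImplicit": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres"}},
  "PortFromParam": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mariadb", "Port": {"Ref": "DbPort"}}},
  "NotADb": {"Type": "AWS::S3::Bucket", "Properties": {}}}}""")
```

Running find_default_port_instances(SAMPLE_TEMPLATE) reports OracleDefault and PgImplicit; MysqlMoved passes because 3307 is not the MySQL default, and PortFromParam is skipped because its port is only known at deploy time.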
Positive test num. 1 - yaml file
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        - Ref: MyDbSecurityByEC2SecurityGroup
        - Ref: MyDbSecurityByCIDRIPGroup
      AllocatedStorage: '5'
      DBInstanceClass: db.t2.small
      Engine: oracle-ee
      LicenseModel: bring-your-own-license
      MasterUsername: master
      MasterUserPassword: SecretPassword01
      BackupRetentionPeriod: 7
      Port: 1521
    DeletionPolicy: Snapshot
Positive test num. 2 - json file
{
  "Resources": {
    "MyDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "BackupRetentionPeriod": 7,
        "DBSecurityGroups": [
          {
            "Ref": "MyDbSecurityByEC2SecurityGroup"
          },
          {
            "Ref": "MyDbSecurityByCIDRIPGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t2.small",
        "Engine": "oracle-ee",
        "LicenseModel": "bring-your-own-license",
        "MasterUsername": "master",
        "MasterUserPassword": "SecretPassword01",
        "Port": 1521
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}
Positive test num. 3 - yaml file
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        - Ref: MyDbSecurityByEC2SecurityGroup
        - Ref: MyDbSecurityByCIDRIPGroup
      AllocatedStorage: '5'
      DBInstanceClass: db.t2.small
      Engine: mysql
      LicenseModel: bring-your-own-license
      MasterUsername: master
      MasterUserPassword: SecretPassword01
      BackupRetentionPeriod: 7
      Port: 3306
    DeletionPolicy: Snapshot
Positive test num. 4 - json file
{
  "Resources": {
    "MyDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "BackupRetentionPeriod": 7,
        "DBSecurityGroups": [
          {
            "Ref": "MyDbSecurityByEC2SecurityGroup"
          },
          {
            "Ref": "MyDbSecurityByCIDRIPGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t2.small",
        "Engine": "mysql",
        "LicenseModel": "bring-your-own-license",
        "MasterUsername": "master",
        "MasterUserPassword": "SecretPassword01",
        "Port": 3306
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        - Ref: MyDbSecurityByEC2SecurityGroup
        - Ref: MyDbSecurityByCIDRIPGroup
      AllocatedStorage: '5'
      DBInstanceClass: db.t2.small
      Engine: oracle-ee
      LicenseModel: bring-your-own-license
      MasterUsername: master
      MasterUserPassword: SecretPassword01
      BackupRetentionPeriod: 7
      Port: 1522
    DeletionPolicy: Snapshot
Negative test num. 2 - json file
{
  "Resources": {
    "MyDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "BackupRetentionPeriod": 7,
        "DBSecurityGroups": [
          {
            "Ref": "MyDbSecurityByEC2SecurityGroup"
          },
          {
            "Ref": "MyDbSecurityByCIDRIPGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t2.small",
        "Engine": "oracle-ee",
        "LicenseModel": "bring-your-own-license",
        "MasterUsername": "master",
        "MasterUserPassword": "SecretPassword01",
        "Port": 1522
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}
Negative test num. 3 - yaml file
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        - Ref: MyDbSecurityByEC2SecurityGroup
        - Ref: MyDbSecurityByCIDRIPGroup
      AllocatedStorage: '5'
      DBInstanceClass: db.t2.small
      Engine: mysql
      LicenseModel: bring-your-own-license
      MasterUsername: master
      MasterUserPassword: SecretPassword01
      BackupRetentionPeriod: 7
      Port: 3307
    DeletionPolicy: Snapshot
Negative test num. 4 - json file
{
  "Resources": {
    "MyDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "BackupRetentionPeriod": 7,
        "DBSecurityGroups": [
          {
            "Ref": "MyDbSecurityByEC2SecurityGroup"
          },
          {
            "Ref": "MyDbSecurityByCIDRIPGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t2.small",
        "Engine": "mysql",
        "LicenseModel": "bring-your-own-license",
        "MasterUsername": "master",
        "MasterUserPassword": "SecretPassword01",
        "Port": 3307
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}