RDS Using Default Port

Query id: bca7cc4d-b3a4-4345-9461-eb69c68fcd26
Query name: RDS Using Default Port
Platform: Terraform
Severity: Low
Category: Networking and Firewall
URL: Github

Description¶

RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - tf file

  allocated_storage   engine   engine_version   instance_class   name   username   password   parameter_group_name  skip_final_snapshot   port }

Positive test num. 2 - tf file

  allocated_storage   engine   engine_version   instance_class   name   username   password   skip_final_snapshot   port }

Positive test num. 3 - tf file

  allocated_storage   engine   engine_version   instance_class   name   username   password   skip_final_snapshot   port }

href="#__codelineno-0-1">resource "aws_db_instance" "positive1" { = 10 = "mysql" = "5.7" = "db.t3.micro" = "mydb" = "foo" = "foobarbaz" class="w"> = aws_elasticache_parameter_group.default.id = true = 3306 href="#__codelineno-1-1">resource "aws_db_instance" "positive2" { = 10 = "postgres" = "5.7" = "db.t3.micro" = "mydb" = "foo" = "foobarbaz" = true = 5432 href="#__codelineno-2-1">resource "aws_db_instance" "positive3" { = 10 = "oracle-ee" = "5.7" = "db.t3.micro" = "mydb" = "foo" = "foobarbaz" = true = 1521

Positive test num. 4 - tf file

resource "aws_db_instance" "positive4" {
  allocated_storage    = 10
  engine               = "sqlserver-ee"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  skip_final_snapshot  = true
  port                 = 1433
}

Code samples without security vulnerabilities¶

Negative test num. 1 - tf file

resource "aws_db_instance" "negative1" {
  allocated_storage    = 10
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = aws_elasticache_parameter_group.default.id
  skip_final_snapshot  = true
  port                 = 3307
}

Negative test num. 2 - tf file

resource "aws_db_instance" "negative2" {
  allocated_storage    = 10
  engine               = "postgres"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  skip_final_snapshot  = true
  port                 = 5433
}

Negative test num. 3 - tf file

resource "aws_db_instance" "negative3" {
  allocated_storage    = 10
  engine               = "oracle-ee"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  skip_final_snapshot  = true
  port                 = 1522
}

Negative test num. 4 - tf file

resource "aws_db_instance" "negative4" {
  allocated_storage    = 10
  engine               = "sqlserver-ee"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  skip_final_snapshot  = true
  port                 = 1434
}