This check identifies EC2 instances whose attached security groups allow inbound TCP 3306 (MySQL) from any address (0.0.0.0/0 or ::/0). Each finding includes whether the instance has a public IP and sits in a public subnet, which determines whether the open rule is actually reachable from the Internet rather than only from within the VPC.
Risk
Publicly reachable MySQL enables Internet scanning, brute force, and credential stuffing, leading to unauthorized queries and data dumps (confidentiality). Attackers can alter or delete data (integrity), overload the service with query floods (availability), and pivot from the DB host into adjacent workloads.
prowler aws --checks ec2_instance_port_mysql_exposed_to_internet
prowler aws --checks ec2_instance_port_mysql_exposed_to_internet --fixer
Recommendation
Restrict TCP 3306 to trusted sources per least privilege:
- Allow DB access only from specific application subnets or security groups
- Place database hosts in private subnets without public IPs
- Apply defense in depth with VPN/peering for admin access, TLS for connections, and host firewalls; optionally reinforce with NACLs
Remediation
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 3306 --cidr 0.0.0.0/0
The command above removes only the IPv4 rule. An IPv6 rule (::/0) has to be revoked in a separate call using the --ip-permissions form with an Ipv6Ranges entry, and a rule that opens a port range containing 3306 (for example 3000-3400) must be revoked with the exact range and protocol it was created with, since EC2 does not carve a single port out of an existing rule.
- In the AWS Console, go to EC2 > Security Groups
- Select the security group attached to the affected instance
- Click Inbound rules > Edit inbound rules
- Find the rule allowing TCP 3306 from 0.0.0.0/0 or ::/0 and delete it
- (If access is required) Add a rule for TCP 3306 from a specific private CIDR or trusted IP range only
- Save rules
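The check and the remediation above, written out as an added Python example (this is not Prowler's own check or fixer source). It walks security-group descriptions shaped like the EC2 DescribeSecurityGroups response, flags every rule that exposes TCP 3306 to 0.0.0.0/0 or ::/0, and builds the exact IpPermissions payload a revoke call needs for that rule. It goes beyond the single CLI command: it handles port ranges that merely contain 3306, the all-traffic "-1" protocol rule, IPv6, and rules that mix a world-open source with trusted CIDRs (only the open source is revoked, so the trusted ones survive). The security-group IDs, CIDRs and the sample input are constructed for illustration; no AWS calls are made.

```python
"""Find security-group rules exposing MySQL (TCP 3306) to the Internet and
build the payloads needed to revoke them and to re-authorize access from an
application security group instead.

Added example, not Prowler's source. Input mimics the shape of the EC2
DescribeSecurityGroups response; every ID and CIDR below is constructed.
"""

MYSQL_PORT = 3306
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"


def rule_covers_port(perm, port):
    """True if one IpPermissions entry allows `port` over TCP.

    IpProtocol "-1" means all protocols and all ports and carries no
    FromPort/ToPort. UDP on 3306 is not MySQL and is ignored.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def open_sources(perm):
    """Return the world-open sources (0.0.0.0/0 and/or ::/0) on one rule."""
    found = []
    if any(r.get("CidrIp") == OPEN_V4 for r in perm.get("IpRanges", [])):
        found.append(OPEN_V4)
    if any(r.get("CidrIpv6") == OPEN_V6 for r in perm.get("Ipv6Ranges", [])):
        found.append(OPEN_V6)
    return found


def find_exposed_mysql_rules(security_groups):
    """Return (group_id, revoke_permission) for every rule opening 3306 to the world.

    revoke_permission is one element for the IpPermissions argument of
    revoke_security_group_ingress. It repeats the rule's protocol and port
    range exactly (EC2 requires a match with the rule as created) but names
    only the world-open sources, so trusted CIDRs on the same rule are kept.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, MYSQL_PORT):
                continue
            sources = open_sources(perm)
            if not sources:
                continue
            revoke = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":
                revoke["FromPort"] = perm["FromPort"]
                revoke["ToPort"] = perm["ToPort"]
            if OPEN_V4 in sources:
                revoke["IpRanges"] = [{"CidrIp": OPEN_V4}]
            if OPEN_V6 in sources:
                revoke["Ipv6Ranges"] = [{"CidrIpv6": OPEN_V6}]
            findings.append((sg["GroupId"], revoke))
    return findings


def restricted_mysql_rule(app_security_group_id):
    """Replacement rule: TCP 3306 only from a referenced application SG."""
    return {
        "IpProtocol": "tcp",
        "FromPort": MYSQL_PORT,
        "ToPort": MYSQL_PORT,
        "UserIdGroupPairs": [{"GroupId": app_security_group_id}],
    }


# Constructed sample input (IDs are hypothetical).
SAMPLE_SECURITY_GROUPS = [
    {   # open on both address families, plus a trusted CIDR that must survive
        "GroupId": "sg-0aaa111",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.1.0/24"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # wide port range that happens to include 3306
        "GroupId": "sg-0bbb222",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # all traffic from anywhere: "-1" rule has no FromPort/ToPort
        "GroupId": "sg-0ccc333",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": []},
        ],
    },
    {   # correctly scoped to an application SG: not a finding
        "GroupId": "sg-0ddd444",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0app000"}]},
        ],
    },
]

if __name__ == "__main__":
    for group_id, revoke in find_exposed_mysql_rules(SAMPLE_SECURITY_GROUPS):
        # With boto3 the fix would be:
        # ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[revoke])
        # ec2.authorize_security_group_ingress(GroupId=group_id,
        #     IpPermissions=[restricted_mysql_rule("sg-0app000")])
        print(group_id, revoke)
```

Note that for the 3000-3400 rule the revoke payload removes the whole range from 0.0.0.0/0, not just port 3306; that is how EC2 rules work and it is the intended outcome, since the other ports in that range were never meant to be public either.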
Resource Type
AwsEc2Instance