RDS instance does not use the default master username (admin or postgres)
rds_instance_default_admin
RDS DB instances are evaluated for use of a custom administrator username. The finding identifies instances or clusters where the admin user matches common defaults like admin or postgres (checked at the instance or cluster level).
Risk
Using a predictable admin name enables password spraying, credential stuffing, and username enumeration. A successful login can expose data (confidentiality), allow tampering (integrity), and disrupt service (availability). Defaults also attract automated scans targeting known usernames.
prowler aws --checks rds_instance_default_admin
Recommendation
Adopt a unique, non-default admin username for each database and avoid enabling default accounts.
- Enforce least privilege with separate admin and app users
- Use strong, rotated secrets in a manager and prefer IAM DB authentication
- Restrict network exposure and audit authentication activity
Remediation
- In the AWS Console, go to RDS > Databases and click Create database
- Choose your engine and select Standard create
- In Settings, set Master username to a value that is not "admin" or "postgres"
- Complete creation and note the new endpoint
- Migrate data from the old instance to the new one (e.g., dump/restore or replication)
- Update applications to use the new endpoint, then delete the old instance
- If the instance is part of an Aurora cluster, create a new cluster with a non-default master username and migrate to it
Source Code
Resource Type
AwsRdsDbInstance