RDS DB instances are evaluated for use of a port that differs from the engine's default. An instance whose listener port matches the engine's default (3306 for MySQL, MariaDB and Aurora MySQL; 5432 for PostgreSQL and Aurora PostgreSQL; 1521 for Oracle; 1433 for SQL Server; 50000 for Db2) is flagged as using the default listener.
Risk
Using a default DB port increases exposure to broad scans and makes service fingerprinting easier. If network controls are weak, attackers can brute-force credentials, target known engine exploits, or launch denial-of-service attacks against the predictable port, threatening confidentiality and availability.
prowler aws --checks rds_instance_non_default_port
Recommendation
Use a non-default DB port and enforce defense in depth:
- Apply least-privilege network rules
- Keep databases in private subnets; avoid public exposure
- Require strong authentication and audit logging
Update client connection strings and security rules when the port changes.
Remediation
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --db-port-number <non-default-port> --apply-immediately
Note that the DB instance restarts when its port number is changed, regardless of whether --apply-immediately is set, so plan the change in a maintenance window.
- In the AWS Console, go to Amazon RDS > Databases
- Select the DB instance and click Modify
- Set "Database port" to a non-default value for the engine (e.g., not 3306, 5432, 1521, 1433, or 50000)
- Click Continue, then Modify DB instance
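The following Python script is an added example for this page; it is not Prowler's own implementation of the check. It reproduces the evaluation described above (compare each instance's listener port with its engine family's default) over DescribeDBInstances-shaped records, and for every failing instance it builds the remediation command from the section above. The sample instances, their identifiers and ports are constructed for the example; `load_from_aws` is the only part that needs boto3 and credentials, and it is kept out of the module-level imports so the rest runs offline.

```python
"""Offline replica of the rds_instance_non_default_port evaluation (example code, not Prowler's)."""
from typing import Dict, Iterable, List, Optional

# Default listener port by engine family, taken from the check description.
# RDS engine identifiers are matched by prefix so that variants such as
# "oracle-se2-cdb" or "sqlserver-ex" map to their family. Order matters:
# "aurora-postgresql" must be tested before the generic "aurora" prefix.
ENGINE_DEFAULTS = (
    ("aurora-postgresql", 5432),
    ("postgres", 5432),
    ("aurora", 3306),      # aurora-mysql and the legacy "aurora" engine name
    ("mysql", 3306),
    ("mariadb", 3306),
    ("oracle", 1521),
    ("sqlserver", 1433),
    ("db2", 50000),
)

# Constructed sample in the shape of DescribeDBInstances output (not real resources).
SAMPLE_INSTANCES: List[Dict] = [
    {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
     "Endpoint": {"Address": "example.invalid", "Port": 3306}},
    {"DBInstanceIdentifier": "billing-pg", "Engine": "postgres",
     "Endpoint": {"Address": "example.invalid", "Port": 5433}},
    {"DBInstanceIdentifier": "reports-mssql", "Engine": "sqlserver-ex",
     "Endpoint": {"Address": "example.invalid", "Port": 1433}},
    {"DBInstanceIdentifier": "erp-oracle", "Engine": "oracle-se2-cdb",
     "Endpoint": {"Address": "example.invalid", "Port": 1522}},
]


def default_port_for(engine: str) -> Optional[int]:
    """Return the default listener port for an RDS engine, or None if the family is unknown."""
    engine = engine.lower()
    for prefix, port in ENGINE_DEFAULTS:
        if engine.startswith(prefix):
            return port
    return None


def remediation_command(instance_id: str) -> str:
    """Build the CLI command from the Remediation section; the new port is left as a placeholder."""
    return (
        f"aws rds modify-db-instance --db-instance-identifier {instance_id} "
        "--db-port-number <non-default-port> --apply-immediately"
    )


def evaluate_instances(instances: Iterable[Dict]) -> List[Dict]:
    """Return one finding per instance: FAIL when the port equals the engine default, PASS otherwise.

    Instances with an unknown engine family or no endpoint yet (still creating) are
    reported as SKIP rather than guessed at.
    """
    findings = []
    for db in instances:
        ident = db["DBInstanceIdentifier"]
        engine = db["Engine"]
        port = db.get("Endpoint", {}).get("Port")
        default = default_port_for(engine)
        if port is None or default is None:
            status = "SKIP"
        elif port == default:
            status = "FAIL"
        else:
            status = "PASS"
        finding = {"id": ident, "engine": engine, "port": port, "default": default, "status": status}
        if status == "FAIL":
            finding["remediation"] = remediation_command(ident)
        findings.append(finding)
    return findings


def failing_ids(findings: List[Dict]) -> List[str]:
    """Identifiers of instances that still listen on the engine default port."""
    return [f["id"] for f in findings if f["status"] == "FAIL"]


def load_from_aws(region_name: str) -> List[Dict]:
    """Fetch live instances with boto3 (imported here so the module runs offline without it)."""
    import boto3  # requires credentials with rds:DescribeDBInstances
    client = boto3.client("rds", region_name=region_name)
    instances = []
    for page in client.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return instances


if __name__ == "__main__":
    for f in evaluate_instances(SAMPLE_INSTANCES):
        line = f"{f['status']:4} {f['id']:14} {f['engine']:16} port={f['port']} default={f['default']}"
        print(line if "remediation" not in f else f"{line}\n     {f['remediation']}")
```

Pass the output of `load_from_aws("<region>")` to `evaluate_instances` to run it against a real account; the placeholder port in the generated command is intentional, since the value to choose depends on the environment and must be reflected in security group rules and client connection strings.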
Source Code
Resource Type
AwsRdsDbInstance