- RDS Master Username
Ensure that your Amazon RDS production databases are not using admin as the master username, regardless of the RDS database engine type used. Instead, a unique alphanumeric string must be defined as the login ID for the master user.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Since admin is the master username that Amazon uses in its RDS examples, many AWS customers reuse it for their production RDS database instances. Malicious users know this and frequently try admin as the master username during brute-force attacks against RDS endpoints.
Audit
To determine if your Amazon RDS database instances are using admin as the master username, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.
03 In the navigation panel, under Amazon RDS, choose Databases.
04 Click on the name (link) of the Amazon RDS database instance that you want to examine. To identify RDS database instances, check the database role available in the Role column (i.e. Instance).
05 Select the Configuration tab and check the Master username attribute value. If the Master username value is set to admin, the selected Amazon RDS database instance is not using a unique master username for its database.
06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-db-instances command (OSX/Linux/UNIX) with custom query filters to list the names of the Amazon RDS database instances provisioned in the selected AWS region:
aws rds describe-db-instances --region us-east-1 --output table --query 'DBInstances[*].DBInstanceIdentifier'
02 The command output should return a table with the requested database instance names:
--------------------------------
|      DescribeDBInstances     |
+------------------------------+
|  cc-project5-mysql-database  |
|  cc-prod-postgres-database   |
+------------------------------+
03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the Amazon RDS database instance that you want to examine as the identifier parameter and custom query filters to describe the master username set for the selected database instance:
aws rds describe-db-instances --region us-east-1 --db-instance-identifier cc-project5-mysql-database --query 'DBInstances[*].MasterUsername'
04 The command output should return the master username configured for the selected instance:
[
    "admin"
]
If the value returned by the describe-db-instances command output is "admin", as shown in the example above, the selected Amazon RDS database instance is not using a secure master username for its database.
05 Repeat steps no. 3 and 4 for each Amazon RDS database instance available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
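The two CLI steps above can be folded into one audit script. The following Python is an added example, not part of the Conformity page: it applies the rule's check to the JSON that describe-db-instances returns (the same shape boto3's describe_db_instances() gives back, which is why Python is used here instead of the CLI), and optionally walks every region. The sample document is constructed for the example; the live-scan function assumes boto3 and credentials are available and is not needed for the offline part.

```python
"""Audit helper: flag Amazon RDS instances whose master username is 'admin'."""
import json

# Usernames the rule treats as non-unique. "admin" is the value the rule
# names; the set exists so a team can extend it with its own policy.
FLAGGED_MASTER_USERNAMES = {"admin"}


def is_non_compliant(db_instance: dict) -> bool:
    """True when MasterUsername is a flagged value. The comparison is
    case-insensitive because 'Admin' is just as guessable as 'admin'."""
    username = db_instance.get("MasterUsername") or ""
    return username.lower() in FLAGGED_MASTER_USERNAMES


def find_admin_master_usernames(describe_output: dict, region: str = "unknown") -> list:
    """Return one finding per non-compliant instance in a describe-db-instances
    document. Each finding carries the fields you would push to a ticket or SIEM."""
    findings = []
    for db in describe_output.get("DBInstances", []):
        if is_non_compliant(db):
            findings.append({
                "region": region,
                "identifier": db.get("DBInstanceIdentifier"),
                "engine": db.get("Engine"),
                "master_username": db.get("MasterUsername"),
            })
    return findings


def scan_all_regions(session=None) -> list:
    """Live scan over every RDS region, paginating describe_db_instances.
    Assumption: boto3 is installed and credentials are configured."""
    import boto3  # imported here so the offline functions above need no dependency

    session = session or boto3.Session()
    findings = []
    for region in session.get_available_regions("rds"):
        client = session.client("rds", region_name=region)
        for page in client.get_paginator("describe_db_instances").paginate():
            findings.extend(find_admin_master_usernames(page, region))
    return findings


# Constructed sample in the describe-db-instances shape, trimmed to the fields used.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "DBInstances": [
    {"DBInstanceIdentifier": "cc-project5-mysql-database", "Engine": "mysql",
     "MasterUsername": "admin"},
    {"DBInstanceIdentifier": "cc-prod-postgres-database", "Engine": "postgres",
     "MasterUsername": "ccpgdbowner07"},
    {"DBInstanceIdentifier": "cc-legacy-mariadb-database", "Engine": "mariadb",
     "MasterUsername": "Admin"}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_admin_master_usernames(SAMPLE_DESCRIBE_OUTPUT, "us-east-1"):
        print(f"{finding['region']}: {finding['identifier']} ({finding['engine']}) "
              f"uses master username {finding['master_username']!r}")
```

Running the script prints the two constructed instances that fail the rule; pointing scan_all_regions() at a real account replaces the manual "repeat for each instance and region" steps with one paginated pass.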
Remediation / Resolution
To change the master username configured for your Amazon RDS database instances you must re-create them and migrate the existing data to the new instances. To configure secure master usernames for your RDS database instances, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Change the database master username by updating the DBInstanceName and DBUsername parameters",
    "Parameters": {
        "DBInstanceName": {
            "Default": "mysql-database-instance",
            "Description": "RDS database instance name",
            "Type": "String",
            "MinLength": "1",
            "MaxLength": "63",
            "AllowedPattern": "^[0-9a-zA-Z-/]*$",
            "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
        },
        "DBInstanceClass": {
            "Default": "db.t2.micro",
            "Description": "DB instance class/type",
            "Type": "String",
            "ConstraintDescription": "Must provide a valid DB instance type."
        },
        "DBAllocatedStorage": {
            "Default": "20",
            "Description": "The size of the database (GiB)",
            "Type": "Number",
            "MinValue": "20",
            "MaxValue": "65536",
            "ConstraintDescription": "Must be between 20 and 65536 GiB."
        },
        "DBName": {
            "Default": "mysqldb",
            "Description": "Database name",
            "Type": "String",
            "MinLength": "1",
            "MaxLength": "64",
            "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
            "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
        },
        "DBUsername": {
            "Description": "Master username for database access",
            "Type": "String",
            "MinLength": "1",
            "MaxLength": "16",
            "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
            "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
        },
        "DBPassword": {
            "NoEcho": "true",
            "Description": "Password for database access",
            "Type": "String",
            "MinLength": "8",
            "MaxLength": "41",
            "AllowedPattern": "[a-zA-Z0-9]*",
            "ConstraintDescription": "Must contain only alphanumeric characters."
        }
    },
    "Resources": {
        "RDSInstance": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "DBInstanceIdentifier": { "Ref": "DBInstanceName" },
                "DBName": { "Ref": "DBName" },
                "MasterUsername": { "Ref": "DBUsername" },
                "MasterUserPassword": { "Ref": "DBPassword" },
                "DBInstanceClass": { "Ref": "DBInstanceClass" },
                "AllocatedStorage": { "Ref": "DBAllocatedStorage" },
                "Engine": "MySQL",
                "EngineVersion": "5.7.36"
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Change the database master username by updating the DBInstanceName and DBUsername parameters
Parameters:
  DBInstanceName:
    Default: mysql-database-instance
    Description: RDS database instance name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens.
  DBInstanceClass:
    Default: db.t2.micro
    Description: DB instance class/type
    Type: String
    ConstraintDescription: Must provide a valid DB instance type.
  DBAllocatedStorage:
    Default: '20'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '20'
    MaxValue: '65536'
    ConstraintDescription: Must be between 20 and 65536 GiB.
  DBName:
    Default: mysqldb
    Description: Database name
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
  DBUsername:
    Description: Master username for database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: Must contain only alphanumeric characters.
Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref 'DBInstanceName'
      DBName: !Ref 'DBName'
      MasterUsername: !Ref 'DBUsername'
      MasterUserPassword: !Ref 'DBPassword'
      DBInstanceClass: !Ref 'DBInstanceClass'
      AllocatedStorage: !Ref 'DBAllocatedStorage'
      Engine: MySQL
      EngineVersion: 5.7.36
Using Terraform
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_db_instance" "rds-database-instance" {
  allocated_storage         = 20
  engine                    = "mysql"
  engine_version            = "5.7"
  instance_class            = "db.t2.micro"
  name                      = "mysqldb"
  # Change the database master username by updating the 'username' parameter
  username                  = "ccmysqluser01"
  password                  = "ccmysqluserpwd"
  parameter_group_name      = "default.mysql5.7"
  final_snapshot_identifier = "rds-instance-final-snapshot"
  apply_immediately         = true
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.
03 In the navigation panel, under Amazon RDS, choose Databases.
04 Click on the name of the Amazon RDS database instance that you want to re-create and note the instance configuration details required for creating a new database instance (network and connectivity, instance type/class, storage and availability, etc.).
05 Navigate back to the Databases page and choose Create database to create a new Amazon RDS database instance.
06 On the Create database setup page, perform the following actions:
- Enter a unique name for your new database instance in the DB instance identifier box.
- Provide a name for the database master username in the Master username box and specify a string that defines the password for the master user. The master username must be a unique username, other than admin.
- Configure the instance network and connectivity, instance type/class, storage and availability settings, to match the database configuration of the source Amazon RDS instance selected at step no. 4.
- Choose Create database to create your new Amazon RDS database instance.
07 As soon as your new database instance is ready (i.e. instance status becomes Available), you can migrate the data to the newly created database and update your application configuration to refer to the new (secured) database endpoint.
08 (Optional) Once the data is successfully moved and the instance endpoint is changed at your application level, you can delete the source database instance to stop incurring charges for that RDS resource. To remove the source instance from your AWS cloud account, perform the following actions:
- Select the source database instance that you want to delete, choose Actions, and select Delete.
- In the Delete <instance-name> instance? confirmation box, select Create final snapshot?, type delete me into the required field, then choose Delete to confirm your action.
09 Repeat steps no. 4 – 8 for each non-compliant Amazon RDS database instance available within the current AWS region.
10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the Amazon RDS database instance that you want to re-create as the identifier parameter and custom query filters to describe the configuration information available for selected database instance:
aws rds describe-db-instances --region us-east-1 --db-instance-identifier cc-project5-mysql-database
02 The command output should return the requested configuration details. Note the instance configuration details required for creating a new database instance (network and connectivity, instance type/class, storage and availability, etc.):
{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "admin",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-0abcd1234abcd1234"
            }
        ],
        "InstanceCreateTime": "2021-05-12T08:00:00.677Z",
        "CopyTagsToSnapshot": true,
        "OptionGroupMemberships": [
            {
                "Status": "in-sync",
                "OptionGroupName": "default:mysql-5-7"
            }
        ],
        "Engine": "mysql",
        "MultiAZ": false,
        "DBSecurityGroups": [],
        "DBParameterGroups": [
            {
                "DBParameterGroupName": "default.mysql5.7",
                "ParameterApplyStatus": "in-sync"
            }
        ],
        "PerformanceInsightsEnabled": true,
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "06:02-06:32",
        "DBSubnetGroup": {
            "Subnets": [
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1d" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1e" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcdabcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1b" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-12341234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1a" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1f" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1c" } }
            ],
            "DBSubnetGroupName": "default-vpc-abcdabcd",
            "VpcId": "vpc-abcdabcd",
            "DBSubnetGroupDescription": "Created from the AWS Management Console",
            "SubnetGroupStatus": "Complete"
        },
        "ReadReplicaDBInstanceIdentifiers": [],
        "AllocatedStorage": 20,
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database",
        "BackupRetentionPeriod": 0,
        "PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
        "Endpoint": {
            "HostedZoneId": "ABCDABCDABCD",
            "Port": 3306,
            "Address": "cc-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
        },
        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": true,
        "EngineVersion": "5.7.30",
        "DeletionProtection": true,
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
        "CACertificateIdentifier": "rds-ca-2019",
        "StorageEncrypted": true,
        "AssociatedRoles": [],
        "DBInstanceClass": "db.t3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "cc-project5-mysql-database"
    }
}
03 Run create-db-instance command (OSX/Linux/UNIX) to create a new Amazon RDS database instance based on the configuration information returned at the previous step. The following command example creates an Amazon RDS MySQL database instance with ccmysqluser01 as the master username:
aws rds create-db-instance --region us-east-1 --db-instance-identifier cc-project5-mysql-secure-database --allocated-storage 20 --db-instance-class db.t3.medium --engine mysql --vpc-security-group-ids sg-0abcd1234abcd1234 --master-username ccmysqluser01 --master-user-password ccmysqluserpwd
04 The command output should return the configuration metadata available for the new database instance:
{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "ccmysqluser01",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-0abcd1234abcd1234"
            }
        ],
        "InstanceCreateTime": "2021-05-29T08:00:00.677Z",
        "CopyTagsToSnapshot": true,
        "OptionGroupMemberships": [
            {
                "Status": "in-sync",
                "OptionGroupName": "default:mysql-5-7"
            }
        ],
        "Engine": "mysql",
        "MultiAZ": false,
        "DBSecurityGroups": [],
        "DBParameterGroups": [
            {
                "DBParameterGroupName": "default.mysql5.7",
                "ParameterApplyStatus": "in-sync"
            }
        ],
        "PerformanceInsightsEnabled": true,
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "06:02-06:32",
        "DBSubnetGroup": {
            "Subnets": [
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1d" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1e" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcdabcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1b" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-12341234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1a" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1f" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1c" } }
            ],
            "DBSubnetGroupName": "default-vpc-abcdabcd",
            "VpcId": "vpc-abcdabcd",
            "DBSubnetGroupDescription": "Created from the AWS Management Console",
            "SubnetGroupStatus": "Complete"
        },
        "ReadReplicaDBInstanceIdentifiers": [],
        "AllocatedStorage": 20,
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-secure-database",
        "BackupRetentionPeriod": 0,
        "PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
        "Endpoint": {
            "HostedZoneId": "ABCDABCDABCD",
            "Port": 3306,
            "Address": "cc-project5-mysql-secure-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
        },
        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": true,
        "EngineVersion": "5.7.30",
        "DeletionProtection": true,
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
        "CACertificateIdentifier": "rds-ca-2019",
        "StorageEncrypted": true,
        "AssociatedRoles": [],
        "DBInstanceClass": "db.t3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "cc-project5-mysql-secure-database"
    }
}
05 As soon as your new database instance is ready (i.e. instance status becomes "available"), you can migrate the data to the newly created database and update your application configuration to refer to the new (secured) database endpoint.
06 (Optional) Once the data is successfully moved and the instance endpoint is changed at your application level, you can delete the source database instance to stop incurring charges for that RDS resource. To remove the source database instance from your AWS cloud account, run delete-db-instance command (OSX/Linux/UNIX):
aws rds delete-db-instance --region us-east-1 --db-instance-identifier cc-project5-mysql-database --final-db-snapshot-identifier cc-project5-mysql-database-final-snapshot
07 The command output should return the delete-db-instance command request metadata:
{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "admin",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-0abcd1234abcd1234"
            }
        ],
        "InstanceCreateTime": "2021-05-12T08:00:00.677Z",
        "CopyTagsToSnapshot": true,
        "OptionGroupMemberships": [
            {
                "Status": "in-sync",
                "OptionGroupName": "default:mysql-5-7"
            }
        ],
        "Engine": "mysql",
        "MultiAZ": false,
        "DBSecurityGroups": [],
        "DBParameterGroups": [
            {
                "DBParameterGroupName": "default.mysql5.7",
                "ParameterApplyStatus": "in-sync"
            }
        ],
        "PerformanceInsightsEnabled": true,
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "06:02-06:32",
        "DBSubnetGroup": {
            "Subnets": [
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1d" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1e" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcdabcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1b" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-12341234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1a" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1f" } },
                { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1c" } }
            ],
            "DBSubnetGroupName": "default-vpc-abcdabcd",
            "VpcId": "vpc-abcdabcd",
            "DBSubnetGroupDescription": "Created from the AWS Management Console",
            "SubnetGroupStatus": "Complete"
        },
        "ReadReplicaDBInstanceIdentifiers": [],
        "AllocatedStorage": 20,
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database",
        "BackupRetentionPeriod": 0,
        "PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
        "Endpoint": {
            "HostedZoneId": "ABCDABCDABCD",
            "Port": 3306,
            "Address": "cc-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
        },
        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": true,
        "EngineVersion": "5.7.30",
        "DeletionProtection": false,
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
        "CACertificateIdentifier": "rds-ca-2019",
        "StorageEncrypted": false,
        "AssociatedRoles": [],
        "DBInstanceClass": "db.t3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "cc-project5-mysql-database"
    }
}
08 Repeat steps no. 1 – 7 for each non-compliant Amazon RDS database instance available in the selected AWS region.
09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire process for other regions.
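Step 03 of the CLI remediation says to build the create-db-instance call "based on the configuration information returned at the previous step", and it is easy to drop a setting (encryption, deletion protection, IAM authentication) while hand-copying values. The Python below is an added example, not code from the Conformity page or from AWS: it maps the source instance's describe-db-instances output onto CreateDBInstance parameters, swaps in a new master username that satisfies the same constraints the page's CloudFormation DBUsername parameter enforces, refuses to rebuild with admin, and renders the result as CLI flags with the password elided. SAMPLE_SOURCE is a constructed, trimmed copy of the page's describe output; the parameter names are the CreateDBInstance API names used by the AWS CLI and boto3.

```python
"""Remediation helper: derive create-db-instance parameters for a replacement
RDS instance from the source instance's describe-db-instances output."""
import re
import secrets
import string

# Mirrors the DBUsername constraints in the page's CloudFormation templates:
# 1-16 characters, starts with a letter, alphanumeric only. "admin" is the
# value the rule flags; the set exists so a team can extend it.
MASTER_USERNAME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9]{0,15}$")
FLAGGED_MASTER_USERNAMES = {"admin"}


def validate_master_username(name: str) -> bool:
    """True when the name matches the pattern and is not a flagged value."""
    return bool(MASTER_USERNAME_RE.match(name)) and name.lower() not in FLAGGED_MASTER_USERNAMES


def generate_master_password(length: int = 32) -> str:
    """Random alphanumeric password (the page's templates allow only [a-zA-Z0-9]).
    Hand it to a secret store; never commit it to a .tf or template file."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_create_params(source: dict, new_identifier: str, new_username: str, password: str) -> dict:
    """Map a source DBInstance description onto CreateDBInstance parameters.
    Raises ValueError when the new username is non-compliant, so an automated
    rebuild cannot quietly recreate the instance with 'admin' again."""
    if not validate_master_username(new_username):
        raise ValueError(f"master username {new_username!r} is not allowed")
    if new_identifier == source["DBInstanceIdentifier"]:
        raise ValueError("the replacement instance needs a new DB instance identifier")
    return {
        "DBInstanceIdentifier": new_identifier,
        "Engine": source["Engine"],
        "EngineVersion": source["EngineVersion"],
        "DBInstanceClass": source["DBInstanceClass"],
        "AllocatedStorage": source["AllocatedStorage"],
        "StorageType": source["StorageType"],
        "MasterUsername": new_username,
        "MasterUserPassword": password,
        # Only security groups that are attached and active are carried over.
        "VpcSecurityGroupIds": [sg["VpcSecurityGroupId"] for sg in source.get("VpcSecurityGroups", [])
                                if sg.get("Status") == "active"],
        "DBSubnetGroupName": source["DBSubnetGroup"]["DBSubnetGroupName"],
        "DBParameterGroupName": source["DBParameterGroups"][0]["DBParameterGroupName"],
        "MultiAZ": source["MultiAZ"],
        "PubliclyAccessible": source["PubliclyAccessible"],
        "StorageEncrypted": source["StorageEncrypted"],
        "DeletionProtection": source["DeletionProtection"],
        "EnableIAMDatabaseAuthentication": source["IAMDatabaseAuthenticationEnabled"],
        "BackupRetentionPeriod": source["BackupRetentionPeriod"],
        "CopyTagsToSnapshot": source["CopyTagsToSnapshot"],
    }


def _camel_to_flag(name: str) -> str:
    """CreateDBInstance parameter name -> AWS CLI flag, e.g. MultiAZ -> --multi-az."""
    return "--" + re.sub(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])", "-", name).lower()


def to_cli_args(params: dict) -> str:
    """Render the parameter map as 'aws rds create-db-instance' arguments.
    The password is elided so the rendered command is safe to log or review."""
    parts = []
    for key, value in params.items():
        flag = _camel_to_flag(key)
        if isinstance(value, bool):
            parts.append(flag if value else flag.replace("--", "--no-", 1))
        elif isinstance(value, list):
            parts.append(f"{flag} {' '.join(value)}")
        elif key == "MasterUserPassword":
            parts.append(f"{flag} <from-secret-store>")
        else:
            parts.append(f"{flag} {value}")
    return " ".join(parts)


# Constructed sample: the page's source instance, trimmed to the fields used above.
SAMPLE_SOURCE = {
    "DBInstanceIdentifier": "cc-project5-mysql-database", "MasterUsername": "admin",
    "Engine": "mysql", "EngineVersion": "5.7.30", "DBInstanceClass": "db.t3.medium",
    "AllocatedStorage": 20, "StorageType": "gp2",
    "VpcSecurityGroups": [{"Status": "active", "VpcSecurityGroupId": "sg-0abcd1234abcd1234"}],
    "DBSubnetGroup": {"DBSubnetGroupName": "default-vpc-abcdabcd"},
    "DBParameterGroups": [{"DBParameterGroupName": "default.mysql5.7"}],
    "MultiAZ": False, "PubliclyAccessible": True, "StorageEncrypted": True,
    "DeletionProtection": True, "IAMDatabaseAuthenticationEnabled": True,
    "BackupRetentionPeriod": 0, "CopyTagsToSnapshot": True,
}

if __name__ == "__main__":
    params = build_create_params(SAMPLE_SOURCE, "cc-project5-mysql-secure-database",
                                 "ccmysqluser01", generate_master_password())
    print("aws rds create-db-instance --region us-east-1 " + to_cli_args(params))
```

The rendered command carries over the encryption, deletion-protection and IAM-authentication settings that the page's own create-db-instance example omits, which is the point: a replacement instance should be at least as hardened as the one it replaces, with the master username the only deliberate change.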