🛡️ AWS RDS Cluster has a common master username🟢
- Contextual name: 🛡️ Cluster has a common master username🟢
- ID: /ce/ca/aws/rds/cluster-master-username
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Description
This policy identifies AWS RDS Clusters that are configured with a master username matching common or default values provided by database engines or the cloud platform.
When creating an Amazon RDS cluster, the master username should be set to a unique, non-default value. Default or commonly used administrative usernames are widely known and frequently targeted by attackers. Using a unique master username helps reduce the risk of unauthorized access and improves the overall security posture of the cluster.
Rationale
Many database engines and AWS examples reference usernames such as admin for the RDS master account. Consequently, several production clusters may use these predictable values. Malicious actors can exploit this information during brute-force or credential-stuffing attacks, targeting well-known administrative usernames. Avoiding default or common master usernames decreases the cluster’s exposure to such attacks.
Impact
Requires recreating the database cluster with a custom master username and migrating the existing data to the new cluster.
Remediation
Recreate the RDS Cluster with a Custom Master Username
Amazon RDS does not allow modifying the master username of an existing cluster. To remediate this finding, you must recreate the cluster with a custom master username and migrate the existing data to the new cluster. Restoring the cluster from a snapshot in order to change the master username is also not supported.
From Command Line
Retrieve the Current Cluster Configuration
Describe the existing RDS cluster to capture the configuration details needed to recreate it (engine, cluster class, networking, storage, availability, and parameter settings).
aws rds describe-db-clusters \
--region {{region}} \
--db-cluster-identifier {{db-cluster-id}}
Review the Output and Record Required Settings
From the command output, note the configuration values required for the new cluster, including the current master username, engine, instance classes, VPC security groups, subnet group, and storage settings.
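The check this policy performs can be reproduced locally against the JSON that `aws rds describe-db-clusters` prints. The following is an added example, not Cloudaware's policy code; the set of common usernames it flags is an assumption (the page itself names only admin), and the sample cluster data is constructed, not real account output.

```python
import json

# Assumed list of common/default administrative usernames; extend it for
# the engines you run. Only "admin" is named on the policy page.
COMMON_MASTER_USERNAMES = {
    "admin", "administrator", "root", "postgres", "mysql", "awsuser", "sa",
}


def find_common_master_usernames(describe_output: str, common=COMMON_MASTER_USERNAMES):
    """Return one finding per cluster whose MasterUsername is a common/default value.

    describe_output is the JSON text printed by `aws rds describe-db-clusters`.
    The comparison is case-insensitive so that "Admin" is flagged like "admin".
    """
    data = json.loads(describe_output)
    findings = []
    for cluster in data.get("DBClusters", []):
        username = cluster.get("MasterUsername") or ""
        if username.lower() in common:
            findings.append({
                "DBClusterIdentifier": cluster.get("DBClusterIdentifier"),
                "Engine": cluster.get("Engine"),
                "MasterUsername": username,
            })
    return findings


# Constructed sample shaped like describe-db-clusters output (not real data).
SAMPLE_OUTPUT = json.dumps({
    "DBClusters": [
        {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-mysql",
         "MasterUsername": "Admin"},
        {"DBClusterIdentifier": "analytics-pg", "Engine": "aurora-postgresql",
         "MasterUsername": "analytics_dba_x7"},
        {"DBClusterIdentifier": "legacy-pg", "Engine": "aurora-postgresql",
         "MasterUsername": "postgres"},
    ]
})

if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with the real CLI output (e.g. read from stdin) to audit an account.
    for f in find_common_master_usernames(SAMPLE_OUTPUT):
        print(f"FAIL {f['DBClusterIdentifier']} ({f['Engine']}): "
              f"master username '{f['MasterUsername']}' is a common default")
```

Clusters that are flagged cannot be fixed in place; they need the recreate-and-migrate procedure described in this section.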
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.24] RDS Database clusters should use a custom administrator username | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 Secure Access | 74 | no data | |||
| 💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3 | 1 | 47 | no data | |
| 💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 45 | no data | |||
| 💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3 | 47 | no data | ||
| 💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 54 | no data | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 7 | 46 | no data | ||
| 💼 PCI DSS v3.2.1 → 💼 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | 1 | 11 | no data | ||
| 💼 PCI DSS v4.0.1 → 💼 2.2.2 Vendor default accounts are managed. | 11 | no data | |||
| 💼 PCI DSS v4.0 → 💼 2.2.2 Vendor default accounts are managed. | 11 | no data | | | |