🛡️ AWS RDS Instance has a common master username🟢
- Contextual name: 🛡️ Instance has a common master username🟢
- ID: /ce/ca/aws/rds/instance-master-username
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Description
This policy identifies Amazon RDS Instances that are configured with a master username matching common or default values provided by database engines or the cloud platform.
When creating an Amazon RDS database, the master username should be set to a unique, non-default value. Default or commonly used administrative usernames are widely known and frequently targeted by attackers. Using a unique master username reduces the risk of unauthorized access and strengthens the overall security posture of the database.
Rationale
Database engines and AWS documentation examples commonly reference usernames such as `admin` for the RDS master account. As a result, many production RDS instances are deployed using these predictable values. Malicious actors can exploit this knowledge during brute-force or credential-stuffing attacks by targeting well-known administrative usernames. Avoiding default or common master usernames significantly reduces the attack surface.
Impact
Requires recreating the database instance with a custom master username and migrating the existing data to the new instance.
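The check this policy performs can be reproduced locally over the output of `aws rds describe-db-instances`. The script below is an added example, not Cloudaware's policy logic; the page names only `admin`, so the other usernames in the list are assumed additions (engine defaults and frequent documentation values) and the sample instances are constructed.

```python
import json
import sys

# Master usernames commonly produced by engine defaults or documentation
# examples. "admin" is the value named on this page; the others are
# assumed additions (engine defaults and frequent example values).
COMMON_MASTER_USERNAMES = frozenset({
    "admin", "administrator", "root", "master", "postgres", "mysql",
    "sa", "oracle", "dbadmin", "awsuser",
})


def flag_common_master_usernames(describe_output, common=COMMON_MASTER_USERNAMES):
    """Return a finding for every DB instance whose MasterUsername is common.

    describe_output is the parsed JSON of `aws rds describe-db-instances`
    (a dict with a "DBInstances" list). The comparison is case-insensitive:
    RDS keeps the username as given, but engines such as MySQL and SQL Server
    match logins case-insensitively, so "Admin" is as guessable as "admin".
    """
    findings = []
    for inst in describe_output.get("DBInstances", []):
        username = inst.get("MasterUsername", "")
        if username.lower() in common:
            findings.append({
                "DBInstanceIdentifier": inst["DBInstanceIdentifier"],
                "Engine": inst.get("Engine"),
                "MasterUsername": username,
            })
    return findings


# Constructed sample shaped like the describe-db-instances response;
# identifiers and usernames are made up for this example.
SAMPLE_OUTPUT = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
         "MasterUsername": "admin"},
        {"DBInstanceIdentifier": "reports-db", "Engine": "postgres",
         "MasterUsername": "Postgres"},
        {"DBInstanceIdentifier": "billing-db", "Engine": "postgres",
         "MasterUsername": "bl_svc_owner_7k2"},
    ]
}

if __name__ == "__main__":
    # Real data: aws rds describe-db-instances --output json | python3 check.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for f in flag_common_master_usernames(data):
        print(f"NON-COMPLIANT {f['DBInstanceIdentifier']} ({f['Engine']}): "
              f"master username {f['MasterUsername']!r} is a common value")
```

On the sample data the first two instances are reported and `billing-db` passes; run it per region, since `describe-db-instances` only returns instances in the region of the CLI call.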
Remediation
Recreate the RDS Instance with a Custom Master Username
Amazon RDS does not support modifying the master username of an existing database instance. To remediate this finding, you must recreate the database instance with a custom master username and migrate the existing data to the new instance. Restoring the cluster from a snapshot in order to change the master username is also not supported.
From Command Line
Retrieve the Current Instance Configuration
Describe the existing RDS instance to capture the configuration details required to recreate it (engine, instance class, networking, storage, and availability settings).
```shell
aws rds describe-db-instances \
  --region {{region}} \
  --db-instance-identifier {{db-instance-id}}
```
Review the Output and Record Required Settings
From the command output, note the configuration values needed to create the replacement instance, including the current master username, instance class, engine, VPC security groups, subnet group, and storage configuration.
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.25] RDS database instances should use a custom administrator username | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 Secure Access | 74 | no data | |||
| 💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3 | 1 | 47 | no data | |
| 💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 45 | no data | |||
| 💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3 | 47 | no data | ||
| 💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 54 | no data | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 7 | 46 | no data | ||
| 💼 PCI DSS v3.2.1 → 💼 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | 1 | 11 | no data | ||
| 💼 PCI DSS v4.0.1 → 💼 2.2.2 Vendor default accounts are managed. | 11 | no data | |||
| 💼 PCI DSS v4.0 → 💼 2.2.2 Vendor default accounts are managed. | 11 | no data | | | |