RDS Port
What is an RDS Port?
An RDS port is the TCP/IP port that your DB instance listens on for client connections.
Some corporate firewalls block outbound connections to the default port of your chosen database engine. If that is the case in your company, pick a different port when you create the DB instance.
Once a DB instance exists and is listening on the port you specified, you can still change the port later by modifying the DB instance (the change reboots the instance).
How does an RDS Port help in Security?
Database instances listening on their default port are the first thing mass scanners and credential-stuffing bots probe, so a publicly reachable RDS endpoint on 3306, 5432, 1521 or 1433 tends to attract a steady stream of automated login attempts and the security alerts that come with them. Moving the listener to a non-default port removes the instance from most of that opportunistic traffic. Treat it as a hardening layer, not as protection: a port scan of the endpoint still finds the service, so keep the security group restricted to known sources, avoid making the instance publicly accessible unless it must be, and use strong credentials.
How to Audit your RDS Port?
The table below lists the default endpoint port for each RDS database engine (Aurora PostgreSQL listens on the PostgreSQL port, not the MySQL one):
| Database Engine | Default Port |
|---|---|
| Aurora MySQL / MySQL / MariaDB | 3306 |
| Aurora PostgreSQL / PostgreSQL | 5432 |
| Oracle | 1521 |
| SQL Server | 1433 |
To determine if your existing RDS database instances are using their default ports, perform the following:
– Using AWS Console –
1 – Sign in to the AWS Management Console.
2 – Open the RDS dashboard at https://console.aws.amazon.com/rds/.
3 – In the left navigation panel, under RDS Dashboard, choose Instances.
4 – Select the RDS instance you want to check.
5 – Click the Instance Actions button in the top menu, then click See Details.
6 – On the Details tab, under the Security and Network section, review the Port value:
If it equals the default port for the engine the instance runs, the instance accepts connections on the default port and will be found and probed by the automated dictionary and brute-force tools that sweep those ports. To change the endpoint port, follow the steps in the section "How to Change your default RDS Port?".
7 – Repeat steps 4 to 6 to verify the port of every other RDS instance provisioned in the selected region.
8 – Switch to another AWS region from the navigation bar and repeat the procedure for each region.
– Using AWS CLI –
1 – Run the describe-db-instances command (from a Linux, macOS or UNIX shell) with a custom query filter to list the identifiers of all RDS instances in the selected region:
aws rds describe-db-instances \
--region us-east-1 \
--output table \
--query 'DBInstances[*].DBInstanceIdentifier'
2 – The command output is a table containing the requested database identifiers:
-------------------------
| DescribeDBInstances |
+-----------------------+
| mysql-prod-db |
| postgresql-prod-db |
| aurora-prod-db |
+-----------------------+
3 – Run describe-db-instances again, this time with the identifier of one instance and a query filter that extracts the port number the resource listens on:
aws rds describe-db-instances \
--region us-east-1 \
--db-instance-identifier mysql-prod-db \
--query 'DBInstances[*].Endpoint.Port'
4 – The command output shows the port the selected instance uses; in this example it is the MySQL default:
[
3306
]
If the number returned is the default port for the engine in use, the instance accepts connections on the default port and is therefore an easy target for the automated dictionary and brute-force attempts that sweep those ports.
For example:
– Aurora MySQL/MySQL/MariaDB: port 3306
– SQL Server: port 1433
– Aurora PostgreSQL/PostgreSQL: port 5432
– Oracle: port 1521
5 – Repeat steps 3 and 4 to review the port of the other RDS instances provisioned in the selected region.
6 – Change the value of the --region parameter and repeat steps 1 to 5 to audit the other AWS regions.
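The CLI audit above is per instance and per region, and step 1's table output has to be read by eye. The script below is an added example (not AWS code and not part of the original page) that does the same check in one pass: feed it the JSON from aws rds describe-db-instances --output json and it reports every instance whose Endpoint.Port equals the default for its Engine, ranking the ones that are also PubliclyAccessible highest. The SAMPLE response is constructed to look like describe-db-instances output; the engine-prefix table and the severity labels are this example's own choices.

```python
"""Audit RDS instances for default listener ports.

Added example (not AWS or the page's code). Pipe in the JSON from
`aws rds describe-db-instances --region us-east-1 --output json`; with no
stdin it audits the constructed SAMPLE response below.
"""
import json
import sys

# Default listener port per RDS engine family, keyed by Engine-string prefix.
# Aurora PostgreSQL listens on 5432, so it must win over the "aurora" prefix.
DEFAULT_PORTS = {
    "aurora-postgresql": 5432,
    "aurora": 3306,        # legacy "aurora" and "aurora-mysql"
    "mysql": 3306,
    "mariadb": 3306,
    "postgres": 5432,
    "oracle": 1521,        # oracle-ee, oracle-se2, ...
    "sqlserver": 1433,     # sqlserver-ee, -se, -ex, -web
}


def default_port_for(engine):
    """Default port for an RDS Engine value, or None if the engine is unknown."""
    engine = engine.lower()
    # Longest prefix first so "aurora-postgresql" is not matched by "aurora".
    for prefix in sorted(DEFAULT_PORTS, key=len, reverse=True):
        if engine.startswith(prefix):
            return DEFAULT_PORTS[prefix]
    return None


def audit(describe_output):
    """One finding per instance in a describe-db-instances response.

    severity: "high"    = default port and PubliclyAccessible
              "medium"  = default port, not publicly accessible
              "ok"      = non-default port
              "unknown" = no endpoint yet (still creating) or unknown engine
    """
    findings = []
    for db in describe_output.get("DBInstances", []):
        engine = db.get("Engine", "")
        port = db.get("Endpoint", {}).get("Port")
        default = default_port_for(engine)
        public = bool(db.get("PubliclyAccessible", False))
        if port is None or default is None:
            severity = "unknown"
        elif port == default and public:
            severity = "high"
        elif port == default:
            severity = "medium"
        else:
            severity = "ok"
        findings.append({
            "id": db.get("DBInstanceIdentifier", "?"),
            "engine": engine,
            "port": port,
            "default_port": default,
            "public": public,
            "severity": severity,
        })
    return findings


# Constructed sample in the shape of describe-db-instances output (not real data).
SAMPLE = {"DBInstances": [
    {"DBInstanceIdentifier": "mysql-prod-db", "Engine": "mysql",
     "PubliclyAccessible": True, "Endpoint": {"Port": 3306}},
    {"DBInstanceIdentifier": "postgresql-prod-db", "Engine": "postgres",
     "PubliclyAccessible": False, "Endpoint": {"Port": 5432}},
    {"DBInstanceIdentifier": "aurora-prod-db", "Engine": "aurora-postgresql",
     "PubliclyAccessible": False, "Endpoint": {"Port": 5432}},
    {"DBInstanceIdentifier": "mssql-dev-db", "Engine": "sqlserver-ex",
     "PubliclyAccessible": False, "Endpoint": {"Port": 11433}},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(data)
    for f in findings:
        print(f"{f['severity']:8} {f['id']:24} {f['engine']:18} port {f['port']} "
              f"(default {f['default_port']}) public={f['public']}")
    # Non-zero exit so the audit can gate a pipeline.
    sys.exit(1 if any(f["severity"] in ("high", "medium") for f in findings) else 0)
```

Run it once per region (for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do aws rds describe-db-instances --region "$r" --output json | python audit_rds_ports.py; done) to cover step 6. Matching on the engine prefix rather than the exact Engine string keeps the check correct for the oracle-* and sqlserver-* variants, and note that aurora-prod-db is flagged on 5432 here because it is an Aurora PostgreSQL cluster, which the page's engine table alone would miss.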
How to Change your default RDS Port?
To change the port of an existing RDS DB instance, modify the instance as follows:
- Sign in to the Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
- In the navigation pane choose Databases, then click the DB instance you want to modify.
- Click Modify; the Modify DB Instance page opens.
- Under Database port enter the new port number, and change any other settings you need.
- Click Continue and review the summary of modifications.
- Optionally select Apply immediately to apply the changes right away instead of during the next maintenance window; applying immediately can cause an outage. A port change is applied immediately and reboots the instance regardless of this setting.
- On the confirmation page review the changes. If they are correct, click Modify DB Instance to save them; otherwise click Back to edit them or Cancel to discard them.
Before you confirm, allow the new port in the security group attached to the instance and update the connection strings of every client, otherwise they lose connectivity when the instance reboots on the new port.
| Console setting | Description | CLI option / RDS API parameter | When the change takes place | Downtime notes | Supported DB engines |
|---|---|---|---|---|---|
| Database port | The port used to access the DB instance. Its value must not match any port value set for an option in the option group associated with the DB instance. | --db-port-number / DBPortNumber | Immediately; this setting ignores the Apply immediately setting. | The DB instance is rebooted immediately. | All DB engines |
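The table gives the CLI option but not the rules a new port has to satisfy. The script below is an added example (not AWS code and not from the original page): it checks a requested port against the RDS constraints (1150-65535, the ports RDS rejects for SQL Server instances as listed in the CreateDBInstance/ModifyDBInstance API reference, and the option-group collision the table warns about) and then prints, or with --run executes, the aws rds modify-db-instance call. The positional arguments and the --run flag are this example's own interface; the option-group port list is left for the caller to supply from describe-option-groups.

```python
"""Change the listener port of an RDS instance via the AWS CLI.

Added example (not AWS or the page's code). Validates the requested port
against the RDS rules, then prints or runs the modify-db-instance call:
  python rds_port_change.py mysql-prod-db us-east-1 mysql 13306        # print
  python rds_port_change.py mysql-prod-db us-east-1 mysql 13306 --run  # run
"""
import subprocess
import sys

PORT_MIN, PORT_MAX = 1150, 65535
# Ports RDS rejects for SQL Server instances (CreateDBInstance/ModifyDBInstance
# API reference); check the current reference before relying on this list.
SQLSERVER_RESERVED = {1234, 1434, 3260, 3343, 3389, 47001} | set(range(49152, 49157))


def validate_port(engine, port, option_group_ports=()):
    """Return None if `port` is usable for this engine, otherwise the reason."""
    if not PORT_MIN <= port <= PORT_MAX:
        return f"port {port} is outside {PORT_MIN}-{PORT_MAX}"
    if engine.lower().startswith("sqlserver") and port in SQLSERVER_RESERVED:
        return f"port {port} is reserved on SQL Server instances"
    if port in set(option_group_ports):
        return f"port {port} is already used by an option in the option group"
    return None


def modify_port_command(identifier, region, port):
    """argv for the CLI call that moves the instance's listener port.

    No --apply-immediately flag: a port change is applied at once and reboots
    the instance whatever that flag says (see the table above).
    """
    return ["aws", "rds", "modify-db-instance",
            "--region", region,
            "--db-instance-identifier", identifier,
            "--db-port-number", str(port)]


def main(argv):
    if len(argv) < 4:
        print(__doc__)
        return 2
    identifier, region, engine, port = argv[0], argv[1], argv[2], int(argv[3])
    problem = validate_port(engine, port)
    if problem:
        print("refusing:", problem)
        return 1
    cmd = modify_port_command(identifier, region, port)
    print(" ".join(cmd))
    if "--run" in argv[4:]:
        # Open the new port in the security group and update clients first;
        # the instance reboots onto the new port as soon as this call returns.
        return subprocess.run(cmd).returncode
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Pick a port well away from the defaults (13306 above is an arbitrary choice) and remember the change does nothing for security on its own; the security group rule you add for the new port should be at least as tight as the one you remove for the old one.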