Ensure that RDS database instance doesn't use its default endpoint port

Avoid using RDS database instance's default port to add another layer of security to your database's endpoint. Default ports: 3306 (MySQL/MariaDB), 5432 (PostgreSQL), 1521 (Oracle), 1433 (Microsoft SQL Server).

Risk Level: Low
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.NET.92
Covered by Spectral: Yes
Category: Database


RDS should not have ( port=3306 and (dbType like '%mysql%' or dbType like '%mariadb%') ) or ( port=5432 and dbType like '%postgres%' ) or ( port=1521 and dbType like '%oracle%' ) or ( port=1433 and dbType like '%sqlserver%' )


From Portal

  1. Go to the AWS RDS console: https://console.aws.amazon.com/rds/
  2. In the left pane, choose 'Databases'
  3. Mark the incompliant 'DB identifier'
  4. Click 'Modify'
  5. Under 'Connectivity' expand 'Connectivity'
  6. Set 'Database port' to a non-default port
  7. Press 'Continue' and apply the modification

From Command Line
To modify the database instance's port, use:

aws rds modify-db-instance --db-instance-identifier DB-IDENTIFIER --db-port-number PORT --no-apply-immediately

From TF
Set the 'port' argument within the 'aws_db_instance' resource block to a non-default port:

resource "aws_db_instance" "db_instance_example" {
	port = PORT


  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/neptune/modify-db-instance.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#port

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset