Danger Gauge: Low
Your AWS RDS instance is at risk if you have not changed its default master username. The master username is an alphanumeric name used to gain access to the database instance.
When you first create a Relational Database Service instance, you must provide a username, and that name becomes the master username. To simplify setup, Amazon gives an example and sets a default master username, "awsuser". Many users never consider changing this username and leave it as it is, and many AWS customers keep it for their database instance to avoid the effort of choosing a new one.
If you are unlucky, this information can be used by unauthorized users. Through a brute-force attack they can break into your account, and your entire security infrastructure will be compromised.
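The check described above, flagging RDS instances whose master username is still the default "awsuser", as an added example that is not part of the original advisory. It audits records in the shape of the DescribeDBInstances API response (keys DBInstanceIdentifier, Engine, MasterUsername), matches case-insensitively, and generalizes slightly beyond the text: the extra names in DEFAULT_MASTER_USERNAMES ("admin", "administrator", "root") are an assumption about other names operators commonly leave in place, and the sample instances are constructed. The optional fetch_db_instances function pulls live data with boto3 and needs rds:DescribeDBInstances.

```python
"""Audit RDS instances for a default master username (e.g. "awsuser")."""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Iterable, List, Optional

# "awsuser" is the default name this advisory warns about. The other entries are
# an assumption: names operators commonly leave in place. Extend as needed.
DEFAULT_MASTER_USERNAMES: FrozenSet[str] = frozenset(
    {"awsuser", "admin", "administrator", "root"}
)


@dataclass(frozen=True)
class Finding:
    instance_id: str
    engine: str
    master_username: str
    reason: str


def is_default_master_username(
    name: str, defaults: FrozenSet[str] = DEFAULT_MASTER_USERNAMES
) -> bool:
    # Compare case-insensitively so "AwsUser" or "ADMIN" is caught as well.
    return name.strip().lower() in defaults


def audit_db_instances(
    instances: Iterable[Dict[str, Any]],
    defaults: FrozenSet[str] = DEFAULT_MASTER_USERNAMES,
) -> List[Finding]:
    """Return one Finding per instance whose MasterUsername is a known default.

    `instances` has the shape of the DBInstances list returned by
    rds:DescribeDBInstances (DBInstanceIdentifier, Engine, MasterUsername).
    """
    findings: List[Finding] = []
    for inst in instances:
        name = inst.get("MasterUsername", "")
        if is_default_master_username(name, defaults):
            findings.append(
                Finding(
                    instance_id=inst.get("DBInstanceIdentifier", "<unknown>"),
                    engine=inst.get("Engine", "<unknown>"),
                    master_username=name,
                    reason=f"master username '{name}' is a default name; "
                    "set a unique master username for this instance",
                )
            )
    return findings


def fetch_db_instances(region_name: Optional[str] = None) -> List[Dict[str, Any]]:
    """Optional live collection via boto3; requires rds:DescribeDBInstances."""
    import boto3  # imported lazily so the audit logic runs offline without it

    rds = boto3.client("rds", region_name=region_name)
    paginator = rds.get_paginator("describe_db_instances")
    out: List[Dict[str, Any]] = []
    for page in paginator.paginate():
        out.extend(page["DBInstances"])
    return out


# Constructed sample in the shape of DescribeDBInstances output (not real instances).
SAMPLE_INSTANCES: List[Dict[str, Any]] = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql", "MasterUsername": "awsuser"},
    {"DBInstanceIdentifier": "analytics", "Engine": "postgres", "MasterUsername": "acme_dbadm_7f3"},
    {"DBInstanceIdentifier": "legacy-crm", "Engine": "sqlserver-se", "MasterUsername": "Admin"},
]

if __name__ == "__main__":
    # Replace SAMPLE_INSTANCES with fetch_db_instances("us-east-1") for a live audit.
    for f in audit_db_instances(SAMPLE_INSTANCES):
        print(f"[LOW] {f.instance_id} ({f.engine}): {f.reason}")
```

Pass `defaults=frozenset({"awsuser"})` to restrict the check to exactly the name this advisory covers; the broader default set trades a few more findings to review for catching other names that were never changed.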
Why does AWS RDS database master username need to be changed?
While creating a DB instance, the master user that you specify is granted certain privileges for that DB instance. The following table shows the privileges and database roles that the master user gets for each of the database engines.
| Database Engine | System Privilege | Database Role |
|---|---|---|
| MySQL and MariaDB | SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* WITH GRANT OPTION, REPLICATION SLAVE (only for Amazon RDS MySQL versions 5.6, 5.7 and 8.0, and Amazon RDS MariaDB) | — |
| PostgreSQL | CREATE ROLE, CREATE DB, PASSWORD VALID UNTIL INFINITY, CREATE EXTENSION, ALTER EXTENSION, DROP EXTENSION, CREATE TABLESPACE, ALTER <OBJECT> OWNER, CHECKPOINT, PG_CANCEL_BACKEND(), PG_TERMINATE_BACKEND(), SELECT PG_STAT_REPLICATION, EXECUTE PG_STAT_STATEMENTS_RESET(), OWN POSTGRES_FDW_HANDLER(), OWN POSTGRES_FDW_VALIDATOR(), OWN POSTGRES_FDW, EXECUTE PG_BUFFERCACHE_PAGES(), SELECT PG_BUFFERCACHE | RDS_SUPERUSER |
| Oracle | ALTER DATABASE LINK, ALTER PUBLIC DATABASE LINK, DROP ANY DIRECTORY, EXEMPT ACCESS POLICY, EXEMPT IDENTITY POLICY, GRANT ANY OBJECT PRIVILEGE, RESTRICTED SESSION, EXEMPT REDACTION POLICY | AQ_ADMINISTRATOR_ROLE, AQ_USER_ROLE, CONNECT, CTXAPP, DBA, EXECUTE_CATALOG_ROLE, RECOVERY_CATALOG_OWNER, RESOURCE, SELECT_CATALOG_ROLE |
| Microsoft SQL Server | ADMINISTER BULK OPERATIONS, ALTER ANY CONNECTION, ALTER ANY LINKED SERVER, ALTER ANY LOGIN, ALTER SERVER STATE, ALTER TRACE, CONNECT SQL, CREATE ANY DATABASE, VIEW ANY DATABASE, VIEW ANY DEFINITION, VIEW SERVER STATE, ALTER ANY SERVER ROLE, ALTER ANY USER, ALTER ON ROLE SQLAgentOperatorRole | DB_OWNER (database-level role), PROCESSADMIN (server-level role), SETUPADMIN (server-level role), SQLAgentUserRole (server-level role) |
AWS also recommends that you do not use the master user directly in your applications. Instead, follow AWS best practices and create an IAM user with minimal privileges, only those your application actually requires.
If you accidentally delete the master user's permissions, you can restore them by modifying the DB instance and setting a new master user password.
Hence it is strongly recommended that you set a different master username and do not use the master user directly in your applications. This practice helps you avoid security breaches and misuse of cloud resources, and contributes to a secure cloud infrastructure.