Danger Gauge: Low
Your AWS RDS instance is at risk if you haven’t changed its default master username. It is an alphanumeric name that is used to acquire access to the database instance.
When a Relational Database Service instance is first created, there is a need to provide a username, which is the master username. To simplify, Amazon gives an example and sets the default master username as “awsuser.” Moreover, users do not generally change the username and leaves it as it is, and many AWS customers tend to use this username for their database instance to escape the effort of creating a new one.
If you are unlucky, this information can be used by unauthorized users. Through a brute-force attack, they can easily breach the account, compromising the entire security infrastructure.
Why does AWS RDS database master username need to be changed?
While creating a DB instance, the default master user that you use gets certain privileges for that DB instance. The following table shows the privileges and database roles that the master user gets for each of the database engines.
|Database Engine||System Privilege||Database Role|
|MySQL and MariaDB||SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* WITH GRANT OPTION, REPLICATION SLAVE (only for Amazon RDS MySQL versions 5.6, 5.7 and 8.0, Amazon RDS MariaDB)||—|
|PostgreSQL||CREATE ROLE, CREATE DB, PASSWORD VALID UNTIL INFINITY, CREATE EXTENSION, ALTER EXTENSION, DROP EXTENSION, CREATE TABLESPACE, ALTER < OBJECT> OWNER, CHECKPOINT, PG_CANCEL_BACKEND(), PG_TERMINATE_BACKEND(), SELECT PG_STAT_REPLICATION, EXECUTE PG_STAT_STATEMENTS_RESET(), OWN POSTGRES_FDW_HANDLER(), OWN POSTGRES_FDW_VALIDATOR(), OWN POSTGRES_FDW, EXECUTE PG_BUFFERCACHE_PAGES(), SELECT PG_BUFFERCACHE||RDS_SUPERUSER|
|Oracle||ALTER DATABASE LINK, ALTER PUBLIC DATABASE LINK, DROP ANY DIRECTORY, EXEMPT ACCESS POLICY, EXEMPT IDENTITY POLICY, GRANT ANY OBJECT PRIVILEGE, RESTRICTED SESSION, EXEMPT REDACTION POLICY||AQ_ADMINISTRATOR_ROLE, AQ_USER_ROLE, CONNECT, CTXAPP, DBA, EXECUTE_CATALOG_ROLE, RECOVERY_CATALOG_OWNER, RESOURCE, SELECT_CATALOG_ROLE|
|Microsoft SQL Server||ADMINISTER BULK OPERATIONS, ALTER ANY CONNECTION, ALTER ANY LINKED SERVER, ALTER ANY LOGIN, ALTER SERVER STATE, ALTER TRACE, CONNECT SQL, CREATE ANY DATABASE, VIEW ANY DATABASE, VIEW ANY DEFINITION, VIEW SERVER STATE, ALTER ANY SERVER ROLE, ALTER ANY USER, ALTER ON ROLE SQLAgentOperatorRole||DB_OWNER (Database Level Role) PROCESSADMIN (Server Level Role) SETUPADMIN(Server Level Role) SQLAgentUserRole(Server Level Role)|
AWS also recommends that you do not use the master user directly in your applications. Alternately, stick to the AWS best practices and create an IAM user with minimal privileges, only that is needed for your application.
If you accidentally delete master user’s permissions, they can be restored by modifying the DB instance and setting a new master user password.
Hence it is strongly recommended that the users set a different username and never use this directly in their applications. This practice will help you avoid security breaches, misuse of cloud resources, and overall contribute to a secure cloud infrastructure.