AWS-DocumentDB-clusters-listening-deafult-port

Severity: Low

Description: This control checks the listening port of each DocumentDB cluster and ensures that it is not the default port. Configuring a database cluster to listen on a non-default port can prevent malicious traffic from reaching the targeted database. Additionally, when applications listen on non-default ports, an attacker or malicious user must first run a network scan to locate the service; that extra step may delay the actual attack attempt or payload, increases the probability that network anomaly detection catches the activity, and gives administrators an opportunity to take compensating actions such as blocking the malicious users or IPs.
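As an added example (not part of this control text or of Blue Hexagon's tooling), the following Python script implements the check the description calls for: it reads the JSON that `aws docdb describe-db-clusters --output json` (or the equivalent boto3 `describe_db_clusters()` call) returns and reports every cluster whose `Port` is still the default. It assumes the DocumentDB default port is 27017 (the MongoDB-compatible default) and that the response uses the `DBClusters`, `DBClusterIdentifier` and `Port` fields of the DescribeDBClusters API; the embedded sample response is constructed, not real account data.

```python
"""Flag Amazon DocumentDB clusters that still listen on the default port.

Added example, not part of the original control text. Feed it the output of
`aws docdb describe-db-clusters --output json` (pass the file path as the first
argument) or run it without arguments to evaluate the constructed sample below.
Assumption: the DocumentDB default port is 27017 (MongoDB-compatible).
"""
import json
import sys
from typing import Dict, List

DEFAULT_DOCDB_PORT = 27017  # assumption: DocumentDB's default listening port


def find_default_port_clusters(describe_output: Dict,
                               default_port: int = DEFAULT_DOCDB_PORT) -> List[Dict]:
    """Return one finding per cluster whose Port equals the default port.

    `describe_output` is the parsed DescribeDBClusters response; clusters that
    already listen on a non-default port produce no finding.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        port = cluster.get("Port")
        if port == default_port:
            findings.append({
                "cluster": cluster.get("DBClusterIdentifier"),
                "port": port,
                "severity": "Low",  # severity assigned by the control
                "message": (f"cluster listens on default port {default_port}; "
                            "set a non-default Database Port via Modify"),
            })
    return findings


# Constructed sample shaped like a DescribeDBClusters response (not real data):
# two clusters on the default port, one already moved to a non-default port.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "DBClusters": [
    {"DBClusterIdentifier": "orders-docdb",    "Engine": "docdb", "Port": 27017, "Status": "available"},
    {"DBClusterIdentifier": "analytics-docdb", "Engine": "docdb", "Port": 37017, "Status": "available"},
    {"DBClusterIdentifier": "staging-docdb",   "Engine": "docdb", "Port": 27017, "Status": "available"}
  ]
}
""")


def main(argv: List[str]) -> int:
    """Evaluate a describe-db-clusters JSON file, or the sample if none is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE_OUTPUT
    findings = find_default_port_clusters(data)
    for finding in findings:
        print(f"[{finding['severity']}] {finding['cluster']}: {finding['message']}")
    # Non-zero exit lets a CI or audit job fail when any cluster is non-compliant.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the sample, the script reports `orders-docdb` and `staging-docdb` and exits non-zero, while `analytics-docdb` passes. Clusters it flags are the ones to take through the Modify steps below; remember the notes under Important, since a port change restarts the cluster and breaks existing connection strings and security-group rules until they are updated.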

Remediation Steps:

Perform the following steps to update the DocumentDB cluster listening port:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the DocumentDB console.

  3. In the left navigation pane, click Clusters.

  4. Select the database cluster to configure.

  5. Click Cluster Actions and choose Modify.

  6. In the Database Options section, set Database Port to a non-default port.

  7. Click Continue.

  8. Click Modify DB Cluster.

Important:

  • Changing the database port restarts the database immediately.

  • Changing the database port will break communication between the database and dependent applications; configured connection strings will need to be updated.

  • Security groups associated with the database instance will need to be updated to allow inbound traffic to the database on the new port.

  • Security groups or firewalls associated with applications that communicate with the database may also need to be updated to allow traffic to the database on the new port.

Reference:


Blue Hexagon Proprietary