Ensure master username does not use commonly predicted usernames for Amazon Relational Database Service (Amazon RDS) instances

MEDIUM

Description

Using master usernames that can be easily predicted (for example, admin) makes username-spray and brute-force attacks against the database easier, because an attacker only has to guess the password.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the AWS RDS Console.
  2. In the RDS Dashboard, click on Databases.
  3. Select Modify to modify the instance of your choice.
  4. Change the username if it is something common like 'awsuser'.

In Terraform -

  1. In the aws_db_instance resource, set the username field; this field is required unless creating the database as a replica or building from a snapshot.
  2. Use a valid string that is not a commonly used or system-generated name such as awsuser, admin, pgadmin, mysqladmin, or sqladmin.
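
The Terraform remediation above can be enforced at plan time rather than by review alone. The following is an added example, not code from this policy page or from the Terraform AWS provider documentation: the variable name, instance identifier, engine and sizing values are assumptions, and the rejected-name list is the one given in the remediation text.

```hcl
# Added example: a variable with a validation block that rejects the commonly
# predicted master usernames named in the remediation, so a weak name fails at
# `terraform plan` instead of reaching the RDS API.
variable "rds_master_username" {
  type        = string
  description = "Master username for the RDS instance (assumed variable name)."

  validation {
    # List taken from the remediation text; lower() makes the check case-insensitive.
    condition = !contains(
      ["awsuser", "admin", "pgadmin", "mysqladmin", "sqladmin"],
      lower(var.rds_master_username)
    )
    error_message = "Master username must not be a commonly predicted name (awsuser, admin, pgadmin, mysqladmin, sqladmin)."
  }
}

resource "aws_db_instance" "example" {
  identifier        = "example-db"  # assumed
  engine            = "postgres"    # assumed
  instance_class    = "db.t3.micro" # assumed
  allocated_storage = 20            # assumed

  # Weak setting flagged by this policy:
  #   username = "awsuser"
  # Corrected: take the name from the validated variable instead.
  username = var.rds_master_username

  # Let RDS generate the master password and store it in Secrets Manager,
  # so no password literal sits in the configuration (recent AWS provider).
  manage_master_user_password = true

  skip_final_snapshot = true # assumed; only appropriate for a disposable instance
}
```

Running `terraform plan -var 'rds_master_username=admin'` fails with the validation error, while a non-listed name passes.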

References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#username

Policy Details

Rule Reference ID: AC_AWS_0059
CSP: AWS
Remediation Available: Yes
Resource: aws_db_instance
Resource Category: Database
Resource Type: DB Instance

Frameworks