Ensure Default User Not Used on AWS RDS Cluster

Description

Ensures that "awsuser" is not used as a username.

It is strongly recommended that you set a username other than the default "awsuser", and that you do not use it directly in your applications. This practice helps you avoid security breaches and misuse of cloud resources, and contributes to a secure cloud infrastructure.

Rationale

Using the default username makes it more likely that scraping software guesses the master username.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                            With Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    cluster

Default Rule

const { isAwsRdsCluster } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the resource is an AWS RDS
 *          cluster and its master username is not 'awsuser'
 */
function validate(databaseSettings) {
    const defaultUser = "awsuser"
    const success = isAwsRdsCluster(databaseSettings) &&
                    databaseSettings.awsDatabaseInstance.rdsCluster.masterUsername !== defaultUser

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
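
The same check applied outside the rule engine, as an added example that is not part of the original rule: it audits the JSON printed by `aws rds describe-db-clusters` and reports each cluster's status. The function name `auditClusters`, the case-insensitive comparison, the "unknown" status for a missing username, and the sample data are assumptions made for this example.

```javascript
// Added example (not the rule engine's code): audit the JSON printed by
// `aws rds describe-db-clusters` for clusters that keep the default master username.
const DEFAULT_USERS = new Set(["awsuser"]);

/**
 * @param {Object} describeOutput - parsed output of `aws rds describe-db-clusters`
 * @returns {Array<{cluster: string, masterUsername: (string|null), status: string}>}
 *          status is "fail" (default username), "pass", or "unknown" (field missing)
 */
function auditClusters(describeOutput) {
    const clusters = (describeOutput && describeOutput.DBClusters) || [];
    return clusters.map((c) => {
        const name = typeof c.MasterUsername === "string" ? c.MasterUsername.trim() : "";
        let status = "pass";
        if (name === "") {
            // No username in the record: report it rather than passing silently.
            status = "unknown";
        } else if (DEFAULT_USERS.has(name.toLowerCase())) {
            // Assumption: case variants such as "AWSUser" are flagged as well.
            status = "fail";
        }
        return { cluster: c.DBClusterIdentifier, masterUsername: name || null, status };
    });
}

// Constructed sample input, shaped like the CLI output (only the fields used here).
const sampleOutput = {
    DBClusters: [
        { DBClusterIdentifier: "orders-prod", MasterUsername: "awsuser" },
        { DBClusterIdentifier: "billing-prod", MasterUsername: "svc_billing_owner" },
        { DBClusterIdentifier: "legacy-test", MasterUsername: "AWSUser" },
        { DBClusterIdentifier: "import-tmp" },
    ],
};

for (const row of auditClusters(sampleOutput)) {
    console.log(`${row.status.toUpperCase().padEnd(8)}${row.cluster}  (${row.masterUsername})`);
}
```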