Ensure Default User Not Used on AWS RDS Cluster


Ensures that "awsuser" is not used as a username.

It is strongly recommended to set a username other than the default "awsuser", and not to use it directly in your applications. This practice helps you avoid security breaches and misuse of cloud resources, and contributes to a secure cloud infrastructure.


Using the default username makes it more likely that scraping software guesses the master username.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                            With Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    cluster

Default Rule

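const { isAwsRdsCluster } = aws

/**
 * Checks that the cluster's master username is not the default 'awsuser'.
 * @param {Object} databaseSettings - database settings object
 * @returns {Object} result whose success field is true if the database is an RDS cluster not using 'awsuser' as master username
 */
function validate(databaseSettings) {
    const defaultUser = "awsuser"
    // Passes only for an RDS cluster whose master username differs from the default
    const success = isAwsRdsCluster(databaseSettings) &&
                    databaseSettings.awsDatabaseInstance.rdsCluster.masterUsername !== defaultUser

    return {
        success
    }
}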
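
The tag conditions and the username check can be combined into one evaluator that reports "not applicable" and "username missing" separately from pass and fail, since a missing master username would pass a bare `!==` comparison. This is an added example, not the rule engine's own code: the flat resource shape (`id`, `tags`, `masterUsername`), the function names and the sample inventory are assumptions constructed for illustration, and the match is case-insensitive and whitespace-trimmed, which is stricter than the exact comparison in the rule above.

```javascript
// Added example: tag gate + default-username check with explicit outcomes.
// Resource shape and sample data are constructed for illustration.
const REQUIRED_TAGS = {
  "secureclouddb/provider": "aws",
  "secureclouddb/service": "rds",
  "secureclouddb/resource-type": "cluster",
};
const DEFAULT_USER = "awsuser";

// The rule applies only when every required tag is present with its value.
function ruleApplies(tags = {}) {
  return Object.entries(REQUIRED_TAGS).every(([k, v]) => tags[k] === v);
}

// Returns "not-applicable", "unknown", "fail" or "pass" for one resource.
function evaluate(resource) {
  if (!ruleApplies(resource.tags)) return "not-applicable";
  const name = resource.masterUsername;
  // A missing username would pass a bare `!==` check; surface it instead.
  if (typeof name !== "string" || name.trim() === "") return "unknown";
  // Assumption: compare case-insensitively (stricter than the page's rule).
  return name.trim().toLowerCase() === DEFAULT_USER ? "fail" : "pass";
}

// Group resource ids by outcome so failures and data gaps can be triaged.
function summarize(resources) {
  const report = { pass: [], fail: [], unknown: [], "not-applicable": [] };
  for (const r of resources) report[evaluate(r)].push(r.id);
  return report;
}

// Constructed sample inventory (hypothetical ids, not real resources).
const clusterTags = { ...REQUIRED_TAGS };
const instanceTags = { ...REQUIRED_TAGS, "secureclouddb/resource-type": "instance" };
const sampleInventory = [
  { id: "orders-cluster", tags: clusterTags, masterUsername: "awsuser" },
  { id: "billing-cluster", tags: clusterTags, masterUsername: "svc_billing_admin" },
  { id: "legacy-cluster", tags: clusterTags }, // username missing from inventory
  { id: "reports-cluster", tags: clusterTags, masterUsername: "AwsUser " },
  { id: "cache-instance", tags: instanceTags, masterUsername: "awsuser" },
];

console.log(summarize(sampleInventory));
```
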

