Adopt a non-default master username convention and enforce it in IaC templates so new clusters never fail this control. For existing clusters, plan a migration — snapshot, restore (or stand up a new cluster) with a custom MasterUsername, and cut traffic over in a maintenance window. Inventory the backlog of clusters on default usernames and schedule the migrations rather than deferring them.

Compliance Low severity

AWS Security Hub · RDS

RDS.24: RDS uses a default admin username

Written and reviewed by Emnode · Last reviewed 27 May 2026

What does AWS Security Hub RDS.24 check?

RDS.24 checks the master administrator username on an RDS DB cluster. It reports FAILED when the MasterUsername matches a documented default such as admin, postgres, root, sa, mysql, or master.

Why does RDS.24 matter?

The master user is the highest-privilege account on the database, and its name is fixed at creation — there is no in-place rename. Accepting a default username hands an attacker half the credential pair for free: a brute-force or credential-stuffing campaign now only has to guess the password, not the username. A non-obvious admin name shrinks the attack surface from two unknowns to one for the entire lifetime of the cluster.

How do I fix RDS.24?

Adopt a non-default master username convention and enforce it in IaC templates so new clusters never fail this control.
For existing clusters, plan a migration — snapshot, restore (or stand up a new cluster) with a custom MasterUsername, and cut traffic over in a maintenance window.
Inventory the backlog of clusters on default usernames and schedule the migrations rather than deferring them.

Remediation script · bash

# Move the highest-impact databases onto IAM authentication first (free, no reboot).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?IAMDatabaseAuthenticationEnabled==`false`].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --enable-iam-database-authentication --apply-immediately
  echo "$db: IAM database authentication enabled"
done

# Find every instance still using a default admin username (immutable; needs migration).
aws rds describe-db-instances \
  --query "DBInstances[?contains(['admin','postgres','root','sa','master','mysql','dbadmin'], MasterUsername)].[DBInstanceIdentifier,MasterUsername]" \
  --output table

# Recreate one of those with a non-default master username set explicitly at creation.
aws rds restore-db-cluster-from-snapshot \
  --db-cluster-identifier prod-orders-db-v2 \
  --snapshot-identifier prod-orders-db-pre-rename \
  --engine aurora-postgresql

Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.

Is RDS.24 a false positive?

The username cannot be changed in place on a running cluster, so an existing default-named cluster always requires a snapshot-and-rebuild migration rather than a quick modify call.

Full lesson Harden database auth, ports and access Step-by-step remediation with CLI, code and persona-specific context.

AWS documentation for RDS controls ↗ Check your own account for RDS.24 →

Part of the learning path Tighten your databases

RDS.1 An RDS snapshot is shared publicly
RDS.2 An RDS instance is publicly accessible from the internet
RDS.3 RDS DB instances should be encrypted at rest
RDS.4 RDS snapshots should be encrypted at rest
RDS.5 RDS DB instances should use multiple AZs
RDS.6 RDS lacks enhanced monitoring
RDS.7 RDS clusters should have deletion protection
RDS.8 RDS DB instances should have deletion protection
RDS.9 RDS engine logs are not shipped to CloudWatch
RDS.10 RDS relies on long-lived database passwords
RDS.11 RDS instances should have automatic backups
RDS.12 IAM auth should be configured for RDS clusters