AWS Security Hub · RDS
RDS.25: RDS instances should use a custom admin username
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.25 check?
RDS.25 checks the master administrator username on an RDS DB instance. It reports FAILED when the MasterUsername matches a documented default such as admin, postgres, root, sa, mysql, or master.
Why does RDS.25 matter?
The master user is the highest-privilege account on the instance, and its name is fixed at creation — there is no in-place rename. Accepting a default username hands an attacker half the credential pair for free: a brute-force or credential-stuffing campaign now only has to guess the password. A non-obvious admin name shrinks the attack surface from two unknowns to one for the entire lifetime of the instance.
How do I fix RDS.25?
- Adopt a non-default master username convention and enforce it in IaC templates so new instances never fail this control.
- For existing instances, plan a migration — snapshot, restore (or create a new instance) with a custom MasterUsername, then cut traffic over in a maintenance window.
- Inventory the backlog of instances on default usernames and schedule the migrations.
Remediation script · bash
# Move the highest-impact databases onto IAM authentication first (free, no reboot).
# Interim step only: it does not change the master username, which stays immutable.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?IAMDatabaseAuthenticationEnabled==`false`].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --enable-iam-database-authentication --apply-immediately
  echo "$db: IAM database authentication enabled"
done

# Find every instance still using a default admin username (immutable; needs migration).
aws rds describe-db-instances \
  --query "DBInstances[?contains(['admin','postgres','root','sa','master','mysql','dbadmin'], MasterUsername)].[DBInstanceIdentifier,MasterUsername]" \
  --output table

# Recreate one of those with a non-default master username set explicitly at creation.
# A snapshot restore keeps the snapshot's MasterUsername, so the replacement instance is
# created with create-db-instance and the data is loaded into it (pg_dump/pg_restore,
# logical replication or DMS) before cutover; the snapshot is the rollback point.
# prod-orders-db, the instance class, storage size and ops_dba_x7 are placeholders.
aws rds create-db-snapshot \
  --db-instance-identifier prod-orders-db \
  --db-snapshot-identifier prod-orders-db-pre-rename
aws rds create-db-instance \
  --db-instance-identifier prod-orders-db-v2 \
  --engine postgres --db-instance-class db.r6g.large --allocated-storage 100 \
  --master-username ops_dba_x7 \
  --manage-master-user-password \
  --enable-iam-database-authentication
Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.
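As an added example (not the page's or AWS's code), the RDS.25 rule from the sections above applied offline to the shape of describe-db-instances output: it reports PASSED/FAILED per instance, rejects a proposed master username before creation (the IaC guard from the fix list), and orders the migration backlog with IAM-auth-disabled instances first. The sample response is constructed; case-insensitive matching and the per-engine length limits are assumptions.

```python
"""RDS.25 evaluator over the shape of `aws rds describe-db-instances` output.
Constructed sample data; not the Security Hub implementation."""

# Default names quoted by the control text ("dbadmin" from the script is kept too).
DEFAULT_ADMIN_NAMES = frozenset({"admin", "postgres", "root", "sa", "mysql", "master", "dbadmin"})
# Assumed per-engine master-username length limits (MySQL 16, PostgreSQL 63 per RDS docs).
MAX_LEN = {"mysql": 16, "mariadb": 16, "postgres": 63, "aurora-postgresql": 63}

# Constructed sample of a trimmed describe-db-instances response.
SAMPLE_RESPONSE = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-orders-db", "MasterUsername": "admin",
     "Engine": "postgres", "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "prod-billing-db", "MasterUsername": "Postgres",
     "Engine": "postgres", "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "analytics-ro", "MasterUsername": "ops_dba_x7",
     "Engine": "mysql", "IAMDatabaseAuthenticationEnabled": False},
]}

def is_default_admin_name(name):
    # Assumption: compare case-insensitively so "Postgres" is treated like "postgres".
    return name.strip().lower() in DEFAULT_ADMIN_NAMES

def validate_master_username(name, engine):
    """IaC/pipeline guard: reject a master username before the instance is created,
    because MasterUsername cannot be changed afterwards."""
    if is_default_admin_name(name):
        raise ValueError(f"{name!r} is a documented default master username (RDS.25)")
    limit = MAX_LEN.get(engine, 16)  # unknown engine: fall back to the strictest limit
    ok = (name[:1].isalpha() and len(name) <= limit
          and all(c.isalnum() or c == "_" for c in name))
    if not ok:
        raise ValueError(f"{name!r} violates RDS master username rules for {engine}")
    return name

def evaluate_rds25(response):
    """Map each instance to the compliance status Security Hub would report."""
    return {db["DBInstanceIdentifier"]:
            "FAILED" if is_default_admin_name(db["MasterUsername"]) else "PASSED"
            for db in response["DBInstances"]}

def migration_backlog(response):
    """FAILED instances ordered for scheduling: those without IAM auth first, since
    enabling it is the cheap interim step while the rebuild is planned."""
    failed = [db for db in response["DBInstances"]
              if is_default_admin_name(db["MasterUsername"])]
    failed.sort(key=lambda db: (db["IAMDatabaseAuthenticationEnabled"],
                                db["DBInstanceIdentifier"]))
    return [db["DBInstanceIdentifier"] for db in failed]
```

Feed it the parsed JSON of a real describe-db-instances call to get the same backlog the table query in the script produces, plus a scheduling order.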
Is RDS.25 a false positive?
The username cannot be changed in place, so an existing default-named instance always needs a snapshot-and-rebuild migration rather than a modify call. RDS.25 is the instance-level companion to RDS.24, which covers clusters.
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters