
How to Secure Your AWS Database from Public Exposure with Nmap and Security Groups



Attackers don’t need much. They scan. They find open ports. They test defaults. Tools like Nmap make it trivial to map your infrastructure. If your AWS RDS or EC2-hosted database listens on the public network, it becomes a magnet for probes. You won’t see the knock until they’re already at the door. By then, it’s too late.

Securing AWS database access starts with visibility. You must know exactly which ports are exposed, and to whom. Security groups (stateful, attached to the instance or the RDS network interface) and network ACLs (stateless, attached to the subnet) control access, but only as strictly as the rules you write. The first step: restrict the inbound database ports (3306 for MySQL and MariaDB, 5432 for PostgreSQL, 1433 for SQL Server) to specific sources. The best source is the security group of your application tier, so the rule follows the instances rather than their addresses; where you must use IP ranges, use the narrowest CIDR you can. Never use 0.0.0.0/0 (or ::/0, its IPv6 twin) unless there is no alternative, and even then, question why. Remember that a rule for a wide port range, or for "all traffic", opens the database ports just as surely as a rule that names them.
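The rule above is easy to state and easy to get wrong at scale, because a grep for "3306" misses a rule that opens ports 1024-65535 or "all traffic". The following script is an added example, not hoop.dev's code: it walks the JSON that `aws ec2 describe-security-groups --output json` returns and reports every rule that lets a database port in from 0.0.0.0/0 or ::/0, including the wide-range and all-traffic cases. The input is a constructed sample in that shape; the group IDs (sg-0weak, sg-0tight, sg-0range, sg-0app) and the 203.0.113.0/24 addresses are hypothetical. The sg-0tight group shows the two acceptable patterns side by side with the weak ones: a source security group, and a single /32.

```python
"""Audit EC2 security-group ingress rules for database ports open to the world.

Added example, not hoop.dev code. SAMPLE is a constructed document in the
shape of `aws ec2 describe-security-groups --output json`; the group IDs
sg-0weak, sg-0tight, sg-0range and sg-0app are hypothetical.
"""
import ipaddress
import json

# Default listener ports for the engines the post names.
DB_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "mssql"}

SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0weak", "GroupName": "db-open-to-world", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0tight", "GroupName": "db-from-app-tier", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0app", "UserId": "123456789012"}]},
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0range", "GroupName": "ephemeral-ports-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []}]}
]}
""")


def db_ports_covered(perm):
    """Database ports that a single IpPermissions entry lets through."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "All traffic": every port, every protocol
        return set(DB_PORTS)
    if proto != "tcp":           # udp/icmp rules cannot reach a TCP listener
        return set()
    lo, hi = perm["FromPort"], perm["ToPort"]
    return {p for p in DB_PORTS if lo <= p <= hi}


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (any prefix of length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(describe_output):
    """Return sorted (group_id, port, cidr) triples for world-open DB ports.

    Rules whose source is another security group (UserIdGroupPairs) or a
    specific CIDR pass: that is the post's "specific source only" rule.
    """
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            ports = db_ports_covered(perm)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world(cidr):
                    findings.extend((sg["GroupId"], port, cidr) for port in sorted(ports))
    return sorted(findings)


def world_open_groups(describe_output):
    """Group IDs that need fixing; these are the targets for revoke-security-group-ingress."""
    return {group for group, _, _ in audit(describe_output)}


if __name__ == "__main__":
    for group, port, cidr in audit(SAMPLE):
        print(f"{group}: {DB_PORTS[port]} ({port}/tcp) reachable from {cidr}")
```

On the sample this reports five findings: 3306 in sg-0weak from both 0.0.0.0/0 and ::/0, and all three database ports in sg-0range, which never mentions any of them. To fix a flagged group, revoke the world rule and replace it with a source-group rule, for example `aws ec2 revoke-security-group-ingress --group-id sg-0weak --protocol tcp --port 3306 --cidr 0.0.0.0/0` followed by `aws ec2 authorize-security-group-ingress --group-id sg-0weak --protocol tcp --port 3306 --source-group sg-0app`.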

Nmap matters here because it's what your adversaries use. It's also what you should use. Schedule regular scans of your own AWS environments, run from outside the VPC so you see what the internet sees. Start with:

nmap -Pn -p 3306,5432,1433 your-database-endpoint

Run it from outside your VPC and see what responds. The -Pn flag matters: an RDS endpoint does not answer ping, so without it Nmap declares the host down and scans nothing. Read the result per port. "open" means a database answered, and it is exposed to the open network. "closed" means the packet got through the security group but nothing was listening there, which is still a rule worth tightening. "filtered" means the security group or network ACL dropped it, which is what you want. This is the simplest, fastest way to validate AWS firewall rules. To see who is actually knocking, enable VPC Flow Logs on the database subnets and review the engine's own authentication log; CloudTrail records API calls such as a security group change, not database connections. Finally, require encryption in transit (for RDS, the rds.force_ssl parameter on PostgreSQL and SQL Server, require_secure_transport on MySQL) so credentials and data cannot be sniffed.


AWS offers features to harden database access beyond port control. Use IAM database authentication for RDS, which issues short-lived tokens instead of static passwords. Place databases in private subnets with no route to an internet gateway, and keep the RDS "publicly accessible" setting off so the endpoint resolves only to a private address. Pair that with VPC peering or AWS PrivateLink for secure and controlled connectivity from your application layer, and route human access through a gateway rather than an open port.

Continuous monitoring is critical. A configuration that is safe today can become vulnerable tomorrow after a single deploy. Automate security scans with CI/CD hooks. Trigger Nmap sweeps during build or staging, keep the last known-good scan as a baseline, and fail the pipeline when a database port that should be filtered starts answering or any port changes state. You can't patch what you can't see.
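What that CI hook looks like in practice, as an added example that is not part of the original post or hoop.dev's product: run the scan with grepable output (`nmap -Pn -p 3306,5432,1433 -oG scan.gnmap your-database-endpoint`), then parse the report, flag any database port that answered, and diff every port's state against a committed baseline. Grepable output is marked deprecated in Nmap's documentation but current releases still produce it, and its one-line-per-host format is the easiest to check in a pipeline. The report below is constructed, not real scan output, and 203.0.113.25 and 203.0.113.26 are documentation addresses standing in for two database endpoints. Note that the gate treats "closed" as reachable, not just "open": a closed port proves the security group let the packet through.

```python
"""CI gate over an Nmap grepable (-oG) scan of database ports.

Added example, not hoop.dev code. Typical use:
    nmap -Pn -p 3306,5432,1433 -oG scan.gnmap <endpoint>
    python gate.py scan.gnmap
SAMPLE_GNMAP is a constructed report; 203.0.113.25/26 are documentation
addresses, not real endpoints.
"""
import sys

DB_PORTS = {3306, 5432, 1433}

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample, not real scan output)
Host: 203.0.113.25 ()\tStatus: Up
Host: 203.0.113.25 ()\tPorts: 3306/open/tcp//mysql///, 5432/filtered/tcp//postgresql///, 1433/filtered/tcp//ms-sql-s///
Host: 203.0.113.26 ()\tStatus: Up
Host: 203.0.113.26 ()\tPorts: 3306/filtered/tcp//mysql///, 5432/filtered/tcp//postgresql///, 1433/closed/tcp//ms-sql-s///
# Nmap done: 2 IP addresses (2 hosts up) scanned
"""

# Last known-good state, committed to the repo after a reviewed change.
BASELINE = {
    ("203.0.113.25", 3306): "filtered", ("203.0.113.25", 5432): "filtered",
    ("203.0.113.25", 1433): "filtered", ("203.0.113.26", 3306): "filtered",
    ("203.0.113.26", 5432): "filtered", ("203.0.113.26", 1433): "filtered",
}


def parse_grepable(text):
    """Return {(host, port): state} for every TCP port in a -oG report.

    A -oG host line is tab-separated; the 'Ports:' field holds entries of the
    form port/state/protocol/owner/service/rpc/version/ separated by commas.
    """
    states = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]          # "Host: <ip> (<name>)"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = int(parts[0]), parts[1], parts[2]
                if proto == "tcp":
                    states[(host, port)] = state
    return states


def reachable(states):
    """Database ports the security group let through: open or closed, not filtered."""
    return sorted(k for k, s in states.items() if k[1] in DB_PORTS and s in ("open", "closed"))


def exposed(states):
    """Database ports where a listener actually answered."""
    return sorted(k for k, s in states.items() if k[1] in DB_PORTS and s == "open")


def drift(states, baseline):
    """{(host, port): (before, now)} for every port whose state left the baseline."""
    changes = {}
    for key in set(states) | set(baseline):
        before, now = baseline.get(key, "absent"), states.get(key, "absent")
        if before != now:
            changes[key] = (before, now)
    return changes


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GNMAP
    states = parse_grepable(text)
    for host, port in exposed(states):
        print(f"EXPOSED  {host}:{port} answered from outside the VPC")
    for host, port in reachable(states):
        print(f"REACHABLE {host}:{port} passed the security group")
    changes = drift(states, BASELINE)
    for (host, port), (before, now) in sorted(changes.items()):
        print(f"DRIFT    {host}:{port} {before} -> {now}")
    return 1 if reachable(states) or changes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample the gate fails the build twice over: 203.0.113.25 answers on 3306 (exposed), and 203.0.113.26 returns closed on 1433, which the baseline says should be filtered. Both show up as drift, so a rule that was loosened "temporarily" during a deploy cannot ride into production unnoticed; update BASELINE only as part of a reviewed change.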

The strongest AWS database security setups are layered: tightly controlled network access, IAM-based authentication, TLS for every connection, and regular scanning from the outside-in. There’s no reason to guess if your database is safe when you can know in minutes.

You can see this in action now. hoop.dev makes it possible to create a secure testing environment, spin up a database, scan it with Nmap, and validate every AWS security rule—live, without touching production. It takes minutes to set up. Knowing your database is locked down isn’t optional. It’s the ground you stand on.
