By default you got a username and password for your RDS database. Would it be dangerous to use the credentials on your production website, say in php files?
Or is it necessary to create a user with less control of the db (e.g. only read)? However I can't find the place to add user on amazon's console.
Every production site needs to have credentials for the corresponding database they use. These files however shouldn't be served directly by the web-server.
This means, that for example a .php file shouldn't be just delivered as plain text BUT it should be interpreted. This you can set in your appache config for the corresponding server and you probably already did if you can see the results of echo phpinfo(); when putting into a php file, and loading it in your browser.
That means, when you give these credentials into the php file, lets say like:
$db_user = <user>
$db_pass = <pass>
It won't be avaible for the "outside" world. However your application will be able to use these for joining to the appropiate database server.
It sounds like you're asking whether it's a best practice to put your primary RDS credentials in your PHP app. I would say yes it's OK if your PHP app needs full control over the database anyway. However, if you want to follow the "principle of least privilege", and if your PHP app only needs limited rights such as read-only, it would improve your security posture to create an additional MySQL user for this purpose.
