DEV Community

AWS Community Builders profile image Leonid Gimelshtein
Leonid Gimelshtein for AWS Community Builders

Posted on • Updated on

Utilizing SSM Documents for Seamless Tunneling to RDS

#aws #devops #database #security

When deploying application servers or databases within private subnets following best security practices, it is essential to establish a robust system for resource management and access. This ensures efficient resource management and facilitates effective troubleshooting when necessary. How can you securely access it by creating tunnelling using an SSM document?

Why go with this approach and tunnel through a bastion host? The key advantage is that SSM records all connections in CloudWatch for audit and security; plus, it's an additional way to connect to private resources.

This solution enables the creation of a tunnel to access other private resources, such as EC2 instances and RDS.
In this blog post, I will show how to create tunnelling to RDS or any EC2 resources within that private subnet while maintaining security using the SSM document.
This is a short step-by-step guide to help you establish a secure connection to your RDS instance.
By the end of this article, you'll clearly understand how to access your RDS instance using SSM documents, keeping your network safe. All the connections established via SSM are recorded in CloudWatch for audit and security purposes.

Pre-Requirements:

  • I assume you've already set up a Bastion host in your public subnet so that the host can establish communication with the RDS instance, and your public IP is whitelisted and has access to the Bastion host. We'll rely on the AWS-StartPortForwardingSessionToRemoteHost SSM document for tunnelling purposes.

  • To perform this task, you should have the AWS CLI installed and configured on your machine and the necessary permissions granted to your IAM user.
    ** We are ready to go ... **

  • Step 1: in your host file /etc/hosts, add the record for the RDS endpoint we will use later to access using the database client to connect to the RDS instance

localhost <rds-endpoint>
Enter fullscreen mode Exit fullscreen mode
  • Step2: Run the following command to create a tunnel 
aws --profile <aws_profile> ssm start-session --target <bastion-host-ec2-id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=<rds-endpoint-name>,portNumber=5432,localPortNumber=5433
Enter fullscreen mode Exit fullscreen mode

Wait until the connection is established; you can connect to the database using the below command or use your favourite DB management tool, PGAdmin or MySQLWorkbench if it is MySQL Database.
Here is the screenshot from Session Manager:

Image description

  • Step3: Connect using psql cli 
psql -h 127.0.0.1 -p 5433 -U postgres
Enter fullscreen mode Exit fullscreen mode

Session

Top comments (0)

Read next

psantus profile image

Your S3 objects could be public (even though the AWS Console doesn't say so)

Paul SANTUS -

atimin profile image

ReductStore CLI Client now in Rust

Alexey Timin -

vkazulkin profile image

How to set up Amazon RDS Proxy for Amazon Aurora (Serverless) database cluster and connect AWS Lambda function to it

Vadym Kazulkin -

asimmon profile image

Locally test and validate your Renovate configuration files

Anthony Simmon -