DEV Community: Abdulrasheed Abdulazeez The latest articles on DEV Community by Abdulrasheed Abdulazeez (@abdulrasheed_abdulazeez_7). https://dev.to/abdulrasheed_abdulazeez_7 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1753574%2Fa47a09e2-bd58-48a8-90af-46791bb94af7.jpg DEV Community: Abdulrasheed Abdulazeez https://dev.to/abdulrasheed_abdulazeez_7 en Serving SSE-KMS Encrypted Content from S3 Using CloudFront Abdulrasheed Abdulazeez Sat, 31 Jan 2026 00:18:26 +0000 https://dev.to/abdulrasheed_abdulazeez_7/serving-sse-kms-encrypted-content-from-s3-using-cloudfront-5c2b https://dev.to/abdulrasheed_abdulazeez_7/serving-sse-kms-encrypted-content-from-s3-using-cloudfront-5c2b <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ukav9metoxopg9qknv8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ukav9metoxopg9qknv8.png" alt=" " width="800" height="299"></a></p> <h2> Introduction </h2> <p>A best practice for your web applications is to use <a href="https://aws.amazon.com/s3/" rel="noopener noreferrer">Amazon S3</a> to store content and <a href="https://aws.amazon.com/cloudfront/" rel="noopener noreferrer">Amazon CloudFront</a> to deliver it to users and protecting your data at <a href="https://wa.aws.amazon.com/wat.question.SEC_9.en.html" rel="noopener noreferrer">rest</a> and in <a href="https://wa.aws.amazon.com/wat.question.SEC_10.en.html" rel="noopener noreferrer">transit</a>. Encryption is one of protection controls AWS provides you to reduce the risks of unauthorized access, loss, or exposure. In this blog post, you will learn how to implement one of these options (SSE-KMS) in S3 when using CloudFront for content delivery.</p> <p>Let’s say you’re building an application.</p> <p>Users upload:</p> <ul> <li>profile pictures</li> <li>invoices</li> <li>receipts</li> <li>documents</li> <li>private attachments</li> </ul> <p>Now you’re stuck with a very real engineering dilemma:</p> <blockquote> <p>“I want the files to be private, but I also want them to load fast anywhere in the world.”</p> </blockquote> <p>If you store the files in a public S3 bucket → fast, but <strong>not secure</strong>.</p> <p>If you store the files in a private S3 bucket → secure, but sometimes slower, and not CDN-friendly.</p> <p>And then you go one step further:</p> <blockquote> <p>“I also want encryption at rest using my own key… so even if someone gets access to the storage layer, they still can’t read anything.”</p> </blockquote> <p>That’s where <strong>SSE-KMS</strong> comes in.</p> <p>So the perfect setup becomes:</p> <p>✅ Private S3 bucket</p> <p>✅ Encrypted at rest using KMS (SSE-KMS)</p> <p>✅ Served globally using CloudFront</p> <p>✅ Bucket never becomes public</p> <h2> What We’re Building (High-Level) </h2> <p>We’re building a secure content delivery pipeline:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsxvim0ryilmefn3i2tym.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsxvim0ryilmefn3i2tym.png" alt=" " width="800" height="533"></a></p> <h2> Why This Setup Matters </h2> <p>This architecture gives you:</p> <h3> 🔐 Security </h3> <ul> <li>bucket stays private forever</li> <li>no public ACLs</li> <li>no “anyone with the link can access it”</li> </ul> <h3> 🔑 Encryption at rest </h3> <ul> <li>objects are encrypted using <strong>your KMS key</strong> </li> <li>full audit trail of decrypt operations (CloudTrail)</li> <li>better compliance posture</li> </ul> <h3> ⚡ Performance </h3> <ul> <li>CloudFront caches content at edge locations</li> <li>faster downloads worldwide</li> <li>reduces S3 request costs</li> </ul> <h2> Understanding the Key Services </h2> <p>Before clicking anything, let’s understand what each AWS service is doing in this story.</p> <h3> What is S3? </h3> <p>Think of S3 as a massive cloud hard drive.</p> <ul> <li> <strong>Bucket</strong> = container (like a folder)</li> <li> <strong>Object</strong> = file (image, pdf, zip, etc.)</li> </ul> <p>S3 can be public… but for user content, public buckets are dangerous.</p> <p>So we keep it private.</p> <h3> What is CloudFront? </h3> <p>CloudFront is AWS’s CDN.</p> <p>It has servers around the world called <strong>edge locations</strong>.</p> <p>When a user requests:</p> <p><code>https://d1234abcdef.cloudfront.net/images/photo.jpg</code></p> <p>CloudFront does this:</p> <ol> <li>checks if it already cached the file at the nearest edge</li> <li>if cached → returns immediately (super fast)</li> <li>if not cached → fetches from origin (S3), caches it, then returns it</li> </ol> <h3> What is KMS? </h3> <p>KMS (Key Management Service) manages encryption keys.</p> <p>When you use SSE-KMS:</p> <ul> <li>S3 stores objects encrypted</li> <li>when someone requests the object, S3 decrypts it (with KMS) before returning it</li> </ul> <p>This means encryption is:</p> <ul> <li>automatic</li> <li>controlled by IAM + key policies</li> <li>auditable</li> </ul> <h2> Encryption options in S3 and CloudFront </h2> <p>With S3, you can either encrypt data at the client side and then upload the encrypted data to your S3 bucket, or to let S3 encrypt your data before storing it. The second method is called <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html" rel="noopener noreferrer">server-side encryption (SSE)</a>, and it comes in multiple flavors:</p> <ul> <li>Server-Side Encryption with Amazon S3-Managed Keys <strong>(SSE-S3)</strong>, where each object is encrypted with a unique key managed by S3</li> <li>Server-Side Encryption with Customer Master Keys (CMKs) stored in AWS Key Management Service <strong>(SSE-KMS)</strong>. This gives you more control and visibility into how your encryption keys are being used</li> <li>Server-Side Encryption with customer-provided keys <strong>(SSE-C)</strong>, where you manage the encryption keys and S3 only manages the encryption of objects</li> </ul> <p>With CloudFront, you can encrypt data in transit using HTTPS, and enforce encryption policy by:</p> <ul> <li>Redirecting <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html" rel="noopener noreferrer">HTTP to HTTPS</a> </li> <li>Choosing minimal <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers" rel="noopener noreferrer">TLS version and ciphers</a> </li> <li>Selecting a domain name and its associated <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html" rel="noopener noreferrer">TLS certificate</a> </li> </ul> <p>So for serious production setups, <strong>SSE-KMS is the sweet spot</strong>.</p> <h2> How CloudFront Accesses Private S3 (OAI vs OAC) </h2> <p>This is where many people get confused.</p> <p>Your bucket is private.</p> <p>So how does CloudFront fetch the objects?</p> <p>There are 2 approaches:</p> <h3> The Old Way: OAI (Origin Access Identity) </h3> <p>OAI is a special CloudFront user that is associated with an S3 origin and given the necessary permissions to access to objects within the bucket. Currently, OAI only supports SSE-S3, which means customers cannot use SSE-KMS with OAI. It worked fine for SSE-S3, but it does not play well with SSE-KMS.</p> <p>AWS has basically moved on from this.</p> <h3> The Modern Way: OAC (Origin Access Control) ✅ </h3> <p>OAC is the newer, recommended approach.</p> <p>It uses:</p> <ul> <li><strong>SigV4 signing</strong></li> <li>IAM-style access controls</li> <li>better security model</li> </ul> <p>📌 If you’re doing <strong>SSE-KMS + CloudFront</strong>, use <strong>OAC</strong>.</p> <h2> Step-by-Step Setup (AWS Console) </h2> <p>By the end of this guide, you’ll have a private S3 bucket with objects encrypted using <strong>SSE-KMS</strong>, served securely through a CloudFront distribution.</p> <h3> <strong>Step 1: Create Your First KMS Key</strong> </h3> <p>Think of this as the “master key” for your S3 files. Every object we store will be encrypted with it, and CloudFront will need this key to decrypt content for your users.</p> <ul> <li><p>Open the AWS Console and search for <strong>KMS</strong>.</p></li> <li><p>Click <strong>Customer managed keys</strong>, then <strong>Create key</strong>.</p></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzh1ccry3isjqj7fwoqd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzh1ccry3isjqj7fwoqd.png" alt=" " width="800" height="384"></a></p> <ul> <li>Choose: <ul> <li> <strong>Key type:</strong> Symmetric</li> <li> <strong>Key usage:</strong> Encrypt and decrypt</li> </ul> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwkdrbxhx06azwiyt14e2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwkdrbxhx06azwiyt14e2.png" alt=" " width="800" height="384"></a></p> <ul> <li>Give your key a friendly label: <ul> <li> <strong>Alias:</strong> <code>myapp-dev-s3-key</code> </li> <li> <strong>Description:</strong> “SSE-KMS key for S3 content served via CloudFront”</li> </ul> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1tdwn9vhnkhnoyq897u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1tdwn9vhnkhnoyq897u.png" alt=" " width="800" height="384"></a></p> <ul> <li>Select administrators (your IAM user or deployment role), and edit the key policy.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fljyu1jei5jop619efjoa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fljyu1jei5jop619efjoa.png" alt=" " width="800" height="384"></a></p> <ul> <li>Finish creating the key.</li> </ul> <h3> <strong>Step 2: Create a Private S3 Bucket</strong> </h3> <p>Now we’ll create the bucket where your files will live. This bucket will be fully private, no accidental public access allowed.</p> <ul> <li>Go to <strong>S3 → Create bucket</strong>.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2p78fzz51w2sxfqin6c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2p78fzz51w2sxfqin6c.png" alt=" " width="800" height="167"></a></p> <ul> <li> <p>Give it a unique name, e.g., <code>myapp-dev-private-assets-123456</code>.</p> <p><em>(Bucket names must be globally unique.)</em></p> </li> <li><p>Choose the <strong>same region</strong> as your KMS key.</p></li> </ul> <p><strong>Block all public access:</strong></p> <p>Turn on <strong>Block all public access</strong> to prevent accidental exposure.</p> <p><strong>Enable versioning (optional but recommended):</strong></p> <p>Turn on versioning to protect your files from accidental deletion.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fth86s2d0c1pvamy99g32.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fth86s2d0c1pvamy99g32.png" alt=" " width="800" height="406"></a></p> <p><strong>Enable SSE-KMS encryption:</strong></p> <p>Under <strong>Default encryption</strong>:</p> <ul> <li>Select <strong>SSE-KMS</strong> </li> <li>Input the arn of the KMS key you created (<code>myapp-dev-s3-key</code>)</li> <li>Enable <strong>Bucket Key</strong> to reduce costs for large buckets</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fql078jd6tg81kacqa54v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fql078jd6tg81kacqa54v.png" alt=" " width="800" height="406"></a><br> Now your private, encrypted bucket is ready.</p> <blockquote> <p>⚠️ Note: Bucket encryption only applies to files uploaded after it’s enabled. Files uploaded beforehand won’t be KMS-encrypted.</p> </blockquote> <h3> <strong>Step 3: Give CloudFront a Key to Your Bucket (OAC)</strong> </h3> <p>CloudFront needs a way to prove it’s allowed to fetch your private S3 objects. That’s what <strong>Origin Access Control (OAC)</strong> does — think of it as giving CloudFront a secure ID card.</p> <ul> <li>Open <strong>CloudFront → Origin access → Create control setting</strong> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4aow85swu00ihvvw2ki.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4aow85swu00ihvvw2ki.png" alt=" " width="800" height="238"></a></p> <ul> <li>Fill in: <ul> <li>Name: <code>myapp-dev-oac</code> </li> <li>Origin type: <strong>S3</strong> </li> <li>Signing behavior: <strong>Always sign requests</strong> </li> </ul> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpp67fc8tp3itg8775sbd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpp67fc8tp3itg8775sbd.png" alt=" " width="800" height="671"></a></p> <ul> <li>Click <strong>Create</strong>.</li> </ul> <p>CloudFront can now authenticate itself when fetching objects from your private bucket.</p> <h3> <strong>Step 4: Create a CloudFront Distribution</strong> </h3> <p>Now we bring it all together.</p> <ul> <li>Go to <strong>CloudFront → Distributions → Create distribution</strong> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffnwek72sr90lhedfm2b7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffnwek72sr90lhedfm2b7.png" alt=" " width="800" height="211"></a></p> <ul> <li> <p>Configure the origin:</p> <ul> <li> <p><strong>Origin domain:</strong> select your S3 bucket</p> <blockquote> <p>⚠️ Critical: Choose the bucket endpoint, e.g., myapp-dev-private-assets-123456.s3.eu-west-2.amazonaws.com</p> <p>Do <strong>not</strong> use the website endpoint (e.g., <code>s3-website.eu-west-2.amazonaws.com</code>)</p> </blockquote> </li> <li><p><strong>Origin access:</strong> Use the OAC you just created (<code>myapp-dev</code>)</p></li> </ul> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fanwvkn2wgo0m0kkl4s96.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fanwvkn2wgo0m0kkl4s96.png" alt=" " width="800" height="422"></a></p> <ul> <li>Configure cache behavior: <ul> <li> <strong>Viewer protocol policy:</strong> Redirect HTTP → HTTPS</li> <li> <strong>Allowed methods:</strong> GET, HEAD, OPTIONS</li> <li> <strong>Cache policy:</strong> CachingOptimized</li> </ul> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4006hc9kva17mhoryuno.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4006hc9kva17mhoryuno.png" alt=" " width="800" height="479"></a></p> <ul> <li>Click <strong>Create</strong>.</li> </ul> <h3> <strong>Step 5: Update S3 Bucket Policy</strong> </h3> <p>This step is crucial. You must update your bucket policy so CloudFront can access objects using the OAC.</p> <ul> <li><p>On the CloudFront distribution page, look for the <strong>blue banner</strong>: “The S3 bucket policy needs to be updated”</p></li> <li><p>Click <strong>Copy policy</strong></p></li> <li><p>Go to <strong>S3 → your bucket → Permissions → Bucket policy → Edit</strong></p></li> <li><p>Paste the copied policy and save.</p></li> </ul> <p><strong>Example bucket policy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2008-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowCloudFrontServicePrincipalReadOnly"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cloudfront.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::myapp-dev-private-assets-123456/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:SourceArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:cloudfront::123456785012:distribution/E2ABCDEFG12345"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>Note: AWS:SourceArn will automatically include your distribution’s actual ARN.</p> </blockquote> <h3> <strong>Step 6: Update KMS Key Policy for CloudFront</strong> </h3> <p>Since your files are <strong>SSE-KMS encrypted</strong>, CloudFront needs permission to decrypt them. If it doesn’t, you’ll get <strong>403 AccessDenied</strong> errors.</p> <ul> <li><p>Go to <strong>KMS → Customer managed keys → your key → Key policy → Edit</strong></p></li> <li><p>Add the following statement:<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key-consolepolicy-3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enable IAM User Permissions"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;account_id&gt;:root"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kms:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowCloudFrontDecryptThroughS3Only"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cloudfront.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"kms:Decrypt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:Encrypt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:DescribeKey"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:SourceArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:cloudfront::921950937336:distribution/d303chch2n9rqs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kms:ViaService"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3.eu-north-1.amazonaws.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>⚠️ Replace:</p> <ul> <li> <code>AWS:SourceArn</code> → your <strong>distribution ARN</strong> (not the domain)</li> <li> <code>kms:ViaService</code> → the region of your S3 bucket</li> </ul> </blockquote> <h3> <strong>Step 7: Wait for Deployment</strong> </h3> <p>CloudFront needs time to propagate changes globally (5–15 minutes).</p> <ul> <li>Distribution status: <strong>Deploying → Enabled</strong> </li> <li>After policy updates, wait 2–3 minutes for propagation</li> <li>Optional: Create a cache invalidation (<code>/*</code>) to test immediately</li> </ul> <h3> <strong>Step 8: Test Everything</strong> </h3> <p><strong>1. Upload a test file</strong> (<code>test.jpg</code>) to S3</p> <ul> <li>Verify SSE-KMS encryption under <strong>Properties → Server-side encryption settings</strong> </li> </ul> <p><strong>2. Test CloudFront URL</strong> (should succeed):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> https://d1234abcdef.cloudfront.net/test.jpg </code></pre> </div> <p>Expected: <code>HTTP/2 200 OK</code></p> <p><strong>3. Test direct S3 URL or hit the endpoint on a browser</strong> (should fail):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> https://myapp-dev-private-assets-123456.s3.eu-west-2.amazonaws.com/test.jpg </code></pre> </div> <p>Expected: <code>HTTP/1.1 403 Forbidden</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7qii9ljoxuqfx1sqe98b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7qii9ljoxuqfx1sqe98b.png" alt=" " width="800" height="129"></a></p> <p>✅ Perfect! CloudFront is the only public access point.</p> <h3> <strong>Common Pitfalls</strong> </h3> <ol> <li> <strong>403 AccessDenied from CloudFront</strong> <ul> <li>Wrong <code>AWS:SourceArn</code> in KMS key policy</li> <li>Bucket policy doesn’t match OAC</li> <li>KMS key policy missing CloudFront permissions</li> <li>Policy propagation delay</li> </ul> </li> <li> <strong>Files uploaded before encryption enabled</strong> <ul> <li>Old files won’t be KMS-encrypted</li> <li>Fix: Re-upload or copy files to the same bucket with SSE-KMS</li> </ul> </li> <li> <strong>Wrong S3 Origin Endpoint</strong> <ul> <li>Use the bucket endpoint, not the website endpoint</li> </ul> </li> <li> <strong>CloudFront caching old errors</strong> <ul> <li>Invalidate cache: <code>/*</code> </li> </ul> </li> </ol> aws cloud security tutorial Deploying Adminer on ECS to Access a Private RDS Database (Terraform) Abdulrasheed Abdulazeez Wed, 28 Jan 2026 11:27:41 +0000 https://dev.to/abdulrasheed_abdulazeez_7/deploying-adminer-on-ecs-to-access-a-private-rds-database-terraform-262p https://dev.to/abdulrasheed_abdulazeez_7/deploying-adminer-on-ecs-to-access-a-private-rds-database-terraform-262p <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fypf036swvzo14s3tzco4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fypf036swvzo14s3tzco4.png" alt=" " width="800" height="533"></a></p> <p>Recently, I worked on a project where we set up <strong>Elastic Container Service (ECS)</strong> and an <strong>RDS PostgreSQL database</strong> on AWS. For security reasons, both were deployed in a <strong>private subnet</strong>, making them inaccessible from the public internet.</p> <p>The challenge was:</p> <ul> <li>How can administrators access the database to view tables, inspect data, and perform troubleshooting when it’s not publicly accessible?</li> <li>If developers cannot directly connect using desktop database clients, or connect to the database endpoint locally when they run the service, how do we make it convenient for them to run quick fix and debugging?</li> </ul> <p>This is where <strong>Adminer</strong> becomes very useful.</p> <h1> Why Traditional Approaches Fall Short </h1> <p>When i first thought about how to let administrators access a database in a private subnet, i explored the usual options and quickly realized each one had serious drawbacks.</p> <h3> Bastion Host (Jump Server) </h3> <p>One common approach is to spin up a <strong>bastion host</strong>, or jump server, in a public subnet. The idea is simple, admins SSH into the bastion, then connect to the private database.</p> <p>But in practice, it’s a hassle:</p> <ul> <li>You need to manage EC2 instances and keep them secure.</li> <li>SSH keys must be distributed and rotated.</li> <li>Every extra server adds cost and increases the attack surface.</li> </ul> <p>For a small team or occasional access, this felt like overkill.</p> <h3> VPN (Client or Site-to-Site) </h3> <p>Next, i considered a <strong>VPN</strong>. It can give admins direct access to the private network, which sounds ideal.</p> <p>The problem? Setting up and maintaining a VPN is complicated. There’s software to install, configurations to manage, and costs to consider, especially if it’s just for occasional database access. For our needs, it was more effort than it was worth.</p> <h3> Public RDS Access </h3> <p>Some teams might be tempted to just open up the RDS instance to the internet. It’s quick, and you can connect from anywhere. I knew immediately that this was not what the team wanted, exposing a production database publicly is a serious security risk. Not an option.</p> <h3> Port Forwarding via SSM </h3> <p>AWS offers <strong>Session Manager port forwarding</strong> via SSM as another way to reach private resources. While technically feasible, it’s not exactly user-friendly:</p> <ul> <li>Sessions are temporary and can drop unexpectedly.</li> <li>Extra tooling and scripts are often required.</li> <li>Collaboration among team members becomes awkward.</li> </ul> <p>By the time i weighed all these options, it became clear i needed a solution that was <strong>simple, secure, and easy for anyone on the team to use</strong>. That’s when <strong>Adminer</strong> entered the picture. By containerizing Adminer, we could keep it <strong>inside the same VPC and private subnet</strong> as our RDS database, giving our admins secure access without opening the database to the public internet.</p> <h1> What is Adminer </h1> <p>Adminer is a full-featured database management tool built with PHP. It’s similar to phpMyAdmin, but much lighter and faster, making it ideal for modern cloud environments where you want something quick to deploy and easy to scale down or remove when you’re done.</p> <p>It supports multiple database engines such as <strong>PostgreSQL, MySQL, MS SQL, Oracle</strong>, and more, and it comes with a clean, straightforward interface for running queries, browsing tables, and inspecting data.</p> <p>Adminer is especially useful when your database lives in a <strong>private subnet</strong> and you still need controlled access for troubleshooting. Instead of exposing the database publicly or forcing every developer to configure local database clients, Adminer provides a secure, browser-based way to inspect and debug.</p> <p>Think of it as a web alternative to tools like <strong>pgAdmin, DBeaver, or TablePlus</strong>.</p> <h1> <strong>Architecture</strong> </h1> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk00pgpmgurdbacbl5v7n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk00pgpmgurdbacbl5v7n.png" alt=" " width="800" height="533"></a></p> <h2> Here’s a simplified view of how it works: </h2> <ul> <li>Adminer lives in the same ECS cluster and subnet as our app</li> <li>It reuses the existing ALB, so we don’t need extra servers.</li> <li>We can turn it off, scale it down, or remove it whenever we want.</li> <li>And admins just need a browser, no local tools required.</li> </ul> <h1> Implementation: </h1> <p>For this setup, I used the official Adminer Docker image (<code>adminer:latest</code>). It’s lightweight (~90MB), ships with PHP + Apache, exposes port 8080, and supports PostgreSQL out of the box.</p> <p>Adminer runs as an ECS service inside the same private network as the application, while access is provided securely through the existing public ALB.</p> <h2> Adminer ECS Task Definition </h2> <p>Adminer is deployed as an ECS task running on <strong>EC2 launch type</strong>, using minimal resources:</p> <p><strong>CPU:</strong> 128 units</p> <p><strong>Memory:</strong> 256MB</p> <p><strong>Container port:</strong> 8080</p> <p>Adminer is configured using environment variables so it knows which database to connect to:</p> <ul> <li> <code>ADMINER_DEFAULT_SERVER</code> → RDS endpoint</li> <li> <code>ADMINER_DEFAULT_DB_DRIVER</code> → <code>pgsql</code> </li> <li> <code>ADMINER_DEFAULT_DB_NAME</code> → database name</li> <li> <code>ADMINER_DESIGN</code> → optional UI theme </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="err">#</span> <span class="nx">Adminer</span> <span class="nx">Task</span> <span class="nx">Definition</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_ecs_task_definition</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">adminer</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">count</span> <span class="o">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">enable_adminer</span> <span class="p">?</span> <span class="mi">1</span> <span class="p">:</span> <span class="mi">0</span> <span class="nx">family</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">myapp-adminer-${var.environment}</span><span class="dl">"</span> <span class="nx">network_mode</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">bridge</span><span class="dl">"</span> <span class="nx">execution_role_arn</span> <span class="o">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_task_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">task_role_arn</span> <span class="o">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_task</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">container_definitions</span> <span class="o">=</span> <span class="nf">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">adminer</span><span class="dl">"</span> <span class="nx">image</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">adminer:latest</span><span class="dl">"</span> <span class="nx">essential</span> <span class="o">=</span> <span class="kc">true</span> <span class="nx">memory</span> <span class="o">=</span> <span class="mi">256</span> <span class="nx">cpu</span> <span class="o">=</span> <span class="mi">128</span> <span class="nx">portMappings</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="o">=</span> <span class="mi">8080</span> <span class="nx">hostPort</span> <span class="o">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">tcp</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">environment</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ADMINER_DEFAULT_SERVER</span><span class="dl">"</span> <span class="nx">value</span> <span class="o">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">db_host</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ADMINER_DEFAULT_DB_DRIVER</span><span class="dl">"</span> <span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">pgsql</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ADMINER_DEFAULT_DB_NAME</span><span class="dl">"</span> <span class="nx">value</span> <span class="o">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">db_name</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ADMINER_DESIGN</span><span class="dl">"</span> <span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">pepa-linha-dark</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">logConfiguration</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">logDriver</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">awslogs</span><span class="dl">"</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">awslogs</span><span class="o">-</span><span class="nx">group</span> <span class="o">=</span> <span class="nx">aws_cloudwatch_log_group</span><span class="p">.</span><span class="nx">ecs</span><span class="p">.</span><span class="nx">name</span> <span class="nx">awslogs</span><span class="o">-</span><span class="nx">region</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span> <span class="nx">awslogs</span><span class="o">-</span><span class="nx">stream</span><span class="o">-</span><span class="nx">prefix</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">adminer</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">healthCheck</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">command</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">CMD-SHELL</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">wget --no-verbose --tries=1 --spider &lt;http://localhost:8080/&gt; || exit 1</span><span class="dl">"</span><span class="p">]</span> <span class="nx">interval</span> <span class="o">=</span> <span class="mi">30</span> <span class="nx">timeout</span> <span class="o">=</span> <span class="mi">5</span> <span class="nx">retries</span> <span class="o">=</span> <span class="mi">3</span> <span class="nx">startPeriod</span> <span class="o">=</span> <span class="mi">60</span> <span class="p">}</span> <span class="p">}</span> <span class="p">])</span> <span class="nx">tags</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">myapp-adminer-${var.environment}</span><span class="dl">"</span> <span class="nx">Environment</span> <span class="o">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Adminer ECS Service (Behind the ALB) </h2> <p>The ECS service ensures Adminer stays running and is reachable through the ALB.</p> <ul> <li> <strong>Service name:</strong> <code>myapp-adminer-dev</code> </li> <li> <strong>Desired count:</strong> 1</li> <li>Registered into the existing ALB target group</li> <li>Health checks handled by the ALB </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="err">#</span> <span class="nx">Adminer</span> <span class="nx">ECS</span> <span class="nx">Service</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_ecs_service</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">adminer</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">count</span> <span class="o">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">enable_adminer</span> <span class="p">?</span> <span class="mi">1</span> <span class="p">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">myapp-adminer-${var.environment}</span><span class="dl">"</span> <span class="nx">cluster</span> <span class="o">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">task_definition</span> <span class="o">=</span> <span class="nx">aws_ecs_task_definition</span><span class="p">.</span><span class="nx">adminer</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">desired_count</span> <span class="o">=</span> <span class="mi">1</span> <span class="nx">launch_type</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">EC2</span><span class="dl">"</span> <span class="nx">deployment_maximum_percent</span> <span class="o">=</span> <span class="mi">200</span> <span class="nx">deployment_minimum_healthy_percent</span> <span class="o">=</span> <span class="mi">100</span> <span class="nx">load_balancer</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="o">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">adminer_target_group_arn</span> <span class="nx">container_name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">adminer</span><span class="dl">"</span> <span class="nx">container_port</span> <span class="o">=</span> <span class="mi">8080</span> <span class="p">}</span> <span class="nx">deployment_circuit_breaker</span> <span class="p">{</span> <span class="nx">enable</span> <span class="o">=</span> <span class="kc">true</span> <span class="nx">rollback</span> <span class="o">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">ordered_placement_strategy</span> <span class="p">{</span> <span class="nx">type</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">spread</span><span class="dl">"</span> <span class="nx">field</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">instanceId</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">ordered_placement_strategy</span> <span class="p">{</span> <span class="nx">type</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">spread</span><span class="dl">"</span> <span class="nx">field</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">attribute:ecs.availability-zone</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">myapp-adminer-${var.environment}</span><span class="dl">"</span> <span class="nx">Environment</span> <span class="o">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="o">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">adminer_target_group_arn</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Routing With ALB </h2> <p>Adminer is routed using a <strong>path-based rule</strong>, so only requests matching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/adminer* </code></pre> </div> <p>are forwarded to the Adminer target group.</p> <p>This keeps the application routing unchanged and prevents interference with normal app traffic.</p> <h2> Security </h2> <p>No extra security groups were required beyond what already existed:</p> <ul> <li> <strong>ALB handles HTTP ingress</strong> to Adminer</li> <li> <strong>ECS can reach RDS</strong> on port <strong>5432</strong> </li> <li> <strong>Database authentication is still required</strong>, meaning Adminer does not bypass credentials</li> </ul> <h2> Secrets Manager (Created Using AWS CLI) </h2> <p>In my setup, database credentials are stored in <strong>AWS Secrets Manager</strong>, and the same secret is reused by both the application and Adminer.</p> <h2> Create secret </h2> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">aws</span> <span class="nx">secretsmanager</span> <span class="nx">create</span><span class="o">-</span><span class="nx">secret</span> <span class="err">\</span><span class="o">\</span> <span class="o">--</span><span class="nx">name</span> <span class="nx">myapp</span><span class="o">/</span><span class="nx">$</span><span class="p">{</span><span class="nx">ENV</span><span class="p">}</span><span class="sr">/db_credentials </span><span class="se">\\</span><span class="err"> </span> <span class="o">--</span><span class="nx">description</span><span class="dl">"</span><span class="s2">PostgreSQL credentials for Adminer + app</span><span class="dl">"</span> <span class="err">\</span><span class="o">\</span> <span class="o">--</span><span class="nx">secret</span><span class="o">-</span><span class="nx">string</span> <span class="dl">'</span><span class="s1">{ "username": "db_user", "password": "db_password" }</span><span class="dl">'</span> </code></pre> </div> <h2> <strong>Update secret value</strong> </h2> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">aws</span> <span class="nx">secretsmanager</span> <span class="nx">put</span><span class="o">-</span><span class="nx">secret</span><span class="o">-</span><span class="nx">value</span> <span class="err">\</span><span class="o">\</span> <span class="o">--</span><span class="nx">secret</span><span class="o">-</span><span class="nx">id</span> <span class="nx">myapp</span><span class="o">/</span><span class="nx">$</span><span class="p">{</span><span class="nx">ENV</span><span class="p">}</span><span class="sr">/db_credentials </span><span class="se">\\</span><span class="err"> </span> <span class="o">--</span><span class="nx">secret</span><span class="o">-</span><span class="nx">string</span> <span class="dl">'</span><span class="s1">{ "username": "db_user", "password": "new_password" }</span><span class="dl">'</span> </code></pre> </div> <h1> Using Adminer </h1> <p>Once deployed, access is simple:</p> <ol> <li>Open: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://&lt;alb-dns-name&gt;/adminer </code></pre> </div> <ol> <li>The login screen appears with prefilled values:</li> <li>System: PostgreSQL</li> <li>Server: RDS endpoint</li> <li>Database: your DB name</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fajw7wwcdbcyzifz13dev.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fajw7wwcdbcyzifz13dev.png" alt=" " width="800" height="367"></a></p> <ol> <li>Enter credentials and log in.</li> </ol> <h1> Deployment Flow </h1> <p>Everything is managed as <strong>Infrastructure as Code (IaC)</strong> using Terraform:</p> <ol> <li><strong>Infrastructure</strong></li> <li>Create task definition</li> <li>Create ECS service</li> <li>Create ALB target group + listener rule</li> </ol> <p><strong>2. Deploy</strong></p> <ul> <li>Run <code>terraform plan</code> </li> <li>Run <code>terraform apply</code> </li> </ul> <p><strong>3. Verify</strong></p> <ul> <li>ECS task is running</li> <li>target group is healthy</li> <li>Adminer UI loads successfully</li> </ul> <h1> Conclusion </h1> <p>By running Adminer inside ECS, it gave our admins <strong>secure, browser-based access to a private RDS database</strong> without compromising our VPC or infrastructure.</p> <p>It’s fast, safe, and easy to scale or remove, a perfect solution for teams that need occasional database access without the headaches of VPNs or bastion hosts.</p> <p><strong>Adminer may be small, but in our setup, it became a powerful tool that makes life easier for developers.</strong></p> aws database devops terraform