Accessing an AWS RDS instance in a private subnet can be challenging, especially when you need to ensure the highest levels of security. This guide walks you through setting up SSH tunneling to access your RDS instance securely, covering everything from preparing your AWS infrastructure to establishing and verifying the connection.
Understanding the Challenge: Why Private Subnets and SSH Tunneling Are Needed for Secure AWS RDS Access
Placing your RDS instance in a private subnet helps protect it from external threats by ensuring it is not directly accessible from the internet. However, this setup also requires a secure method to access the RDS instance. SSH tunneling offers a solution by creating a secure channel through an EC2 instance in a public subnet, allowing you to connect to your RDS instance safely.
Preparing Your AWS Infrastructure
Launching an EC2 Instance in a Public Subnet
- Log into the AWS Management Console.
- Navigate to the EC2 dashboard and click Launch Instance.
- Select an Amazon Machine Image (AMI) and choose an instance type.
- Configure the instance details and ensure they are placed in a public subnet of your VPC.
- Assign a public IP address to the instance.
Configuring Security Groups for Controlled Access
- Create a security group for your EC2 instance with the following rule:
  - Allow SSH access (port 22) from your IP address only.
- Create another security group for your RDS instance:
  - Allow traffic on the RDS port (default is 3306 for MySQL) from the EC2 instance security group only.
Creating an IAM User with the Required Permissions
- Go to the IAM dashboard and create a new user.
- Assign the user programmatic access and attach the policies needed for EC2 and SSM (AWS Systems Manager) access.
Equipping Your Local Machine
Installing AWS CLI, SSM Agent, and Session Manager Plugin
- Install the AWS CLI by following the official AWS documentation.
- Install the SSM Agent on your EC2 instance:
sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
- Install the Session Manager Plugin on your local machine:
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"
unzip sessionmanager-bundle.zip
sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
Generating an SSH Key Pair for Secure Authentication
- Generate an SSH key pair on your local machine:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
- Upload the public key to your EC2 instance:
ssh-copy-id ec2-user@<ec2-public-ip>
Initiating the SSH Tunnel
Pushing Your SSH Key to the EC2 Instance
Use AWS Systems Manager Run Command to append your SSH public key to the authorized keys on the EC2 instance:
aws ssm send-command \
--instance-ids "your-instance-id" \
--document-name "AWS-RunShellScript" \
--comment "Pushing SSH Key" \
--parameters commands="echo 'your-ssh-public-key' >> /home/ec2-user/.ssh/authorized_keys"
Starting an AWS System Manager Session with Port Forwarding
Start a port forwarding session using the Session Manager plugin. Note that the AWS-StartPortForwardingSession document forwards to a port on the EC2 instance itself; reaching the RDS endpoint through SSM alone requires the AWS-StartPortForwardingSessionToRemoteHost document with a host parameter, which is why the SSH tunnel in the next section is used here:
aws ssm start-session --target your-instance-id --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3306"], "localPortNumber":["5432"]}'
Establishing the RDS Connection
Opening the Tunnel to RDS on a Local Port
Use the following SSH command to create the tunnel:
ssh -i "your-key-pair.pem" -L 5432:rds-endpoint:3306 ec2-user@ec2-public-ip
Verifying the Tunnel Connection with the ssh Command
Confirm that plain SSH access to the EC2 instance works, since the tunnel depends on it:
ssh -i "your-key-pair.pem" ec2-user@ec2-public-ip
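The following script is an added example, not part of the original guide: it opens the tunnel from the two steps above with stricter ssh options and, instead of only logging in, checks that the forwarded local port is really listening before you point a database client at it. KEY, BASTION and RDS_HOST are assumed placeholders to replace with your own values.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): bring the RDS tunnel up, verify
# that the local port accepts connections, and close it by name later.
# KEY, BASTION and RDS_HOST are placeholders; override them in the environment.
set -eu

KEY="${KEY:-your-key-pair.pem}"                # placeholder private key
BASTION="${BASTION:-ec2-user@ec2-public-ip}"   # placeholder EC2 login
RDS_HOST="${RDS_HOST:-rds-endpoint}"           # placeholder RDS endpoint
RDS_PORT="${RDS_PORT:-3306}"
LOCAL_PORT="${LOCAL_PORT:-5432}"
SOCK="${TMPDIR:-/tmp}/rds-tunnel.sock"         # ssh control socket path

# Return 0 if something accepts TCP connections on 127.0.0.1:$1 (bash /dev/tcp).
port_open() {
  (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Poll port $1 for up to $2 seconds; return 1 on timeout.
wait_for_port() {
  port=$1; timeout=${2:-10}; i=0
  while [ "$i" -lt "$timeout" ]; do
    port_open "$port" && return 0
    sleep 1; i=$((i + 1))
  done
  return 1
}

open_tunnel() {
  # -N no remote command, -f background after auth, -M/-S keep a control socket
  # so the tunnel can be closed later. ExitOnForwardFailure makes ssh fail loudly
  # if LOCAL_PORT is already taken instead of staying up without the forward.
  # Binding to 127.0.0.1 keeps the forwarded port off other local interfaces.
  ssh -i "$KEY" -N -f -M -S "$SOCK" \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
      -L "127.0.0.1:${LOCAL_PORT}:${RDS_HOST}:${RDS_PORT}" "$BASTION"
}

close_tunnel() {
  [ -S "$SOCK" ] && ssh -S "$SOCK" -O exit "$BASTION" 2>/dev/null
}

case "${1:-}" in
  up)   open_tunnel
        wait_for_port "$LOCAL_PORT" 10 || { echo "tunnel not listening" >&2; close_tunnel; exit 1; } ;;
  down) close_tunnel ;;
esac
```

Run it as `./rds-tunnel.sh up` before connecting your client to 127.0.0.1:5432 and `./rds-tunnel.sh down` when finished.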
Accessing Your RDS Instance
Connecting to the RDS Endpoint Using Database Clients
Use your preferred database client (e.g., MySQL Workbench, pgAdmin) to connect to localhost on port 5432.
Troubleshooting Connection Issues and Ensuring Data Security
- Ensure security group rules are correct.
- Verify IAM permissions.
- Check the SSM agent status on the EC2 instance.
Best Practices for Maintaining Secure Access
Regularly Rotating SSH Keys and IAM Credentials
Rotate your SSH keys and IAM credentials regularly to enhance security.
Monitoring EC2 Instance and RDS Security Logs
Enable logging and monitoring to detect any unauthorized access attempts.
Implementing Additional Security Measures Based on Compliance Requirements
Additional security measures such as multi-factor authentication (MFA) and encryption should be considered to meet compliance requirements.