How to Simplify Remote Database Access with Session Manager

November 21, 2024

AWS Session Manager is a powerful tool for securely accessing and managing instances within an Amazon Virtual Private Cloud (VPC). It eliminates the need for public IP addresses or bastion hosts, offering a more secure and efficient way to connect to your instances.

A major challenge when working with VPC resources is the limited access from outside the VPC. This is particularly problematic for developers needing direct access to databases or other services. AWS Session Manager addresses this issue by enabling secure SSH or RDP connections to instances without requiring a public IP.

This guide will show you how to connect to an RDS database from your local machine using your preferred database client.

Key Benefits of Using AWS Session Manager

  • Enhanced security: Eliminates the need for public IP addresses, reducing the attack surface.
  • Simplified management: No need to manage bastion hosts or public IP addresses.
  • Scalability: Easily manage numerous instances.
  • Integration: Seamlessly integrates with AWS Identity and Access Management (IAM) for granular access control.

By using AWS Session Manager, you can securely access and manage your VPC resources, boosting productivity and minimizing security risks.

Prerequisites

  • An AWS account with AWS Single Sign-On (SSO) or IAM Identity Center enabled. Follow the instructions provided in the AWS documentation.
  • AWS CLI installed on your local machine. For installation guidance, refer to the AWS documentation.
  • Session Manager plugin for AWS CLI installed on your local machine. Check the AWS documentation for detailed installation instructions.
  • An EC2 (Elastic Compute Cloud) instance with appropriate permissions to access the RDS database. Ensure the instance is in the same VPC as the RDS database.
  • An RDS database with security groups configured to allow inbound traffic from the EC2 instance on the RDS port.

Start a Session for Remote Port Forwarding

To start a session using AWS Session Manager, you'll need an active Single Sign-On (SSO) session on your local machine. Follow the instructions on how to sign in here.

Ensure that your assumed role has the necessary permissions to start sessions within AWS Session Manager.

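We'll use AWS Session Manager's port forwarding feature to create a secure tunnel to our RDS database through the EC2 instance. The tunnel is carried over the Session Manager session itself, so no SSH daemon or inbound port needs to be open on the instance. This method allows us to connect to the database from our local machines without exposing it to the public internet, significantly enhancing both security and compliance.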

An added benefit is the ability to use your preferred database client, which offers a more user-friendly interface.

To initiate an SSM session, run the following command, replacing the placeholders with your specific values:

aws ssm start-session \
    --target <ec2-instance-id> \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters '{"host":["<rds-host>"],"portNumber":["<rds-port>"], "localPortNumber":["<local-port>"]}'


  • ec2-instance-id: The ID of the EC2 instance that the tunnel is routed through
  • rds-host: The hostname of the RDS database instance
  • rds-port: The port number of the RDS database instance
  • local-port: The local port number on your machine that will be bound to the remote host and port. Choose this carefully to avoid conflicts with other applications on your machine.
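
A pre-flight wrapper around the command above, as an added example that is not part of the original guide: it validates each placeholder value before it is interpolated into the --parameters JSON and refuses a local port that is already bound. The function names are hypothetical, and the port probe assumes bash (it uses /dev/tcp).

```shell
#!/usr/bin/env bash
# Added example: validate inputs, then open the Session Manager tunnel.
# Function names are hypothetical; only the aws command comes from the guide.

valid_port() {          # decimal integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_instance_id() {   # "i-" followed by 8 or 17 lowercase hex digits
    case "$1" in i-*) hex=${1#i-} ;; *) return 1 ;; esac
    case "$hex" in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#hex}" -eq 8 ] || [ "${#hex}" -eq 17 ]
}

valid_host() {          # DNS name or IPv4 literal; no quotes, spaces or newlines
    case "$1" in ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    [ "${#1}" -le 253 ]
}

build_params() {        # args: rds-host rds-port local-port (already validated)
    printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' \
        "$1" "$2" "$3"
}

port_in_use() {         # bash-only: succeeds if something listens on 127.0.0.1:$1
    (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

start_tunnel() {        # args: instance-id rds-host rds-port local-port
    valid_instance_id "$1" || { echo "invalid instance id" >&2; return 2; }
    valid_host "$2"        || { echo "invalid RDS host" >&2; return 2; }
    valid_port "$3"        || { echo "invalid RDS port" >&2; return 2; }
    valid_port "$4"        || { echo "invalid local port" >&2; return 2; }
    if port_in_use "$4"; then
        echo "local port $4 is already in use" >&2; return 3
    fi
    aws ssm start-session \
        --target "$1" \
        --document-name AWS-StartPortForwardingSessionToRemoteHost \
        --parameters "$(build_params "$2" "$3" "$4")"
}

# Runs only when called with four arguments:
#   ./tunnel.sh <ec2-instance-id> <rds-host> <rds-port> <local-port>
if [ "$#" -eq 4 ]; then start_tunnel "$@"; fi
```

Because every value is restricted to a narrow character set before it reaches `build_params`, a mistyped or pasted value cannot break out of the JSON string passed to `--parameters`.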

Connect to the RDS Database

To connect to the RDS database using a database client from your local machine, use these connection parameters:

  • Hostname: localhost
  • Port: <local-port>
  • Database: <rds-db-name>
  • Username: <rds-username>
  • Password: <rds-password>

Conclusion

By leveraging AWS Session Manager's secure port forwarding capabilities, you can seamlessly connect to your RDS database from your local machine using your preferred database client. This powerful tool eliminates the need for complex network configurations and significantly enhances security by shielding your database from direct public internet exposure.

AWS Session Manager streamlines your development workflow, boosts productivity, and upholds the highest security standards. By following the steps in this guide, you can swiftly establish a secure connection to your RDS database, unlocking its full potential with ease.
