
Connecting to AWS RDS Databases

Connect to private Amazon RDS databases (PostgreSQL, MySQL, MariaDB, and Aurora) through an SSM-managed EC2 instance. The database stays in a private subnet; your Mac connects to localhost.


How It Works

Your Mac -> AWS Session Manager -> EC2 connector instance -> Private RDS endpoint
   |              |                      |                          |
Local Port    IAM/SSO session      VPC network path           Database port

  1. StormTunnel opens a Session Manager tunnel to an EC2 instance managed by Systems Manager.
  2. The EC2 instance forwards traffic to the private RDS endpoint inside the VPC.
  3. You connect your database client to localhost as if the database were local.

This avoids public database exposure, inbound SSH rules, and shared bastion keys.

Prerequisites

  • SSM-managed EC2 instance in the same VPC as your RDS database
  • Network access from the EC2 instance to the RDS endpoint
  • AWS credentials configured with SSM permissions (see AWS Configuration)
  • RDS endpoint from the RDS console

Creating an RDS Tunnel

Step 1: Get Your RDS Endpoint

  1. Open AWS Console -> RDS
  2. Select your database
  3. Copy the Endpoint (e.g., mydb.abc123xyz.us-east-1.rds.amazonaws.com)
  4. Note the Port (MySQL: 3306, PostgreSQL: 5432)

Step 2: Create the Tunnel

  1. Click + in StormTunnel
  2. Select Tunnel Type: AWS Session Manager
  3. Configure:

     Field            Example
     Name             production-mysql
     EC2 Instance ID  i-0abc123def456
     AWS Profile      production
     AWS Region       us-east-1
     Local Port       3306
     Remote Host      mydb.abc123xyz.us-east-1.rds.amazonaws.com
     Target Port      3306

  4. Click Save

Step 3: Connect

Toggle the tunnel On, then connect with your database client:

MySQL:

mysql -h 127.0.0.1 -P 3306 -u admin -p

PostgreSQL:

psql -h localhost -p 5432 -U postgres -d mydb

Database-Specific Examples

MySQL / MariaDB

Remote Host: myapp-db.abc123.us-east-1.rds.amazonaws.com
Local Port: 3306
Target Port: 3306

Connect via CLI or MySQL Workbench (127.0.0.1:3306).

PostgreSQL

Remote Host: analytics-db.xyz789.eu-west-1.rds.amazonaws.com
Local Port: 5432
Target Port: 5432

Connect via CLI, TablePlus, DBeaver, or pgAdmin (localhost:5432).

Aurora MySQL

Remote Host: my-cluster.cluster-abc123.us-west-2.rds.amazonaws.com
Local Port: 3306
Target Port: 3306

Aurora Endpoints

Use the cluster endpoint for read-write or the reader endpoint for read-only queries.

Aurora PostgreSQL

Remote Host: aurora-pg.cluster-xyz789.us-east-1.rds.amazonaws.com
Local Port: 5432
Target Port: 5432

Multiple Database Connections

Use different local ports to tunnel to multiple databases at once:

Database              Local Port   Remote Port
Production MySQL      3306         3306
Staging MySQL         3307         3306
Analytics PostgreSQL  5432         5432
Reporting PostgreSQL  5433         5432
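The fields in Step 2, the client connection in Step 3, and the multi-database table above all map onto one AWS CLI call: a Session Manager port-forwarding session to a remote host. The script below is an added example, not StormTunnel's code or AWS's. It assumes that StormTunnel's fields correspond to the AWS-managed document AWS-StartPortForwardingSessionToRemoteHost (the standard SSM document for forwarding to a host behind the instance), that the AWS CLI v2 and the Session Manager plugin are installed, and that `ssm:StartSession` is already granted. The tunnel table, hostnames, instance ID, and profile name are constructed placeholders in the shape the page shows, not real resources.

```shell
#!/bin/sh
# rds_tunnels.sh: open one or more Session Manager port-forwarding tunnels to
# private RDS endpoints from the command line. Added example, not StormTunnel
# code; it assumes StormTunnel's fields map onto the AWS-managed document
# AWS-StartPortForwardingSessionToRemoteHost and that the AWS CLI v2 plus the
# Session Manager plugin are installed.

# Constructed sample tunnel table, one row per tunnel: name:remote_host:target_port:local_port
# (hostnames and the instance ID are placeholders, not real resources).
TUNNELS="production-mysql:mydb.abc123xyz.us-east-1.rds.amazonaws.com:3306:3306
staging-mysql:staging-db.abc123xyz.us-east-1.rds.amazonaws.com:3306:3307
analytics-pg:analytics-db.xyz789.us-east-1.rds.amazonaws.com:5432:5432"

INSTANCE_ID="${INSTANCE_ID:-i-0abc123def456}"       # connector EC2 instance (placeholder)
AWS_PROFILE_NAME="${AWS_PROFILE_NAME:-production}"  # one profile per environment
AWS_REGION_NAME="${AWS_REGION_NAME:-us-east-1}"

# valid_instance_id ID -> 0 if ID is "i-" followed by 8 to 17 hex digits
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8,17}$'
}

# valid_port N -> 0 if N is an integer in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_rds_host HOST -> 0 if HOST has the shape of an RDS/Aurora endpoint in the
# commercial partition: DNS labels, a region such as us-east-1, then .rds.amazonaws.com
valid_rds_host() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9.-]+\.[a-z]{2}(-[a-z]+)+-[0-9]+\.rds\.amazonaws\.com$'
}

# ssm_params HOST TARGET_PORT LOCAL_PORT -> the --parameters JSON for
# AWS-StartPortForwardingSessionToRemoteHost (each value is a one-element list)
ssm_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# tunnel_cmd HOST TARGET_PORT LOCAL_PORT -> the aws command line for one tunnel (printed, not run)
tunnel_cmd() {
  printf "aws ssm start-session --profile %s --region %s --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '%s'\n" \
    "$AWS_PROFILE_NAME" "$AWS_REGION_NAME" "$INSTANCE_ID" "$(ssm_params "$1" "$2" "$3")"
}

# check_tunnels TABLE -> 0 if every row is well formed and no local port appears twice
# (two rows on the same local port would collide, as the table above avoids with 3307/5433)
check_tunnels() {
  seen=" "
  while IFS=: read -r name host tport lport; do
    [ -n "$name" ] || continue
    valid_rds_host "$host" || { echo "$name: not an RDS endpoint: $host" >&2; return 1; }
    valid_port "$tport" && valid_port "$lport" || { echo "$name: bad port" >&2; return 1; }
    case "$seen" in *" $lport "*) echo "$name: local port $lport already used" >&2; return 1 ;; esac
    seen="$seen$lport "
  done <<EOF
$1
EOF
}

# open_tunnels TABLE -> start one background session per row; PIDs collected in TUNNEL_PIDS
open_tunnels() {
  TUNNEL_PIDS=""
  while IFS=: read -r name host tport lport; do
    [ -n "$name" ] || continue
    echo "$name: localhost:$lport -> $host:$tport via $INSTANCE_ID" >&2
    aws ssm start-session --profile "$AWS_PROFILE_NAME" --region "$AWS_REGION_NAME" \
      --target "$INSTANCE_ID" --document-name AWS-StartPortForwardingSessionToRemoteHost \
      --parameters "$(ssm_params "$host" "$tport" "$lport")" &
    TUNNEL_PIDS="$TUNNEL_PIDS $!"
  done <<EOF
$1
EOF
}

# close_tunnels -> end every session this script started, so tunnels do not outlive the work
close_tunnels() {
  [ -n "${TUNNEL_PIDS:-}" ] && kill $TUNNEL_PIDS 2>/dev/null
  return 0
}

# Run the launcher only when asked (sh rds_tunnels.sh --up); sourcing the file just defines the functions.
if [ "${1:-}" = "--up" ]; then
  valid_instance_id "$INSTANCE_ID" || { echo "bad instance ID: $INSTANCE_ID" >&2; exit 1; }
  check_tunnels "$TUNNELS" || exit 1
  trap close_tunnels EXIT INT TERM
  open_tunnels "$TUNNELS"
  echo "tunnels up; Ctrl-C closes them" >&2
  wait
fi
```

Run `sh rds_tunnels.sh --up`, then connect exactly as in Step 3, using the row's local port (`mysql -h 127.0.0.1 -P 3307 -u admin -p` for the staging row); Ctrl-C terminates every session at once. `tunnel_cmd` prints the single command a given row expands to, which is handy for comparing against what the GUI configured, and `check_tunnels` refuses a table before anything is started if a hostname is not an RDS endpoint, a port is out of range, or a local port is reused.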

Security Best Practices

  1. Keep RDS in private subnets; do not make database endpoints public for developer access.
  2. Use Session Manager instead of inbound SSH wherever possible.
  3. Limit ssm:StartSession permissions to users who need database access.
  4. Use separate AWS profiles or SSO permission sets for production and non-production.
  5. Restrict the connector EC2 security group so it can reach only the required database ports.
  6. Use IAM database authentication for RDS when it fits your environment.
  7. Close tunnels when not in use.
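Practice 3 above (limit `ssm:StartSession`) is usually where tunnel permissions end up too broad: a policy that allows `ssm:StartSession` on `Resource: "*"` lets the holder open an interactive shell on any SSM-managed instance, not just forward a port to the database. The script below is an added example, not StormTunnel's or AWS's code; it renders a policy scoped to one connector instance and to the port-forwarding document only, following the session-document access-check pattern AWS documents for Session Manager. The account ID, region, and instance ID are placeholders.

```shell
#!/bin/sh
# ssm_tunnel_policy.sh: render a least-privilege IAM policy for RDS tunnel users,
# scoped to one connector instance and to the port-forwarding document only.
# Added example, not StormTunnel's or AWS's code. Account, region and instance ID
# are placeholders to replace with your own values.

# start_session_policy ACCOUNT_ID REGION INSTANCE_ID -> policy JSON on stdout, returns 1 on bad input
start_session_policy() {
  account="$1"; region="$2"; instance="$3"
  printf '%s' "$account" | grep -Eq '^[0-9]{12}$' || { echo "account ID must be 12 digits" >&2; return 1; }
  printf '%s' "$instance" | grep -Eq '^i-[0-9a-f]{8,17}$' || { echo "bad instance ID: $instance" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PortForwardOnlyToConnector",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${region}:${account}:instance/${instance}",
        "arn:aws:ssm:${region}::document/AWS-StartPortForwardingSessionToRemoteHost"
      ],
      "Condition": {
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [ "ssm:TerminateSession", "ssm:ResumeSession" ],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Render with the page's example values; redirect to a file and attach it with
#   aws iam create-policy --policy-name rds-tunnel-users --policy-document file://policy.json
start_session_policy "${1:-123456789012}" "${2:-us-east-1}" "${3:-i-0abc123def456}"
```

Two points in the rendered document matter. The `ssm:SessionDocumentAccessCheck` condition makes IAM evaluate the document ARN on every `StartSession`, so the only document this principal can start is the port-forwarding one; a plain shell session on the connector is denied. What IAM cannot express is which remote host or port the session forwards to, since those are document parameters rather than resources, which is why practice 5 (the connector's outbound security group) is what actually bounds the databases reachable through the tunnel. The `${aws:username}` pattern in the second statement matches session IDs for IAM users; for SSO or federated principals the session-ID prefix differs, so check the session IDs in your account before relying on that statement (an assumption, not something this page confirms).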

Troubleshooting

See Troubleshooting for common errors including "Connection refused", "Access denied", "Host not found", and timeout issues.