Using Session Manager to connect RDS without having EC2 instance


When I go through the documents, using session manager we can connect instance in private subnet without having bastion host itself [direct port forwarding from local to private ec2].

But in RDS case, even though we are making connection using session manager we need a EC2 instance in between local and private RDS.

Could you anyone explain me why it is like that? please share some document that explains that as well.

gefragt vor 2 Jahren2267 Aufrufe
1 Antwort
Akzeptierte Antwort

Hi Vignesh, though we sometimes do document what is not possible, I'm not aware of a document that would explain why you cannot connect directly to RDS using SSM. So let me resort to a more generic answer:

SSM allows many more functions - and changes! - to an instance than just connecting to it. Having full SSM functionality on an RDS instance thus would undermine the Shared Responsibility Model we use for RDS (you could also say: it would violate the "Black Box" principle of RDS). Therefore, you need an intermediary instance that forwards the TCP Port exposed by RDS to your local machine.

Further reading:

If this helped you, kindly mark my answer as "accepted". Kind regards, Uwe

profile pictureAWS
Uwe K
beantwortet vor 2 Jahren
profile picture
überprüft vor 2 Monaten
  • Thank you for your response. Could you please briefly tell me about the "Black Box" principle of RDS? @Uwe

  • Though "Black Box" is not official AWS wording, I used it to describe the fact that RDS as a managed system isn't as open to connect to or apply changes (e.g. OS Kernel settings) as a custom install on EC2 would be. It's because of the responsibility AWS takes for RDS's availability and security that some functionality you'd have on a self-managed database server isn't available to you on RDS. Or, in other words: you get a certain service, but the way this service is configured and managed isn't published in detail (and may be changing over time). HTH, Uwe

  • Thanks, @Uwe. That's a great explanation. Much appreciated

  • @Uwe I have another question related to this connecting from the docker container. Please share if you have any docs any ideas

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen