Using Session Manager to connect RDS without having EC2 instance

0

When I go through the documents, using Session Manager we can connect to an instance in a private subnet without having a bastion host itself [direct port forwarding from local to the private EC2].

But in the RDS case, even though we are making the connection using Session Manager, we need an EC2 instance between local and the private RDS.

Could anyone explain to me why it is like that? Please share some document that explains that as well.

vignesh
Asked 2 years ago, 2231 views
1 answer
1
Accepted answer

Hi Vignesh, though we sometimes do document what is not possible, I'm not aware of a document that would explain why you cannot connect directly to RDS using SSM. So let me resort to a more generic answer:

SSM allows many more functions - and changes! - to an instance than just connecting to it. Having full SSM functionality on an RDS instance would thus undermine the Shared Responsibility Model we use for RDS (you could also say: it would violate the "Black Box" principle of RDS). Therefore, you need an intermediary instance that forwards the TCP port exposed by RDS to your local machine.

Further reading:

If this helped you, kindly mark my answer as "accepted". Kind regards, Uwe

AWS
Uwe K
Answered 2 years ago
Expert
Reviewed 2 months ago
  • Thank you for your response. Could you please briefly tell me about the "Black Box" principle of RDS? @Uwe

  • Though "Black Box" is not official AWS wording, I used it to describe the fact that RDS as a managed system isn't as open to connect to or apply changes (e.g. OS Kernel settings) as a custom install on EC2 would be. It's because of the responsibility AWS takes for RDS's availability and security that some functionality you'd have on a self-managed database server isn't available to you on RDS. Or, in other words: you get a certain service, but the way this service is configured and managed isn't published in detail (and may be changing over time). HTH, Uwe

  • Thanks, @Uwe. That's a great explanation. Much appreciated

  • @Uwe I have another question related to this, about connecting from a Docker container. Please share if you have any docs or ideas: https://repost.aws/questions/QUGuUewImyTiabU7R946zD9w/from-docker-container-need-to-connect-rds-using-session-manager
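The intermediary-instance tunnel Uwe describes, as an added example that is not part of the original thread: a small POSIX sh wrapper around `aws ssm start-session` with the `AWS-StartPortForwardingSessionToRemoteHost` document. The instance id, RDS endpoint and ports are constructed placeholders; the only AWS-side requirements assumed are the ones Session Manager itself imposes (SSM agent and an instance profile on the EC2 instance, the Session Manager plugin locally, and a security group path from the instance to the RDS port).

```shell
#!/usr/bin/env sh
# Added example (not from the re:Post thread): open a local port to a private
# RDS endpoint through an intermediary EC2 instance with Session Manager.
# The intermediary only needs an outbound path to the RDS port; neither it
# nor the RDS security group needs any inbound rule from your network.

# Validate a TCP port argument: digits only and within 1-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the --parameters JSON for AWS-StartPortForwardingSessionToRemoteHost.
# Args: rds_endpoint rds_port local_port
build_ssm_params() {
  valid_port "$2" || { echo "bad remote port: $2" >&2; return 1; }
  valid_port "$3" || { echo "bad local port: $3" >&2; return 1; }
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' \
    "$1" "$2" "$3"
}

# Start the tunnel. The EC2 target must run the SSM agent with an instance
# profile that carries AmazonSSMManagedInstanceCore, and the caller needs
# ssm:StartSession on that instance and on the port-forwarding document.
# Args: instance_id rds_endpoint rds_port local_port
ssm_rds_tunnel() {
  params=$(build_ssm_params "$2" "$3" "$4") || return 1
  aws ssm start-session \
    --target "$1" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$params"
}

# Usage with placeholder values (constructed, not real resources):
#   ssm_rds_tunnel i-0123456789abcdef0 \
#     mydb.cluster-placeholder.eu-west-1.rds.amazonaws.com 5432 15432
# then, in another terminal: psql -h 127.0.0.1 -p 15432 -U app mydb
```

Every tunnel opened this way is an SSM session, so it shows up in Session Manager history and CloudTrail under the caller's identity, which is the audit trail you lose if you instead open the RDS security group to a bastion's public address.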
