How can I use the AWSSupport-TroubleshootConnectivityToRDS Systems Manager automation runbook to configure TroubleshootConnectivityToRDS between a source Amazon RDS database and an Amazon EC2 target?

4 minute read

I want to test connectivity between my Amazon Relational Database Service (Amazon RDS) database and a target Amazon Elastic Compute Cloud (Amazon EC2) client. I want to do this with a source and target that are in my AWS account, across accounts, or across AWS Regions.

Short description

AWSSupport-TroubleshootConnectivityToRDS uses the Systems Manager automation workflow to diagnose connectivity issues between a client EC2 machine and Amazon RDS. The runbook diagnoses network access control lists (network ACLs) based on the primary IP address of the EC2 instance. The workflow checks the instance status and properties, subnet CIDRs, network ACLs, security groups, and route tables. It completes these checks for both Amazon RDS and your EC2 instance, and then compares the configurations. You can also use this runbook for source Amazon Aurora and Amazon DocumentDB (with MongoDB compatibility) databases.

Note: The workflow doesn't verify ephemeral ports. The automation checks security groups based on the primary IP address of the EC2 instance, but doesn't check specific ports.

You can choose from the following workflow settings:

  • Simple execution (Default): Runs the automation workflow on targets.
  • Rate control: Runs on multiple targets and defines concurrency and error thresholds.
  • Multi-account and Region: Runs in multiple accounts and Regions.
  • Manual execution: Runs a step-by-step runbook mode.



  • (Optional) An Amazon CloudWatch alarm that alerts you when a failure occurs during a workflow.
  • An RDS, Aurora or Amazon DocumentDB instance.
  • A minimum of one EC2 instance to test the connection. Note the instance ID from the Amazon EC2 console.
  • An AWS Identity and Access Management (IAM) role with the following trusted entities and policy attached. Note the ARN and name of the IAM role for later use.

IAM role trusted entities:

    "Version": "2012-10-17",  
    "Statement": [  
            "Sid": "",  
            "Effect": "Allow",  
            "Principal": {  
                "Service": [  
            "Action": "sts:AssumeRole"  

IAM policy for the role:

 "Version": "2012-10-17",  
 "Statement": [  
 "Sid": "VisualEditor0",  
 "Effect": "Allow",  
 "Action": [  
 "Resource": "*"  

Run the automation workflow

  1. Open the Systems Manager console, and then choose your Region.
  2. Open the AWSSupport-TroubleshootConnectivityToRDS automation workflow.
  3. Choose Simple execution, Rate control, Multi-account and Region, or Manual execution based on your use case. This example uses Simple execution.
  4. Enter the details of your IAM role, RDS Instance identifier, and the EC2 instance ID.
  5. Choose Execute to start the workflow.

After the workflow starts, you can review the status of the workflow. Check if the workflow established a connection from the RDS DB instance to the EC2 instance. Then, review the list of steps that the workflow runs to check if the workflow failed or timed out at a specific step. You can also review the workflow to see if permissions issues occurred.

After the workflow is complete, the output shows the steps that the workflow ran and a Success or Failed status.

Run the workflow with the Rate control option

If you choose to use the Rate control option, then you can run the workflow on multiple targets and define concurrency and error thresholds. To do this, choose the DBinstance Identifier and Source Instance parameters of the corresponding targets. Then, test all the target EC2 instances that can access the RDS DB instance.

For each client and error threshold, use the concurrency to configure the number of workflows that you want to run at the same time.


  • Concurrency - one target
  • Error threshold - one error

Run the workflow with the cross-account and cross-Region option

When you choose the cross-account and cross-Region option, provide the AWS account details or organizational unit (OU). Also, to correctly run the automation workflow, make sure to provide the IAM role name that's in the cross-Region account.