Using Session Manager to connect RDS without having EC2 instance


When I go through the documents, using Session Manager we can connect to an instance in a private subnet without having a bastion host [direct port forwarding from local to private EC2].

But in the RDS case, even though we are making the connection using Session Manager, we need an EC2 instance between local and the private RDS.

Could anyone explain to me why it is like that? Please share some document that explains that as well.

Asked 2 years ago, viewed 2267 times
1 answer

Hi Vignesh, though we sometimes do document what is not possible, I'm not aware of a document that would explain why you cannot connect directly to RDS using SSM. So let me resort to a more generic answer:

SSM allows many more functions - and changes! - to an instance than just connecting to it. Having full SSM functionality on an RDS instance thus would undermine the Shared Responsibility Model we use for RDS (you could also say: it would violate the "Black Box" principle of RDS). Therefore, you need an intermediary instance that forwards the TCP port exposed by RDS to your local machine.

Further reading:

If this helped you, kindly mark my answer as "accepted". Kind regards, Uwe

Uwe K (AWS)
Answered 2 years ago
Reviewed 2 months ago
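The intermediary setup the answer describes, as an added example that is not part of the original thread: a Session Manager port-forwarding tunnel from the local machine, through an SSM-managed EC2 instance, to the private RDS endpoint. It assumes the AWS CLI v2 and the Session Manager plugin are installed locally, the instance runs the SSM agent with a role permitted to start sessions, and the RDS security group allows inbound on the DB port from the instance's security group; the instance ID and endpoint passed in are placeholders.

```shell
#!/bin/sh
# Added example: tunnel to a private RDS endpoint via an SSM-managed EC2 instance.
# Assumed: AWS CLI v2 + Session Manager plugin locally, SSM agent and a session-capable
# instance role on the EC2 host, and an RDS security group that admits the instance.
set -eu

# Accept only a valid TCP port number (1-65535), rejecting empty and non-numeric input.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the --parameters JSON for the AWS-StartPortForwardingSessionToRemoteHost
# document: the remote host, its port, and the local port the tunnel listens on.
ssm_port_forward_params() {
  host=$1; remote_port=$2; local_port=$3
  validate_port "$remote_port" || return 1
  validate_port "$local_port" || return 1
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' \
    "$host" "$remote_port" "$local_port"
}

# Start the tunnel. The DB client then connects to 127.0.0.1:<local_port>; the RDS
# endpoint itself stays unreachable from outside the VPC, and the StartSession call
# (with its --reason) is recorded in CloudTrail for audit.
ssm_rds_tunnel() {
  instance_id=$1; rds_endpoint=$2; remote_port=$3; local_port=$4
  params=$(ssm_port_forward_params "$rds_endpoint" "$remote_port" "$local_port") \
    || { echo "invalid port number" >&2; return 1; }
  aws ssm start-session \
    --target "$instance_id" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$params" \
    --reason "RDS access through SSM port forwarding"
}

# Usage: ./ssm-rds-tunnel.sh <instance-id> <rds-endpoint> <db-port> <local-port>
# e.g.   ./ssm-rds-tunnel.sh i-0123456789abcdef0 mydb.abc123.eu-west-1.rds.amazonaws.com 5432 15432
if [ $# -eq 4 ]; then
  ssm_rds_tunnel "$@"
fi
```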
  • Thank you for your response. Could you please briefly tell me about the "Black Box" principle of RDS? @Uwe

  • Though "Black Box" is not official AWS wording, I used it to describe the fact that RDS as a managed system isn't as open to connect to or apply changes (e.g. OS Kernel settings) as a custom install on EC2 would be. It's because of the responsibility AWS takes for RDS's availability and security that some functionality you'd have on a self-managed database server isn't available to you on RDS. Or, in other words: you get a certain service, but the way this service is configured and managed isn't published in detail (and may be changing over time). HTH, Uwe

  • Thanks, @Uwe. That's a great explanation. Much appreciated.

  • @Uwe I have another question related to this: connecting from a Docker container. Please share if you have any docs or ideas.
