
How to Securely Connect to an RDS Instance from a Local Environment Using AWS Session Manager

Posted on Oct 21

Until now, we used SSH tunnels through a bastion EC2 instance to connect to our database (RDS). That let DB client tools (such as MySQL Workbench) connect and let us run migrations from our local environments.

We kept those external connections secure by restricting source IP addresses in the inbound rules of the bastion's security group. However, the hassle of IP address changes caused by new team members and changing work locations, together with a preference for keeping resources inside a private subnet, led us to switch to a database connection method based on AWS Systems Manager Session Manager.

By adopting Session Manager, we've gained several benefits:

The DB connection process using Session Manager consists mainly of the following steps:

Ensure the AWS Systems Manager Agent (SSM Agent) is running on the target EC2 instance and is up to date. The SSM Agent handles the secure communication between the instance and Systems Manager.

Create a custom IAM policy named AssumeSSMRolePermissionPolicy and attach it to the specific IAM users (or the IAM groups they belong to). This lets those IAM users assume certain SSM-related IAM roles, which grant them the permissions they need.

AmazonSSMRoleForInstancesQuickSetup is an IAM role that you will attach to your EC2 instances (you will create it shortly). It grants the SSM Agent on the instances the permissions it needs to function correctly.

By assuming this role, IAM users obtain temporary credentials (access key, secret access key, session token) for managing EC2 instances through Session Manager. Consequently, there is no need to issue access keys and secret access keys to the IAM users themselves.

You need to install the AWS CLI in advance to initiate port-forwarding sessions: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

Unlike the bastion setup, the instance's security group no longer needs any inbound rules. On the other hand, its outbound rules must allow connections to RDS and the traffic the SSM Agent needs to reach Systems Manager.

Below is the Terraform code for this setup.

Create the IAM role AmazonSSMRoleForInstancesQuickSetup to be applied to your EC2 instances. Attach the following managed policies to this role so that SSM sessions can be created and managed:

Additionally, under the "Trust relationships" tab, specify the following as the "Trusted entities". This enables both EC2 and IAM users to assume this IAM role.

By using the IAM role together with AWS Security Token Service (STS), you can operate on AWS resources from the AWS CLI without access keys.

First, acquire temporary credentials by running the following command:

Copy the AccessKeyId, SecretAccessKey, and SessionToken from the output.

Next, set the credentials (AccessKeyId, SecretAccessKey, SessionToken) as environment variables. This can be done with the following commands in your command-line interface:

Execute the following command:

For the arbitrary port, choose an unused port (such as 8888).

Success is indicated by a message similar to the following:

Additionally, upon a successful connection, the session is displayed on the Session Manager console. This lets you monitor and manage active sessions, improving your oversight of database connections through AWS.

Proceed with the following settings:

Click on "Test Connection", and if prompted, enter the password for your DB user. A successful connection is confirmed if the following dialog appears.
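The procedure above as one runnable POSIX shell script: the identity-side AssumeSSMRolePermissionPolicy, the role's trust relationship, obtaining temporary credentials with STS, exporting them, and starting the port-forwarding session. This is an added example, not the post's own Terraform or commands. It keeps the post's role name AmazonSSMRoleForInstancesQuickSetup and SSM document AWS-StartPortForwardingSessionToRemoteHost; the account id 123456789012, the instance id, the RDS endpoint and the file name rds_via_ssm.sh are constructed placeholders. The MFA condition on the assume-role policy, the role-session-name convention, the policy sanity check and the `--query`/`--output text` parsing of the STS response are additions of this example, not from the post.

```shell
#!/usr/bin/env sh
# Added example (not the original post's code). Emits the two IAM policy documents
# the setup needs, then wraps the assume-role / port-forwarding steps in functions
# that parse the AWS CLI output instead of relying on copy-paste.
# Account id, instance id and RDS endpoint below are constructed placeholders.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
ROLE_NAME="${ROLE_NAME:-AmazonSSMRoleForInstancesQuickSetup}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
RDS_HOST="${RDS_HOST:-mydb.abcdefghijkl.ap-northeast-1.rds.amazonaws.com}"
RDS_PORT="${RDS_PORT:-3306}"
LOCAL_PORT="${LOCAL_PORT:-8888}"

role_arn() { printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"; }

# Identity-side policy (AssumeSSMRolePermissionPolicy): the user may assume this
# one role and nothing else. The MFA condition is added hardening, not from the post.
assume_role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AssumeSSMRoleOnly",
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "$(role_arn "$1" "$2")",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
EOF
}

# Role-side trust policy ("Trusted entities"): EC2 for the SSM Agent, plus the
# account itself. The account entry only works together with the identity-side
# policy above; that pairing is what keeps the role from being assumable by anyone.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::$1:root"},
     "Action": "sts:AssumeRole"}
  ]
}
EOF
}

# Sanity check on a policy read from stdin, run before `aws iam create-policy`:
# exactly one role ARN and no wildcard resource.
policy_is_scoped() {
  doc="$(cat)"
  n="$(printf '%s\n' "$doc" | grep -c 'arn:aws:iam::[0-9]\{12\}:role/' || true)"
  [ "$n" -eq 1 ] && ! printf '%s\n' "$doc" | grep -q '"Resource": *"\*"'
}

# Converts one tab-separated line "AccessKeyId SecretAccessKey SessionToken" (what
# `aws sts assume-role --query ... --output text` prints) into export statements.
credentials_to_exports() {
  printf '%s\n' "$1" | awk -F '\t' 'NF == 3 {
    printf "export AWS_ACCESS_KEY_ID=\047%s\047\n", $1
    printf "export AWS_SECRET_ACCESS_KEY=\047%s\047\n", $2
    printf "export AWS_SESSION_TOKEN=\047%s\047\n", $3
    ok = 1
  } END { exit ok ? 0 : 1 }'
}

# Parameters for the AWS-StartPortForwardingSessionToRemoteHost document:
# reach RDS through the instance and expose it on a local port.
port_forward_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}\n' "$1" "$2" "$3"
}

# Requests temporary credentials. The session name embeds the OS user and a
# timestamp so the AssumeRole and StartSession events in CloudTrail can be tied
# to a person. Set MFA_SERIAL to satisfy the MFA condition in the policy above.
assume_role() {
  set -- --role-arn "$(role_arn "$ACCOUNT_ID" "$ROLE_NAME")" \
         --role-session-name "$(id -un)-rds-$(date +%Y%m%dT%H%M%S)" \
         --duration-seconds 3600
  if [ -n "${MFA_SERIAL:-}" ]; then
    printf 'MFA code for %s: ' "$MFA_SERIAL" >&2
    read -r code
    set -- "$@" --serial-number "$MFA_SERIAL" --token-code "$code"
  fi
  aws sts assume-role "$@" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
}

case "${1:-}" in
  policies)  # print both documents for review or `aws iam create-policy --policy-document file://...`
    assume_role_policy "$ACCOUNT_ID" "$ROLE_NAME" | policy_is_scoped || { echo "policy not scoped" >&2; exit 1; }
    assume_role_policy "$ACCOUNT_ID" "$ROLE_NAME"; trust_policy "$ACCOUNT_ID" ;;
  connect)   # the post's three steps: assume the role, export the credentials, open the tunnel
    eval "$(credentials_to_exports "$(assume_role)")"
    aws ssm start-session --target "$INSTANCE_ID" \
      --document-name AWS-StartPortForwardingSessionToRemoteHost \
      --parameters "$(port_forward_params "$RDS_HOST" "$RDS_PORT" "$LOCAL_PORT")" ;;
esac
```

`sh rds_via_ssm.sh policies` prints the two documents after checking that the permission policy names exactly one role; `sh rds_via_ssm.sh connect` (run from a shell whose AWS CLI credentials are allowed to call AssumeRole) exports the temporary credentials into the current process only and opens the tunnel on the local port, after which the DB client connects to 127.0.0.1 on that port. Because the credentials live only in this shell's environment and expire with the session, nothing long-lived is left on the workstation, and the role session name makes the CloudTrail entries for the session attributable.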
Transitioning to a more secure database connection method based on AWS Session Manager is a significant step toward more secure and more efficient management of your resources. This approach not only streamlines the process by removing the need for bastion hosts and the management of SSH keys, but also improves security through the fine-grained access control and auditing capabilities AWS provides.

With the setup described in this guide, you have removed several layers of potential exposure and established a robust connection method. You can now connect to your database securely from your local environment, using AWS's own infrastructure without the overhead of managing intermediate servers. Furthermore, AWS CloudTrail keeps a record of your sessions' activity.

Always review and follow security best practices: keep all software up to date and apply the principle of least privilege when assigning permissions. Technology and threats evolve continuously, so staying informed and prepared is essential for maintaining a secure and efficient environment.