Access private RDS instance through Jumpbox

reading time: 3min, implementation time: 13min

Accessing a private RDS instance securely is a common challenge when working with cloud-based infrastructure. Direct database exposure to the internet is risky, which is why using a jumpbox (bastion host) to access a database in a private subnet is a standard practice. This guide explains how to set up and use an SSH tunnel through a jumpbox to connect to a private Amazon RDS instance. By following these steps, you can securely manage your database while keeping it protected within a private VPC.

Why a jumbpox ?

Cost-Effective: Requires minimal infrastructure, reducing operational costs.
Easy to Set Up and Maintain: Straightforward configuration with minimal maintenance.
Access Control via IP Whitelisting: Allows precise control by restricting access to only specific IPs.

1. Create EC2 instance

Log into the AWS Console:

Navigate to EC2 Dashboard
Create a new instance.

Configuration Details:

Region: Same region as your RDS instance.
Availability Zone: Preferably in the same AZ as your RDS for reduced latency.
Instance Type: Use t2.micro (1 vCPU, 1 GiB memory), which costs approximately $10.8/month. This is most certainly enough since the jumpbox will be used to transfer data only.

In the network settings section, make sure to select the security group that you just created.

2. Grant ssh access to your client service

Now we are going to create a non root user on the jumbpox for your client to connect to.

Connect to your instance through ssh <os>@<jumpbox_ip> where os is the os running on that jumpbox such as ubuntu.

#!/bin/bash
cd .ssh
echo "<your_ssh_key" >> .ssh/authorized_keys

# remove sudo access to that user if not needed
sudo deluser <your_user> sudo

Now you can exit and try to ssh into the jumpbox using the newly created user with ssh <your_user>@<jumbpox_ip>

3. Whitelist your client service

The best security safeguard you can have is to whitelist the ips allowed to connect to your jumbpx. We recommend allowing access only to the ips you need to grant access to.

You can whitelist your services by creating a dedicated security group in the section Network & Security.

Now you can attach this security group to your jumpbox ec2 instance.

You can confirm that only your client can now access the jumpbox by using telnet <jumpbox_ip> <ssh_port> , the command should timeout.

4. Grant the jumpbox access to your DB

Create a security group dedicated for the Jumpbox to access the database. Then modify your database and the newly created security group.

You can test your setup by running the following commands from the service you whitelisted:

ssh -L 5432:<db_ip>:5432 -N -f <jumbpox_user>@<jumpbox_ip>
psql -h localhost -p 5432 -U <DB_USER> -d <DB_NAME>

Congrats you can now access your private database through an SSH tunnel passing by a jumbpox

(optional) Additional security measures

Here are some additional suggestions to increase security beyond the above tutorial:

SSL certificate
use a firewall to control traffic going in and out the jumpbox
create a dedicated user other than default users such as ubuntu
disable sudo access for the user you connect with, and grant most limited access
use custom SSH port, most attacks target port 22 since it is the default SSH port
install fail2ban on the jumpbox to block ips with repeated failed attempts
install auditd to monitor and log all system events

If you have any questions, feel free to ping us at hello@stacksync.com we'll be happy to help!

PreviousAmazon RDS NextEnsuring Secure RDS Connections with SSL Certificate

Last updated 11 days ago