Securely connect to a private RDS instance using AWS SSM session forwarding (Systems Manager)
Hola!
Managing PEM keys or public keys can be tedious, and we can't compromise by opening SSH on the bastion host or by changing the IPs in the security group for every client. AWS SSM comes in handy in this scenario and lets us connect to RDS privately and securely.
Benefits
- No PEM key is required for the bastion host.
- No adding/removing of public keys on the bastion host.
- The SSH port can be completely closed.
- Removes the operational overhead of whitelisting every client IP change.
- Secure connection through the SSM tunnel (AWS private network).
- High data throughput.
Prerequisites
- The AWS CLI installed
- The Session Manager plugin is installed locally on your machine.
- A GUI database toolset is installed locally on your machine.
- An AWS Identity and Access Management (IAM) user with programmatic access to your AWS account.
Instructions
1. Install the AWS CLI (guide: Install or update the latest version of the AWS CLI, in the AWS Command Line Interface documentation).
2. Install the Session Manager plugin (guide: Install the Session Manager plugin for the AWS CLI, in the AWS Systems Manager documentation).
3. After installation, configure the AWS CLI by running the following commands.
4. The profile name can be anything you prefer; a named profile comes in handy when you need to manage multiple sets of keys.
NOTE — The keys should have access limited to only the jump box and SSM.
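The note above leaves "limited access" open. The script below is an added example, written for this page and not taken from the original post or from AWS, that prints a least-privilege policy document granting only what the port-forwarding command needs: StartSession on one bastion instance together with the AWS-StartPortForwardingSessionToRemoteHost document, and Resume/Terminate on the caller's own sessions. The region, account id and instance id are placeholders passed as arguments; the output is meant to be attached to the IAM user whose access keys sit behind the CLI profile.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: print a least-privilege IAM policy
# for the user whose access keys are used by the AWS CLI profile.
# Region, account id and bastion instance id are arguments; the values in the
# usage comment at the bottom are made-up placeholders.
set -euo pipefail

# Arguments: <region> <account-id> <bastion-instance-id>
rds_ssm_policy() {
  local region="$1" account="$2" instance="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartPortForwardingToBastionOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${region}:${account}:instance/${instance}",
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost"
      ],
      "Condition": {
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Usage with placeholder values:
#   rds_ssm_policy eu-west-1 123456789012 i-0123456789abcdef0 > bastion-tunnel-policy.json
if [ "$#" -eq 3 ]; then
  rds_ssm_policy "$@"
fi
```

The instance ARN pins StartSession to the single bastion, the document ARN (with the SessionDocumentAccessCheck condition) stops the same keys from opening an interactive shell with the default document, and the session ARN pattern only matches sessions the user started. Nothing in the policy grants SSH, EC2 or RDS permissions, which is what the note asks for.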
5. To start a session
aws ssm start-session --region <your-region> --target <instance-id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host="<rds-hostname>",portNumber="5432",localPortNumber="1433" --profile <aws-profile>
This command opens a listener on local port 1433 and forwards it to the RDS endpoint, so the database host to enter in GUI tools is now “127.0.0.1:1433”.
6. To run the command quickly without copy-pasting every time it’s needed you can configure it as an alias in your terminal.
alias rds-db='aws ssm start-session --region <your-region> --target <instance-id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host="<rds-hostname>",portNumber="5432",localPortNumber="1433" --profile <aws-profile>'
7. Run the “rds-db” command to start the session.
rds-db
To make the alias permanent, follow the guide “Linux alias Command: How to Use It With Examples”.
NOTE — Make sure localPortNumber is distinct when starting two sessions simultaneously, to avoid port conflicts.
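To avoid the port clash the note warns about, the following added example (written for this page, not part of the original post) wraps the start-session command in a function that first checks that the CLI and plugin from the prerequisites are installed and that nothing already listens on the chosen local port, and only then opens the tunnel. Profile, region, instance id, hostname and ports are passed as arguments; the values in the usage comment are placeholders. The port probe relies on bash's /dev/tcp, so run it with bash rather than sh.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: start the SSM port-forwarding
# tunnel only after confirming the prerequisites are installed and the chosen
# local port is free, so two simultaneous sessions cannot collide.
# Profile, region, instance id, hostname and ports are arguments; the values in
# the usage comment at the bottom are placeholders.
set -euo pipefail

# Verify the tools listed under Prerequisites are on PATH.
check_prereqs() {
  local missing=0 tool
  for tool in aws session-manager-plugin; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; missing=1; }
  done
  return "$missing"
}

# Return 0 if something already accepts connections on 127.0.0.1:<port>, else 1.
# Uses bash's built-in /dev/tcp so no extra tooling (ss, lsof, nc) is needed.
local_port_in_use() {
  local port="$1"
  (exec 3<>"/dev/tcp/127.0.0.1/${port}") 2>/dev/null
}

# Compose the --parameters value for AWS-StartPortForwardingSessionToRemoteHost.
# Arguments: <rds-hostname> <remote-port> <local-port>
ssm_forward_params() {
  printf 'host=%s,portNumber=%s,localPortNumber=%s' "$1" "$2" "$3"
}

# Open the tunnel. Blocks until the session ends (Ctrl-C or inactivity timeout).
# Arguments: <aws-profile> <region> <bastion-instance-id> <rds-hostname> <remote-port> <local-port>
start_rds_tunnel() {
  local profile="$1" region="$2" target="$3" host="$4" rport="$5" lport="$6"
  check_prereqs || return 1
  if local_port_in_use "$lport"; then
    echo "127.0.0.1:${lport} is already in use; choose a distinct localPortNumber" >&2
    return 1
  fi
  echo "forwarding 127.0.0.1:${lport} -> ${host}:${rport} via ${target}" >&2
  aws ssm start-session \
    --region "$region" \
    --target "$target" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(ssm_forward_params "$host" "$rport" "$lport")" \
    --profile "$profile"
}

# Usage with placeholder values (a second call with local port 1433 while the
# first tunnel is running is refused before the CLI is invoked):
#   start_rds_tunnel my-profile eu-west-1 i-0123456789abcdef0 mydb.example.rds.amazonaws.com 5432 1433
if [ "$#" -eq 6 ]; then
  start_rds_tunnel "$@"
fi
```

The functions can be sourced into an interactive shell next to the rds-db alias; the second tunnel then fails fast with a clear message instead of the plugin failing to bind the port after the session has already been started on the AWS side.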
8. The session inactivity timeout can be increased in the AWS SSM settings, but only up to 60 minutes.
9. Here is a simple shell script which restarts the session each time it ends after the timeout.
#!/bin/bash
# Restart the SSM port-forwarding session whenever it exits (for example after
# the Session Manager inactivity timeout). Replace the placeholders first.
# Keeping the command in an array avoids the quoting problems of a plain string.
COMMAND=(aws ssm start-session
  --region "<your-region>"
  --target "<instance-id>"
  --document-name AWS-StartPortForwardingSessionToRemoteHost
  --parameters "host=<rds-hostname>,portNumber=5432,localPortNumber=1433"
  --profile "<aws-profile>")
# Pause between restarts so a failing command does not spin in a tight loop
RESTART_DELAY=10 # seconds
# Run the command; it blocks until the session ends
run_command() {
  "${COMMAND[@]}"
}
# Run the command initially
run_command
# Loop indefinitely: each time the session ends, wait briefly and start a new one
while true; do
  sleep "$RESTART_DELAY"
  run_command
done
Reference: AWS documentation
Happy querying!!