
I have an ECS task executed from a Lambda function. This task will perform some basic SQL operations (e.g. SELECT, INSERT, UPDATE) on an RDS instance running MySQL. What is the proper way to manage access from the ECS task to RDS?

I am currently connecting to RDS using a security group rule where port 3306 allows a connection from a particular IP address (where an EC2 instance resides).

I am in the process of moving this functionality from EC2 to the ECS task. I looked into IAM policies, but the actions appear to manage AWS CLI RDS operations, and are likely not the solution here. Thanks!

scagnetti
  • How do you manage RDS access from the EC2 instance currently? You have to be specifying the MySQL username/password somehow. You are correct in that IAM is not used for managing access to your MySQL server instance. – Mark B Sep 09 '16 at 18:56
  • I have a mysqlclient (python library) connection where I provide un/pw. This part of connecting will remain the same in my ECS task. I also restrict access to this EC2 instance by its IP address, which is the part I am trying to solve in my ECS implementation. Though, if there is some way I can solve this with IAM roles that would be great. – scagnetti Sep 09 '16 at 19:08

1 Answer


IAM roles and Security Groups are two totally different things that serve different purposes. You have to open the Security Group to allow any network traffic to access the RDS server. Instead of whitelisting the IP address you should whitelist the inbound Security Group.

For example if the RDS server is in Security Group 1, and the ECS server is in Security Group 2, you can enter the ID of Security Group 2 in the inbound access rule of Security Group 1. Then you don't have to worry about servers changing IP addresses.

Mark B
  • I'm having an issue where I would like to do the same thing, but the ECS clusters are in different regions, all connecting back to write to the master RDS Db Instance in ap-southeast-2. I have read that you can't assign Security Groups from another region as an inbound group. Do you have a suggestion how you might achieve this Mark? – Chris Mar 07 '18 at 01:36
  • @Chris If you are using cross-region VPC peering then you can white-list the private subnet IP range. – Mark B Mar 07 '18 at 13:55
  • Thanks Mark, I'll look into that. Appreciate it. – Chris Mar 07 '18 at 21:51
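The following Terraform is an added example, not code from the question, the answer, or the comments. It builds the two-group layout Mark B describes (RDS in one Security Group, ECS in another, with the ECS group's ID referenced in the RDS group's inbound rule) and also covers the cross-region case raised in the comments, where a Security Group from another region cannot be referenced and the peered VPC's private CIDR is allowed instead. Every name, variable, CIDR and description below is an assumed placeholder.

```hcl
# Added example (not from the original question or answer): Security Group referencing
# instead of IP whitelisting for ECS -> RDS MySQL traffic. All names and values are assumed.

variable "vpc_id" {
  description = "VPC holding both the RDS instance and the ECS tasks (assumed placeholder)"
  type        = string
}

variable "peered_vpc_cidr" {
  description = "Private CIDR of a VPC peered from another region; empty string disables that rule (assumed)"
  type        = string
  default     = ""
}

# "Security Group 2" in the answer: attached to the ECS tasks (awsvpc networking)
# or to the container instances they run on.
resource "aws_security_group" "ecs" {
  name        = "ecs-mysql-clients-sg"
  description = "ECS tasks that connect to RDS MySQL"
  vpc_id      = var.vpc_id
}

# "Security Group 1" in the answer: attached to the RDS instance.
resource "aws_security_group" "rds" {
  name        = "rds-mysql-sg"
  description = "RDS MySQL, reachable only from referenced groups"
  vpc_id      = var.vpc_id
}

# The key rule: allow 3306 from members of the ECS group, not from a fixed IP address,
# so the rule keeps working when tasks or instances change IP.
resource "aws_security_group_rule" "rds_from_ecs" {
  type                     = "ingress"
  security_group_id        = aws_security_group.rds.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ecs.id
  description              = "MySQL from ECS tasks"
}

# Terraform removes AWS's default allow-all egress on groups it creates, so the ECS side
# needs an explicit egress rule. Security groups are stateful, so only 3306 outbound to the
# RDS group is required; no 0.0.0.0/0 egress is needed for the database path.
resource "aws_security_group_rule" "ecs_to_rds" {
  type                     = "egress"
  security_group_id        = aws_security_group.ecs.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.rds.id
  description              = "MySQL to RDS"
}

# Cross-region case from the comments: a Security Group in another region cannot be
# referenced, so after cross-region VPC peering the peered VPC's private CIDR is allowed.
# count = 0 when no CIDR is supplied, so the rule only exists when needed.
resource "aws_security_group_rule" "rds_from_peered_vpc" {
  count             = var.peered_vpc_cidr == "" ? 0 : 1
  type              = "ingress"
  security_group_id = aws_security_group.rds.id
  from_port         = 3306
  to_port           = 3306
  protocol          = "tcp"
  cidr_blocks       = [var.peered_vpc_cidr]
  description       = "MySQL from peered VPC in another region"
}
```

To use it, put `aws_security_group.rds.id` in the DB instance's `vpc_security_group_ids` and `aws_security_group.ecs.id` in the ECS service's network configuration (awsvpc mode) or on the container instances' ENIs. The CIDR rule for the peered VPC is intentionally as narrow as the peered private subnet range; it does not replace the group reference within the same region, where the reference remains the tighter control.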