4

I am trying to configure my RDS security group so that my EC2 instance can read and write to the database, but admin access to the DB happens only via login credentials. Will my setup below achieve this? Should the admin access only happen via SSH?

EC2 setup:

[screenshot: security group]

RDS setup (connected to the EC2 security group name):

[screenshot: security group rds]

cphill

1 Answer

4

Security groups restrict network connections only, and are not related to authentication methods like username/password. Also, since RDS is a managed service you do not get SSH access to the RDS servers.

You've configured the security groups correctly to allow your EC2 server to connect to your RDS server. You just need to remove the SSH rule from the RDS security group since it is of no use.

To configure authentication methods for your MySQL database you need to start by reading the documentation here. In general, you will be using a username/password for all connections to the database.

Mark B
  • thanks for the answer. I have typically connected with username/password to my DB using Sequel Pro before when I had a security group for `MySQL` set to `Any IP`, but since I changed `MySQL` to using my EC2 security group, I am able to login through my application and make queries/post to the database, but I'm not able to login with Sequel Pro. Shouldn't this still be possible since I'm giving `MySQL`, HTTP/HTTPS access to any IP and I'm connecting to an endpoint with a user and password? – cphill Dec 30 '16 at 03:02
  • MySQL only uses port 3306. Opening HTTP ports does nothing and it doesn't look like you opened those ports for the DB server anyway. Open port 3306 for your IP. – Mark B Dec 30 '16 at 04:48
  • Ahh, okay, this part has confused me the most. By connecting my EC2 security group (HTTP/HTTPS open to any ip) as the value for the MySQL Port 3306 in my RDS security group, what am I actually doing? Should I really be using a different security type for this security group connection and have a separate line item for MySQL Port 3306 using my ip? – cphill Dec 30 '16 at 15:03
  • You aren't "connecting your EC2 security group" to the database server. You are specifying that any resource that belongs to the EC2 security group is allowed to connect to any resource that belongs to the database security group, on port 3306. The ports that are open in the EC2 security group are irrelevant at that point. – Mark B Dec 30 '16 at 15:16
  • Sorry for the additional question, but I want to make sure I get it hammered into my memory and then accept the answer. Correct me if I am wrong, but you are saying that by referencing the EC2 security group on port 3306 it is allowed to connect to any "type" listed (is that what you meant by resource?) in that security group. As a result, it can connect via HTTP and HTTPS with this reference. In order to access MySQL with a login I should add an additional MySQL Port 3306 and open it to my IP. – cphill Dec 30 '16 at 16:10
  • I don't understand your question at all. Looking at your screenshots you have two security groups. One is assigned to your EC2 instance and allows connections on ports 22, 80 and 443. One is assigned to your RDS database server and allows connections on port 3306. Anybody can connect to your EC2 instance on ports 80 and 443. Only a specific (blurred out) IP address can connect to your EC2 instance on port 22. Only AWS resources (EC2 servers, Lambda functions, etc.) that belong to the EC2 security group are allowed to connect to your RDS server. – Mark B Dec 30 '16 at 16:39
  • Sorry for the confusion. I was able to answer my question between your answer and comments. I kept the configuration in the screenshot, but excluded the SSH from the RDS security group and also added an additional MySQL/Aurora resource to the RDS and set the source to my IP address. This has allowed me to use my RDS db with my EC2, as well as allowed me to login with a username/password. Thanks for all of the help! – cphill Dec 30 '16 at 18:31
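The two security groups the thread converges on, written out as an added example (this is not the poster's configuration and not AWS code). The rule dicts use the `IpPermissions` shape that boto3's `ec2.authorize_security_group_ingress()` accepts, so they could be passed to that call unchanged; the evaluator and audit below run offline against constructed inputs and model the point made in the comments: a security-group source matches on the sender's group membership, and the ports open in the sender's own group play no part. The group IDs and the admin address are placeholders.

```python
"""Security-group model for the EC2 + RDS setup discussed above.
Added example; group IDs and the admin CIDR are placeholders, not values
from the question."""
import ipaddress

# Hypothetical group IDs and admin address (placeholders).
EC2_SG = "sg-0aaa0000ec2web000"
RDS_SG = "sg-0bbb0000rdsdb0000"
ADMIN_CIDR = "203.0.113.10/32"   # RFC 5737 documentation range

def rule(port, cidr=None, source_sg=None):
    """One TCP ingress rule in boto3 IpPermissions form."""
    r = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [], "UserIdGroupPairs": []}
    if cidr:
        r["IpRanges"].append({"CidrIp": cidr})
    if source_sg:
        r["UserIdGroupPairs"].append({"GroupId": source_sg})
    return r

# Web tier: SSH only from the admin IP, HTTP/HTTPS from anywhere.
EC2_RULES = [rule(22, cidr=ADMIN_CIDR),
             rule(80, cidr="0.0.0.0/0"),
             rule(443, cidr="0.0.0.0/0")]

# Database tier as first posted: 3306 from members of the EC2 group plus a
# useless SSH rule (its source is not visible in the question; assumed here).
RDS_RULES_BEFORE = [rule(3306, source_sg=EC2_SG),
                    rule(22, cidr=ADMIN_CIDR)]

# Database tier as the thread settles on it: 3306 from members of the EC2
# group, 3306 from the admin IP for Sequel Pro, and no SSH rule at all.
RDS_RULES = [rule(3306, source_sg=EC2_SG),
             rule(3306, cidr=ADMIN_CIDR)]

def allowed(rules, port, src_ip=None, src_groups=()):
    """Security-group evaluation: allowed if any rule matches the port and
    either the sender's IP falls in a CIDR range or the sender belongs to a
    referenced group.  Ports open in the sender's own group are irrelevant."""
    for r in rules:
        if r["IpProtocol"] != "tcp" or not r["FromPort"] <= port <= r["ToPort"]:
            continue
        if src_ip and any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(x["CidrIp"])
                          for x in r["IpRanges"]):
            return True
        if any(p["GroupId"] in src_groups for p in r["UserIdGroupPairs"]):
            return True
    return False

def audit(rules, listening_ports):
    """Flag rules that can never be used (a port the service does not listen
    on, e.g. SSH on a managed RDS instance) and rules that expose a listening
    port to the whole internet."""
    findings = []
    for r in rules:
        port = r["FromPort"]
        if port not in listening_ports:
            findings.append(f"port {port}: service does not listen here, rule is dead")
        elif any(x["CidrIp"] == "0.0.0.0/0" for x in r["IpRanges"]):
            findings.append(f"port {port}: open to 0.0.0.0/0")
    return findings

if __name__ == "__main__":
    # The Sequel Pro failure from the comments: the admin IP is not a member
    # of the EC2 group, so the group-referencing rule does not match it.
    print("admin -> RDS, before:", allowed(RDS_RULES_BEFORE, 3306, src_ip="203.0.113.10"))
    print("admin -> RDS, after: ", allowed(RDS_RULES, 3306, src_ip="203.0.113.10"))
    print("EC2   -> RDS:        ", allowed(RDS_RULES, 3306, src_groups=[EC2_SG]))
    print("audit before:", audit(RDS_RULES_BEFORE, {3306}))
    print("audit after: ", audit(RDS_RULES, {3306}))
```

To apply the database rules for real you would call `ec2.authorize_security_group_ingress(GroupId=RDS_SG, IpPermissions=RDS_RULES)` on a boto3 EC2 client; the evaluator is only a model of how AWS matches rules and does not replace checking the live configuration.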