Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
Deny EC2 SSH to RDS
I have create a security group for the RDS Database Instance. The security group has a rule to allow TCP 3306 for MySQL/Aurora from a specific IP, which is a EC2. This EC2 is an app server and I only want it to connect to the RDS from the application.
However, I discover that I can also ssh into the RDS DBI from that app server EC2. I have configured a Bastion for developers to ssh into the RDS DBI so I do not want when someone logged into the app server then ssh to the RDS.
Can I please get advise how do I stop ssh access to the RDS from the app server?
- Tags
- Security Group
- Language
- English
- Newest
- Most votes
- Most comments
Hi,
You can't limit it on the networking layer. If you have CI/CD you don't need to have access to the app EC2 at all, so you can limit access only to bastion.
Relevant content
- asked 2 years ago
No, we don't have CI/CD. I think you mean to deny users to ssh access to EC2.