Deny EC2 SSH to RDS


I have create a security group for the RDS Database Instance. The security group has a rule to allow TCP 3306 for MySQL/Aurora from a specific IP, which is a EC2. This EC2 is an app server and I only want it to connect to the RDS from the application.

However, I discover that I can also ssh into the RDS DBI from that app server EC2. I have configured a Bastion for developers to ssh into the RDS DBI so I do not want when someone logged into the app server then ssh to the RDS.

Can I please get advise how do I stop ssh access to the RDS from the app server?

asked 3 months ago68 views
1 Answer
Accepted Answer


You can't limit it on the networking layer. If you have CI/CD you don't need to have access to the app EC2 at all, so you can limit access only to bastion.

profile picture
answered 3 months ago
  • No, we don't have CI/CD. I think you mean to deny users to ssh access to EC2.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions