1 answer
Hi Vignesh, though we sometimes do document what is not possible, I'm not aware of a document that would explain why you cannot connect directly to RDS using SSM. So let me resort to a more generic answer:
SSM allows many more functions - and changes! - to an instance than just connecting to it. Having full SSM functionality on an RDS instance thus would undermine the Shared Responsibility Model we use for RDS (you could also say: it would violate the "Black Box" principle of RDS). Therefore, you need an intermediary instance that forwards the TCP Port exposed by RDS to your local machine.
Further reading:
- The RDS-specific Shared Responsibility Model is explained in "Security in Amazon RDS"
- Our general overview of the Shared Responsibility Model
- In case you don't know already, the EC2 instance can be in a private subnet, too, as explained here: Securely connect to an Amazon RDS or Amazon EC2 database instance remotely with your preferred GUI
If this helped you, kindly mark my answer as "accepted". Kind regards, Uwe
Answered 2 years ago
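The answer above describes the intermediary EC2 instance that forwards the RDS TCP port to your local machine. The following script is an added example, not code from the re:Post thread or from AWS; it opens exactly that kind of tunnel with the Session Manager port-forwarding document and validates the inputs first. The instance ID, the RDS endpoint and the ports are placeholders you must substitute, and it assumes the intermediary instance has the SSM agent and an instance role that allows Session Manager, that its security group can reach the RDS security group on the database port, and that the Session Manager plugin is installed locally.

```shell
#!/bin/sh
# Added example (not from the thread): SSM port forwarding through a bastion
# EC2 instance to an RDS endpoint. Placeholders: instance ID, RDS hostname.

# Build the parameter JSON for the AWS-StartPortForwardingSessionToRemoteHost
# document. Ports are checked so a typo cannot open an unexpected session.
build_params() {
    host="$1"; remote_port="$2"; local_port="$3"
    case "$remote_port" in
        ''|*[!0-9]*) echo "remote port must be numeric" >&2; return 1 ;;
    esac
    case "$local_port" in
        ''|*[!0-9]*) echo "local port must be numeric" >&2; return 1 ;;
    esac
    printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' \
        "$host" "$remote_port" "$local_port"
}

# Sanity-check the instance ID shape (i- followed by hex digits) before use.
valid_instance_id() {
    case "$1" in
        i-[0-9a-f]*) [ "${#1}" -ge 10 ] ;;
        *) return 1 ;;
    esac
}

# Open the tunnel: local_port on this machine -> bastion -> rds_host:rds_port.
# With DRY_RUN=1 the aws command is printed instead of executed.
start_rds_tunnel() {
    instance_id="$1"; rds_host="$2"; rds_port="${3:-5432}"; local_port="${4:-15432}"
    valid_instance_id "$instance_id" || { echo "bad instance id: $instance_id" >&2; return 1; }
    params=$(build_params "$rds_host" "$rds_port" "$local_port") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "aws ssm start-session --target $instance_id --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters $params"
        return 0
    fi
    aws ssm start-session \
        --target "$instance_id" \
        --document-name AWS-StartPortForwardingSessionToRemoteHost \
        --parameters "$params"
}

# Usage (placeholders): start_rds_tunnel i-0123456789abcdef0 DB-ENDPOINT.PLACEHOLDER 5432 15432
# then point the client at localhost:15432 while the session stays open.
```

No inbound port has to be opened on the bastion for this: the SSM agent makes an outbound connection to the Session Manager service, so the bastion can sit in a private subnet as the answer notes. On the IAM side, the calling principal only needs ssm:StartSession on that instance and on the port-forwarding document, and every session is recorded in CloudTrail, which is what makes this path easier to audit than a database port exposed to the internet.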
Thank you for your response. Could you please briefly tell me about the "Black Box" principle of RDS? @Uwe
Though "Black Box" is not official AWS wording, I used it to describe the fact that RDS as a managed system isn't as open to connect to or apply changes (e.g. OS Kernel settings) as a custom install on EC2 would be. It's because of the responsibility AWS takes for RDS's availability and security that some functionality you'd have on a self-managed database server isn't available to you on RDS. Or, in other words: you get a certain service, but the way this service is configured and managed isn't published in detail (and may be changing over time). HTH, Uwe
Thanks, @Uwe. That's a great explanation. Much appreciated.
@Uwe I have another question related to this: connecting from a Docker container. Please share if you have any docs or ideas: https://repost.aws/questions/QUGuUewImyTiabU7R946zD9w/from-docker-container-need-to-connect-rds-using-session-manager