Connect To AWS RDS Instance Using SSM And SSH Tunneling

In this post, we’ll discuss how we can connect to a private RDS instance using SSM and SSH Tunneling.

Step 1: Create an EC2 instance with Ubuntu 20.04 AM. Use public subnet to launch this instance so that we can SSH into it. We’ll use this instance to connect to our RDS instance from our local machine.

AWS SSM agent and the ec2-instance-connect package will already be installed on this instance but we need to attach an IAM Role that has AmazonSSMManagedInstanceCore permission.

In the EC2 security group, allow SSH access from your IP only.

Step 2: Create a MySQL RDS Instance. Use private subnets to launch this instance and don’t allow public access.

In RDS Security Group, allow access on port 3306 from EC2 security group only.

Step 3: Create an IAM user with programmatic access, having following permission.Replace <aws_account_id> with your AWS account id.

"Version": "2012-10-17",
"Statement": [
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2-instance-connect:SendSSHPublicKey",
"Resource": "*"
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ssm:StartSession",
"Resource": "*"

Download access_key and secret_access_key for this user and setup aws cli on your local machine.

Note: Step 4–8 will be executed on your local machine.

Step 4: Generate an SSH key with following command:

cd /tmp
ssh-keygen -f rds_rsa

Step 5: Now push the generated SSH public key to our EC2 instance using following command(specify instance id which we created in Step 1 and its availability zone of that instance).

aws ec2-instance-connect send-ssh-public-key \
--instance-id <instance_id>\
--availability-zone <availability_zone>\
--instance-os-user ubuntu \
--ssh-public-key file:///tmp/

As per the documentation provide by AWS(, the key remains for 60 seconds so you need to connect using SSH within this time window. We’ll do this in the next steps.

Step 6: Start SSM session using following command(specify instance id which we created in Step 1):

aws ssm start-session \
--target <instance_id> \
--document-name AWS-StartPortForwardingSession \
--parameters '{"portNumber":["22"], "localPortNumber":["9999"]}'

Step 7: Open another terminal on your local machine and execute following command. This command should be executed within 60 seconds of executing Step 5.

ssh -i /tmp/rds_rsa ubuntu@localhost \
-p 9999 \
-N \
-L 3388:<rds_endpoint>:3306

Step 8: Now connect to the RDS instance using following command:

mysql -u admin -p -h -P 3388

At this point, you should be able to connect to RDS instance and get MySQL prompt:

👋 Join us today !!

️Follow us on LinkedIn, Twitter, Facebook, and Instagram

If this post was helpful, please click the clap 👏 button below a few times to show your support! ⬇



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vinayak Pandey

Vinayak Pandey

Experienced Cloud Consultant with a knack of automation. Linkedin profile: