How to Configure Security Group for AWS RDS Instances
To configure a security group for an AWS RDS instance, create or modify a security group that allows inbound traffic on the database port (for example 3306 for MySQL) only from trusted IP addresses or other AWS resources, then attach that security group to the RDS instance so it controls who can connect to the database.
Syntax
A security group for RDS controls inbound and outbound traffic. Key parts include:
- Security Group Name: A unique name to identify the group.
- Inbound Rules: Define allowed incoming traffic by protocol, port, and source IP or security group.
- Outbound Rules: Define allowed outgoing traffic (usually open by default).
- Attach to RDS Instance: Assign the security group to your RDS instance to enforce rules.
```terraform
resource "aws_security_group" "rds_sg" {
  name        = "rds-security-group"
  description = "Allow database access"

  ingress {
    description = "Allow MySQL access"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # trusted range only, never 0.0.0.0/0
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1" # all protocols
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "example" {
  allocated_storage    = 20
  engine               = "mysql"
  engine_version       = "8.0"
  instance_class       = "db.t3.micro"
  db_name              = "exampledb" # db_name replaces the older, removed "name" argument
  username             = "admin"
  password             = "password123" # demo value; supply this from a variable or secrets store
  parameter_group_name = "default.mysql8.0"
  skip_final_snapshot  = true

  # attaching the group is what makes its rules apply to the instance
  vpc_security_group_ids = [aws_security_group.rds_sg.id]
}
```
Example
This example creates a security group allowing MySQL traffic from a specific IP range and attaches it to an RDS MySQL instance.
```terraform
resource "aws_security_group" "rds_sg" {
  name        = "rds-security-group"
  description = "Allow MySQL access from office IP"

  ingress {
    description = "MySQL from office"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["198.51.100.0/24"] # office range
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "mydb" {
  allocated_storage   = 20
  engine              = "mysql"
  engine_version      = "8.0"
  instance_class      = "db.t3.micro"
  db_name             = "mydatabase" # db_name replaces the older, removed "name" argument
  username            = "admin"
  password            = "securePass123" # demo value; supply this from a variable or secrets store
  skip_final_snapshot = true

  vpc_security_group_ids = [aws_security_group.rds_sg.id]
}
```
Output
```text
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
```
Common Pitfalls
- Opening to 0.0.0.0/0: Allowing all IPs can expose your database to attacks. Always restrict to trusted IPs.
- Wrong Port: Using incorrect port numbers will block connections. Use the port your database engine listens on (e.g., 3306 for MySQL).
- Not Attaching Security Group: Creating a security group but not attaching it to the RDS instance means rules won't apply.
- Forgetting VPC: Security groups must be in the same VPC as your RDS instance.
```terraform
/* Wrong: Open to all IPs */
resource "aws_security_group" "bad_sg" {
  name = "open-all"

  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # the whole internet can reach the database port
  }
}

/* Right: Restrict to office IP range */
resource "aws_security_group" "good_sg" {
  name = "restricted-access"

  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["198.51.100.0/24"]
  }
}
```
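The pitfalls above (world-open database port, group in the wrong VPC, no group attached) can be checked across an account rather than by eye. The following audit script is an added example, not part of the original article; it works on the data shapes returned by the EC2 `describe_security_groups` and RDS `describe_db_instances` API calls, and the sample groups and instances embedded in it are constructed for illustration.

```python
WORLD = {"0.0.0.0/0", "::/0"}

def rule_covers_port(rule, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule; AWS omits FromPort/ToPort here
        return True
    return proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def world_open_sources(group, port):
    """CIDRs in `group` that expose `port` to the whole internet (IPv4 or IPv6)."""
    hits = []
    for rule in group.get("IpPermissions", []):
        if rule_covers_port(rule, port):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            hits += [c for c in cidrs if c in WORLD]
    return hits  # security-group sources (UserIdGroupPairs) are deliberately not flagged

def audit_rds_instance(instance, groups_by_id):
    """Findings for one DB instance: no group attached, VPC mismatch, world-open DB port."""
    name, port = instance["DBInstanceIdentifier"], instance["Endpoint"]["Port"]
    vpc = instance["DBSubnetGroup"]["VpcId"]
    attached = [g["VpcSecurityGroupId"] for g in instance.get("VpcSecurityGroups", [])]
    findings = [] if attached else [f"{name}: no security group attached"]
    for sg_id in attached:
        sg = groups_by_id[sg_id]
        if sg["VpcId"] != vpc:
            findings.append(f"{name}: {sg_id} is in {sg['VpcId']} but the instance is in {vpc}")
        for cidr in world_open_sources(sg, port):
            findings.append(f"{name}: {sg_id} allows port {port} from {cidr}")
    return findings

# Constructed sample data in the shape of describe_security_groups / describe_db_instances output.
# For a live account, build these from boto3.client("ec2") and boto3.client("rds") instead.
SAMPLE_GROUPS = {
    "sg-office": {"GroupId": "sg-office", "VpcId": "vpc-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}]},
    "sg-open": {"GroupId": "sg-open", "VpcId": "vpc-b", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "mydatabase", "Endpoint": {"Port": 3306}, "DBSubnetGroup": {"VpcId": "vpc-a"},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-office"}]},
    {"DBInstanceIdentifier": "exposed", "Endpoint": {"Port": 3306}, "DBSubnetGroup": {"VpcId": "vpc-a"},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
]
```

Running `audit_rds_instance` over each instance reports nothing for `mydatabase` and two findings for `exposed`: its group lives in a different VPC and its "all traffic" rule opens the database port to 0.0.0.0/0.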
Quick Reference
Tips for configuring RDS security groups:
- Always specify the correct database port in inbound rules.
- Limit inbound access to trusted IP addresses or security groups.
- Attach the security group to your RDS instance in the same VPC.
- Use descriptive names and descriptions for clarity.
- Test connectivity after configuration to confirm access.
Key Takeaways
- Configure inbound rules to allow traffic only on your database port from trusted sources.
- Attach the security group to your RDS instance to enforce access control.
- Avoid opening database ports to the entire internet (0.0.0.0/0).
- Ensure the security group and RDS instance are in the same VPC.
- Use clear names and descriptions for easier management.