1
votes

I have one RDS instance which is MySQL (default in VPC, and a public IP address is assigned). The public address of the RDS instance is used by my Lambda function and also for direct access via MySQL Workbench.

I know how to use a security group to block and whitelist my custom IP address for direct access via MySQL Workbench. However, this disallows my Lambda from accessing RDS because of the limited IP addresses.

I tried before putting Lambda in one security group and allowing inbound traffic on the RDS security group from the Lambda security group. This works well for allowing both the Lambda function and direct access to RDS. The problem is that my Lambda function loses internet connectivity for using the aws-sdk to call other AWS resources. Maybe it requires using a NAT gateway?

Any recommendation on how to protect my RDS resource by allowing only my custom IP address and my Lambda function, while my Lambda function is still allowed to call other AWS resources via API?

Thank you.


2 Answers

1
votes

AWS recently introduced IAM policies for RDS connect. This could be used to grant access from Lambda.

Note: You will need to enable IAM authentication for the database.

1
votes

Your optimal configuration would be:

  • RDS instance in VPC
  • Lambda function in private subnet of same VPC
  • NAT Gateway in public subnet of VPC
  • Security Group on the Lambda function (Lambda-SG)
  • Security Group on the RDS instance that permits inbound connections from Lambda-SG (by name, not IP address)

A Lambda function can only access the Internet if it is not configured to use a VPC, or if the VPC has a NAT Gateway that can forward the requests to the Internet.

For best security, it is normally recommended that you put your database in a private subnet. If you wish to connect to it from the Internet, you could use SSH port forwarding via a Bastion server in the public subnet. However, I suspect you are happy enough keeping your RDS instance in the public subnet.
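A Terraform rendering of the layout described in this answer, added here as an example and not code from the original post; it assumes an existing VPC, private subnets whose route table already points at a NAT Gateway, an IAM execution role for the function, and the admin's fixed address, all passed in as variables.

```hcl
# Constructed example: security-group references instead of IP allow-lists.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }   # routed via NAT Gateway
variable "lambda_role_arn"    { type = string }
variable "admin_cidr"         { type = string }         # e.g. "203.0.113.10/32"

# Lambda-SG: no ingress; egress so the function can reach RDS and, via NAT, AWS APIs.
resource "aws_security_group" "lambda_sg" {
  name   = "lambda-sg"
  vpc_id = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# RDS-SG: MySQL only from Lambda-SG (group reference) and the admin's fixed address.
resource "aws_security_group" "rds_sg" {
  name   = "rds-sg"
  vpc_id = var.vpc_id
}
resource "aws_security_group_rule" "rds_from_lambda" {
  type                     = "ingress"
  security_group_id        = aws_security_group.rds_sg.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda_sg.id
}
resource "aws_security_group_rule" "rds_from_admin" {
  type              = "ingress"
  security_group_id = aws_security_group.rds_sg.id
  from_port         = 3306
  to_port           = 3306
  protocol          = "tcp"
  cidr_blocks       = [var.admin_cidr]
}

# Function attached to the private subnets with Lambda-SG; SDK calls exit via the NAT route.
resource "aws_lambda_function" "app" {
  function_name = "rds-client"
  role          = var.lambda_role_arn
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "function.zip"
  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.lambda_sg.id]
  }
}
```

Attach `rds_sg` to the RDS instance's `vpc_security_group_ids`; because the Lambda rule references the group rather than an address, it keeps working however often the function's ENI addresses change.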