How To use the AWS-StartPortForwardingSessionToRemoteHost SSM document to access a private RDS instance from your local PC
1. Ensure that your local PC is configured to use AWS SSM: install the AWS CLI and the Session Manager plugin, and use credentials that are allowed to call ssm:StartSession on the instance you will tunnel through (and ssm:TerminateSession on your own sessions). No VPN, SSH key or inbound security-group rule is needed on the local side.
2. Launch an Amazon EC2 instance in the same VPC as your RDS instance, and ensure that it has the SSM agent installed and is configured for SSM. Configured for SSM means: the instance has an IAM instance profile whose role includes the AmazonSSMManagedInstanceCore managed policy, and it can reach the Systems Manager endpoints outbound (via a NAT gateway or via ssm, ssmmessages and ec2messages VPC endpoints). The instance needs no inbound rules at all; it only needs to be allowed by the RDS security group on the database port.
You can use any Amazon EC2 instance that supports SSM. Amazon Linux 2 and Amazon Linux 2023 AMIs ship with the SSM agent preinstalled, so a t2.micro or t3.micro from one of those AMIs is enough.
3. Create an SSM session using the AWS-StartPortForwardingSessionToRemoteHost SSM document. This document opens a port-forwarding session from your local PC to the Amazon EC2 instance, and the agent on that instance forwards the traffic on to a host the instance can reach, in this case the RDS instance. The document takes exactly three parameters: host, portNumber (the port on the remote host) and localPortNumber. To create the session, run the following command in a terminal window on your local PC:
aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":["<rds-endpoint>"],"portNumber":["<rds-port>"],"localPortNumber":["<local-port>"]}'
Replace <instance-id> with the ID of the Amazon EC2 instance you launched in step 2, <rds-endpoint> with the endpoint hostname of your RDS instance (shown in the RDS console or by aws rds describe-db-instances; the agent on the EC2 instance resolves it, and it is preferable to the private IP address, which can change after a failover or maintenance), <rds-port> with the port the RDS instance listens on (usually 3306 for MySQL, 5432 for PostgreSQL), and <local-port> with an unused local port on your PC, for example 13306. Leave this terminal open: the tunnel lives as long as the session does.
4. Once the SSM session is established, you can use the MySQL command-line tool on your local PC to connect to the RDS instance by connecting to 127.0.0.1:<local-port>. For example, run the following command in a new terminal window on your local PC:
mysql -h 127.0.0.1 -P <local-port> -u <db-user> -p
Replace <local-port> with the local port number you specified in the previous step, and <db-user> with the username for your database. Use 127.0.0.1 rather than localhost: on Linux and macOS the MySQL client treats localhost as a request for a Unix socket and ignores -P, so it never reaches the tunnel.
By following these steps, you can use the AWS-StartPortForwardingSessionToRemoteHost SSM document to reach your private RDS instance from your local PC without exposing the RDS instance to the internet. The hop from your PC to the EC2 instance runs over the TLS-encrypted Session Manager channel and is authorized by IAM and recorded in CloudTrail. The hop from the EC2 instance to RDS is an ordinary database connection inside the VPC, so if you also want that leg encrypted, enable TLS on the client (for MySQL, --ssl-mode=REQUIRED) and the server.
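The following Python script automates steps 3 and 4. It is an added example, not code from the original article: it builds the start-session command with the document's real parameters (host, portNumber, localPortNumber), starts the session in the background, waits until the local port actually answers (the plugin only starts listening once the session is negotiated, so a client launched immediately can get "connection refused"), and then runs the MySQL client over 127.0.0.1. It assumes the AWS CLI and the Session Manager plugin are on PATH and that your credentials allow ssm:StartSession on the bastion; the instance ID, RDS endpoint and database user in the __main__ block are placeholders.

```python
"""Open an SSM port-forwarding tunnel to a private RDS endpoint and wait for it.

Added example, not part of the original article. Assumes the AWS CLI and the
Session Manager plugin are installed and that the caller's credentials allow
ssm:StartSession on the bastion instance.
"""
import json
import socket
import subprocess
import time
from typing import Dict, List, Optional


def session_parameters(host: str, remote_port: int, local_port: int) -> Dict[str, List[str]]:
    """Build the --parameters value for AWS-StartPortForwardingSessionToRemoteHost.

    Every value is a list of strings: that is the shape the document schema
    declares, and a bare string is rejected by the CLI.
    """
    for name, port in (("remote_port", remote_port), ("local_port", local_port)):
        if not 1 <= port <= 65535:
            raise ValueError(f"{name} out of range: {port}")
    return {
        "host": [host],
        "portNumber": [str(remote_port)],
        "localPortNumber": [str(local_port)],
    }


def build_start_session_cmd(instance_id: str, host: str, remote_port: int,
                            local_port: int, region: Optional[str] = None) -> List[str]:
    """Return the argv for `aws ssm start-session` that opens the tunnel."""
    cmd = [
        "aws", "ssm", "start-session",
        "--target", instance_id,
        "--document-name", "AWS-StartPortForwardingSessionToRemoteHost",
        "--parameters", json.dumps(session_parameters(host, remote_port, local_port)),
    ]
    if region:
        cmd += ["--region", region]
    return cmd


def wait_for_local_port(port: int, timeout: float = 30.0) -> bool:
    """Poll 127.0.0.1:port until a TCP connect succeeds or the timeout expires."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.25)
    return False


def open_tunnel(instance_id: str, host: str, remote_port: int, local_port: int,
                region: Optional[str] = None) -> subprocess.Popen:
    """Start the session in the background and return the process once the
    local port answers. Call proc.terminate() to close the tunnel."""
    proc = subprocess.Popen(build_start_session_cmd(instance_id, host, remote_port,
                                                    local_port, region))
    if not wait_for_local_port(local_port):
        proc.terminate()
        raise RuntimeError(f"tunnel on 127.0.0.1:{local_port} did not come up")
    return proc


if __name__ == "__main__":
    # Placeholder identifiers; replace with your bastion instance and RDS endpoint.
    tunnel = open_tunnel("i-0123456789abcdef0",
                         "mydb.abc123xyz.us-east-1.rds.amazonaws.com", 3306, 13306)
    try:
        # Connect over TCP explicitly: "localhost" makes the MySQL client look
        # for a Unix socket on Linux and macOS and never reaches the tunnel.
        subprocess.run(["mysql", "-h", "127.0.0.1", "-P", "13306", "-u", "admin", "-p"])
    finally:
        tunnel.terminate()
        tunnel.wait()
```

Terminating the plugin process ends the session on the AWS side as well, so the tunnel does not outlive the script; if you prefer an explicit record, call aws ssm terminate-session with the session ID the plugin prints at start-up.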
5. The Amazon EC2 instance from step 2 can also be created with Python and Boto3. Amazon Linux AMIs ship with the SSM agent preinstalled, so the script does not install anything; what the instance actually needs is an IAM instance profile that grants AmazonSSMManagedInstanceCore, because an agent without a role never registers, and Run Command cannot be used to install the agent since Run Command is itself delivered by the agent. The script launches the instance, waits for it to register with Systems Manager, and then runs a command through the agent to confirm it is working (the instance profile name is assumed; the AMI ID is region-specific, so look up the current Amazon Linux 2 ID for your region):
import time
import boto3
# Set up a Boto3 EC2 client
ec2 = boto3.client('ec2')
# Specify the details of the instance you want to launch. The subnet must be in the
# RDS instance's VPC, and the RDS security group must allow inbound from this security group.
instance_type = 't2.micro'
ami_id = 'ami-0c94855ba95c71c99'  # Amazon Linux 2 (region-specific); the SSM agent is preinstalled
key_name = 'my-key-pair'
security_group_ids = ['sg-0123456789abcdef']
subnet_id = 'subnet-0123456789abcdef'
instance_profile = 'SSMInstanceProfile'  # assumed name; its role needs AmazonSSMManagedInstanceCore
tag_key = 'Name'
tag_value = 'MyInstance'
# Launch the instance
response = ec2.run_instances(
    ImageId=ami_id,
    InstanceType=instance_type,
    KeyName=key_name,
    SecurityGroupIds=security_group_ids,
    SubnetId=subnet_id,
    IamInstanceProfile={'Name': instance_profile},
    TagSpecifications=[{'ResourceType': 'instance', 'Tags': [{'Key': tag_key, 'Value': tag_value}]}],
    MinCount=1,
    MaxCount=1,
)
# Get the instance ID from the response (Instances is a list)
instance_id = response['Instances'][0]['InstanceId']
# Wait for the instance to start running
ec2.get_waiter('instance_running').wait(InstanceIds=[instance_id])
# Set up a Boto3 SSM client
ssm = boto3.client('ssm')
# Wait for the agent to register with Systems Manager; send_command only works after that
while not ssm.describe_instance_information(
        Filters=[{'Key': 'InstanceIds', 'Values': [instance_id]}])['InstanceInformationList']:
    time.sleep(10)
# Confirm the SSM agent is installed and running by executing a command through it
response = ssm.send_command(
    InstanceIds=[instance_id],
    DocumentName='AWS-RunShellScript',
    Parameters={'commands': ['systemctl is-active amazon-ssm-agent']},
)
# Get the command ID from the response
command_id = response['Command']['CommandId']
# Wait for the command to complete
ssm.get_waiter('command_executed').wait(CommandId=command_id, InstanceId=instance_id)
# Print a message when the SSM agent is confirmed running
print('SSM agent running on instance:', instance_id)