Connecting through an EC2 instance means that, instead of exposing your database instance directly to the outside world, you provide SSH access to an EC2 server instance that itself has access to the database instance.

This involves 4 steps:

  1. Create an EC2 instance in the same VPC as your database instance.
  2. Permit SSH access to your EC2 instance.
  3. Create a new EC2 SSH user.
  4. Give your EC2 instance access to your RDS database.

We’ll go through each of these steps below.

1. Create an EC2 instance in the same VPC as your database instance

Go to EC2 on your AWS console and launch a new instance (making sure it is in the same VPC as your RDS database instance).

When you launch it, you will be prompted to choose an existing key pair, or create a new one, for connecting to your instance (see image below).

Download the key pair to your local machine, and set its permissions to read-only:

$ chmod 400 my-ec2-keypair.pem

2. Permit SSH access to your EC2 instance

You will need to update the Security Group for your new EC2 instance to allow SSH connections from your IP address:

In the image above I have added an Inbound rule that permits SSH access from my current IP address. This will allow me to connect using tools running on my own computer.

I could also have specified a source that allows access from any IP address.

Or, if I’m using a cloud service, I could whitelist its specific static IP addresses (adding rules like those shown below).

Test that you are now able to connect to your EC2 instance via SSH:

$ ssh -i my-ec2-keypair.pem ec2-user@<your-ec2-public-dns>

Here we have used:

  • The built-in ssh client for Linux/Mac.
  • The keypair you downloaded in step 1 (my-ec2-keypair).
  • The default user assigned to EC2 instances (ec2-user).
  • And the Public DNS URL for the new EC2 instance that you created in Step 1.

3. Create a new EC2 SSH user

We’re going to create an EC2 user called “trevor”.

Let’s start by generating a new key pair specifically for this user:

  • In the AWS console, go to EC2, and go to “Key Pairs”
  • Click “Create key pair” and name the key pair something like “trevors-key-pair”

Once you create it, it will download the private key to your local machine.

Now we need to extract the public key from it.

To do this, we need to change the file’s permissions to be read-only:

$ chmod 400 trevors-key-pair.pem

and then we can use the ssh-keygen tool to extract the public key:

$ ssh-keygen -y -f trevors-key-pair.pem

The public key content will be output to the Terminal. Hold onto this output. We will need it in a second.

Now let’s create the new “trevor” user.

Start by connecting to your EC2 instance again (like you did in Step 2):

$ ssh -i my-ec2-keypair.pem ec2-user@<your-ec2-public-dns>

Then let’s create a new user, called “trevor”:

$ sudo adduser trevor

Once the user is created, we switch to it:

$ sudo su - trevor

Create a hidden folder called “ssh” and update its permissions so that only “trevor” can access it:

$ mkdir .ssh
$ chmod 700 .ssh

Now create a file inside this folder called “authorized_keys” and set its permissions:

$ cd .ssh
$ touch authorized_keys
$ chmod 600 authorized_keys

At this point we need the public key content from earlier.

Copy that content and paste it into the authorized_keys file, and save it.

That’s it. Now open a new Terminal on your local machine and confirm that you can log in as the new user:

$ ssh -i trevors-key-pair.pem trevor@<your-ec2-public-dns>

4. Give your EC2 instance access to your RDS database

You now have a user called “trevor” that can SSH into your EC2 instance.

That EC2 instance is in the same VPC as your RDS database instance, which is a great first step, but the final thing that is needed is to explicitly allow TCP/IP access to the database port of your RDS database instance from your EC2 instance.

We achieve this by going to the Security Group for our RDS database instance (sg-0425d2ffa12dec41a in the image below), in the AWS console, and adding an Inbound Rule that says that our EC2 instance’s security group (sg-0b24f82792e885a2b in the image below) has TCP access to the database port (e.g. Postgres port 5432):


And that is it. You have now set up SSH access to your RDS database instance.
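
As an added check (not part of the original article), the script below audits the two security groups from steps 2 and 4, using the JSON shape returned by `aws ec2 describe-security-groups`. The sample data is constructed: the group IDs are the ones shown in step 4, and 203.0.113.10 is a documentation address standing in for your own IP.

```python
import ipaddress

SSH_PORT, DB_PORT = 22, 5432  # 5432 is the Postgres port used in the article

def covers(rule, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    if rule.get("IpProtocol") == "-1":  # "-1" means every protocol and port
        return True
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def cidrs(rule):
    """All IPv4 and IPv6 source ranges named by a rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def audit(groups, ec2_sg, rds_sg):
    """Return findings for the EC2 instance's and the RDS instance's groups."""
    by_id = {g["GroupId"]: g for g in groups}
    findings, db_sources = [], set()
    for rule in by_id[ec2_sg].get("IpPermissions", []):
        if not covers(rule, SSH_PORT):
            continue
        for cidr in cidrs(rule):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{ec2_sg}: SSH open to any IP ({cidr})")
    for rule in by_id[rds_sg].get("IpPermissions", []):
        if not covers(rule, DB_PORT):
            continue
        for cidr in cidrs(rule):
            findings.append(f"{rds_sg}: port {DB_PORT} open to CIDR {cidr}")
        db_sources.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
    if ec2_sg not in db_sources:
        findings.append(f"{rds_sg}: no rule admits {ec2_sg} on port {DB_PORT}")
    for other in sorted(db_sources - {ec2_sg}):
        findings.append(f"{rds_sg}: port {DB_PORT} also open to {other}")
    return findings

# Constructed sample matching the setup described in steps 2 and 4.
EC2_SG, RDS_SG = "sg-0b24f82792e885a2b", "sg-0425d2ffa12dec41a"
SAMPLE = [
    {"GroupId": EC2_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": RDS_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": EC2_SG}]}]},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, EC2_SG, RDS_SG)) or "no findings")
```

An empty result means SSH is limited to named source addresses and the database port is reachable only from the EC2 instance's security group.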
