AWS Security Group Secures RDS by Default


Turns out, AWS security groups secure your stuff, even if you don't know it.

At my employer, we finally got access to Amazon Web Services (AWS); Vinyl Deals, on the other hand, runs on Microsoft's Azure cloud. Despite the fact that I've written articles about AWS before, my familiarity with modern AWS is still at the beginner stage.

On day one playing with our shiny new AWS tools, I set up a development SQL Server using RDS. Once it was up and running, I connected to it using SQL Server Management Studio to confirm it worked and sent the connection info to my intern.

His reply:

I got an error when trying to connect. Is there anything special I have to do?

The error was familiar:

The network path was not found

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections.

We checked the usual suspects: made sure he picked SQL Authentication, looked for errant spaces in the host name, and ensured there was no outgoing firewall block on port 1433 (it is a student's machine, after all). Nothing worked.

Digging around the RDS configuration, I saw that when I created the database, I also ended up with a VPC, some subnets, and a Security Group. "What's that?" I wondered.

Clicking on the security group, I discovered that it had a single inbound rule, allowing a single IP address to connect over port 1433. That IP address was my machine's. Every other address, including my intern's, was blocked. Once we added a rule allowing his IP address through the gates, his troubles were gone.
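As an added example (not from the original post), here is a Python check that answers the question we ended up asking by hand: does any inbound rule in the security group admit a given client IP on port 1433, and what does a least-privilege rule for one more client look like? It assumes the rules are in the IpPermissions shape that EC2 DescribeSecurityGroups returns; the sample rule set and IP addresses are constructed.

```python
import ipaddress

# Constructed sample in the IpPermissions shape that EC2 DescribeSecurityGroups
# returns: one inbound rule admitting a single /32 (the creator's IP) on TCP
# 1433, which is what RDS set up in the story above.
SAMPLE_INGRESS = [{
    "IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
    "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "my workstation"}],
}]

def _keys(addr):
    """Pick the v4 or v6 range/CIDR keys for an ip_address object."""
    return ("IpRanges", "CidrIp") if addr.version == 4 else ("Ipv6Ranges", "CidrIpv6")

def matching_cidrs(ingress, client_ip, port=1433):
    """Return the CIDRs in `ingress` that admit `client_ip` on TCP `port`.
    An empty list is the intern's situation: no rule admits the address, so the
    packet is dropped before SQL Server ever sees it."""
    addr = ipaddress.ip_address(client_ip)
    ranges_key, cidr_key = _keys(addr)
    hits = []
    for rule in ingress:
        proto = rule.get("IpProtocol")
        if proto == "-1":                      # "all traffic": every port matches
            port_ok = True
        elif proto == "tcp":
            port_ok = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
        else:                                  # udp/icmp rules cannot admit 1433
            continue
        for r in rule.get(ranges_key, []):
            if port_ok and addr in ipaddress.ip_network(r[cidr_key], strict=False):
                hits.append(r[cidr_key])
    return hits

def client_rule(client_ip, port=1433, description="intern workstation"):
    """Build a least-privilege single-host rule (a /32 or /128, never 0.0.0.0/0)
    in the IpPermissions shape boto3's ec2.authorize_security_group_ingress takes."""
    addr = ipaddress.ip_address(client_ip)
    ranges_key, cidr_key = _keys(addr)
    cidr = f"{addr}/{32 if addr.version == 4 else 128}"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            ranges_key: [{cidr_key: cidr, "Description": description}]}

if __name__ == "__main__":
    print(matching_cidrs(SAMPLE_INGRESS, "203.0.113.10"))  # ['203.0.113.10/32']
    print(matching_cidrs(SAMPLE_INGRESS, "198.51.100.7"))  # []  -> blocked
    fixed = SAMPLE_INGRESS + [client_rule("198.51.100.7")]
    print(matching_cidrs(fixed, "198.51.100.7"))           # ['198.51.100.7/32']
```

Feeding real rules in is one call away (`boto3.client("ec2").describe_security_groups(GroupIds=[...])`), but the point of the check is that an empty result explains the "network path was not found" error without touching SQL Server at all.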

I went to create another RDS instance and saw something on the creation screen that would have been useful to know the first time. A note there (the arrows in the screenshot point to it) says:

"A security group allowing your current IP address (MY IP ADDRESS) to connect to your instance will be created. This will make it easier for you to connect to the instance and configure it."

Yeah, I didn't read that when I created the instance. A newbie mistake, but a good lesson learned.