AWS, Cloud Computing

3 Mins Read

A Guide to Securely Connect with Private Amazon RDS Instance using Jump Server

Voiced by Amazon Polly


In today’s cloud computing landscape, the security of resources within an AWS (Amazon Web Services) environment is paramount. One crucial element in achieving this security is utilizing a Jump Server, a Bastion Host. This intermediary server, positioned in a demilitarized zone (DMZ), acts as a safeguarded gateway between an organization’s internal network and the resources residing in private subnets. By enforcing an additional layer of security, the Jump Server mandates user authentication before granting access to critical systems, such as databases or instances within a Virtual Private Cloud (VPC).


A Jump Server, also known as a bastion host, is a server that acts as an intermediary between your local machine and a remote resource, such as an Amazon RDS database, that is not directly accessible from the internet. A jump server can help you securely connect to your Amazon RDS database in a private subnet without exposing it to the public network.

For more information on how to use Amazon EC2 and Amazon RDS, please refer to the following architecture:


Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Why Use a Jump Server with Amazon RDS?

Using a Jump Server with Amazon RDS offers several advantages:

  • Enhanced Security: By requiring users to connect to the Jump Server first, you add an extra layer of authentication and authorization before accessing your Amazon RDS instance. This reduces the risk of unauthorized access.
  • Reduced Attack Surface: The Jump Server can be configured to have a minimal attack surface, meaning it only exposes essential services and ports. This reduces the potential for vulnerabilities and attacks.
  • Auditability: You can log and monitor access to your Amazon RDS instance more effectively by routing all connections through the Jump Server. This is crucial for compliance and auditing purposes.
  • Access Control: With a Jump Server, you have fine-grained control over who can access your RDS instance. You can restrict access to specific users or groups.
  • Simplified Network Management: Managing security groups and network access for a single Jump Server is more straightforward than managing access to multiple RDS instances individually.


Before you begin, make sure you have the following:

  • A key pair for your Amazon EC2 instance. You can create one in the Amazon EC2 console or use an existing one.


  • A security group for your Amazon EC2 instance. You can create one in the Amazon EC2 console or use an existing one.
  • An Amazon RDS database in a private subnet. You can create one in the Amazon RDS console or use an existing one.
  • A security group for your Amazon RDS database. You can create one in the Amazon RDS console or use an existing one.
  • An SSH client on your local machine, such as PuTTY or OpenSSH.

Step-by-Step Guide

Step 1: Configure your Amazon EC2 instance in the public subnet and allow inbound SSH traffic from your local machine’s IP address or CIDR range on port 22.


Step 2: Configure the Amazon RDS database’s security group and add rules “MySQL/Aurora (3306)” and choose the Security Group of Amazon EC2, which is attached to the Jump Server (Bastion host).


Step 3: Connect to the Amazon RDS database from your local machine.



Securing access to Amazon RDS is critical to managing your relational databases in the cloud. Using a Jump Server is a robust security strategy that adds an extra layer of protection. Following the steps outlined in this guide and adhering to best practices, you can create a secure and auditable environment for accessing your Amazon RDS instances. Always stay informed about the latest security updates and best practices to keep your database infrastructure protected.

Drop a query if you have any questions regarding Amazon RDS or Jump Server and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

  • Accelerated cloud migration
  • End-to-end view of the cloud environment
Get Started

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, AWS EKS Service Delivery Partner, and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.


1. Is a Jump Server the only way to secure Amazon RDS access?

ANS: – No, a Jump Server is one approach, but Amazon RDS offers multiple security features, including VPC (Virtual Private Cloud) peering, AWS IAM (Identity and Access Management) roles, and SSL/TLS encryption. The choice depends on your specific security requirements.

2. Can I use a Windows-based Jump Server?

ANS: – Yes, you can use a Windows-based EC2 instance as a Jump Server if your organization’s workflow relies on Windows-based tools and services. Setting up a Windows Jump Server is similar to a Linux-based one.

3. How can I manage user access on the Jump Server?

ANS: – You can manage user access on the Jump Server by creating user accounts and employing SSH key pairs or password authentication. Additionally, consider using AWS IAM roles and policies for fine-grained access control.

4. What are some best practices for securing the Jump Server?

ANS: – Some best practices include:

  • Regularly updating and patching the operating system and software.
  • Restricting SSH access to a specific IP range or using a VPN.
  • Disabling password authentication in favor of SSH key authentication.
  • Implementing multi-factor authentication (MFA) for administrators.

WRITTEN BY Mohd Monish

Monish is working as a Research Associate at CloudThat. He has a working knowledge of multiple different cloud platforms and is currently working on the AWS platform and working on WAR automation, and AWS Media Services. He is interested in research and publishing tech blogs and also exploring new technologies.



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!