0

I have 2 AWS RDS MySQL instances that are not publicly accessible.

And I have a bastion server that is created using an EC2 instance.

This bastion server has several users in it. And they can use their own ssh key to login to the EC2 to run some commands.

For anyone who wants to connect to the RDS instances. He/She needs to create an SSH tunnel with the bastion server first. Then he/she can interact with the RDS instance.

Is it possible to make people in group 1 only able to connect to RDS 1 through the bastion server, and not able to connect to RDS 2 through bastion server, even if they know the username and password of RDS 2?

I think I can run a bash script to check the username when the ssh tunnel is established. Then if the user is not allowed to connect to RDS 2 and he/she runs the command to connect to RDS 2, destroy the ssh tunnel.

But I can't find an easy way to run a script when an ssh tunnel is established.

Brian
  • 12,145
  • 20
  • 90
  • 153

2 Answers2

2

I think IPTABLES is your answer.

You can restrict the unwanted users from connecting to remote database, by adding an iptables rule to deny them

sudo iptables -I OUTPUT -m owner --uid-owner <<unwanted_user>> -p tcp -m tcp -d <<your_second_rds>> --dport 3306 -j REJECT

You even can make it easier by adding them all to one group, and use the --gid-owner instead of --uid-owner in the above command.

Then you will have to save the iptables change.

Note: You might need to add same rule to FORWARD table, if you want to block forwarding access to RDS as well.

Abraam Magued
  • 618
  • 3
  • 14
0

IPTABLES could work, however, this adds unneeded complexity.

In this case, I would run two bastion hosts. One for group 1 and one for group 2, only allowing one bastion access to the MySQL instance using a security group.

You could use t3.nano machines for the bastions so running multiple is still cheap.

Rob Geraghty
  • 116
  • 9