One solution (but not the only solution!) is to use what's called a Bastion Host. A Bastion Host is an ultra-low-powered server that sits in your public subnet and is the only server that allows inbound SSH connections.
This server should be thoroughly hardened, and depending on your level of paranoia, there are a few techniques you can use to hide the fact that this server is listening for SSH connections at all. See, for example, http://www.portknocking.org/view/details. Of course, you don't need to harden it just to connect to your RDS instance.
Anyway, you can set up your EC2 Security Group rules as follows:
- Bastion Host Security Group allows port 22 from your local IP only (so you can SSH into it, but no one else can)
- RDS Security Group allows your incoming database connections on Port X (depends on your database) only from the Bastion Host
By the way, you can achieve "only from the Bastion Host" either by specifying the private IP address of your Bastion Host, or listing the security group name the Bastion Host uses.
Now you have two options from here:
OPTION #1: Set up local port forwarding as part of your SSH connection
For example, if you're on OS X or Linux, SSH into the bastion host and set up local port forwarding with:
ssh -l <bastion-host-username> -L <local-port-you-connect-to>:<rds-private-ip>:<rds-listening-port> <bastion-host-public-ip>
And let's say you're connecting to Postgres from an Ubuntu-based Bastion Host. It might look like this:
ssh -l ubuntu -L 5432:<rds-private-ip>:5432 <bastion-host-public-ip>
Your local machine is now listening on port 5432 and will forward any of those connections to <bastion-host-public-ip>, which in turn will forward them to port 5432 on <rds-private-ip>.
OPTION #2: Look for this feature in your Database Client
I know DBVisualizer supports this. I'm not sure about Squirrel. Basically, instead of setting up the local port forwarding manually using SSH, your SQL client handles this for you.
When your RDS instance is not in a VPC, then your RDS instance is associated with an RDS security group. Those security groups are controlled by the "Security Groups" section in the RDS console. From there, you can add EC2-Classic security groups for access:
- Select your RDS security group
- Select "EC2 Security Group" for the "Connection Type"
- Select this or another AWS account and fill in the other AWS account number if necessary
- Select or fill in the correct security group.
- Click "Authorize"
When your RDS instance is inside a VPC, then your RDS instance is associated with a VPC security group. Those security groups are controlled by the "Security Groups" section in the VPC console. From there, you can add other VPC security groups for access:
- Select your VPC security group
- Select the "Inbound Rules" tab
- Click "Edit"
- Add a new rule, select your protocol and port range. For "Source", type or select your security group. Only VPC security groups within the same VPC can be used for this purpose.
- Click "Save"
Note: when selecting the security group, depending on the browser you're using, the list may only appear once focus is in the "Source" edit box. It may also only appear if you start typing. Also, it may not appear at all. If this is the case, type in the source VPC security group's identifier (e.g. sg-12345678).
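The two answers above describe the same pattern in words: a bastion security group that admits SSH only from your own address, an RDS security group that admits the database port only from the bastion's security group, and an SSH local port forward through the bastion. The script below is an added example (not code from either answer or from AWS) that expresses those steps as AWS CLI calls and the matching ssh command. Every ID, IP address and port in it is a constructed placeholder; it assumes AWS CLI v2 is configured, that the bastion and RDS instance share a VPC, and Postgres on 5432 as in the answer. It runs in dry-run mode by default and only prints the commands, so you can review the rules before applying them.

```shell
#!/bin/sh
# Added example: bastion-to-RDS access as security group rules plus an SSH tunnel.
# All identifiers below are constructed placeholders; replace them with your own.
# Assumes: AWS CLI v2 configured, bastion and RDS in the same VPC, Postgres on 5432.
# Set DRY_RUN=0 to execute the commands instead of printing them.

DRY_RUN="${DRY_RUN:-1}"

BASTION_SG="sg-0aaaaaaaaaaaaaaa1"   # placeholder: bastion host security group
RDS_SG="sg-0bbbbbbbbbbbbbbb2"       # placeholder: RDS VPC security group
MY_IP="203.0.113.10"                # placeholder: your workstation's public IP
RDS_PRIVATE_IP="10.0.2.25"          # placeholder: private IP of the RDS endpoint
BASTION_PUBLIC_IP="198.51.100.7"    # placeholder: bastion host public IP
DB_PORT=5432

# Print the command; execute it only when DRY_RUN is not 1.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Rule 1: the bastion SG allows SSH (tcp/22) from your own /32 only.
bastion_ssh_rule() {
    run aws ec2 authorize-security-group-ingress \
        --group-id "$BASTION_SG" \
        --protocol tcp --port 22 \
        --cidr "$MY_IP/32"
}

# Rule 2: the RDS SG allows the DB port only from members of the bastion SG.
# --source-group (rather than --cidr) is the "only from the Bastion Host by
# security group" form, so it keeps working if the bastion's IP changes.
rds_db_rule() {
    run aws ec2 authorize-security-group-ingress \
        --group-id "$RDS_SG" \
        --protocol tcp --port "$DB_PORT" \
        --source-group "$BASTION_SG"
}

# Tunnel: 127.0.0.1:$DB_PORT -> bastion -> $RDS_PRIVATE_IP:$DB_PORT.
# Binding the local side to 127.0.0.1 explicitly keeps the forwarded port off
# your LAN; -N runs no remote command and -f backgrounds ssh after auth.
open_tunnel() {
    run ssh -l ubuntu -N -f \
        -L "127.0.0.1:${DB_PORT}:${RDS_PRIVATE_IP}:${DB_PORT}" \
        "$BASTION_PUBLIC_IP"
}

# Returns 0 if a TCP listener exists on the given local port, 1 otherwise.
# Uses ss where available (Linux), falls back to netstat (macOS/BSD).
tunnel_listening() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
    else
        netstat -an 2>/dev/null | grep LISTEN | grep -q "[.:]${port} "
    fi
}

bastion_ssh_rule
rds_db_rule
open_tunnel
if tunnel_listening "$DB_PORT"; then
    echo "tunnel up: psql -h 127.0.0.1 -p $DB_PORT -U <dbuser> <dbname>"
else
    echo "nothing listening on 127.0.0.1:$DB_PORT (expected under DRY_RUN=1)"
fi
```

Run it once as-is to see the exact rules and tunnel command, then with `DRY_RUN=0` to apply them; your database client then connects to `127.0.0.1:5432` exactly as the answer describes.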
Best Answer
It depends on the RDS database you use. The bad news is if you're using Aurora with MySQL compatibility it doesn't have a swap metric. For the other RDS Linux types, you can find Swap Usage in the Monitoring -> CloudWatch section. According to the Troubleshooting guide linked below:
References
Aurora Monitoring
RDS Monitoring
Troubleshoot RDS Swap Memory