Amazon Relational Database Service
User Guide (API Version 2013-09-09)
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.Did this page help you?  Yes | No |  Tell us about it...

Working with DB Security Groups

A DB security group controls network access to a DB instance that is not inside a VPC. By default, network access is turned off to a DB instance. You can specify rules in a security group that allows access from an IP address range, port, or EC2 security group. Once ingress rules are configured, the same rules apply to all DB instances that are associated with that security group. You can specify up to 20 rules in a security group.

If you are a new customer to Amazon RDS or if you are an existing customer who is using a new region, your DB instance is most likely in a default VPC. You cannot use a DB security group for a DB instance inside a VPC; you must create a VPC security group. For information on creating a VPC security group, see Security Groups for Your VPC. To determine if you have a default VPC, see step 2 in the following procedure.

Creating a DB Security Group

To create a DB security group, you need to provide a name and a description.

AWS Management Console

To create a DB security group

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. Determine what platforms are supported for your AWS account in your current region.

    If Supported Platforms indicates EC2,VPC, your AWS account in the current region does not use a default VPC. You can continue following the steps below to create a DB security group that will enable access to your DB instance.

    EC2, VPC platform

    If Supported Platforms indicates VPC, your AWS account in the current region uses a default VPC. This means that you must create a VPC security group to enable access to a DB instance instead of a DB security group. For information on creating a VPC security group, see Security Groups for Your VPC.

    VPC platform

  3. Click Security Groups in the navigation pane on the left side of the window.

  4. Click Create DB Security Group.

    create sec group

  5. Type the name and description of the new DB security group in the Name and Description text boxes. Note that the security group name cannot contain spaces and cannot start with a number.

    create sec group

  6. Click Yes, Create. The DB security group will be created. Note that a newly created DB security group does not provide access to a DB instance by default. You must specify a range of IP addresses or an Amazon EC2 security group that can have access to the DB instance. To specify IP addresses or an Amazon EC2 security group for a DB security group, see Authorizing Network Access to a DB Security Group from an IP Range.

CLI

To create a DB security group

  • Use the command rds-create-db-security-group with the following parameters:

    PROMPT>rds-create-db-security-group mydbsecuritygroup -d "My new security group"

Note that a newly created DB security group does not provide access to a DB instance by default. You must specify a range of IP addresses or an Amazon EC2 security group that can have access to the DB instance. To specify IP addresses or an Amazon EC2 security group for a DB security group, see Authorizing Network Access to a DB Security Group from an IP Range.

API

To create a DB security group

  • Call CreateDBSecurityGroup with the following parameters:

    • DBSecurityGroupName = mydbsecuritygroup

    • Description = "My new security group"

    Example

    https://rds.amazonaws.com/
    	?Action=CreateDBSecurityGroup
    	&DBParameterGroupName=mydbsecuritygroup
    	&Description=My%20new%20db%20security%20group
    	&Version=2012-01-15						
    	&SignatureVersion=2
    	&SignatureMethod=HmacSHA256
    	&Timestamp=2012-01-20T22%3A06%3A23.624Z
    	&AWSAccessKeyId=<AWS Access Key ID>
    	&Signature=<Signature>
    							

Note that a newly created DB security group does not provide access to a DB instance by default. You must specify a range of IP addresses or an Amazon EC2 security group that can have access to the DB instance. To specify IP addresses or an Amazon EC2 security group for a DB security group, see Authorizing Network Access to a DB Security Group from an IP Range.

Listing Available DB Security Groups

You can list which DB security groups have been created for your AWS account.

AWS Management Console

To list all available DB security groups for an AWS account

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. Click Security Groups in the navigation pane on the left side of the window.

    The available DB security groups appear in the DB Security Groups list.

CLI

To list all available DB security groups for an AWS account

  • Use the command rds-describe-db-security-groups to list all available DB security groups for your AWS account.

    PROMPT>rds-describe-db-security-groups

API

To list all available DB security groups for an AWS account

  • Call DescribeDBSecurityGroups with no parameters.

    Example

    https://rds.amazonaws.com/
    	?Action=DescribeDBSecurityGroups
    	&MaxRecords=100
    	&Version=2009-10-16
    	&SignatureVersion=2
    	&SignatureMethod=HmacSHA256
    	&AWSAccessKeyId=<AWS Access Key ID>
    	&Signature=<Signature>
    							

Viewing a DB security group

You can view detailed information about your DB security group to see what IP ranges have been authorized.

AWS Management Console

To view properties of a specific DB security group

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. Click Security Groups in the navigation pane on the left side of the window.

  3. Select the details icon for the DB security group you want to view.

    view sec group

  4. The detailed information for the DB security group is displayed.

    view sec group

CLI

To view properties of a specific DB security group

  • Use the rds-describe-db-security-groups to view a DB security group. Specify the DB security group you want to view.

    PROMPT>rds-describe-db-security-groups <mydbsecuritygroup>

API

To view properties of a specific DB security group

  • Call DescribeDBSecurityGroups with the following parameters:

    • DBSecurityGroupName = <mydbsecuritygroup>

    Example

    					
    https://rds.amazonaws.com/
    	?Action=DescribeDBSecurityGroups
    	&DBParameterGroupName=mydbsecuritygroup
    	&Version=2009-10-16
    	&SignatureVersion=2
    	&SignatureMethod=HmacSHA256
    	&Timestamp=2009-10-16T22%3A23%3A07.107Z
    	&AWSAccessKeyId=<AWS Access Key ID>
    	&Signature=<Signature>
    							

Authorizing Network Access to a DB Security Group from an IP Range

By default, network access is turned off to a DB instance. If you want to access a DB instance that is not in a VPC, you must set access rules for a DB security group to allow access from specific EC2 security groups or CIDR IP ranges. You then must associate that DB instance with that DB security group. This process is called ingress. Once ingress is configured for a DB security group, the same ingress rules apply to all DB instances associated with that DB security group.

Caution

Talk with your network administrator if you are intending to access a DB instance behind a firewall to determine the IP addresses you should use.

In following example, you configure a DB security group with an ingress rule for a CIDR IP range.

AWS Management Console

Configure a DB security group with an ingress rule for a CIDR IP range

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. Select Security Groups from the navigation pane on the left side of the console window.

  3. Select the details icon for the DB security group you want to authorize.

    view sec group

  4. In the Security Group Details section, select CIDR/IP from the Connection Type drop-down list, type the CIDR range for the ingress rule you would like to add to this DB security group into the CIDR text box, and click Add.

    Tip

    The AWS Management Console displays a CIDR IP based on your connection below the CIDR text field. If you are not accessing the DB instance from behind a firewall, this could be the CIDR IP you could use.

    add sec group

  5. The status of the ingress rule will be authorizing until the new ingress rule has been applied to all DB instances that are associated with the DB security group that you modified. After the ingress rule has been successfully applied, the status will change to authorized.

CLI

To configure a DB security group with an ingress rule for a CIDR IP range

  • Use the command rds-authorize-db-security-group-ingress to modify a DB security group.

    PROMPT>rds-authorize-db-security-group-ingress mydbsecuritygroup --cidr-ip 192.168.1.10/27 
    						

    The command should produce output similar to the following:

    SECGROUP  mydbsecuritygroup  My new DBSecurityGroup
    IP-RANGE  192.168.1.10/27  authorizing
    						

API

To configure a DB security group with an ingress rule for a CIDR IP range

  • Call AuthorizeDBSecurityGroupIngress with the following parameters:

    • DBSecurityGroupName = mydbsecuritygroup

    • CIDRIP = 192.168.1.10/27

    Example

    https://rds.amazonaws.com/
    	?CIDRIP=192.168.1.10%2F27
    	&DBSecurityGroupName=mydbsecuritygroup
    	&Version=2009-10-16
    	&Action=AuthorizeDBSecurityGroupIngress
    	&SignatureVersion=2
    	&SignatureMethod=HmacSHA256
    	&Timestamp=2009-10-22T17%3A10%3A50.274Z
    	&AWSAccessKeyId=<AWS Access Key ID>
    	&Signature=<Signature>
     

Authorizing Network Access to a DB Instance from an Amazon EC2 Instance

If you want to access your DB instance from an Amazon EC2 instance, you must first determine if your EC2 instance and DB instance are in a VPC. If you are using a default VPC, you can assign the same EC2 or VPC security group that you used for your EC2 instance when you create or modify the DB instance that the EC2 instance will access.

If your DB instance and EC2 instance are not in a VPC, you must configure the DB instance's security group with an ingress rule that allows traffic from the Amazon EC2 instance. You would do this by adding the Amazon EC2 security group for the EC2 instance to the DB security group for the DB instance. In this example, you add an ingress rule to a DB security group for an Amazon EC2 security group.

Important

  • Adding an ingress rule to a DB security group for an Amazon EC2 security group only grants access to your DB instances from Amazon EC2 instances associated with that Amazon EC2 security group.

  • You can't authorize an Amazon EC2 security group that is in a different AWS Region than your DB instance. You can authorize an IP range, or specify an Amazon EC2 security group in the same region that refers to IP address in another region. If you specify an IP range, we recommend that you use the private IP address of your Amazon EC2 instance, which provides a more direct network route from your Amazon EC2 instance to your Amazon RDS DB instance, and does not incur network charges for data sent outside of the Amazon network.

AWS Management Console

To add an EC2 security group to a DB security group

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. Select Security Groups from the navigation pane on the left side of the console window.

  3. Select the details icon for the DB security group you want to grant access.

    view sec group

  4. In the Security Group Details section, select EC2 Security Group from the Connection Type drop-down list, and then select the Amazon EC2 security group you want to use. Then click Add.

    add sec group

  5. The status of the ingress rule will be authorizing until the new ingress rule has been applied to all DB instances that are associated with the DB security group that you modified. After the ingress rule has been successfully applied, the status will change to authorized.

CLI

To grant access to an Amazon EC2 security group

  • Use the command rds-authorize-db-security-group-ingress to grant access to an Amazon EC2 security group

    PROMPT>rds-authorize-db-security-group-ingress default  --ec2-security-group-name myec2group --ec2-security-group-owner-id 987654321021 
    						

    The command should produce output similar to the following:

    SECGROUP  Name     Description 
    SECGROUP  default  default
          EC2-SECGROUP  myec2group  987654321021  authorizing      
    						

API

To authorize network access to an Amazon EC2 security group

  • Call AuthorizeDBSecurityGroupIngress with the following parameters:

    • EC2Security­GroupName = myec2group

    • EC2SecurityGroupOwnerId = 987654321021

    Example

    https://rds.amazonaws.com/
    	?Action=AuthorizeDBSecurityGroupIngress
    	&EC2SecurityGroupOwnerId=987654321021
    	&EC2Security­GroupName=myec2group
    	&Version=2009-10-16
    	&SignatureVersion=2
    	&SignatureMethod=HmacSHA256
    	&Timestamp=2009-10-22T17%3A10%3A50.274Z
    	&AWSAccessKeyId=<AWS Access Key ID>
    	&Signature=<Signature>
     

Revoking Network Access to a DB Instance from an IP Range

You can easily revoke network access from a CIDR IP range to DB Instances belonging to a DB security group by revoking the associated CIDR IP ingress rule.

In this example, you revoke an ingress rule for a CIDR IP on a DB Security Group.

AWS Management Console

To revoke an ingress rule for a CIDR IP range on a DB Security Group.

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. Select Security Groups from the navigation pane on the left side of the console window.

  3. Select the details icon for the DB security group that has the ingress rule you want to revoke.

    view sec group

  4. In the Security Group Details section, click Remove next to the ingress rule you would like to revoke.

    view sec group

  5. The status of the ingress rule will be revoking until the ingress rule has been removed from all DB instances that are associated with the DB security group that you modified. After the ingress rule has been successfully removed, the ingress rule will be removed from the DB security group.

CLI

To revoke an ingress rule for a CIDR IP range on a DB security group

  • Use the command rds-revoke-db-security-group-ingress to modify a DB security group.

    PROMPT>rds-revoke-db-security-group-ingress <mydbsecuritygroup> --cidr-ip 192.168.1.1/27 
    						

    The command should produce output similar to the following:

    SECGROUP  mydbsecuritygroup  My new DBSecurityGroup
      IP-RANGE  192.168.1.1/27  revoking
    						

API

To revoke an ingress rule for a CIDR IP range on a DB security group

  • Call RevokeDBSecurityGroupIngress with the following parameters:

    • DBSecurityGroupName = <mydbsecuritygroup>

    • CIDRIP = 192.168.1.10/27

    Example

    https://rds.amazonaws.com/
    	?Action=RevokeDBSecurityGroupIngress
    	&DBSecurityGroupName=mydbsecuritygroup
    	&CIDRIP=192.168.1.10%2F27
    	&Version=2009-10-16
    	&SignatureVersion=2&SignatureMethod=HmacSHA256
    	&Timestamp=2009-10-22T22%3A32%3A12.515Z
    	&AWSAccessKeyId=<AWS Access Key ID>
    	&Signature=<Signature>