How do I link a security group to my AWS RDS instance

Question

I have a postgres db setup on RDS. It is running great. However, I want to link this to a set of autoscaled EC2 instances sitting behind an ELB that all reside in a single EC2 security group.

I've been told that it is possible to add a rule to the security group for the RDS instance that uses my EC2 security group as the source. When I go to the console and edit the RDS security group I only see the following options under the source column: Anywhere, Custom IP, and My IP.

In the information pop-up at the top of the column it says: To specify a security group in another AWS account (EC2-Classic only), prefix it with the account ID and a forward slash, for example: 111122223333/OtherSecurityGroup. (looks like it may only be applicable to EC2-Classic)

It does not let me type in the source dropdown box.

Under the RDS section I notices they have option groups. However the default option group associated with my postgres instance is not editable.

Therefore, I tried to create a new group. At this point I discovered that postgres is not listed as an available engine. I selected mysql instead just to see whether I could add options. It looks like I can add a security group to a mysql instance, but NOT a postgres instance.

Do postgres instances not support this expected option?

Is your RDS instance inside a VPC? – Matt Houser Dec 28 '14 at 17:36 — Matt Houser, Dec 28 '14 at 17:36
Yes my RDS instance is inside a VPC. – nu everest Dec 30 '14 at 03:56 — nu everest, Dec 30 '14 at 03:56

score 25 · Accepted Answer · answered Dec 28 '14 at 17:50

When your RDS instance is not in a VPC, then your RDS instance is associated with an RDS security group. Those security groups are controlled by the "Security Groups" section in the RDS console. From there, you can add EC2-Classic security groups for access:

Select your RDS security group
Select "EC2 Security Group" for the "Connection Type"
Select this or another AWS account and fill in the other AWS account number if necessary
Select or fill in the correct security group.
Click "Authorize"

When your RDS instance is inside a VPC, then your RDS instance is associated with a VPC security group. Those security groups are controlled by the "Security Groups" section in the VPC console. From there, you can add other VPC security groups for access:

Select your VPC security group
Select the "Inbound Rules" tab
Click "Edit"
Add a new rule, select your protocol and port range. For "Source", type or select your security group. Only VPC security groups within the same VPC can be used for this purpose.
Click "Save"

Note, when selecting the security group, depending on the browser you're using, the list may only appear once focus is in the "Source" edit box. It may also only appear if you start typing. Also, it may not appear at all. If this is the case, type in the source VPC security group's identifier (eg. sg-12345678).

what about the inverse when the ec2 is in a vpc and the rds isn't? — brauliobo, Mar 16 '17 at 12:32
so... you mean add the Security Group that the EC2 instance is a part of to the RDS Security Group? — dangel, Jan 25 '20 at 04:27

How do I link a security group to my AWS RDS instance

1 Answers1

Linked