Tags: amazon-web-services, amazon-rds, amazon-ecs, aws-fargate

Allow ECS Tasks to access RDS


I have a couple of ECS tasks (fargate, executed via Lambda function) that need to connect to an RDS. Each of the tasks has its own role defining policies to (for example) access S3 buckets.

Each of my tasks also has its own security group.

I can now whitelist each and every task's security group on the RDS, but this is cumbersome since new tasks are added on a daily basis.

I thought it must be possible to add a policy that allows access to the RDS (as described in the docs):

```yaml
- PolicyName: RDSAccess
  PolicyDocument:
    Statement:
      - Effect: Allow
        Action:
          - rds-db:connect
        Resource: 'arn:aws:rds-db:REGION:ID:dbuser:DB_ID/DB_USER'
```

Unfortunately this does not work: I still cannot connect to the database.

As mentioned before: when explicitly adding each task's security group to the RDS, I can connect to the DB without issues.

Two questions:

  1. Am I misunderstanding the docs?
  2. Can I add an ECS task to a pre-defined security group, so that I only need to whitelist this one specific security group?

Solution

  • This policy enables you to use the CLI to generate temporary credentials as a specific IAM user/role; you will still need inbound access via the network to connect.

    If you want to simplify this process to connect there are 2 options for the security groups you can use:

    • Whitelist the subnet ranges that the tasks sit in. If this is a security issue, can the tasks be moved into specific subnets to make whitelisting easier?
    • Create a blank security group you attach to any task that needs to connect to your RDS, then add this as an inbound source. The security group could be reused across all tasks simply for identifying that it should have access.
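An added CloudFormation example (my own, not code from the question or the answer) that puts the answer's second option next to the policy from the question: a blank marker security group that the RDS security group allows inbound, plus the task role whose rds-db:connect grant only covers token generation, not the network path. VpcId and DbMasterPassword are assumed template parameters; the engine, port and the app_user name are assumptions.

```yaml
Resources:
  # Blank "marker" group: attaching it to a task means "may reach the database".
  DbClientSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Attach to any ECS task that must reach the RDS instance
      VpcId: !Ref VpcId                  # assumed template parameter
  # Group on the RDS instance: its only inbound rule is the marker group, so a
  # new task needs no change here; it just launches carrying DbClientSecurityGroup.
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Inbound only from tasks carrying the client marker group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432                 # assumed: PostgreSQL
          ToPort: 5432
          SourceSecurityGroupId: !Ref DbClientSecurityGroup
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      MasterUsername: dbadmin
      MasterUserPassword: !Ref DbMasterPassword   # assumed NoEcho parameter
      VPCSecurityGroups:
        - !Ref DbSecurityGroup
      EnableIAMDatabaseAuthentication: true      # required for rds-db:connect tokens
  # Task role: rds-db:connect only lets the task mint a short-lived auth token for
  # the DB user; without the network path above the connection still fails.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: RDSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: rds-db:connect
                Resource: !Sub arn:aws:rds-db:${AWS::Region}:${AWS::AccountId}:dbuser:${Database.DbiResourceId}/app_user
```

Launch each task from the Lambda with both its own security group and DbClientSecurityGroup in networkConfiguration.awsvpcConfiguration.securityGroups, so the marker group is the only thing the RDS rule has to know about. At connect time the task obtains its password with `aws rds generate-db-auth-token --hostname <endpoint> --port 5432 --username app_user` and connects over TLS.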