Do you want a secure and convenient way to access internal AWS resources - like RDS databases or EC2 instances - from your local machine? Me too!

Thanks to AWS Systems Manager (SSM), you can get shell access to EC2 instances without opening any inbound ports. Even better, since 2022, AWS also supports port forwarding over SSM, allowing access to nearly any internal AWS resource from your laptop - without requiring a bastion host with internet access.

Read the official AWS announcement here

Let’s walk through how to set this up.


Step 1: Create a Minimal Bastion Host

Provision the cheapest EC2 instance to act as your SSM bastion host:

  • Instance type: t4g.nano
  • Storage: 8 GB
  • Monthly cost: ~$4 USD

Configuration:

  • Use Amazon Linux, which comes with SSM Agent preinstalled.
  • Attach an IAM role with the AmazonSSMManagedInstanceCore policy.
  • Create a Security Group allowing:
    • Outbound traffic on port 443 (for SSM)
    • Any additional outbound ports you may need (e.g., 3306 for RDS)
Tip: Optional but recommended. Create an SSM Interface VPC Endpoint so that all SSM traffic stays private, then remove internet access from the instance entirely.


Step 2: Install the Session Manager Plugin

To initiate SSM port forwarding from your laptop, you’ll need the Session Manager Plugin installed locally alongside the AWS CLI.


Step 3: Start an SSM Port Forwarding Session

Here’s how to forward a local port (e.g. 3306) to a remote RDS instance via the bastion:

aws ssm start-session \
  --region us-east-1 \
  --target i-0123456789abcdef0 \
  --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters host="my-cluster.cluster-abcd0abcdef.us-east-1.rds.amazonaws.com",portNumber="3306",localPortNumber="3306"
  • target is the bastion instance ID.
  • host is the endpoint of the RDS cluster we want to connect to.

Replace the target and host parameters with your own values.


Step 4: Test the Connection

Once the port forwarding session is active, you can connect to your RDS database like it’s running locally:

$ mysql -h 127.0.0.1 -p -u root
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22288666
Server version: 8.0.39 2f855dc7

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit;
Bye
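The following wrapper script automates Step 3 end to end. It is an added example, not code from the original post: it assumes the bastion carries the tag Name=ssm-bastion (a made-up name) and that the AWS CLI and the Session Manager Plugin are installed locally, and it validates the ports and the resolved instance ID before opening the session.

```shell
#!/bin/sh
# ssm-forward.sh (added example): wraps the `aws ssm start-session` call
# from Step 3. Assumed: the bastion is tagged Name=ssm-bastion (hypothetical),
# and AWS CLI plus Session Manager Plugin are installed on this machine.
set -eu

# Accept only a well-formed EC2 instance ID: "i-" plus 8 or 17 hex chars.
validate_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Accept only an integer TCP port in the range 1..65535.
validate_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the --parameters value for AWS-StartPortForwardingSessionToRemoteHost.
# Usage: build_params HOST REMOTE_PORT LOCAL_PORT
build_params() {
  printf 'host="%s",portNumber="%s",localPortNumber="%s"' "$1" "$2" "$3"
}

# Look up the running bastion by its Name tag and print its instance ID
# (prints "None" when nothing matches, which validate_instance_id rejects).
resolve_bastion() {
  aws ec2 describe-instances --region "$1" \
    --filters "Name=tag:Name,Values=$2" "Name=instance-state-name,Values=running" \
    --query 'Reservations[0].Instances[0].InstanceId' --output text
}

# Usage: ssm_forward REGION BASTION_NAME REMOTE_HOST REMOTE_PORT [LOCAL_PORT]
# Set DRY_RUN=1 to print the command instead of opening the session.
ssm_forward() {
  region=$1; name=$2; host=$3; rport=$4; lport=${5:-$4}
  validate_port "$rport" || { echo "bad remote port: $rport" >&2; return 2; }
  validate_port "$lport" || { echo "bad local port: $lport" >&2; return 2; }
  target=$(resolve_bastion "$region" "$name")
  validate_instance_id "$target" || { echo "no running bastion named $name" >&2; return 3; }
  params=$(build_params "$host" "$rport" "$lport")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "aws ssm start-session --region $region --target $target" \
         "--document-name AWS-StartPortForwardingSessionToRemoteHost --parameters $params"
    return 0
  fi
  exec aws ssm start-session --region "$region" --target "$target" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters "$params"
}

# Run only when invoked with arguments, e.g.:
#   ./ssm-forward.sh us-east-1 ssm-bastion my-cluster.cluster-abcd0abcdef.us-east-1.rds.amazonaws.com 3306
if [ $# -gt 0 ]; then ssm_forward "$@"; fi
```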

Conclusion

SSM port forwarding is a game changer for working securely with internal AWS services. It reduces your attack surface, eliminates the need for public IPs, and simplifies connectivity from your laptop to private AWS resources.

No VPNs, no SSH keys, no public internet. Just simple, secure, AWS native access.