Setting up your Amazon RDS environment - Amazon Relational Database Service
Documentation: Amazon RDS User Guide

Setting up your Amazon RDS environment

This page provides a comprehensive guide for setting up Amazon Relational Database Service, including account configuration, security, and resource management. It walks you through the essential steps to create, manage, and secure your database environments efficiently. Whether you're new to Amazon RDS or setting up for specific requirements, these sections help ensure your setup is optimized and compliant with best practices.

If you already have an AWS account, know your Amazon RDS requirements, and prefer to use the defaults for IAM and VPC security groups, skip ahead to Getting started with Amazon RDS.

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create a user with administrative access

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user
  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using the root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create a user with administrative access
  1. Enable IAM Identity Center.

    For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

  2. In IAM Identity Center, grant administrative access to a user.

    For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the user with administrative access
  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Assign access to additional users
  1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

    For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.

  2. Assign users to a group, and then assign single sign-on access to the group.

    For instructions, see Add groups in the AWS IAM Identity Center User Guide.

Grant programmatic access

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.

Which user needs programmatic access? / To / By

  • IAM – (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. By following the instructions for the interface that you want to use.

  • Workforce identity (users managed in IAM Identity Center) – Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. By following the instructions for the interface that you want to use.

  • IAM – Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. By following the instructions in Using temporary credentials with AWS resources in the IAM User Guide.

  • IAM (Not recommended) – Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. By following the instructions for the interface that you want to use.

Determine requirements

The basic building block of Amazon RDS is the DB instance. In a DB instance, you create your databases. A DB instance provides a network address called an endpoint. Your applications use this endpoint to connect to your DB instance. When you create a DB instance, you specify details like storage, memory, database engine and version, network configuration, security, and maintenance periods. You control network access to a DB instance through a security group.

Before you create a DB instance and a security group, you must know your DB instance and network needs. Here are some important things to consider:

  • Resource requirements – What are the memory and processor requirements for your application or service? You use these settings to help you determine what DB instance class to use. For specifications about DB instance classes, see DB instance classes.

  • VPC, subnet, and security group – Your DB instance will most likely be in a virtual private cloud (VPC). To connect to your DB instance, you need to set up security group rules. These rules are set up differently depending on what kind of VPC you use and how you use it. For example, you can use a default VPC or a user-defined VPC.

    The following list describes the rules for each VPC option:

    • Default VPC – If your AWS account has a default VPC in the current AWS Region, that VPC is configured to support DB instances. If you specify the default VPC when you create the DB instance, do the following:

      • Make sure to create a VPC security group that authorizes connections from the application or service to the Amazon RDS DB instance. Use the Security Group option on the VPC console or the AWS CLI to create VPC security groups. For information, see Step 3: Create a VPC security group.

      • Specify the default DB subnet group. If this is the first DB instance you have created in this AWS Region, Amazon RDS creates the default DB subnet group when it creates the DB instance.

    • User-defined VPC – If you want to specify a user-defined VPC when you create a DB instance, be aware of the following:

      • Make sure to create a VPC security group that authorizes connections from the application or service to the Amazon RDS DB instance. Use the Security Group option on the VPC console or the AWS CLI to create VPC security groups. For information, see Step 3: Create a VPC security group.

      • The VPC must meet certain requirements in order to host DB instances, such as having at least two subnets, each in a separate Availability Zone. For information, see Amazon VPC and Amazon RDS.

      • Make sure to specify a DB subnet group that defines which subnets in that VPC can be used by the DB instance. For information, see the DB subnet group section in Working with a DB instance in a VPC.

  • High availability – Do you need failover support? On Amazon RDS, a Multi-AZ deployment creates a primary DB instance and a secondary standby DB instance in another Availability Zone for failover support. We recommend Multi-AZ deployments for production workloads to maintain high availability. For development and test purposes, you can use a deployment that isn't Multi-AZ. For more information, see Configuring and managing a Multi-AZ deployment for Amazon RDS.

  • IAM policies – Does your AWS account have policies that grant the permissions needed to perform Amazon RDS operations? If you are connecting to AWS using IAM credentials, your IAM account must have IAM policies that grant the permissions required to perform Amazon RDS operations. For more information, see Identity and access management for Amazon RDS.

  • Open ports – What TCP/IP port does your database listen on? The firewalls at some companies might block connections to the default port for your database engine. If your company firewall blocks the default port, choose another port for the new DB instance. When you create a DB instance that listens on a port you specify, you can change the port by modifying the DB instance.

  • AWS Region – What AWS Region do you want your database in? Having your database in close proximity to your application or web service can reduce network latency. For more information, see Regions, Availability Zones, and Local Zones.

  • DB disk subsystem – What are your storage requirements? Amazon RDS provides three storage types:

    • General Purpose (SSD)

    • Provisioned IOPS (PIOPS)

    • Magnetic (also known as standard storage)

    For more information on Amazon RDS storage, see Amazon RDS DB instance storage.

When you have the information you need to create the security group and the DB instance, continue to the next step.

Provide access to your DB instance in your VPC by creating a security group

VPC security groups provide access to DB instances in a VPC. They act as a firewall for the associated DB instance, controlling both inbound and outbound traffic at the DB instance level. DB instances are created by default with a firewall and a default security group that protect the DB instance.

Before you can connect to your DB instance, you must add rules to a security group that enable you to connect. Use your network and configuration information to create rules to allow access to your DB instance.

For example, suppose that you have an application that accesses a database on your DB instance in a VPC. In this case, you must add a custom TCP rule that specifies the port range and IP addresses that your application uses to access the database. If you have an application on an Amazon EC2 instance, you can use the security group that you set up for the Amazon EC2 instance.

You can configure connectivity between an Amazon EC2 instance and a DB instance when you create the DB instance. For more information, see Configure automatic network connectivity with an EC2 instance.

For information about how to connect resources in Amazon Lightsail to your DB instances, seeConnect Lightsail resources to AWS services using VPC peering.

For information about common scenarios for accessing a DB instance, see Scenarios for accessing a DB instance in a VPC.

To create a VPC security group
  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc.

  2. In the upper-right corner of the AWS Management Console, choose the AWS Region where you want to create your VPC security group and DB instance. In the list of Amazon VPC resources for that AWS Region, you should see at least one VPC and several subnets. If you don't, you don't have a default VPC in that AWS Region.

  3. In the navigation pane, choose Security Groups.

  4. Choose Create security group.

    The Create security group page appears.

  5. In Basic details, enter the Security group name and Description. For VPC, choose the VPC that you want to create your DB instance in.

  6. In Inbound rules, choose Add rule.

    1. For Type, choose Custom TCP.

    2. For Port range, enter the port value to use for your DB instance.

    3. For Source, choose a security group name or type the IP address range (CIDR value) from where you access the DB instance. If you choose My IP, this allows access to the DB instance from the IP address detected in your browser.

  7. If you need to add more IP addresses or different port ranges, choose Add rule and enter the information for the rule.

  8. (Optional) In Outbound rules, add rules for outbound traffic. By default, all outbound traffic is allowed.

  9. Choose Create security group.

You can use the VPC security group that you just created as the security group for your DB instance when you create it.

After you have completed the setup requirements, you can create a DB instance using your requirements and security group. To do so, follow the instructions in Creating an Amazon RDS DB instance. For information about getting started by creating a DB instance that uses a specific DB engine, see the relevant documentation in the following table.
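The inbound rule the procedure above creates (Custom TCP, one port, a security group or CIDR as Source) can be expressed in the IpPermissions structure that the EC2 API uses, and an existing rule set can be checked for the opposite of what the procedure recommends: wide port ranges or an any-address source on the DB port. This is an added example, not AWS code; the security-group id, port, and CIDR values are constructed, and the functions `db_ingress_rule` and `audit_ingress` are hypothetical helpers.

```python
# Added example, not from the AWS documentation: build a least-privilege
# ingress rule for the DB port and audit a rule set for over-broad access.
# Security-group id and CIDRs are constructed sample values.
from ipaddress import ip_network

DB_PORT = 3306  # assumption: a MySQL-compatible engine on its default port
APP_SG = "sg-0123456789abcdef0"  # constructed id of the application's group

def db_ingress_rule(port, cidr=None, source_sg=None):
    """EC2 IpPermissions entry: Custom TCP on one port, from one CIDR range
    or one security group (the same choice the console offers for Source)."""
    if (cidr is None) == (source_sg is None):
        raise ValueError("specify exactly one of cidr or source_sg")
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr is not None:
        rule["IpRanges"] = [{"CidrIp": str(ip_network(cidr, strict=False))}]
    else:
        rule["UserIdGroupPairs"] = [{"GroupId": source_sg}]
    return rule

def audit_ingress(ip_permissions, db_port):
    """Flag rules that reach db_port more broadly than one port from a known
    source: wide port ranges and any-address (0.0.0.0/0, ::/0) sources."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue  # UDP/ICMP rules cannot reach a TCP listener
        lo = 0 if proto == "-1" else perm["FromPort"]
        hi = 65535 if proto == "-1" else perm["ToPort"]
        if not lo <= db_port <= hi:
            continue
        if hi != lo:
            findings.append(f"ports {lo}-{hi} allowed; restrict to {db_port}")
        for r in perm.get("IpRanges", []):
            if ip_network(r["CidrIp"]).prefixlen == 0:
                findings.append(f"{r['CidrIp']} exposes port {db_port} to any IPv4 host")
        for r in perm.get("Ipv6Ranges", []):
            if ip_network(r["CidrIpv6"]).prefixlen == 0:
                findings.append(f"{r['CidrIpv6']} exposes port {db_port} to any IPv6 host")
    return findings

# Constructed rule sets: one as the console procedure creates it, one over-broad.
LEAST_PRIVILEGE = [db_ingress_rule(DB_PORT, source_sg=APP_SG)]
OVERLY_OPEN = [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "udp", "FromPort": DB_PORT, "ToPort": DB_PORT,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
```

The same `audit_ingress` check can be run over the `IpPermissions` list returned by describing a real security group, so a DB group that drifts from the single-port, known-source rule is caught before the instance is exposed.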
