sss

Reputation: 59

Query AWS RDS from Lambda Securely

I am trying to connect my Lambda to RDS just as a learning exercise. Currently, all resources are created through CloudFormation and I would like to continue to do that if possible.

My issue is with the following statement from https://docs.aws.amazon.com/lambda/latest/dg/vpc-rds.html which details how to connect.

A second file contains connection information for the function.

    Example rds_config.py

    #config file containing credentials for RDS MySQL instance
    db_username = "username"
    db_password = "password"
    db_name = "ExampleDB" 

The statement AWS is making makes it seem like I should hardcode these values into a file which does not seem secure. I could try to use environment variables but I think the same issue will arise.

If anyone has any advice for how to connect Lambda to RDS securely I would greatly appreciate it!!!

Upvotes: 1

Views: 424

Answers (1)

Thales Minussi

Reputation: 7245

If you don't want to use environment variables for whatever reason, you can have your Lambda function query the AWS Systems Manager Parameter Store for you.

So let's say once your function has been triggered, you can just query SSM to get the desired parameters and then pass them into your RDS connection.

Just remember that if your Lambda also needs Internet Access (and in this case it does, because it will need to access SSM), you'll need to attach 2 subnets to it: a private and a public. The private will route traffic to RDS and the public will route traffic to other AWS Services / or to the internet.

Setting up Environment Variables would be the easiest to get you off the ground, though.

EDIT: Check this answer where I walk the OP through creating a VPC with both public and private subnets if you need a quick start.

EDIT 2: Good news. AWS has released VPC endpoints for SSM some time ago. So your Lambda won't need to go through the Internet anymore, you can just hit that VPC endpoint. You can see it in the official docs.

Upvotes: 1
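
The approach described in the answer above (read the connection settings from Parameter Store at run time and pass them to the RDS connection), as an added example that is not part of the original answer. The parameter path `/myapp/rds/`, the `DB_PARAM_PREFIX` variable, the `FakeSSM` stub and the choice of `pymysql` as the MySQL driver are assumptions made for illustration.

```python
import os

# Assumed (hypothetical) hierarchy: /myapp/rds/{host,username,password,db_name},
# with at least the password stored as a SecureString.
PARAM_PREFIX = os.environ.get("DB_PARAM_PREFIX", "/myapp/rds/")
REQUIRED = ("host", "username", "password", "db_name")
CACHE = {}  # reused across warm invocations, so SSM is not queried on every call

def load_db_config(ssm, prefix=PARAM_PREFIX):
    """Return {short_name: value} for every parameter stored under prefix."""
    if prefix in CACHE:
        return CACHE[prefix]
    config, kwargs = {}, {"Path": prefix, "WithDecryption": True}
    while True:  # results are paginated; follow NextToken until exhausted
        page = ssm.get_parameters_by_path(**kwargs)
        for param in page["Parameters"]:
            config[param["Name"].rsplit("/", 1)[-1]] = param["Value"]
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    missing = [key for key in REQUIRED if key not in config]
    if missing:  # report key names only, never parameter values
        raise RuntimeError(f"missing SSM parameters under {prefix}: {missing}")
    CACHE[prefix] = config
    return config

def lambda_handler(event, context):
    import boto3    # imported here so the module loads without the AWS SDK
    import pymysql  # assumed MySQL driver, packaged with the function
    cfg = load_db_config(boto3.client("ssm"))
    conn = pymysql.connect(host=cfg["host"], user=cfg["username"], connect_timeout=5,
                           password=cfg["password"], database=cfg["db_name"])
    try:
        with conn.cursor() as cur:
            cur.execute("SELECT 1")
            return {"db_reachable": cur.fetchone()[0] == 1}
    finally:
        conn.close()

class FakeSSM:
    """Constructed stand-in for boto3's SSM client; serves two result pages."""
    calls = 0

    def get_parameters_by_path(self, Path, WithDecryption, NextToken=None):
        self.calls += 1
        names = ("password", "db_name") if NextToken else ("host", "username")
        page = {"Parameters": [{"Name": Path + n, "Value": "constructed-" + n} for n in names]}
        return page if NextToken else {**page, "NextToken": "page-2"}
```

The function's execution role needs `ssm:GetParametersByPath` on that path only, plus `kms:Decrypt` on the key if the SecureString uses a customer-managed KMS key.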
