Question

That's a whole lot of acronyms and I apologize.

I have a client who would like to access our RDS database. The RDS database is in a VPC and is not publicly accessible. Right now, you have to SSH into an EC2 instance inside the VPC and then connect to the RDS instance.

I'd like to give the client SELECT privileges on the RDS instance, but nothing else. I don't necessarily want to give him a private key to access the RDS instance, since he will then be able to access the EC2 instance as well.

Is there a way to generate a private key for an EC2 instance that doesn't allow him to access the EC2 instance but will let him use it to tunnel to the RDS instance?


Solution

What I ended up doing was the following:

  • Generated a new user on the EC2 instance via this tutorial: http://aws.amazon.com/articles/1233
  • Didn't give the user sudo access
  • Generated a new MySQL user on the RDS instance
  • GRANT SELECT ON database.table TO 'user'@'host'
  • Gave the client the private key, RDS connection details, SSH host

Boom. He's in and has a locked down user account on the EC2 instance, and can now use the SSH details to access the RDS instance with SELECT privileges.

Unfortunately, he also has access to his own home directory on the EC2 instance.
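The leftover problem in the answer is that the client's key still buys a shell and a home directory on the EC2 instance. Below is an added example, not part of the original question or answer, of how a tunnel-only account is set up with sshd's `Match`/`ForceCommand`/`PermitOpen` directives and matching `authorized_keys` options, so the same key can forward TCP to the RDS endpoint but cannot open a shell, run commands, use SFTP, or reach anything other than RDS port 3306. The user name `dbreader`, the RDS endpoint `mydb.example.rds.internal`, the schema `reports`, the EC2 private IP `10.0.1.23`, and the key file `client_id.pub` are placeholders I chose for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a tunnel-only SSH account for a
# read-only RDS consumer. Placeholders: Linux user "dbreader", RDS endpoint
# "mydb.example.rds.internal", schema "reports", EC2 private IP 10.0.1.23.

# sshd_config stanza for the tunnel-only user. Every directive is valid inside
# a Match block. PermitOpen limits -L targets to the RDS endpoint; ForceCommand
# /bin/false makes any shell, exec or sftp request end the session at once,
# so the client must connect with "ssh -N" (no remote command).
render_sshd_match() {
  user=$1 rds_host=$2 rds_port=$3
  cat <<EOF
Match User $user
    PasswordAuthentication no
    AllowTcpForwarding yes
    PermitOpen $rds_host:$rds_port
    PermitTTY no
    ForceCommand /bin/false
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    GatewayPorts no
EOF
}

# The same restrictions as authorized_keys options, so they survive a later
# sshd_config edit that drops the Match block. "restrict" (OpenSSH 7.2+) turns
# off every pty/forwarding feature; we re-enable only TCP forwarding to RDS.
# $3 is the client's public key line (contents of client_id.pub).
render_authorized_key() {
  rds_host=$1 rds_port=$2 pubkey=$3
  printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' \
    "$rds_host" "$rds_port" "$pubkey"
}

# MySQL side: pin the account to the EC2 instance's private IP, which is the
# only source address a tunnelled connection can have, and grant SELECT on one
# schema and nothing else. Replace CHANGE-ME before running on RDS.
render_grant_sql() {
  db=$1 user=$2 from_ip=$3
  cat <<EOF
CREATE USER '$user'@'$from_ip' IDENTIFIED BY 'CHANGE-ME';
GRANT SELECT ON $db.* TO '$user'@'$from_ip';
FLUSH PRIVILEGES;
EOF
}

# Server-side provisioning; run as root on the EC2 instance. Never called at
# load time. The account gets a real shell only because sshd uses it to exec
# the ForceCommand; it has no password and is not in any sudo group.
provision() {
  user=$1 rds_host=$2 rds_port=$3 pubkey_file=$4
  useradd --create-home --shell /bin/sh "$user"
  install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
  render_authorized_key "$rds_host" "$rds_port" "$(cat "$pubkey_file")" \
    > "/home/$user/.ssh/authorized_keys"
  chmod 600 "/home/$user/.ssh/authorized_keys"
  chown "$user:$user" "/home/$user/.ssh/authorized_keys"
  render_sshd_match "$user" "$rds_host" "$rds_port" >> /etc/ssh/sshd_config
  sshd -t || return 1   # validate the config before reloading sshd
  # then reload with your init system, e.g. systemctl reload sshd
}

# Client side (the only commands the client needs):
#   ssh -N -L 3307:mydb.example.rds.internal:3306 dbreader@ec2-host
#   mysql -h 127.0.0.1 -P 3307 -u dbreader -p reports
# Checks that the lockdown holds:
#   ssh dbreader@ec2-host true          -> exits non-zero, no shell, no output
#   sftp dbreader@ec2-host              -> subsystem request refused
#   ssh -N -L 2222:10.0.0.5:22 ...      -> "administratively prohibited"

case "${1:-}" in
  show)
    render_sshd_match dbreader mydb.example.rds.internal 3306
    render_grant_sql reports dbreader 10.0.1.23
    ;;
esac
```

With `ForceCommand /bin/false` the client's `ssh` session closes immediately unless `-N` is given, which is the intended behaviour: the account exists only to carry the forwarded connection. The `restrict` key option needs OpenSSH 7.2 or newer on the instance; on older versions use the explicit `no-pty,no-agent-forwarding,no-X11-forwarding,permitopen=...` options instead.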

Licensed under: CC-BY-SA with attribution