Question

First of all, would the above be a good idea? Would this be overkill in which the security level will be the same using another method?

How would you do this? The alternative would be ssh tunneling from one machine to the database server but I'm not sure if there will be a performance problem from the inbound machine that requires constant connection to query data from the database server.

I can right now ssh into the instance from any machine with the public key.

I can also connect to the PostgreSQL database on this instance using ssh tunneling.

Solution

Can you explain a little more about what you're trying to do? Based on the information you provided I have to make a lot of assumptions.

Some general advice when dealing with database servers is to restrict access by both IP and the user connecting to the database. This is only possible if you have a static IP on the client or a known range of IPs that you can use. I'm not sure if either of these cases applies to you. If you're using Amazon EC2 VPC you can set your client to have a static private IP and only allow database access from that IP.

Keep in mind that SSH is not the same as access to the database. You will still need to keep port 22 open for you (hopefully just you) on both your database server and your client instance so that you can log in and manage those servers.

Like I said before, the more explanation you can give to what you're attempting to do the better someone can help you.
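
An added example, not part of the original answer: a small audit of PostgreSQL's `pg_hba.conf` that flags remote-access rules not pinned to a specific client IP and database role, which is the restriction the answer recommends. The sample file, the `appdb` database, the `app_reader` role and the 10.0.1.x addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf; database, role and addresses are hypothetical.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER        ADDRESS          METHOD
local   all       postgres                     peer
host    all       all         0.0.0.0/0        md5
host    appdb     app_reader  10.0.1.25/32     scram-sha-256
host    appdb     all         10.0.1.0/24      scram-sha-256
host    appdb     app_reader  10.0.1.26 255.255.255.255 trust
"""

def audit_hba(text):
    """Return (line_number, problem) pairs for remote-access rules that are
    not pinned to a specific client address and database role."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        # Only TCP rules (host, hostssl, hostnossl, ...) carry a client address.
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        _, _db, user, address = fields[:4]
        rest = fields[4:]
        # Older "address netmask" form (IPv4): fold the mask into the address.
        if "/" not in address and len(rest) >= 2 and rest[0][0].isdigit():
            address, rest = f"{address}/{rest[0]}", rest[1:]
        method = rest[0]
        if address == "all":
            findings.append((lineno, "any client address allowed"))
        else:
            try:
                net = ipaddress.ip_network(address, strict=False)
                if net.prefixlen == 0:
                    findings.append((lineno, "any client address allowed"))
            except ValueError:
                pass  # hostname, samehost, samenet: not judged here
        if user == "all":
            findings.append((lineno, "any database role allowed"))
        if method == "trust":
            findings.append((lineno, "no password required (trust)"))
    return findings

if __name__ == "__main__":
    for lineno, problem in audit_hba(SAMPLE_HBA):
        print(f"line {lineno}: {problem}")
```

Only the rule on line 4 of the sample passes: one database, one role, one /32 client address, password authentication.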

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow