I have an ECS task executed from a Lambda function. This task will perform some basic SQL operations (e.g. SELECT, INSERT, UPDATE) on an RDS instance running MySQL. What is the proper way to manage access from the ECS task to RDS?
I am currently connecting to RDS using a security group rule where port 3306 allows a connection from a particular IP address (where an EC2 instance resides).
I am in the process of moving this functionality from EC2 to the ECS task. I looked into IAM policies, but the actions appear to manage AWS CLI RDS operations, and are likely not the solution here. Thanks!
IAM roles and Security Groups are two totally different things that serve different purposes. You have to open the Security Group to allow any network traffic to access the RDS server. Instead of whitelisting the IP address you should whitelist the inbound Security Group.
For example if the RDS server is in Security Group 1, and the ECS server is in Security Group 2, you can enter the ID of Security Group 2 in the inbound access rule of Security Group 1. Then you don't have to worry about servers changing IP addresses.