I connected Claude Code to RDS. 7 lines.


AWS FOR THE REAL WORLD
⏱️ Reading time: 8 minutes
🎯 Main Learning: How to securely connect Claude Code to a private RDS database using MCP, SSM tunnels, and VPC endpoints

Hey Reader 👋🏽

AI coding assistants are great. If you give them the right context.

Your database schema is one of the most valuable pieces of context you can provide. But there's a problem: your RDS is in a private subnet. As it should be.

So how do you connect Claude Code to a database it can't reach?

In this issue, we set up a secure tunnel using SSM and VPC endpoints, hook it up via MCP, and let Claude Code query your private RDS directly.

Rather watch a video? We've recorded one for you!


First, let's see some AWS news of the week:

📰 This Week in AWS

😶 CloudWatch Mute Rules

Tired of noisy alarms you can't turn off during maintenance? CloudWatch now supports mute rules. Suppress specific alarms during planned windows without deleting or disabling them. Read More →

🗄️ RDS Gets a Better Console

The RDS console now shows ready-made connection code snippets for Java, Python, Node.js, and more. It adapts based on your auth method and includes built-in psql and CloudShell access. Less digging through docs to get connected. Read More →

Now, onto this week's deep dive:

Connect Claude Code to Private RDS with MCP

📚 This Week's Deep Dive

The Problem

More context doesn't mean better AI performance. The right context does.

You start a feature. You write a spec, point it to the right files. Performance goes up. But if you keep going without clearing context, it goes downhill.

What you want is focused context at the right time. Database schema, example data, relevant source code. That's what makes AI assistants useful.

But your RDS sits in a private subnet. No public IP. No direct connection. And that's correct.

The Solution

We introduce a few components:

  1. Your local machine runs Claude Code with MCP config
  2. AWS Session Manager (SSM) uses your local AWS credentials
  3. Three VPC endpoints let SSM reach into your VPC without internet
  4. A jumphost (EC2) sits in the same subnet as RDS
  5. The jumphost connects to RDS on your behalf

Full path: local machine → SSM → VPC endpoints → jumphost → RDS.

This creates a local tunnel. All requests to localhost on a specific port get forwarded to your RDS instance.
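The tunnel described above, sketched as an added example (this is not the repo's scripts/tunnel.sh). It assumes the forwarding uses the SSM document AWS-StartPortForwardingSessionToRemoteHost and Postgres on port 5432; the function names, stage names, instance ID and hostname are hypothetical or constructed. It also refuses any stage other than dev or staging, matching the rule in the Security list.

```bash
#!/usr/bin/env bash
# Added example, not the repo's scripts/tunnel.sh. Function names are
# hypothetical; instance ID and RDS hostname below are constructed samples.

# Allow only the non-production stages named in the Security list.
stage_allowed() {
  case "$1" in
    dev|staging) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the --parameters JSON for AWS-StartPortForwardingSessionToRemoteHost.
# Rejects hosts/ports with unexpected characters so nothing can break the JSON.
tunnel_params() {
  local host="$1" remote_port="$2" local_port="$3" p
  case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  for p in "$remote_port" "$local_port"; do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
  done
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' \
    "$host" "$remote_port" "$local_port"
}

# Open the tunnel through the jumphost; DRY_RUN=1 prints the command instead.
start_tunnel() {
  local stage="$1" instance_id="$2" rds_host="$3" local_port="${4:-5432}"
  local params
  if ! stage_allowed "$stage"; then
    echo "refusing to open a tunnel for stage '$stage'" >&2
    return 2
  fi
  params="$(tunnel_params "$rds_host" 5432 "$local_port")" || return 3
  set -- aws ssm start-session \
    --target "$instance_id" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$params"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Constructed sample values; prints the command without contacting AWS.
DRY_RUN=1 start_tunnel dev i-0123456789abcdef0 mydb.example.internal 15432
```

Without DRY_RUN the same call uses your local AWS CLI credentials and keeps running until the session is closed.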

Deploy & Connect

Deploy the CDK stack with pnpm cdk deploy. It creates the VPC endpoints, jumphost, and RDS instance.

Start the tunnel with ./scripts/tunnel.sh. When you see "Waiting for Connections…", you're good.

The MCP config is seven lines. It handles everything: checks requirements, fetches stack outputs, grabs credentials, starts its own SSM tunnel, and launches the MCP server.

Restart Claude Code, run /mcp, and you'll see "RDS Postgres" connecting. Say "show me some data" and it queries your database.

Why This Matters

Debugging incidents: Claude Code sees the same data you see. No switching between SQL client and editor.

Feature development: Let the AI build a feature, click through the UI with a headless browser, and check the database to verify. The database is the feedback loop you're missing.

No more copy-pasting: No exporting schemas. No pasting table definitions into every conversation. MCP gives live access.

Security

  • Only connect to dev and staging. Never production.
  • Use a read-only database user.
  • SSM uses your local CLI credentials. No long-term secrets.
  • CloudTrail logs every session. Full audit trail.
  • Your database stays in its private subnet.

That's it for this week!

The full CDK stack and scripts are open source. Grab the repo, deploy it, and don't forget to destroy the stack when you're done.

See you soon!

Sandro & Tobi
