profile

AWS for the Real World

I connected Claude Code to RDS. 7 lines.

Published 20 days agoΒ β€’Β 2 min read
AWS FOR THE REAL WORLD
⏱️
Reading time: 8 minutes
🎯
Main Learning: How to securely connect Claude Code to a private RDS database using MCP, SSM tunnels, and VPC endpoints
πŸ“
🎬

Hey Reader πŸ‘‹πŸ½

AI coding assistants are great. If you give them the right context.

Your database schema is one of the most valuable pieces of context you can provide. But there's a problem: your RDS is in a private subnet. As it should be.

So how do you connect Claude Code to a database it can't reach?

In this issue, we set up a secure tunnel using SSM and VPC endpoints, hook it up via MCP, and let Claude Code query your private RDS directly.

Rather watch a video? We've recorded one for you!

video preview​

First, let's see some AWS news of the week:

πŸ“° This Week in AWS

😢CloudWatch Mute Rules

Tired of noisy alarms you can't turn off during maintenance? CloudWatch now supports mute rules. Suppress specific alarms during planned windows without deleting or disabling them. Read More β†’

πŸ—„οΈRDS Gets a Better Console

The RDS console now shows ready-made connection code snippets for Java, Python, Node.js, and more. It adapts based on your auth method and includes built-in psql and CloudShell access. Less digging through docs to get connected. Read More β†’

Now, onto this week's deep dive:

Connect Claude Code to Private RDS with MCP

πŸ“š This Week's Deep Dive

The Problem

More context doesn't mean better AI performance. The right context does.

You start a feature. You write a spec, point it to the right files. Performance goes up. But if you keep going without clearing context, it goes downhill.

What you want is focused context at the right time. Database schema, example data, relevant source code. That's what makes AI assistants useful.

But your RDS sits in a private subnet. No public IP. No direct connection. And that's correct.

The Solution

We introduce a few components:

  1. Your local machine runs Claude Code with MCP config
  2. AWS Session Manager (SSM) uses your local AWS credentials
  3. Three VPC endpoints let SSM reach into your VPC without internet
  4. A jumphost (EC2) sits in the same subnet as RDS
  5. The jumphost connects to RDS on your behalf

Full path: local machine β†’ SSM β†’ VPC endpoints β†’ jumphost β†’ RDS.

This creates a local tunnel. All requests to localhost on a specific port get forwarded to your RDS instance.

Deploy & Connect

Deploy the CDK stack with pnpm cdk deploy. It creates the VPC endpoints, jumphost, and RDS instance.

Start the tunnel with ./scripts/tunnel.sh. When you see "Waiting for Connections…", you're good.

The MCP config is seven lines. It handles everything: checks requirements, fetches stack outputs, grabs credentials, starts its own SSM tunnel, and launches the MCP server.

Restart Claude Code, run /mcp, and you'll see "RDS Postgres" connecting. Say "show me some data" and it queries your database.

Why This Matters

Debugging incidents: Claude Code sees the same data you see. No switching between SQL client and editor.

Feature development: Let the AI build a feature, click through the UI with a headless browser, and check the database to verify. The database is the feedback loop you're missing.

No more copy-pasting: No exporting schemas. No pasting table definitions into every conversation. MCP gives live access.

Security

  • Only connect to dev and staging. Never production.
  • Use a read-only database user.
  • SSM uses your local CLI credentials. No long-term secrets.
  • CloudTrail logs every session. Full audit trail.
  • Your database stays in its private subnet.

That's it for this week!

The full CDK stack and scripts are open source. Grab the repo, deploy it, and don't forget to destroy the stack when you're done.

See you soon!

Sandro & Tobi

AWS for the Real World

by Tobi & Sandro

We teach AWS for the real world - not for certifications. Join more than 10,500 developers learning how to build real-world applications on AWS.

Read more from AWS for the Real World

AWS FOR THE REAL WORLD ⏱️ Reading time: 12 minutes 🎯 Main Learning: Run an always-on AI agent on a $5 Lightsail instance with zero open ports, SSM access, and GitHub as a time machine for your agent's brain πŸ“ Blog Post 🎬 Watch on YouTube Hey Reader πŸ‘‹πŸ½ the past weeks there is obviously one driving topic: OpenClaw 🦞 We love seeing that a developer from our neighbor country πŸ‡¦πŸ‡Ή built a tool that got so MUCH hype. That is why we needed to try it out as well! While I (Sandro) added OpenClaw to my...

6 days agoΒ β€’Β 2 min read

AWS FOR THE REAL WORLD ⏱️ Reading time: 8 minutes 🎯 Main Learning: How to pause Step Function workflows for human approval using the callback pattern πŸ“ Blog Post πŸ’» GitHub Repository 🎬 Watch on YouTube Hey Reader πŸ‘‹πŸ½ I've used this pattern in almost every project I've built. Whenever you need a human in the loop - approvals, reviews, manual checks - and you still want to see what's happening, Step Functions are perfect. Lambda is my go-to for almost everything. APIs S3 triggers event consumers...

about 1 month agoΒ β€’Β 2 min read

AWS FOR THE REAL WORLD ⏱️ Reading time: 5 minutes 🎯 Main Learning: How to make Claude write production-ready Terraform instead of technical debt 🎬 Watch on YouTube πŸ“ Blog Post πŸ’» GitHub Repository Hey Reader πŸ‘‹πŸ½ We've been heads-down the past weeks. Preparing the live AMA workshops from Black Friday (sorry for the delay!) and recording new YouTube videos. It's been a lot of fun. Speaking of videos - this week Tobi recorded one you'll want to watch. Here's the problem: LLMs want to close the...

about 1 month agoΒ β€’Β 1 min read