I connected Claude Code to RDS. 7 lines.


AWS FOR THE REAL WORLD
⏱️
Reading time: 8 minutes
🎯
Main Learning: How to securely connect Claude Code to a private RDS database using MCP, SSM tunnels, and VPC endpoints

Hey Reader 👋🏽

AI coding assistants are great. If you give them the right context.

Your database schema is one of the most valuable pieces of context you can provide. But there's a problem: your RDS is in a private subnet. As it should be.

So how do you connect Claude Code to a database it can't reach?

In this issue, we set up a secure tunnel using SSM and VPC endpoints, hook it up via MCP, and let Claude Code query your private RDS directly.

Rather watch a video? We've recorded one for you!


First, let's see some AWS news of the week:

📰 This Week in AWS

😢 CloudWatch Mute Rules

Tired of noisy alarms you can't turn off during maintenance? CloudWatch now supports mute rules. Suppress specific alarms during planned windows without deleting or disabling them. Read More →

πŸ—„οΈRDS Gets a Better Console

The RDS console now shows ready-made connection code snippets for Java, Python, Node.js, and more. It adapts based on your auth method and includes built-in psql and CloudShell access. Less digging through docs to get connected. Read More →

Now, onto this week's deep dive:

Connect Claude Code to Private RDS with MCP

📚 This Week's Deep Dive

The Problem

More context doesn't mean better AI performance. The right context does.

You start a feature. You write a spec, point it to the right files. Performance goes up. But if you keep going without clearing context, it goes downhill.

What you want is focused context at the right time. Database schema, example data, relevant source code. That's what makes AI assistants useful.

But your RDS sits in a private subnet. No public IP. No direct connection. And that's correct.

The Solution

We introduce a few components:

  1. Your local machine runs Claude Code with MCP config
  2. AWS Session Manager (SSM) uses your local AWS credentials
  3. Three VPC endpoints let SSM reach into your VPC without internet
  4. A jumphost (EC2) sits in the same subnet as RDS
  5. The jumphost connects to RDS on your behalf

Full path: local machine → SSM → VPC endpoints → jumphost → RDS.

This creates a local tunnel. All requests to localhost on a specific port get forwarded to your RDS instance.

Deploy & Connect

Deploy the CDK stack with pnpm cdk deploy. It creates the VPC endpoints, jumphost, and RDS instance.

Start the tunnel with ./scripts/tunnel.sh. When you see "Waiting for Connections…", you're good.

The MCP config is seven lines. It handles everything: checks requirements, fetches stack outputs, grabs credentials, starts its own SSM tunnel, and launches the MCP server.

Restart Claude Code, run /mcp, and you'll see "RDS Postgres" connecting. Say "show me some data" and it queries your database.

Why This Matters

Debugging incidents: Claude Code sees the same data you see. No switching between SQL client and editor.

Feature development: Let the AI build a feature, click through the UI with a headless browser, and check the database to verify. The database is the feedback loop you're missing.

No more copy-pasting: No exporting schemas. No pasting table definitions into every conversation. MCP gives live access.

Security

  • Only connect to dev and staging. Never production.
  • Use a read-only database user.
  • SSM uses your local CLI credentials. No long-term secrets.
  • CloudTrail logs every session. Full audit trail.
  • Your database stays in its private subnet.
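The read-only user from the list above is the control most often done half-way (SELECT granted on today's tables, tomorrow's forgotten). As an added example, not from the newsletter's repo, this script creates the role through the tunnel, checks that it holds no write privilege, and stores its password in Secrets Manager in the JSON shape a launcher script can read back; the role, schema, database, admin user and secret id are assumed placeholders:

```shell
#!/usr/bin/env bash
# Added example, not from the newsletter's repo: create the read-only database
# user through the tunnel, prove it cannot write, and hand its password to
# Secrets Manager. Role, schema, database and secret names are assumed placeholders.
set -eu

# Identifiers are interpolated into SQL below, so accept only [a-z0-9_] names
# that start with a letter or underscore.
valid_ident() {
  case "$1" in
    [a-z_]*) case "$1" in *[!a-z0-9_]*) return 1 ;; esac; return 0 ;;
    *) return 1 ;;
  esac
}

# SQL for a read-only role ($1 role, $2 schema, $3 database). The password is a
# psql variable (-v ro_password=...), so it never appears in this script.
readonly_role_sql() {
  cat <<EOF
CREATE ROLE $1 LOGIN PASSWORD :'ro_password';
GRANT CONNECT ON DATABASE $3 TO $1;
GRANT USAGE ON SCHEMA $2 TO $1;
GRANT SELECT ON ALL TABLES IN SCHEMA $2 TO $1;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA $2 TO $1;
-- Without this, tables the admin user creates later stay invisible to the role.
ALTER DEFAULT PRIVILEGES IN SCHEMA $2 GRANT SELECT ON TABLES TO $1;
-- Keep an over-eager assistant from running a ten-minute scan.
ALTER ROLE $1 SET statement_timeout = '30s';
EOF
}

# SQL that counts write privileges the role holds on the schema; must return 0.
verify_readonly_sql() {
  cat <<EOF
SELECT count(*) FROM information_schema.role_table_grants
 WHERE grantee = '$1' AND table_schema = '$2'
   AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
EOF
}

# Run everything against the tunnel on LOCAL_PORT as the admin user.
apply_via_tunnel() {
  role="$1" schema="$2" db="$3"
  valid_ident "$role" && valid_ident "$schema" && valid_ident "$db" \
    || { echo "identifiers must match [a-z_][a-z0-9_]*" >&2; return 1; }
  port="${LOCAL_PORT:-15432}"; admin="${ADMIN_USER:-postgres}"
  ro_pw="$(openssl rand -base64 24)"

  readonly_role_sql "$role" "$schema" "$db" \
    | psql -v ON_ERROR_STOP=1 -v ro_password="$ro_pw" -h 127.0.0.1 -p "$port" -U "$admin" -d "$db"

  writes="$(verify_readonly_sql "$role" "$schema" \
    | psql -tA -h 127.0.0.1 -p "$port" -U "$admin" -d "$db")"
  [ "$writes" = "0" ] || { echo "role $role still holds write privileges" >&2; return 1; }

  # Same {username, password} JSON a launcher script would read back (assumed secret id).
  aws secretsmanager put-secret-value --secret-id "${RO_SECRET_ID:?set RO_SECRET_ID}" \
    --secret-string "$(jq -n --arg u "$role" --arg p "$ro_pw" '{username: $u, password: $p}')"
}

# Usage: ./create-ro-user.sh apply [role] [schema] [database]
if [ "${1:-}" = "apply" ]; then
  apply_via_tunnel "${2:-claude_ro}" "${3:-public}" "${4:-app}"
fi
```

The `ALTER DEFAULT PRIVILEGES` line is the part people miss: `GRANT ... ON ALL TABLES` covers only tables that exist at that moment, and it applies to tables later created by the user who ran it, so run it as the same admin that owns the application tables. The `statement_timeout` is a cheap guard against an assistant issuing an unbounded scan against a shared staging database.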

That's it for this week!

The full CDK stack and scripts are open source. Grab the repo, deploy it, and don't forget to destroy the stack when you're done.

See you soon!

Sandro & Tobi

AWS for the Real World

We teach AWS for the real world - not for certifications. Join more than 10,500 developers learning how to build real-world applications on AWS.
