profile

AWS for the Real World

I connected Claude Code to RDS. 7 lines.

Published about 1 month agoΒ β€’Β 2 min read
AWS FOR THE REAL WORLD
⏱️
Reading time: 8 minutes
🎯
Main Learning: How to securely connect Claude Code to a private RDS database using MCP, SSM tunnels, and VPC endpoints
πŸ“
🎬

Hey Reader πŸ‘‹πŸ½

AI coding assistants are great. If you give them the right context.

Your database schema is one of the most valuable pieces of context you can provide. But there's a problem: your RDS is in a private subnet. As it should be.

So how do you connect Claude Code to a database it can't reach?

In this issue, we set up a secure tunnel using SSM and VPC endpoints, hook it up via MCP, and let Claude Code query your private RDS directly.

Rather watch a video? We've recorded one for you!

video preview​

First, let's see some AWS news of the week:

πŸ“° This Week in AWS

😢CloudWatch Mute Rules

Tired of noisy alarms you can't turn off during maintenance? CloudWatch now supports mute rules. Suppress specific alarms during planned windows without deleting or disabling them. Read More β†’

πŸ—„οΈRDS Gets a Better Console

The RDS console now shows ready-made connection code snippets for Java, Python, Node.js, and more. It adapts based on your auth method and includes built-in psql and CloudShell access. Less digging through docs to get connected. Read More β†’

Now, onto this week's deep dive:

Connect Claude Code to Private RDS with MCP

πŸ“š This Week's Deep Dive

The Problem

More context doesn't mean better AI performance. The right context does.

You start a feature. You write a spec, point it to the right files. Performance goes up. But if you keep going without clearing context, it goes downhill.

What you want is focused context at the right time. Database schema, example data, relevant source code. That's what makes AI assistants useful.

But your RDS sits in a private subnet. No public IP. No direct connection. And that's correct.

The Solution

We introduce a few components:

  1. Your local machine runs Claude Code with MCP config
  2. AWS Session Manager (SSM) uses your local AWS credentials
  3. Three VPC endpoints let SSM reach into your VPC without internet
  4. A jumphost (EC2) sits in the same subnet as RDS
  5. The jumphost connects to RDS on your behalf

Full path: local machine β†’ SSM β†’ VPC endpoints β†’ jumphost β†’ RDS.

This creates a local tunnel. All requests to localhost on a specific port get forwarded to your RDS instance.

Deploy & Connect

Deploy the CDK stack with pnpm cdk deploy. It creates the VPC endpoints, jumphost, and RDS instance.

Start the tunnel with ./scripts/tunnel.sh. When you see "Waiting for Connections…", you're good.

The MCP config is seven lines. It handles everything: checks requirements, fetches stack outputs, grabs credentials, starts its own SSM tunnel, and launches the MCP server.

Restart Claude Code, run /mcp, and you'll see "RDS Postgres" connecting. Say "show me some data" and it queries your database.

Why This Matters

Debugging incidents: Claude Code sees the same data you see. No switching between SQL client and editor.

Feature development: Let the AI build a feature, click through the UI with a headless browser, and check the database to verify. The database is the feedback loop you're missing.

No more copy-pasting: No exporting schemas. No pasting table definitions into every conversation. MCP gives live access.

Security

  • Only connect to dev and staging. Never production.
  • Use a read-only database user.
  • SSM uses your local CLI credentials. No long-term secrets.
  • CloudTrail logs every session. Full audit trail.
  • Your database stays in its private subnet.

That's it for this week!

The full CDK stack and scripts are open source. Grab the repo, deploy it, and don't forget to destroy the stack when you're done.

See you soon!

Sandro & Tobi

AWS for the Real World

by Tobi & Sandro

We teach AWS for the real world - not for certifications. Join more than 10,500 developers learning how to build real-world applications on AWS.

Read more from AWS for the Real World

AWS FOR THE REAL WORLD ⏱️ Reading time: 4 minutes 🎯 Main Learning: Which AWS services are worth your time and which ones to skip 🎬 Watch on YouTube Hey Reader πŸ‘‹πŸ½ a new week, new AWS video coming out. I (Sandro) used all of my knowledge from the past six plus years building AWS solutions, ranking the services I actually use and the services I hate. For some I've changed my mind A LOT over the years (e.g. DynamoDB). Let me know what you think and check it out.Here you go AWS News But first of...

7 days agoΒ β€’Β 3 min read

AWS FOR THE REAL WORLD ⏱️ Reading time: 12 minutes 🎯 Main Learning: The 11 most impactful AWS releases from the past 12 months that have nothing to do with AI. πŸ“ Blog Post Hey Reader πŸ‘‹ Every re:Invent recap, every AWS blog, every newsletter from the past year has been dominated by one topic. You know which one. But while everyone was writing about agents and foundation models, the core infrastructure layer kept moving. Quiet releases. No keynote fanfare. Things that actually affect your...

14 days agoΒ β€’Β 2 min read

AWS FOR THE REAL WORLD ⏱️ Reading time: 5 minutes 🎯 Main Learning: Deploy AWS's open-source TEAM solution for temporary admin access with approval workflows 🎬 Watch on YouTube Hey Reader πŸ‘‹πŸ½ I hope you had a great weekend and have a great week ahead. One thing I see over and over again in AWS setups: admin permissions are either handed out way too easily or way too hard. There is no middle ground. In other systems this was already solved. You shouldn’t have to DM somebody for admin access. We...

21 days agoΒ β€’Β 3 min read