I connected Claude Code to RDS. 7 lines.

AWS FOR THE REAL WORLD

⏱️

Reading time: 8 minutes

🎯

Main Learning: How to securely connect Claude Code to a private RDS database using MCP, SSM tunnels, and VPC endpoints

📝

Blog Post

💻

GitHub Repository

🎬

Watch on YouTube

Hey 👋🏽

AI coding assistants are great. If you give them the right context.

Your database schema is one of the most valuable pieces of context you can provide. But there's a problem: your RDS is in a private subnet. As it should be.

So how do you connect Claude Code to a database it can't reach?

In this issue, we set up a secure tunnel using SSM and VPC endpoints, hook it up via MCP, and let Claude Code query your private RDS directly.

Rather watch a video? We've recorded one for you!

First, let's see some AWS news of the week:

📰 This Week in AWS

😶CloudWatch Mute Rules

Tired of noisy alarms you can't turn off during maintenance? CloudWatch now supports mute rules. Suppress specific alarms during planned windows without deleting or disabling them.

🗄️RDS Gets a Better Console

The RDS console now shows ready-made connection code snippets for Java, Python, Node.js, and more. It adapts based on your auth method and includes built-in psql and CloudShell access. Less digging through docs to get connected.

Now, onto this week's deep dive:

Connect Claude Code to Private RDS with MCP

📚 This Week's Deep Dive

The Problem

More context doesn't mean better AI performance. The right context does.

You start a feature. You write a spec, point it to the right files. Performance goes up. But if you keep going without clearing context, it goes downhill.

What you want is focused context at the right time. Database schema, example data, relevant source code. That's what makes AI assistants useful.

But your RDS sits in a private subnet. No public IP. No direct connection. And that's correct.

The Solution

We introduce a few components:

Your local machine runs Claude Code with MCP config
AWS Session Manager (SSM) uses your local AWS credentials
Three VPC endpoints let SSM reach into your VPC without internet
A jumphost (EC2) sits in the same subnet as RDS
The jumphost connects to RDS on your behalf

Full path: local machine → SSM → VPC endpoints → jumphost → RDS.

This creates a local tunnel. All requests to localhost on a specific port get forwarded to your RDS instance.

Deploy & Connect

Deploy the CDK stack with pnpm cdk deploy. It creates the VPC endpoints, jumphost, and RDS instance.

Start the tunnel with ./scripts/tunnel.sh. When you see "Waiting for Connections…", you're good.

The MCP config is seven lines. It handles everything: checks requirements, fetches stack outputs, grabs credentials, starts its own SSM tunnel, and launches the MCP server.

Restart Claude Code, run /mcp, and you'll see "RDS Postgres" connecting. Say "show me some data" and it queries your database.

Why This Matters

Debugging incidents: Claude Code sees the same data you see. No switching between SQL client and editor.

Feature development: Let the AI build a feature, click through the UI with a headless browser, and check the database to verify. The database is the feedback loop you're missing.

No more copy-pasting: No exporting schemas. No pasting table definitions into every conversation. MCP gives live access.

Security

Only connect to dev and staging. Never production.
Use a read-only database user.
SSM uses your local CLI credentials. No long-term secrets.
CloudTrail logs every session. Full audit trail.
Your database stays in its private subnet.

🚀 Read the Full Tutorial →

That's it for this week!

The full CDK stack and scripts are open source. Grab the repo, deploy it, and don't forget to destroy the stack when you're done.

See you soon!

Sandro & Tobi