This guide provides instructions for granting Aampe access to your AWS RDS database for data synchronization. Grant Aampe direct read access to your RDS instance for real-time data synchronization.

Prerequisites

  • AWS account with an existing RDS instance
  • Admin access to your AWS account
  • RDS instance endpoint and database name
  • Network access configured (Security Groups/VPC)

Setup Steps

1. Create Database User for Aampe

Connect to your RDS instance and create a read-only user:
-- For MySQL/MariaDB
CREATE USER 'aampe_reader'@'%' IDENTIFIED BY 'STRONG_PASSWORD_HERE';

-- For PostgreSQL
CREATE USER aampe_reader WITH PASSWORD 'STRONG_PASSWORD_HERE';

-- For SQL Server
CREATE LOGIN aampe_reader WITH PASSWORD = 'STRONG_PASSWORD_HERE';
CREATE USER aampe_reader FOR LOGIN aampe_reader;

2. Grant Read Permissions

-- For MySQL/MariaDB
GRANT SELECT ON your_database.* TO 'aampe_reader'@'%';
FLUSH PRIVILEGES;

-- For PostgreSQL
GRANT CONNECT ON DATABASE your_database TO aampe_reader;
GRANT USAGE ON SCHEMA public TO aampe_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO aampe_reader;
-- For future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO aampe_reader;

-- For SQL Server
USE your_database;
ALTER ROLE db_datareader ADD MEMBER aampe_reader;

3. Configure Network Access

Update your RDS Security Group to allow Aampe’s IP addresses:
# Add ingress rule to your RDS security group
aws ec2 authorize-security-group-ingress \
  --group-id sg-YOUR_SECURITY_GROUP_ID \
  --protocol tcp \
  --port YOUR_DB_PORT \
  --cidr AAMPE_IP_RANGE/32 \
  --group-rule-description "Aampe data sync access"

Note: Your Aampe representative will provide the specific IP addresses or ranges to allowlist.

# Download RDS CA certificate
wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem

# For MySQL, enforce SSL for the Aampe user
mysql> ALTER USER 'aampe_reader'@'%' REQUIRE SSL;

5. Provide Information to Aampe

Share the following with your Aampe representative:
  • Endpoint: your-instance.region.rds.amazonaws.com
  • Port: (default: MySQL 3306, PostgreSQL 5432, SQL Server 1433)
  • Database name
  • Username: aampe_reader
  • Password: (share securely)
  • SSL certificate: (if using SSL)
  • List of tables to sync

Option 2: Read Replica Access (For Production Isolation)

Create a dedicated read replica to isolate Aampe’s queries from your production workload.

Setup Steps

1. Create Read Replica

aws rds create-db-instance-read-replica \
  --db-instance-identifier aampe-read-replica \
  --source-db-instance-identifier your-primary-instance \
  --publicly-accessible \
  --db-instance-class db.t3.medium

2. Wait for Replica to be Available

aws rds wait db-instance-available \
  --db-instance-identifier aampe-read-replica

3. Configure Replica-Specific Settings

# Modify replica for optimized read performance
aws rds modify-db-instance \
  --db-instance-identifier aampe-read-replica \
  --backup-retention-period 0 \
  --apply-immediately

4. Create Aampe User on Replica

Follow the same user creation steps from Option 1, but connect to the read replica endpoint instead.

5. Update Security Group

Create a dedicated security group for the read replica:
# Create new security group
aws ec2 create-security-group \
  --group-name aampe-rds-access \
  --description "Security group for Aampe RDS access"

# Add Aampe IP access
aws ec2 authorize-security-group-ingress \
  --group-name aampe-rds-access \
  --protocol tcp \
  --port YOUR_DB_PORT \
  --cidr AAMPE_IP_RANGE/32
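
One way to check the result of the security group steps in Option 1 and Option 2 (an added example, not Aampe's or AWS's own code): the script reads the JSON printed by aws ec2 describe-security-groups --output json and lists every ingress rule that exposes the database port to a source outside the allowlist. The function name, group ID, ports and addresses in the sample are constructed placeholders.

```python
import ipaddress
import json

def audit_db_ingress(describe_output, db_port, allowed_cidrs):
    """Return (group_id, cidr, reason) for each ingress rule that exposes
    db_port to a source outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":          # all protocols, so all ports
                covers = True
            elif proto == "tcp":       # port range may be wider than one port
                covers = perm["FromPort"] <= db_port <= perm["ToPort"]
            else:
                covers = False
            if not covers:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                if any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    continue
                reason = "open to the internet" if net.prefixlen == 0 else "not in allowlist"
                findings.append((sg["GroupId"], cidr, reason))
    return findings

# Constructed sample input: group ID, ports and addresses are placeholders
# (documentation ranges), not values supplied by Aampe.
SAMPLE = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "aampe-rds-access",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},
    ]}]})

if __name__ == "__main__":
    for finding in audit_db_ingress(SAMPLE, 5432, ["203.0.113.10/32"]):
        print(*finding, sep="\t")
```

Rules whose source is another security group rather than a CIDR are not evaluated by this check and need a separate review.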