Why do I get AWS RDS access denied even though my password is correct?

The most common cause when the password is definitely correct is that the database user does not have permission to connect from the application's IP or host. In MySQL, users are scoped to a host: 'app_user'@'localhost' and 'app_user'@'%' are different users. Connect as the master user and run SHOW GRANTS FOR 'app_user'@'%'; to verify. In PostgreSQL, check pg_hba.conf equivalent rules in the RDS parameter group, and ensure the user has CONNECT privilege on the target database. Also verify you are connecting to the correct database name — PostgreSQL returns 'access denied' rather than 'database not found' in some configurations.

My RDS connection works locally but times out in Lambda or ECS. What is wrong?

Lambda functions and ECS tasks run inside a VPC (or no VPC). If your RDS is in a private subnet, your Lambda must be in the same VPC and the Lambda's security group must be allowed as an inbound source on the RDS security group. If Lambda is not VPC-attached, it cannot reach a private RDS instance at all. For ECS, verify the task's security group (not just the service's load balancer SG) is whitelisted on RDS. Also check that the private subnets your Lambda or ECS task runs in have a route to the RDS subnet — they must share a VPC or have peering configured.

How do I fix 'FATAL: remaining connection slots are reserved for non-replication superuser connections'?

This PostgreSQL error means the max_connections limit has been reached. Your application is opening more connections than the RDS instance supports. Immediate fix: connect as the superuser and run SELECT count(*), state FROM pg_stat_activity GROUP BY state; to see active connections, then SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE state = 'idle' AND query_start < now() - interval '10 minutes'; to reclaim idle connections. Long-term fix: deploy PgBouncer or RDS Proxy in front of your RDS instance to pool connections. Also check for connection leaks in your application — missing connection.close() calls after queries.

Why does AWS RDS connection refused happen only after the instance restarts?

After an RDS reboot, the endpoint DNS record may temporarily resolve to a different IP, especially with Multi-AZ failover. Your application may be caching the old DNS resolution. Ensure your DB client is configured with a short DNS TTL or uses the RDS endpoint hostname directly rather than a resolved IP. With Multi-AZ failover, the CNAME record is updated to point to the standby — this takes 30-120 seconds. Configure your connection retry logic with exponential backoff for at least 2-3 minutes to handle planned and unplanned failovers gracefully.

I see 'SSL connection has been closed unexpectedly' after upgrading RDS. How do I fix it?

AWS periodically rotates the RDS CA certificate. After a CA rotation or an RDS engine upgrade, the SSL certificate presented by RDS may no longer match the certificate bundle your client has. Download the latest global bundle from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem and configure your DB client to use it. If you are using Python with psycopg2, set sslrootcert to the bundle path. For Node.js with pg, pass ssl: { ca: fs.readFileSync('/path/to/global-bundle.pem') } in the connection config. As a temporary diagnostic-only workaround you can set sslmode=require (instead of verify-full) to bypass certificate verification, but never use this in production.

AWS RDS Access Denied: Fix Connection Refused and Timeout Errors (2024 Guide)

Q: Why does AWS RDS connection refused happen only after the instance restarts?

After an RDS reboot, the endpoint DNS record may temporarily resolve to a different IP, especially with Multi-AZ failover. Your application may be caching the old DNS resolution. Ensure your DB client is configured with a short DNS TTL or uses the RDS endpoint hostname directly rather than a resolved IP. With Multi-AZ failover, the CNAME record is updated to point to the standby — this takes 30-120 seconds. Configure your connection retry logic with exponential backoff for at least 2-3 minutes to handle planned and unplanned failovers gracefully.

Q: I see 'SSL connection has been closed unexpectedly' after upgrading RDS. How do I fix it?

AWS periodically rotates the RDS CA certificate. After a CA rotation or an RDS engine upgrade, the SSL certificate presented by RDS may no longer match the certificate bundle your client has. Download the latest global bundle from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem and configure your DB client to use it. If you are using Python with psycopg2, set sslrootcert to the bundle path. For Node.js with pg, pass ssl: { ca: fs.readFileSync('/path/to/global-bundle.pem') } in the connection config. As a temporary diagnostic-only workaround you can set sslmode=require (instead of verify-full) to bypass certificate verification, but never use this in production.

Fix AWS RDS access denied, connection refused, and timeout errors in minutes. Step-by-step guide covering IAM, security groups, VPC, and DB credentials.

Last updated: February 23, 2026

Last verified: February 23, 2026

2,512 words

Key Takeaways

Access denied on RDS is caused by one of four root causes: wrong DB credentials, IAM authentication misconfiguration, security group rules blocking the port, or SSL/TLS certificate mismatch
Connection refused (ECONNREFUSED) almost always means the security group inbound rule for port 3306 (MySQL) or 5432 (PostgreSQL) is missing, or the RDS instance is not set to Publicly Accessible when connecting from outside a VPC
RDS timeout errors are most commonly caused by a missing VPC route, network ACL blocking return traffic, or the RDS instance being in a private subnet without a NAT gateway or VPC endpoint
Quick fix checklist: (1) verify the endpoint and port with nmap or nc, (2) check security group inbound rules, (3) confirm IAM policy allows rds-db:connect if using IAM auth, (4) test with the native DB client using the master password before blaming application config

Fix Approaches Compared
Method	When to Use	Time to Apply	Risk Level
Add security group inbound rule	Port unreachable from your IP or application subnet	2 minutes	Low — additive change only
Enable Publicly Accessible flag	Connecting from outside the VPC (local dev, CI/CD)	5 minutes + reboot	Low — does not expose DB without security group allowing it
Attach correct IAM policy (rds-db:connect)	Using IAM database authentication instead of password	5 minutes	Low — IAM change, no DB restart needed
Rotate / reset master password	Access denied with correct endpoint but wrong credentials	3 minutes via console	Low — only affects password, not schema
Fix network ACL stateful rules	Timeout from specific subnet even with SG rule open	10 minutes	Medium — ACL rules are stateful-less; wrong order blocks all traffic
Move RDS to correct subnet / VPC	Application and DB in different VPCs with no peering	30-60 minutes	High — requires snapshot + restore or blue/green deployment
Download updated SSL bundle (rds-ca-2019)	SSL handshake failure / certificate verify failed	5 minutes	Low — client-side only change

Understanding AWS RDS Access Denied, Connection Refused, and Timeout Errors

AWS RDS connection failures surface as three distinct error classes, each pointing to a different layer of the stack. Mixing them up wastes hours of debugging time. Before touching any config, identify which exact error you have.

Error class 1 — Access Denied (authentication layer)

Access denied for user 'app_user'@'10.0.2.45' (using password: YES)
PSQLEXCEPTOR: password authentication failed for user "app_user"
com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Access denied

This error means the TCP connection reached RDS successfully. The problem is at the database authentication layer: wrong password, wrong username, the DB user doesn't exist, or IAM database authentication token expired.

Error class 2 — Connection Refused (network layer, hard block)

Error: connect ECONNREFUSED 10.0.1.23:5432
Can't connect to MySQL server on 'mydb.xxxx.us-east-1.rds.amazonaws.com' (111)
Connection refused (port 5432)

A hard refusal means something is actively rejecting the TCP SYN packet. This is almost always the security group having no inbound rule for the DB port, or the RDS instance stopped.

Error class 3 — Timeout (network layer, silent drop)

Error: connect ETIMEDOUT
Operational Error: could not connect to server: Connection timed out
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

A timeout means packets are being dropped silently — the SYN goes out but no SYN-ACK returns. This points to a network ACL, route table, or the instance being in a private subnet with no return path.

Step 1: Confirm the Endpoint and Port Are Reachable

Before changing any AWS configuration, verify the network path from the machine that is failing.

# Replace with your actual RDS endpoint
RDS_HOST="mydb.xxxx.us-east-1.rds.amazonaws.com"
RDS_PORT=5432  # 3306 for MySQL, 5432 for PostgreSQL, 1433 for MSSQL

# Quick TCP check (available everywhere)
nc -zv $RDS_HOST $RDS_PORT

# Or with nmap for more detail
nmap -p $RDS_PORT $RDS_HOST

# Traceroute to see where packets die
traceroute -T -p $RDS_PORT $RDS_HOST

If nc returns Connection refused immediately → security group or ACL is blocking (go to Step 3)
If nc hangs for 30+ seconds then times out → route or ACL drop (go to Step 4)
If nc returns Connection to ... succeeded → credentials or SSL problem (go to Step 5)

Step 2: Check RDS Instance State

An RDS instance that is stopped, rebooting, or in a failed state will not accept connections regardless of network config.

# Using AWS CLI
aws rds describe-db-instances \
  --db-instance-identifier YOUR_DB_ID \
  --query 'DBInstances[0].{Status:DBInstanceStatus,Endpoint:Endpoint,MultiAZ:MultiAZ}'

# Expected output for a healthy instance:
# {
#   "Status": "available",
#   "Endpoint": { "Address": "...", "Port": 5432 },
#   "MultiAZ": false
# }

If status is modifying, rebooting, storage-full, or incompatible-parameters, fix that first. A storage-full instance will refuse all writes and many connections.

Step 3: Fix Security Group Inbound Rules (Most Common Fix)

This resolves ~60% of RDS connection failures. Every RDS instance needs an inbound rule on its security group allowing traffic on the DB port from your source IP, security group, or CIDR.

# Find the security group attached to your RDS instance
SG_ID=$(aws rds describe-db-instances \
  --db-instance-identifier YOUR_DB_ID \
  --query 'DBInstances[0].VpcSecurityGroups[0].VpcSecurityGroupId' \
  --output text)

# Check current inbound rules
aws ec2 describe-security-groups \
  --group-ids $SG_ID \
  --query 'SecurityGroups[0].IpPermissions'

# Add a rule allowing your application security group (preferred over CIDR)
aws ec2 authorize-security-group-ingress \
  --group-id $SG_ID \
  --protocol tcp \
  --port 5432 \
  --source-group sg-0123456789abcdef0  # your app server's SG ID

# OR allow a specific CIDR (less preferred, use for dev/debugging)
aws ec2 authorize-security-group-ingress \
  --group-id $SG_ID \
  --protocol tcp \
  --port 5432 \
  --cidr 10.0.0.0/16

Key principle: Never add 0.0.0.0/0 as an inbound rule for a database port. Reference security groups by ID, not CIDR blocks, for application-to-database rules.

Step 4: Debug Network ACLs and Route Tables for Timeout Errors

Network ACLs are stateless — you need both an inbound rule AND an outbound rule for ephemeral ports (1024-65535) for return traffic to flow. This is the most commonly missed configuration.

# Get the subnet your RDS instance is in
SUBNET_ID=$(aws rds describe-db-instances \
  --db-instance-identifier YOUR_DB_ID \
  --query 'DBInstances[0].DBSubnetGroup.Subnets[0].SubnetIdentifier' \
  --output text)

# Find the NACL associated with that subnet
aws ec2 describe-network-acls \
  --filters "Name=association.subnet-id,Values=$SUBNET_ID" \
  --query 'NetworkAcls[0].{Inbound:Entries[?Egress==`false`],Outbound:Entries[?Egress==`true`]}'

For a private RDS subnet, you need:

Inbound: Allow TCP port 5432 (or 3306) from application subnet CIDR
Outbound: Allow TCP ports 1024-65535 to application subnet CIDR (ephemeral/return traffic)

If your RDS is in a private subnet without internet access, also verify the route table has a route to a NAT Gateway or VPC endpoint for AWS service calls your application may make.

Step 5: Fix Access Denied — DB Credentials and IAM Auth

5a. Password authentication failures

Reset the master password via CLI or console if you are locked out:

aws rds modify-db-instance \
  --db-instance-identifier YOUR_DB_ID \
  --master-user-password 'NewSecurePassword123!' \
  --apply-immediately

# Wait for the modification to complete
aws rds wait db-instance-available --db-instance-identifier YOUR_DB_ID

For application user passwords, connect as the master user and reset:

-- PostgreSQL
ALTER USER app_user WITH PASSWORD 'new_password';

-- MySQL
ALTER USER 'app_user'@'%' IDENTIFIED BY 'new_password';
FLUSH PRIVILEGES;

5b. IAM database authentication (token expiry)

IAM auth tokens expire after 15 minutes. If your application is caching the token, you will see periodic access denied errors that resolve and recur.

# Generate a fresh IAM auth token
aws rds generate-db-auth-token \
  --hostname mydb.xxxx.us-east-1.rds.amazonaws.com \
  --port 5432 \
  --region us-east-1 \
  --username app_user

# The IAM role executing the above needs rds-db:connect permission:
# {
#   "Effect": "Allow",
#   "Action": "rds-db:connect",
#   "Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:db-XXXXXXXXXX/app_user"
# }

Step 6: SSL Certificate Issues

AWS rotated the RDS CA certificate in 2023 (rds-ca-rsa2048-g1). If your client still has the old certificate bundle, SSL handshakes will fail with:

SSL SYSCALL error: EOF detected
certificate verify failed: unable to get local issuer certificate

# Download the global bundle covering all regions and CAs
wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem -O /etc/ssl/certs/rds-global-bundle.pem

# PostgreSQL connection with updated cert
psql "host=$RDS_HOST port=5432 dbname=mydb user=app_user \
      sslmode=verify-full sslrootcert=/etc/ssl/certs/rds-global-bundle.pem"

# MySQL connection with updated cert
mysql -h $RDS_HOST -P 3306 -u app_user -p \
      --ssl-ca=/etc/ssl/certs/rds-global-bundle.pem

Step 7: Publicly Accessible Flag for External Connections

If you are connecting from outside the VPC (local development, GitHub Actions, external monitoring), the instance must have PubliclyAccessible=true AND a security group rule allowing your external IP.

# Enable public accessibility
aws rds modify-db-instance \
  --db-instance-identifier YOUR_DB_ID \
  --publicly-accessible \
  --apply-immediately

# Get your current public IP and add it
MY_IP=$(curl -s https://checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress \
  --group-id $SG_ID \
  --protocol tcp \
  --port 5432 \
  --cidr "${MY_IP}/32"

Warning: For production databases, prefer a bastion host, AWS Systems Manager Session Manager port forwarding, or VPN over setting PubliclyAccessible=true.

Systematic Diagnostic Flowchart

Can you resolve the DNS name? → nslookup mydb.xxxx.us-east-1.rds.amazonaws.com — if NXDOMAIN, the endpoint is wrong
Is the instance available? → Check via CLI or console
Does nc -zv succeed? → If refused: security group. If timeout: NACL/route table
Can the master user connect? → If yes, problem is with app user grants; if no, check SSL or password
Is access denied happening periodically? → IAM token expiry; implement token refresh in connection pool
Does it fail only for writes? → Check if instance is storage-full or read replica is being used for writes

Frequently Asked Questions

bash

#!/usr/bin/env bash
# rds-diagnose.sh — RDS connection troubleshooting script
# Usage: RDS_HOST=mydb.xxx.us-east-1.rds.amazonaws.com RDS_PORT=5432 DB_ID=mydb ./rds-diagnose.sh

set -euo pipefail

RDS_HOST="${RDS_HOST:?Set RDS_HOST}"
RDS_PORT="${RDS_PORT:-5432}"
DB_ID="${DB_ID:?Set DB_ID}"
REGION="${AWS_DEFAULT_REGION:-us-east-1}"

echo "=== 1. RDS INSTANCE STATUS ==="
aws rds describe-db-instances \
  --db-instance-identifier "$DB_ID" \
  --region "$REGION" \
  --query 'DBInstances[0].{Status:DBInstanceStatus,Engine:Engine,MultiAZ:MultiAZ,PubliclyAccessible:PubliclyAccessible,StorageSpace:AllocatedStorage,FreeStorage:FreeStorageSpace}' \
  --output table 2>/dev/null || echo "ERROR: Could not describe instance — check DB_ID and IAM permissions"

echo ""
echo "=== 2. DNS RESOLUTION ==="
nslookup "$RDS_HOST" || echo "FAIL: DNS resolution failed — check endpoint spelling"

echo ""
echo "=== 3. TCP CONNECTIVITY (timeout=5s) ==="
if nc -zv -w 5 "$RDS_HOST" "$RDS_PORT" 2>&1; then
  echo "PASS: TCP port $RDS_PORT is open"
else
  EXIT=$?
  if [ $EXIT -eq 1 ]; then
    echo "FAIL: Connection refused — check security group inbound rules"
  else
    echo "FAIL: Connection timed out — check NACLs, route tables, and VPC peering"
  fi
fi

echo ""
echo "=== 4. SECURITY GROUP RULES ==="
SG_ID=$(aws rds describe-db-instances \
  --db-instance-identifier "$DB_ID" \
  --region "$REGION" \
  --query 'DBInstances[0].VpcSecurityGroups[0].VpcSecurityGroupId' \
  --output text 2>/dev/null)
echo "RDS Security Group: $SG_ID"
aws ec2 describe-security-groups \
  --group-ids "$SG_ID" \
  --region "$REGION" \
  --query 'SecurityGroups[0].IpPermissions[?FromPort==`'"$RDS_PORT"'`]' \
  --output table 2>/dev/null || echo "Could not retrieve SG rules"

echo ""
echo "=== 5. RECENT RDS EVENTS (last 24h) ==="
aws rds describe-events \
  --source-identifier "$DB_ID" \
  --source-type db-instance \
  --duration 1440 \
  --region "$REGION" \
  --query 'Events[*].{Time:Date,Message:Message}' \
  --output table 2>/dev/null | tail -20

echo ""
echo "=== 6. CLOUDWATCH — DB CONNECTIONS (last 10 min) ==="
aws cloudwatch get-metric-statistics \
  --namespace AWS/RDS \
  --metric-name DatabaseConnections \
  --dimensions Name=DBInstanceIdentifier,Value="$DB_ID" \
  --start-time "$(date -u -d '10 minutes ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-10M +%Y-%m-%dT%H:%M:%SZ)" \
  --end-time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
  --period 60 \
  --statistics Maximum \
  --region "$REGION" \
  --query 'sort_by(Datapoints, &Timestamp)[-3:].{Time:Timestamp,Connections:Maximum}' \
  --output table 2>/dev/null

echo ""
echo "=== DONE ==="
echo "Next steps:"
echo "  - If TCP failed: add inbound rule to SG $SG_ID for port $RDS_PORT"
echo "  - If timeout: check NACL on RDS subnet (needs ephemeral outbound 1024-65535)"
echo "  - If TCP OK but login fails: test with master user via psql/mysql client directly"
echo "  - If connections near max: deploy RDS Proxy or PgBouncer connection pooling"

Error Medic Editorial

The Error Medic Editorial team is composed of senior DevOps and SRE engineers with hands-on experience managing large-scale AWS infrastructure. Our troubleshooting guides are written and reviewed by practitioners who have encountered these errors in production, ensuring every step is tested and actionable.

Sources

Quickly diagnose and resolve the AWS RDS Storage Full error. Learn how to clear transaction logs, resize storage, and prevent future outages.

Troubleshooting "AWS RDS Access Denied", "Connection Refused", and Timeouts

Fix AWS RDS connection errors including Access Denied, Connection Refused, and Timeouts. A complete guide to Security Groups, IAM auth, VPC routing, and credent

AWS CloudFront 403 Forbidden: Complete Troubleshooting Guide (Rate Limits, Timeouts & Fixes)

Fix AWS CloudFront 403 Forbidden errors fast. Step-by-step diagnosis covering S3 OAC misconfig, WAF blocks, geo-restrictions, signed URL expiry, and rate limits

AWS ECS 502 Bad Gateway: Complete Troubleshooting Guide

Fix AWS ECS 502 Bad Gateway errors fast. Covers health check misconfig, security group blocks, port mismatches, and timeout issues with exact CLI commands.