

# Authorizing Amazon Aurora MySQL to access other AWS services on your behalf
<a name="AuroraMySQL.Integrating.Authorizing"></a>

For your Aurora MySQL DB cluster to access other services on your behalf, create and configure an AWS Identity and Access Management (IAM) role. This role authorizes database users in your DB cluster to access other AWS services. For more information, see [Setting up IAM roles to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.md).

You must also configure your Aurora DB cluster to allow outbound connections to the target AWS service. For more information, see [Enabling network communication from Amazon Aurora to other AWS services](AuroraMySQL.Integrating.Authorizing.Network.md).

If you do so, your database users can perform these actions using other AWS services:
+ Synchronously or asynchronously invoke an AWS Lambda function using the native functions `lambda_sync` or `lambda_async`. Or, asynchronously invoke an AWS Lambda function using the `mysql.lambda_async` procedure. For more information, see [Invoking a Lambda function with an Aurora MySQL native function](AuroraMySQL.Integrating.NativeLambda.md).
+ Load data from text or XML files stored in an Amazon S3 bucket into your DB cluster by using the `LOAD DATA FROM S3` or `LOAD XML FROM S3` statement. For more information, see [Loading data into an Amazon Aurora MySQL DB cluster from text files in an Amazon S3 bucket](AuroraMySQL.Integrating.LoadFromS3.md).
+ Save data from your DB cluster into text files stored in an Amazon S3 bucket by using the `SELECT INTO OUTFILE S3` statement. For more information, see [Saving data from an Amazon Aurora MySQL DB cluster into text files in an Amazon S3 bucket](AuroraMySQL.Integrating.SaveIntoS3.md).
+ Export log data to Amazon CloudWatch Logs. For more information, see [Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs](AuroraMySQL.Integrating.CloudWatch.md).
+ Automatically add or remove Aurora Replicas with Application Auto Scaling. For more information, see [Amazon Aurora Auto Scaling with Aurora Replicas](Aurora.Integrating.AutoScaling.md).

# Setting up IAM roles to access AWS services
<a name="AuroraMySQL.Integrating.Authorizing.IAM"></a>

To permit your Aurora DB cluster to access another AWS service, do the following:

1. Create an IAM policy that grants permission to the AWS service. For more information, see the following topics.
   + [Creating an IAM policy to access Amazon S3 resources](AuroraMySQL.Integrating.Authorizing.IAM.S3CreatePolicy.md)
   + [Creating an IAM policy to access AWS Lambda resources](AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy.md)
   + [Creating an IAM policy to access CloudWatch Logs resources](AuroraMySQL.Integrating.Authorizing.IAM.CWCreatePolicy.md)
   + [Creating an IAM policy to access AWS KMS resources](AuroraMySQL.Integrating.Authorizing.IAM.KMSCreatePolicy.md)

1. Create an IAM role and attach the policy that you created. For more information, see [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).

1. Associate that IAM role with your Aurora DB cluster. For more information, see [Associating an IAM role with an Amazon Aurora MySQL DB cluster](AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.md).

# Creating an IAM policy to access Amazon S3 resources
<a name="AuroraMySQL.Integrating.Authorizing.IAM.S3CreatePolicy"></a>

Aurora can access Amazon S3 resources to either load data to or save data from an Aurora DB cluster. However, you must first create an IAM policy that provides the bucket and object permissions that allow Aurora to access Amazon S3.

The following table lists the Aurora features that can access an Amazon S3 bucket on your behalf, and the minimum bucket and object permissions required by each feature.


| Feature | Bucket permissions | Object permissions |
| --- | --- | --- |
| `LOAD DATA FROM S3` | `ListBucket` | `GetObject`, `GetObjectVersion` |
| `LOAD XML FROM S3` | `ListBucket` | `GetObject`, `GetObjectVersion` |
| `SELECT INTO OUTFILE S3` | `ListBucket` | `AbortMultipartUpload`, `DeleteObject`, `GetObject`, `ListMultipartUploadParts`, `PutObject` |

The following policy adds the permissions that might be required by Aurora to access an Amazon S3 bucket on your behalf. 

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAuroraToExampleBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/*",
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ]
        }
    ]
}
```

------

**Note**  
 Make sure to include both entries for the `Resource` value. Aurora needs the permissions on both the bucket itself and all the objects inside the bucket.   
Based on your use case, you might not need to add all of the permissions in the sample policy. Also, other permissions might be required. For example, if your Amazon S3 bucket is encrypted, you need to add `kms:Decrypt` permissions.
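The table and the note above make two points that are easy to get wrong by hand: each feature needs only a subset of the seven actions in the sample policy, and the object actions must be granted on `bucket/*` while `ListBucket` must be granted on the bucket itself. The following added example (not code from the AWS documentation) builds a policy from the feature table and checks an existing policy document for the two `Resource` entries and for wildcards that widen the grant beyond one bucket. The function names, the feature keys and the `prefix` option are this example's own; the bucket name is the page's placeholder.

```python
"""Least-privilege S3 policy builder and checker for Aurora MySQL.

Added example, not code from the AWS documentation. The action names and the
bucket/object split come from the feature table above; the function names,
the feature keys and the prefix option are this example's own.
"""
import json

# Minimum permissions per feature, transcribed from the table above.
FEATURE_PERMISSIONS = {
    "LOAD DATA FROM S3": {
        "bucket": {"s3:ListBucket"},
        "object": {"s3:GetObject", "s3:GetObjectVersion"},
    },
    "LOAD XML FROM S3": {
        "bucket": {"s3:ListBucket"},
        "object": {"s3:GetObject", "s3:GetObjectVersion"},
    },
    "SELECT INTO OUTFILE S3": {
        "bucket": {"s3:ListBucket"},
        "object": {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                   "s3:ListMultipartUploadParts", "s3:PutObject"},
    },
}

MISSING_BUCKET = "missing bucket ARN: ListBucket must be granted on the bucket itself"
MISSING_OBJECTS = "missing object ARN: object actions must be granted on bucket/*"
ALL_BUCKETS = "resource wildcard grants access to every bucket in the account"
WILDCARD_ACTION = "wildcard action grants more than the feature table requires"


def build_policy(bucket, features, prefix="", kms_key_arn=None):
    """Return a policy document granting only what `features` need on `bucket`.

    Bucket-level actions go on the bucket ARN and object-level actions on the
    object ARN (optionally narrowed to `prefix`), so both Resource entries the
    note above asks for are always present. If the bucket is encrypted with a
    KMS key, pass its ARN to add the kms:Decrypt permission the note mentions.
    """
    bucket_actions, object_actions = set(), set()
    for feature in features:
        perms = FEATURE_PERMISSIONS[feature]  # KeyError on an unknown feature is intended
        bucket_actions |= perms["bucket"]
        object_actions |= perms["object"]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "AuroraBucketAccess", "Effect": "Allow",
         "Action": sorted(bucket_actions), "Resource": bucket_arn},
        {"Sid": "AuroraObjectAccess", "Effect": "Allow",
         "Action": sorted(object_actions), "Resource": f"{bucket_arn}/{prefix}*"},
    ]
    if kms_key_arn:
        statements.append({"Sid": "AuroraDecryptBucketKey", "Effect": "Allow",
                           "Action": ["kms:Decrypt"], "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_policy(policy, bucket):
    """Return findings for a policy meant to give Aurora access to `bucket`.

    An empty list means both Resource entries are present and no wildcard
    widens the grant beyond that one bucket.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources, actions = set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources.update(_as_list(stmt.get("Resource")))
        actions.update(_as_list(stmt.get("Action")))
    findings = []
    if bucket_arn not in resources:
        findings.append(MISSING_BUCKET)
    if not any(r.startswith(bucket_arn + "/") for r in resources):
        findings.append(MISSING_OBJECTS)
    if resources & {"*", "arn:aws:s3:::*"}:
        findings.append(ALL_BUCKETS)
    if actions & {"*", "s3:*"}:
        findings.append(WILDCARD_ACTION)
    return findings


if __name__ == "__main__":
    # A cluster that only loads data needs three actions, not the seven in the sample.
    policy = build_policy("amzn-s3-demo-bucket", ["LOAD DATA FROM S3"], prefix="imports/")
    print(json.dumps(policy, indent=2))
    print("findings:", check_policy(policy, "amzn-s3-demo-bucket"))
```

Running the module prints a read-only policy scoped to one prefix, with no findings; feeding `check_policy` a statement that names only `bucket/*` reproduces the mistake the note warns about.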

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access an Amazon S3 bucket on your behalf. To allow Aurora to access all of your Amazon S3 buckets, you can skip these steps and use either the `AmazonS3ReadOnlyAccess` or `AmazonS3FullAccess` predefined IAM policy instead of creating your own.

**To create an IAM policy to grant access to your Amazon S3 resources**

1. Open the [IAM Management Console](https://console.aws.amazon.com/iam/home?#home).

1. In the navigation pane, choose **Policies**.

1. Choose **Create policy**.

1. On the **Visual editor** tab, choose **Choose a service**, and then choose **S3**.

1. For **Actions**, choose **Expand all**, and then choose the bucket permissions and object permissions needed for the IAM policy.

   Object permissions are permissions for object operations in Amazon S3, and need to be granted for objects in a bucket, not the bucket itself. For more information about permissions for object operations in Amazon S3, see [Permissions for object operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-objects).

1. Choose **Resources**, and choose **Add ARN** for **bucket**.

1. In the **Add ARN(s)** dialog box, provide the details about your resource, and choose **Add**.

   Specify the Amazon S3 bucket to allow access to. For instance, if you want to allow Aurora to access the Amazon S3 bucket named *amzn-s3-demo-bucket*, then set the Amazon Resource Name (ARN) value to `arn:aws:s3:::amzn-s3-demo-bucket`.

1. If the **object** resource is listed, choose **Add ARN** for **object**.

1. In the **Add ARN(s)** dialog box, provide the details about your resource.

   For the Amazon S3 bucket, specify the Amazon S3 bucket to allow access to. For the object, you can choose **Any** to grant permissions to any object in the bucket.
**Note**  
You can set **Amazon Resource Name (ARN)** to a more specific ARN value in order to allow Aurora to access only specific files or folders in an Amazon S3 bucket. For more information about how to define an access policy for Amazon S3, see [Managing access permissions to your Amazon S3 resources](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html).

1. (Optional) Choose **Add ARN** for **bucket** to add another Amazon S3 bucket to the policy, and repeat the previous steps for the bucket.
**Note**  
You can repeat this to add corresponding bucket permission statements to your policy for each Amazon S3 bucket that you want Aurora to access. Optionally, you can also grant access to all buckets and objects in Amazon S3.

1. Choose **Review policy**.

1. For **Name**, enter a name for your IAM policy, for example `AllowAuroraToExampleBucket`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.

1. Choose **Create policy**.

1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).

# Creating an IAM policy to access AWS Lambda resources
<a name="AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy"></a>

You can create an IAM policy that provides the minimum required permissions for Aurora to invoke an AWS Lambda function on your behalf.

The following policy adds the permissions required by Aurora to invoke an AWS Lambda function on your behalf.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAuroraToExampleFunction",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example_function"
    }
  ]
}
```

------

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to invoke an AWS Lambda function on your behalf. To allow Aurora to invoke all of your AWS Lambda functions, you can skip these steps and use the predefined `AWSLambdaRole` policy instead of creating your own.

**To create an IAM policy to grant permission to invoke your AWS Lambda functions**

1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).

1. In the navigation pane, choose **Policies**.

1. Choose **Create policy**.

1. On the **Visual editor** tab, choose **Choose a service**, and then choose **Lambda**.

1. For **Actions**, choose **Expand all**, and then choose the AWS Lambda permissions needed for the IAM policy.

   Ensure that `InvokeFunction` is selected. It is the minimum required permission to enable Amazon Aurora to invoke an AWS Lambda function.

1. Choose **Resources** and choose **Add ARN** for **function**.

1. In the **Add ARN(s)** dialog box, provide the details about your resource.

   Specify the Lambda function to allow access to. For instance, if you want to allow Aurora to access a Lambda function named `example_function`, then set the ARN value to `arn:aws:lambda:::function:example_function`. 

   For more information on how to define an access policy for AWS Lambda, see [Authentication and access control for AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/lambda-auth-and-access-control.html).

1. Optionally, choose **Add additional permissions** to add another AWS Lambda function to the policy, and repeat the previous steps for the function.
**Note**  
You can repeat this to add corresponding function permission statements to your policy for each AWS Lambda function that you want Aurora to access.

1. Choose **Review policy**.

1. Set **Name** to a name for your IAM policy, for example `AllowAuroraToExampleFunction`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.

1. Choose **Create policy**.

1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).

# Creating an IAM policy to access CloudWatch Logs resources
<a name="AuroraMySQL.Integrating.Authorizing.IAM.CWCreatePolicy"></a>

Aurora can access CloudWatch Logs to export audit log data from an Aurora DB cluster. However, you must first create an IAM policy that provides the log group and log stream permissions that allow Aurora to access CloudWatch Logs. 

The following policy adds the permissions required by Aurora to access Amazon CloudWatch Logs on your behalf, and the minimum required permissions to create log groups and export data. 

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogEvents",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*"
        },
        {
            "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroupsAndStreams",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutRetentionPolicy",
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/rds/*"
        }
    ]
}
```

------

You can modify the ARNs in the policy to restrict access to a specific AWS Region and account.

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access CloudWatch Logs on your behalf. To allow Aurora full access to CloudWatch Logs, you can skip these steps and use the `CloudWatchLogsFullAccess` predefined IAM policy instead of creating your own. For more information, see [Using identity-based policies (IAM policies) for CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-identity-based-access-control-cwl.html#managed-policies-cwl) in the *Amazon CloudWatch User Guide*.

**To create an IAM policy to grant access to your CloudWatch Logs resources**

1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).

1. In the navigation pane, choose **Policies**.

1. Choose **Create policy**.

1. On the **Visual editor** tab, choose **Choose a service**, and then choose **CloudWatch Logs**.

1. For **Actions**, choose **Expand all** (on the right), and then choose the Amazon CloudWatch Logs permissions needed for the IAM policy.

   Ensure that the following permissions are selected:
   + `CreateLogGroup`
   + `CreateLogStream`
   + `DescribeLogStreams`
   + `GetLogEvents`
   + `PutLogEvents`
   + `PutRetentionPolicy`

1. Choose **Resources** and choose **Add ARN** for **log-group**.

1. In the **Add ARN(s)** dialog box, enter the following values:
   + **Region** – An AWS Region or `*`
   + **Account** – An account number or `*`
   + **Log Group Name** – `/aws/rds/*`

1. In the **Add ARN(s)** dialog box, choose **Add**.

1. Choose **Add ARN** for **log-stream**.

1. In the **Add ARN(s)** dialog box, enter the following values:
   + **Region** – An AWS Region or `*`
   + **Account** – An account number or `*`
   + **Log Group Name** – `/aws/rds/*`
   + **Log Stream Name** – `*`

1. In the **Add ARN(s)** dialog box, choose **Add**.

1. Choose **Review policy**.

1. Set **Name** to a name for your IAM policy, for example `AmazonRDSCloudWatchLogs`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.

1. Choose **Create policy**.

1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).

# Creating an IAM policy to access AWS KMS resources
<a name="AuroraMySQL.Integrating.Authorizing.IAM.KMSCreatePolicy"></a>

Aurora can access the AWS KMS keys used for encrypting its database backups. However, you must first create an IAM policy that provides the permissions that allow Aurora to access those KMS keys.

The following policy adds the permissions required by Aurora to access KMS keys on your behalf.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAuroraToAccessKey",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-ID"
    }
  ]
}
```

------

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access KMS keys on your behalf.

**To create an IAM policy to grant access to your KMS keys**

1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).

1. In the navigation pane, choose **Policies**.

1. Choose **Create policy**.

1. On the **Visual editor** tab, choose **Choose a service**, and then choose **KMS**.

1. For **Actions**, choose **Write**, and then choose **Decrypt**.

1. Choose **Resources**, and choose **Add ARN**.

1. In the **Add ARN(s)** dialog box, enter the following values:
   + **Region** – Type the AWS Region, such as `us-west-2`.
   + **Account** – Type the user account number.
   + **Log Stream Name** – Type the KMS key identifier.

1. In the **Add ARN(s)** dialog box, choose **Add**.

1. Choose **Review policy**.

1. Set **Name** to a name for your IAM policy, for example `AmazonRDSKMSKey`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.

1. Choose **Create policy**.

1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).

# Creating an IAM role to allow Amazon Aurora to access AWS services
<a name="AuroraMySQL.Integrating.Authorizing.IAM.CreateRole"></a>

After creating an IAM policy to allow Aurora to access AWS resources, you must create an IAM role and attach the IAM policy to the new IAM role.

To create an IAM role to permit your Amazon RDS cluster to communicate with other AWS services on your behalf, take the following steps.<a name="Create.IAMRole.AWSServices"></a>

**To create an IAM role to allow Amazon RDS to access AWS services**

1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).

1. In the navigation pane, choose **Roles**.

1. Choose **Create role**.

1. Under **AWS service**, choose **RDS**.

1. Under **Select your use case**, choose **RDS – Add Role to Database**.

1. Choose **Next**.

1. On the **Permissions policies** page, enter the name of your policy in the **Search** field.

1. When it appears in the list, select the policy that you defined earlier using the instructions in one of the following sections:
   + [Creating an IAM policy to access Amazon S3 resources](AuroraMySQL.Integrating.Authorizing.IAM.S3CreatePolicy.md)
   + [Creating an IAM policy to access AWS Lambda resources](AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy.md)
   + [Creating an IAM policy to access CloudWatch Logs resources](AuroraMySQL.Integrating.Authorizing.IAM.CWCreatePolicy.md)
   + [Creating an IAM policy to access AWS KMS resources](AuroraMySQL.Integrating.Authorizing.IAM.KMSCreatePolicy.md)

1. Choose **Next**.

1. In **Role name**, enter a name for your IAM role, for example `RDSLoadFromS3`. You can also add an optional **Description** value.

1. Choose **Create Role**.

1. Complete the steps in [Associating an IAM role with an Amazon Aurora MySQL DB cluster](AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.md).

# Associating an IAM role with an Amazon Aurora MySQL DB cluster
<a name="AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster"></a>

To permit database users in an Amazon Aurora DB cluster to access other AWS services, you associate the IAM role that you created in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md) with that DB cluster. You can also have AWS create a new IAM role by associating the service directly.

To associate an IAM role with a DB cluster, you do two things:

1. Add the role to the list of associated roles for a DB cluster by using the RDS console, the [add-role-to-db-cluster](https://docs.aws.amazon.com/cli/latest/reference/rds/add-role-to-db-cluster.html) AWS CLI command, or the [AddRoleToDBCluster](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_AddRoleToDBCluster.html) RDS API operation.

   You can add a maximum of five IAM roles for each Aurora DB cluster.

1. Set the cluster-level parameter for the related AWS service to the ARN for the associated IAM role.

   The following table describes the cluster-level parameter names for the IAM roles used to access other AWS services.    
<a name="aurora_cluster_params_iam_roles"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.html)

To associate an IAM role to permit your Amazon RDS cluster to communicate with other AWS services on your behalf, take the following steps.

## Console
<a name="AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.CON"></a>

**To associate an IAM role with an Aurora DB cluster using the console**

1. Open the RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. Choose **Databases**.

1. Choose the name of the Aurora DB cluster that you want to associate an IAM role with to show its details.

1. On the **Connectivity & security** tab, in the **Manage IAM roles** section, do one of the following:
   + **Select IAM roles to add to this cluster** (default)
   + **Select a service to connect to this cluster**  
![\[Associate an IAM role with a DB cluster\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/AuroraAssociateIAMRole-02.png)

1. To use an existing IAM role, choose it from the menu, then choose **Add role**.

   If adding the role is successful, its status shows as `Pending`, then `Available`.

1. To connect a service directly:

   1. Choose **Select a service to connect to this cluster**.

   1. Choose the service from the menu, then choose **Connect service**.

   1. For **Connect cluster to *Service Name***, enter the Amazon Resource Name (ARN) to use to connect to the service, then choose **Connect service**.

   AWS creates a new IAM role for connecting to the service. Its status shows as `Pending`, then `Available`.

1. (Optional) To stop associating an IAM role with a DB cluster and remove the related permission, choose the role and then choose **Delete**.

**To set the cluster-level parameter for the associated IAM role**

1. In the RDS console, choose **Parameter groups** in the navigation pane.

1. If you are already using a custom DB parameter group, you can select that group to use instead of creating a new DB cluster parameter group. If you are using the default DB cluster parameter group, create a new DB cluster parameter group, as described in the following steps:

   1. Choose **Create parameter group**.

   1. For **Parameter group family**, choose `aurora-mysql8.0` for an Aurora MySQL 8.0-compatible DB cluster, or `aurora-mysql5.7` for an Aurora MySQL 5.7-compatible DB cluster.

   1. For **Type**, choose **DB Cluster Parameter Group**. 

   1. For **Group name**, type the name of your new DB cluster parameter group.

   1. For **Description**, type a description for your new DB cluster parameter group.  
![\[Create a DB cluster parameter group\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/AuroraAssociateIAMRole-03.png)

   1. Choose **Create**. 

1. On the **Parameter groups** page, select your DB cluster parameter group and choose **Edit** for **Parameter group actions**.

1. Set the appropriate cluster-level [parameters](#aurora_cluster_params_iam_roles) to the related IAM role ARN values.

   For example, you can set just the `aws_default_s3_role` parameter to `arn:aws:iam::123456789012:role/AllowS3Access`.

1. Choose **Save changes**.

1. To change the DB cluster parameter group for your DB cluster, complete the following steps:

   1. Choose **Databases**, and then choose your Aurora DB cluster.

   1. Choose **Modify**.

   1. Scroll to **Database options** and set **DB cluster parameter group** to the DB cluster parameter group.

   1. Choose **Continue**.

   1. Verify your changes and then choose **Apply immediately**.

   1. Choose **Modify cluster**.

   1. Choose **Databases**, and then choose the primary instance for your DB cluster.

   1. For **Actions**, choose **Reboot**.

      When the instance has rebooted, your IAM role is associated with your DB cluster.

      For more information about cluster parameter groups, see [Aurora MySQL configuration parameters](AuroraMySQL.Reference.ParameterGroups.md).

## CLI
<a name="AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.CLI"></a>

**To associate an IAM role with a DB cluster by using the AWS CLI**

1. Call the `add-role-to-db-cluster` command from the AWS CLI to add the ARNs for your IAM roles to the DB cluster, as shown following. 

   ```
   PROMPT> aws rds add-role-to-db-cluster --db-cluster-identifier my-cluster --role-arn arn:aws:iam::123456789012:role/AllowAuroraS3Role
   PROMPT> aws rds add-role-to-db-cluster --db-cluster-identifier my-cluster --role-arn arn:aws:iam::123456789012:role/AllowAuroraLambdaRole
   ```

1. If you are using the default DB cluster parameter group, create a new DB cluster parameter group. If you are already using a custom DB parameter group, you can use that group instead of creating a new DB cluster parameter group.

   To create a new DB cluster parameter group, call the `create-db-cluster-parameter-group` command from the AWS CLI, as shown following.

   ```
   PROMPT> aws rds create-db-cluster-parameter-group --db-cluster-parameter-group-name AllowAWSAccess \
        --db-parameter-group-family aurora-mysql5.7 --description "Allow access to Amazon S3 and AWS Lambda"
   ```

   For an Aurora MySQL 5.7-compatible DB cluster, specify `aurora-mysql5.7` for `--db-parameter-group-family`. For an Aurora MySQL 8.0-compatible DB cluster, specify `aurora-mysql8.0` for `--db-parameter-group-family`.

1. Set the appropriate cluster-level parameter or parameters and the related IAM role ARN values in your DB cluster parameter group, as shown following. 

   ```
   PROMPT> aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name AllowAWSAccess \
       --parameters "ParameterName=aws_default_s3_role,ParameterValue=arn:aws:iam::123456789012:role/AllowAuroraS3Role,ApplyMethod=pending-reboot" \
                    "ParameterName=aws_default_lambda_role,ParameterValue=arn:aws:iam::123456789012:role/AllowAuroraLambdaRole,ApplyMethod=pending-reboot"
   ```

1. Modify the DB cluster to use the new DB cluster parameter group and then reboot the cluster, as shown following.

   ```
   PROMPT> aws rds modify-db-cluster --db-cluster-identifier my-cluster --db-cluster-parameter-group-name AllowAWSAccess
   PROMPT> aws rds reboot-db-instance --db-instance-identifier my-cluster-primary
   ```

   When the instance has rebooted, your IAM roles are associated with your DB cluster.

   For more information about cluster parameter groups, see [Aurora MySQL configuration parameters](AuroraMySQL.Reference.ParameterGroups.md).
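The association and the parameter-group setting are two separate pieces of state, and a feature silently fails when they disagree: a role that is still `PENDING`, a parameter that names a role the cluster does not have, or a parameter change that is waiting on a reboot. The following added example (not code from the AWS documentation or the AWS CLI) cross-checks the two against constructed inputs shaped like the fields of `describe-db-clusters` and `describe-db-cluster-parameters` that matter here. The function names are this example's own; the five-role limit and the `aws_default_s3_role` / `aws_default_lambda_role` parameter names come from the text above, and treating every `aws_default_*_role` parameter alike is an assumption.

```python
"""Audit the wiring between a cluster's associated IAM roles and its
DB cluster parameter group.

Added example, not from the AWS documentation. Inputs are constructed dicts
shaped like the relevant fields of `aws rds describe-db-clusters` and
`aws rds describe-db-cluster-parameters`; the function names are this
example's own.
"""
import re

MAX_ROLES_PER_CLUSTER = 5  # limit stated in the text above
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _is_role_parameter(name):
    # The page names aws_default_s3_role and aws_default_lambda_role; treating
    # every aws_default_*_role parameter the same way is an assumption.
    return name.startswith("aws_default_") and name.endswith("_role")


def audit_cluster_roles(cluster, parameters):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    roles = cluster.get("AssociatedRoles", [])
    if len(roles) > MAX_ROLES_PER_CLUSTER:
        findings.append(f"{len(roles)} roles associated; the limit is {MAX_ROLES_PER_CLUSTER}")

    # The API reports ACTIVE / PENDING / INVALID (the console shows Pending and
    # Available); only an ACTIVE role can be used by the engine.
    active = set()
    for role in roles:
        if role.get("Status") == "ACTIVE":
            active.add(role["RoleArn"])
        else:
            findings.append(f"role {role['RoleArn']} has status {role.get('Status')}, not ACTIVE")

    for param in parameters:
        name = param.get("ParameterName", "")
        value = param.get("ParameterValue")
        if not _is_role_parameter(name) or not value:
            continue  # not a role parameter, or the feature is not enabled
        if not ROLE_ARN_RE.match(value):
            findings.append(f"{name} is not an IAM role ARN: {value}")
        elif value not in active:
            findings.append(f"{name} points to {value}, which is not an ACTIVE associated role")

    # A pending-reboot parameter change applies only after the instance reboots;
    # describe-db-clusters exposes that state per cluster member.
    for member in cluster.get("DBClusterMembers", []):
        status = member.get("DBClusterParameterGroupStatus")
        if status and status != "in-sync":
            findings.append(f"instance {member['DBInstanceIdentifier']} has parameter group "
                            f"status {status}; reboot it to apply")
    return findings


# Constructed sample: the Lambda role is still pending and the writer has not
# been rebooted since the parameter group was changed.
SAMPLE_CLUSTER = {
    "DBClusterIdentifier": "my-cluster",
    "AssociatedRoles": [
        {"RoleArn": "arn:aws:iam::123456789012:role/AllowAuroraS3Role", "Status": "ACTIVE"},
        {"RoleArn": "arn:aws:iam::123456789012:role/AllowAuroraLambdaRole", "Status": "PENDING"},
    ],
    "DBClusterMembers": [
        {"DBInstanceIdentifier": "my-cluster-primary", "IsClusterWriter": True,
         "DBClusterParameterGroupStatus": "pending-reboot"},
    ],
}
SAMPLE_PARAMETERS = [
    {"ParameterName": "aws_default_s3_role",
     "ParameterValue": "arn:aws:iam::123456789012:role/AllowAuroraS3Role"},
    {"ParameterName": "aws_default_lambda_role",
     "ParameterValue": "arn:aws:iam::123456789012:role/AllowAuroraLambdaRole"},
]

if __name__ == "__main__":
    for finding in audit_cluster_roles(SAMPLE_CLUSTER, SAMPLE_PARAMETERS):
        print("-", finding)
```

On the sample data the audit reports three findings: the pending Lambda role, the `aws_default_lambda_role` parameter that points at it, and the writer instance still waiting for a reboot. Against live data you would feed it the JSON from the two `describe-*` commands named in the lead-in.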

# Enabling network communication from Amazon Aurora to other AWS services
<a name="AuroraMySQL.Integrating.Authorizing.Network"></a>

To use certain other AWS services with Amazon Aurora, the network configuration of your Aurora DB cluster must allow outbound connections to endpoints for those services. The following operations require this network configuration.
+  Invoking AWS Lambda functions. To learn about this feature, see [Invoking a Lambda function with an Aurora MySQL native function](AuroraMySQL.Integrating.NativeLambda.md). 
+  Accessing files from Amazon S3. To learn about this feature, see [Loading data into an Amazon Aurora MySQL DB cluster from text files in an Amazon S3 bucket](AuroraMySQL.Integrating.LoadFromS3.md) and [Saving data from an Amazon Aurora MySQL DB cluster into text files in an Amazon S3 bucket](AuroraMySQL.Integrating.SaveIntoS3.md). 
+ Accessing AWS KMS endpoints. AWS KMS access is required to use database activity streams with Aurora MySQL. To learn about this feature, see [Monitoring Amazon Aurora with Database Activity Streams](DBActivityStreams.md).
+ Accessing SageMaker AI endpoints. SageMaker AI access is required to use SageMaker AI machine learning with Aurora MySQL. To learn about this feature, see [Using Amazon Aurora machine learning with Aurora MySQL](mysql-ml.md).

Aurora returns the following error messages if it can't connect to a service endpoint.

```
ERROR 1871 (HY000): S3 API returned error: Network Connection
```

```
ERROR 1873 (HY000): Lambda API returned error: Network Connection. Unable to connect to endpoint
```

```
ERROR 1815 (HY000): Internal error: Unable to initialize S3Stream
```

For database activity streams using Aurora MySQL, the activity stream stops functioning if the DB cluster can't access the AWS KMS endpoint. Aurora notifies you about this issue using RDS Events.

If you encounter these messages while using the corresponding AWS services, check if your Aurora DB cluster is public or private. If your Aurora DB cluster is private, you must configure it to enable connections.

For an Aurora DB cluster to be public, it must be marked as publicly accessible. If you look at the details for the DB cluster in the AWS Management Console, **Publicly Accessible** is **Yes** if this is the case. The DB cluster must also be in an Amazon VPC public subnet. For more information about publicly accessible DB instances, see [Working with a DB cluster in a VPC](USER_VPC.WorkingWithRDSInstanceinaVPC.md). For more information about public Amazon VPC subnets, see [Your VPC and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html).

If your Aurora DB cluster isn't publicly accessible and in a VPC public subnet, it is private. You might have a DB cluster that is private and want to use one of the features that requires this network configuration. If so, configure the cluster so that it can connect to Internet addresses through Network Address Translation (NAT). As an alternative for Amazon S3, Amazon SageMaker AI, and AWS Lambda, you can instead configure the VPC with a VPC endpoint for the other service and associate it with the DB cluster's route table; see [Working with a DB cluster in a VPC](USER_VPC.WorkingWithRDSInstanceinaVPC.md). For more information about configuring NAT in your VPC, see [NAT gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html). For more information about configuring VPC endpoints, see [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html). You can also create an S3 gateway endpoint to access your S3 bucket. For more information, see [Gateway endpoints for Amazon S3](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html).

You might also have to open the ephemeral ports for your network access control lists (ACLs) in the outbound rules for your VPC security group. For more information on ephemeral ports for network ACLs, see [Ephemeral ports](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports) in the *Amazon Virtual Private Cloud User Guide*.
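The rules in this section reduce to a short decision per subnet: an internet gateway route counts only if the cluster is also publicly accessible, a NAT route reaches every service, a gateway endpoint associated with the subnet's route table reaches S3 only, and an interface endpoint reaches the one service it is for. The following added example (not code from the AWS documentation) applies those rules to constructed inputs shaped like the fields of `describe-route-tables` and `describe-vpc-endpoints` that matter, and reports, per service, whether every cluster subnet has a path. The function names and the path labels are this example's own; requiring `PrivateDnsEnabled` on an interface endpoint, so that the service's normal hostname resolves to it, is a consideration beyond the page, and `pl-EXAMPLE` is a placeholder prefix-list id.

```python
"""Per-subnet outbound reachability check for the S3, Lambda and KMS endpoints
an Aurora MySQL cluster needs.

Added example, not from the AWS documentation. Inputs are constructed dicts
shaped like the relevant fields of `aws ec2 describe-route-tables` and
`aws ec2 describe-vpc-endpoints`; the function names and path labels are
this example's own.
"""

SERVICES = ("s3", "lambda", "kms")


def _internet_route(routes):
    """Return 'igw', 'nat' or None for the subnet's default route."""
    for route in routes:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "igw"
        if (route.get("NatGatewayId") or "").startswith("nat-"):
            return "nat"
    return None


def _endpoint_path(service, table, subnet_id, vpc_endpoints):
    """Return the endpoint path for `service`, or None when no endpoint serves this subnet."""
    for ep in vpc_endpoints:
        if not ep["ServiceName"].endswith("." + service):
            continue
        if (ep["VpcEndpointType"] == "Gateway" and table
                and table["RouteTableId"] in ep.get("RouteTableIds", [])):
            return "gateway-endpoint"  # S3 gateway endpoints attach to route tables
        if (ep["VpcEndpointType"] == "Interface"
                and subnet_id in ep.get("SubnetIds", [])
                and ep.get("PrivateDnsEnabled", False)):  # assumption noted in the lead-in
            return "interface-endpoint"
    return None


def subnet_paths(subnet_id, publicly_accessible, route_tables, vpc_endpoints):
    """Return {service: path} for one subnet, path being 'internet', 'nat',
    'gateway-endpoint', 'interface-endpoint' or None."""
    table = next((t for t in route_tables if subnet_id in t.get("SubnetIds", [])), None)
    via = _internet_route(table["Routes"]) if table else None
    paths = {}
    for service in SERVICES:
        if via == "igw" and publicly_accessible:
            paths[service] = "internet"   # public cluster in a public subnet
        elif via == "nat":
            paths[service] = "nat"
        else:  # an igw route without Publicly Accessible = Yes does not help
            paths[service] = _endpoint_path(service, table, subnet_id, vpc_endpoints)
    return paths


def cluster_reachability(cluster, route_tables, vpc_endpoints):
    """A service is reachable only if every cluster subnet has a path to it.
    Returns {service: (reachable, detail)}."""
    per_subnet = {s: subnet_paths(s, cluster["PubliclyAccessible"], route_tables, vpc_endpoints)
                  for s in cluster["SubnetIds"]}
    result = {}
    for service in SERVICES:
        missing = [s for s, paths in per_subnet.items() if paths[service] is None]
        if missing:
            result[service] = (False, f"no path from {', '.join(missing)}; "
                                      "add a NAT gateway or a VPC endpoint for " + service)
        else:
            used = sorted({paths[service] for paths in per_subnet.values()})
            result[service] = (True, "via " + ", ".join(used))
    return result


# Constructed sample: a private cluster whose subnets have only an S3 gateway
# endpoint, so LOAD DATA FROM S3 works but Lambda and KMS calls do not.
SAMPLE_CLUSTER = {"PubliclyAccessible": False, "SubnetIds": ["subnet-aaaa1111", "subnet-bbbb2222"]}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private01", "SubnetIds": ["subnet-aaaa1111", "subnet-bbbb2222"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-EXAMPLE", "GatewayId": "vpce-s3gw0001"}]},
]
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
     "RouteTableIds": ["rtb-private01"]},
]

if __name__ == "__main__":
    for service, (ok, detail) in cluster_reachability(SAMPLE_CLUSTER, SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS).items():
        print(f"{service:6} {'reachable' if ok else 'BLOCKED  '} {detail}")
```

On the sample data S3 is reachable through the gateway endpoint while Lambda and KMS are blocked, which is the configuration that produces the `ERROR 1873` and activity-stream failures described above even though S3 loads succeed.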

## Related topics
<a name="AuroraMySQL.Integrating.Authorizing.RelatedTopics"></a>
+ [Integrating Aurora with other AWS services](Aurora.Integrating.md)
+ [Managing an Amazon Aurora DB cluster](CHAP_Aurora.md)