Turning on SSRS or PBIRS
Use the following process to turn on SSRS or PBIRS for your DB instance:
-
Create a new option group, or choose an existing option group.
-
Add the
SSRSoption (for SQL Server 2016–2022) or thePBIRSoption (for SQL Server 2025 and higher) to the option group. -
Associate the option group with the DB instance.
-
Allow inbound access to the virtual private cloud (VPC) security group for the SSRS or PBIRS listener port.
Creating an option group for SSRS or PBIRS
To work with SSRS or PBIRS, create an option group that corresponds to the SQL Server engine and version of the DB instance that you plan to use. To do this, use the AWS Management Console or the AWS CLI.
Note
You can also use an existing option group if it's for the correct SQL Server engine and version.
The following procedure creates an option group for SQL Server Standard Edition
2017. For SQL Server 2025, follow the same steps but choose the appropriate engine version and use the PBIRS option.
To create the option group
Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/
. -
In the navigation pane, choose Option groups.
-
Choose Create group.
-
In the Create option group pane, do the following:
-
For Name, enter a name for the option group that is unique within your AWS account, such as
ssrs-se-2017for SSRS orpbirs-se-2025for PBIRS. The name can contain only letters, digits, and hyphens. -
For Description, enter a brief description of the option group, such as
SSRS option group for SQL Server SE 2017orPBIRS option group for SQL Server SE 2025. The description is used for display purposes. -
For Engine, choose sqlserver-se.
-
For Major engine version, choose 14.00 if you are adding the SSRS option, or 17.00 if you are adding the PBIRS option.
-
-
Choose Create.
The following procedures create option groups for SQL Server Standard Edition 2017 (SSRS) and SQL Server Standard Edition 2025 (PBIRS).
To create the option group for SSRS
-
Run one of the following commands.
Example
For Linux, macOS, or Unix:
aws rds create-option-group \ --option-group-namessrs-se-2017\ --engine-namesqlserver-se\ --major-engine-version14.00\ --option-group-description "SSRS option group for SQL Server SE 2017"
For Windows:
aws rds create-option-group ^ --option-group-namessrs-se-2017^ --engine-namesqlserver-se^ --major-engine-version14.00^ --option-group-description "SSRS option group for SQL Server SE 2017"
To create the option group for PBIRS
-
Run one of the following commands.
Example
For Linux, macOS, or Unix:
aws rds create-option-group \ --option-group-namepbirs-se-2025\ --engine-namesqlserver-se\ --major-engine-version17.00\ --option-group-description "PBIRS option group for SQL Server SE 2025"
For Windows:
aws rds create-option-group ^ --option-group-namepbirs-se-2025^ --engine-namesqlserver-se^ --major-engine-version17.00^ --option-group-description "PBIRS option group for SQL Server SE 2025"
Adding the SSRS or PBIRS option to your option group
Next, use the AWS Management Console or the AWS CLI to add the SSRS option (for SQL Server
2016–2022) or the PBIRS option (for SQL Server 2025 and higher) to your option group.
To add the SSRS option
Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/
. -
In the navigation pane, choose Option groups.
-
Choose the option group that you just created, then choose Add option.
-
Under Option details, choose SSRS for Option name.
-
Under Option settings, do the following:
-
Enter the port for the SSRS service to listen on. The default is 8443. For a list of allowed values, see Limitations and recommendations.
-
Enter a value for Max memory.
Max memory specifies the upper threshold above which no new memory allocation requests are granted to report server applications. The number is a percentage of the total memory of the DB instance. The allowed values are 10–80.
-
For Security groups, choose the VPC security group to associate with the option. Use the same security group that is associated with your DB instance.
-
-
To use SSRS Email to send reports, choose the Configure email delivery options check box under Email delivery in reporting services, and then do the following:
-
For Sender email address, enter the email address to use in the From field of messages sent by SSRS Email.
Specify a user account that has permission to send mail from the SMTP server.
-
For SMTP server, specify the SMTP server or gateway to use.
It can be an IP address, the NetBIOS name of a computer on your corporate intranet, or a fully qualified domain name.
-
For SMTP port, enter the port to use to connect to the mail server. The default is 25.
-
To use authentication:
-
Select the Use authentication check box.
-
For Secret Amazon Resource Name (ARN) enter the AWS Secrets Manager ARN for the user credentials.
Use the following format:
arn:aws:secretsmanager:Region:AccountId:secret:SecretName-6RandomCharactersFor example:
arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3For more information on creating the secret, see Using reporting services email to send reports.
-
-
Select the Use Secure Sockets Layer (SSL) check box to encrypt email messages using SSL.
-
-
Under Scheduling, choose whether to add the option immediately or at the next maintenance window.
-
Choose Add option.
To add the PBIRS option (SQL Server 2025 and higher)
Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/
. -
In the navigation pane, choose Option groups.
-
Choose the option group that you just created for PBIRS, then choose Add option.
-
Under Option details, choose PBIRS for Option name.
-
Under Option settings, do the following:
-
Enter the port for the PBIRS service to listen on. The default is 8443. For a list of allowed values, see Limitations and recommendations.
-
Enter a value for Max memory.
Max memory specifies the upper threshold above which no new memory allocation requests are granted to report server applications. The number is a percentage of the total memory of the DB instance. The allowed values are 10–80.
-
For Security groups, choose the VPC security group to associate with the option. Use the same security group that is associated with your DB instance.
-
-
To use reporting services email to send reports, choose the Configure email delivery options check box under Email delivery in reporting services, and then do the following:
-
For Sender email address, enter the email address to use in the From field of messages sent by reporting services email.
Specify a user account that has permission to send mail from the SMTP server.
-
For SMTP server, specify the SMTP server or gateway to use.
It can be an IP address, the NetBIOS name of a computer on your corporate intranet, or a fully qualified domain name.
-
For SMTP port, enter the port to use to connect to the mail server. The default is 25.
-
To use authentication:
-
Select the Use authentication check box.
-
For Secret Amazon Resource Name (ARN) enter the AWS Secrets Manager ARN for the user credentials.
Use the following format:
arn:aws:secretsmanager:Region:AccountId:secret:SecretName-6RandomCharactersFor example:
arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3For more information on creating the secret, see Using reporting services email to send reports.
-
-
Select the Use Secure Sockets Layer (SSL) check box to encrypt email messages using SSL.
-
-
Under Scheduling, choose whether to add the option immediately or at the next maintenance window.
-
Choose Add option.
To add the SSRS option
-
Create a JSON file, for example
ssrs-option.json.-
Set the following required parameters:
-
OptionGroupName– The name of option group that you created or chose previously (ssrs-se-2017in the following example). -
Port– The port for the SSRS service to listen on. The default is 8443. For a list of allowed values, see Limitations and recommendations. -
VpcSecurityGroupMemberships– VPC security group memberships for your RDS DB instance. -
MAX_MEMORY– The upper threshold above which no new memory allocation requests are granted to report server applications. The number is a percentage of the total memory of the DB instance. The allowed values are 10–80.
-
-
(Optional) Set the following parameters to use SSRS Email:
-
SMTP_ENABLE_EMAIL– Set totrueto use SSRS Email. The default isfalse. -
SMTP_SENDER_EMAIL_ADDRESS– The email address to use in the From field of messages sent by SSRS Email. Specify a user account that has permission to send mail from the SMTP server. -
SMTP_SERVER– The SMTP server or gateway to use. It can be an IP address, the NetBIOS name of a computer on your corporate intranet, or a fully qualified domain name. -
SMTP_PORT– The port to use to connect to the mail server. The default is 25. -
SMTP_USE_SSL– Set totrueto encrypt email messages using SSL. The default istrue. -
SMTP_EMAIL_CREDENTIALS_SECRET_ARN– The Secrets Manager ARN that holds the user credentials. Use the following format:arn:aws:secretsmanager:Region:AccountId:secret:SecretName-6RandomCharactersFor more information on creating the secret, see Using reporting services email to send reports.
-
SMTP_USE_ANONYMOUS_AUTHENTICATION– Set totrueand don't includeSMTP_EMAIL_CREDENTIALS_SECRET_ARNif you don't want to use authentication.The default is
falsewhenSMTP_ENABLE_EMAIListrue.
-
The following example includes the SSRS Email parameters, using the secret ARN.
{ "OptionGroupName": "ssrs-se-2017", "OptionsToInclude": [ { "OptionName": "SSRS", "Port":8443, "VpcSecurityGroupMemberships": ["sg-0abcdef123"], "OptionSettings": [ {"Name": "MAX_MEMORY","Value": "60"}, {"Name": "SMTP_ENABLE_EMAIL","Value": "true"} {"Name": "SMTP_SENDER_EMAIL_ADDRESS","Value": "nobody@example.com"}, {"Name": "SMTP_SERVER","Value": "email-smtp.us-west-2.amazonaws.com"}, {"Name": "SMTP_PORT","Value": "25"}, {"Name": "SMTP_USE_SSL","Value": "true"}, {"Name": "SMTP_EMAIL_CREDENTIALS_SECRET_ARN","Value": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3"} ] }], "ApplyImmediately": true } -
-
Add the
SSRSoption to the option group.Example
For Linux, macOS, or Unix:
aws rds add-option-to-option-group \ --cli-input-json file://ssrs-option.json\ --apply-immediatelyFor Windows:
aws rds add-option-to-option-group ^ --cli-input-json file://ssrs-option.json^ --apply-immediately
To add the PBIRS option (SQL Server 2025 and higher)
-
Create a JSON file, for example
pbirs-option.json.-
Set the following required parameters:
-
OptionGroupName– The name of the option group that you created or chose previously (pbirs-se-2025in the following example). -
Port– The port for the PBIRS service to listen on. The default is 8443. For a list of allowed values, see Limitations and recommendations. -
VpcSecurityGroupMemberships– VPC security group memberships for your RDS DB instance. -
MAX_MEMORY– The upper threshold above which no new memory allocation requests are granted to report server applications. The number is a percentage of the total memory of the DB instance. The allowed values are 10–80.
-
-
(Optional) Set the following parameters to use reporting services email:
-
SMTP_ENABLE_EMAIL– Set totrueto use reporting services email. The default isfalse. -
SMTP_SENDER_EMAIL_ADDRESS– The email address to use in the From field of messages sent by reporting services email. Specify a user account that has permission to send mail from the SMTP server. -
SMTP_SERVER– The SMTP server or gateway to use. It can be an IP address, the NetBIOS name of a computer on your corporate intranet, or a fully qualified domain name. -
SMTP_PORT– The port to use to connect to the mail server. The default is 25. -
SMTP_USE_SSL– Set totrueto encrypt email messages using SSL. The default istrue. -
SMTP_EMAIL_CREDENTIALS_SECRET_ARN– The Secrets Manager ARN that holds the user credentials. Use the following format:arn:aws:secretsmanager:Region:AccountId:secret:SecretName-6RandomCharactersFor more information on creating the secret, see Using reporting services email to send reports.
-
SMTP_USE_ANONYMOUS_AUTHENTICATION– Set totrueand don't includeSMTP_EMAIL_CREDENTIALS_SECRET_ARNif you don't want to use authentication.The default is
falsewhenSMTP_ENABLE_EMAIListrue.
-
The following example includes the reporting services email parameters, using the secret ARN.
{ "OptionGroupName": "pbirs-se-2025", "OptionsToInclude": [ { "OptionName": "PBIRS", "Port":8443, "VpcSecurityGroupMemberships": ["sg-0abcdef123"], "OptionSettings": [ {"Name": "MAX_MEMORY","Value": "60"}, {"Name": "SMTP_ENABLE_EMAIL","Value": "true"}, {"Name": "SMTP_SENDER_EMAIL_ADDRESS","Value": "nobody@example.com"}, {"Name": "SMTP_SERVER","Value": "email-smtp.us-west-2.amazonaws.com"}, {"Name": "SMTP_PORT","Value": "25"}, {"Name": "SMTP_USE_SSL","Value": "true"}, {"Name": "SMTP_EMAIL_CREDENTIALS_SECRET_ARN","Value": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3"} ] }], "ApplyImmediately": true } -
-
Add the
PBIRSoption to the option group.Example
For Linux, macOS, or Unix:
aws rds add-option-to-option-group \ --cli-input-json file://pbirs-option.json\ --apply-immediatelyFor Windows:
aws rds add-option-to-option-group ^ --cli-input-json file://pbirs-option.json^ --apply-immediately
Associating your option group with your DB instance
Use the AWS Management Console or the AWS CLI to associate your option group with your DB instance.
Note
If you use an existing DB instance, it must already have an Active Directory domain and AWS Identity and Access Management (IAM) role associated with it. If you create a new instance, specify an existing Active Directory domain and IAM role. For more information, see Working with Active Directory with RDS for SQL Server.
You can associate your option group with a new or existing DB instance:
-
For a new DB instance, associate the option group when you launch the instance. For more information, see Creating an Amazon RDS DB instance.
-
For an existing DB instance, modify the instance and associate the new option group. For more information, see Modifying an Amazon RDS DB instance.
You can associate your option group with a new or existing DB instance.
To create a DB instance that uses your option group
-
Specify the same DB engine type and major version as you used when creating the option group.
Example
For Linux, macOS, or Unix:
aws rds create-db-instance \ --db-instance-identifiermyssrsinstance\ --db-instance-classdb.m5.2xlarge\ --enginesqlserver-se\ --engine-version14.00.3223.3.v1\ --allocated-storage100\ --manage-master-user-password \ --master-usernameadmin\ --storage-typegp2\ --license-modelli\ --domain-iam-role-namemy-directory-iam-role\ --domainmy-domain-id\ --option-group-namessrs-se-2017For Windows:
aws rds create-db-instance ^ --db-instance-identifiermyssrsinstance^ --db-instance-classdb.m5.2xlarge^ --enginesqlserver-se^ --engine-version14.00.3223.3.v1^ --allocated-storage100^ --manage-master-user-password ^ --master-usernameadmin^ --storage-typegp2^ --license-modelli^ --domain-iam-role-namemy-directory-iam-role^ --domainmy-domain-id^ --option-group-namessrs-se-2017
To modify a DB instance to use your option group
-
Run one of the following commands.
Example
For Linux, macOS, or Unix:
aws rds modify-db-instance \ --db-instance-identifiermyssrsinstance\ --option-group-namessrs-se-2017\ --apply-immediatelyFor Windows:
aws rds modify-db-instance ^ --db-instance-identifiermyssrsinstance^ --option-group-namessrs-se-2017^ --apply-immediately
Allowing inbound access to your VPC security group
To allow inbound access to the VPC security group associated with your DB instance, create an inbound rule for the specified SSRS or PBIRS listener port. For more information about setting up security groups, see Provide access to your DB instance in your VPC by creating a security group.