MySQL Community Server on AWS User Guide

Product: MySQL Community Server on AWS

Overview

This image runs MySQL Community Server, the world's most popular open source relational database, used by enterprises and SaaS platforms for transactional applications, content management, analytics back ends and modern web workloads. MySQL is the only workload on the image, so the platform stays lean, predictable and easy to reason about. The image provides the current widely deployed GA line, version 8.0, installed from the official MySQL APT repository.

The image ships with password authentication enforced for every user account: no anonymous logins, no remote root login, no test database, and no shared default credentials. On the first boot of your instance a one shot service initialises a fresh data directory, generates a strong random password for the root user and a separate password for a cloudimg administrative user, applies them to the database and writes them to /root/mysql-credentials.txt, a file that only the root user can read.

MySQL data, transaction logs and binary logs live on a dedicated EBS volume mounted at /var/lib/mysql. Keeping database files on their own volume means storage can be grown, snapshotted and backed up independently of the operating system disk. The server listens for the MySQL wire protocol on the standard port 3306 on all interfaces so application instances on the same VPC can connect once a security group rule is opened from the application subnet.

This is a headless image. MySQL has no built in web interface; you administer it over SSH with the mysql command line client, covered below.

Prerequisites

Before you deploy this image you need:

  • An Amazon Web Services account where you can launch EC2 instances
  • IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
  • An EC2 key pair in the target Region for SSH access to the instance
  • A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network
  • The AWS CLI (version 2) installed locally if you plan to deploy from the command line

Recommended instance type: m5.large (2 vCPU, 8 GB RAM) or larger. MySQL auto tunes its InnoDB buffer pool from available memory and benefits from additional CPU and RAM for production workloads.

Step 1: Launch the Instance from the AWS Marketplace

Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for MySQL Community Server. Select the cloudimg listing and choose Select, then Continue on the subscription summary.

Pick an instance type of m5.large or larger. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network. To allow application tier instances to connect to MySQL, add an inbound rule for TCP port 3306 from the security group of your application subnet. Leave the root volume at the default size or larger; the MySQL data volume is attached automatically from the image.

Select Launch instance. First boot initialisation, which initialises the data directory and generates the root and cloudimg passwords, takes a minute or two after the instance state becomes Running and the status checks pass.

Step 2: Launch the Instance from the AWS CLI

The following block launches an instance from the cloudimg MySQL Community Server Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens inbound port 22 from your management network.

aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type m5.large \
  --key-name <key-name> \
  --subnet-id <subnet-id> \
  --security-group-ids <security-group-id> \
  --metadata-options HttpTokens=required \
  --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":12,"VolumeType":"gp3"}}]' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=mysql-01}]'

The command prints a JSON document on success. Note the instance ID, then retrieve its public address once it is running:

aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text

Step 3: Connect over SSH

Connect over SSH with the key pair you selected and the public IP address from step 2. The SSH login user depends on the operating system of the AMI variant you launched:

| AMI variant | SSH login user |
|---|---|
| MySQL Community Server 8.0 on Ubuntu 24.04 | ubuntu |

ssh <login-user>@<public-ip>

Wait until the instance has passed both EC2 status checks before connecting. The first boot service runs before the SSH daemon is ready, so MySQL is initialised by the time you can log in.

Step 4: Retrieve the Generated Passwords

The first boot service generates a fresh root password and a separate cloudimg administrative user password for this instance and writes them, with the connection details, to /root/mysql-credentials.txt. The file is readable only by the root user. Display it from your SSH session:

sudo cat /root/mysql-credentials.txt

The file looks like this, with unique passwords on your instance:

# MySQL Community Server 8.0 — Per-Instance Credentials
# Generated on first boot: Sun May 24 21:42:18 UTC 2026
#
# Open the local mysql client with:
#   sudo mysql -u root          (uses socket auth — no password needed)
# Or remotely from an app tier:
#   mysql -u cloudimg -p -h <instance-ip> -P 3306 cloudimg
#
MYSQL_PORT=3306
MYSQL_SOCKET=/var/run/mysqld/mysqld.sock
MYSQL_DEFAULT_DATABASE=cloudimg
MYSQL_ROOT_PASSWORD=<your generated root password>
MYSQL_CLOUDIMG_USER=cloudimg
MYSQL_CLOUDIMG_PASSWORD=<your generated cloudimg password>

The root user authenticates with the new password on TCP and with operating system socket authentication when invoked with sudo. The cloudimg user is a standard administrative user with full privileges on the preconfigured cloudimg database and is intended for application connections from other instances in your VPC.

Step 5: Confirm the Service and the Listener

MySQL runs under systemd as the mysql service and starts automatically on boot. Confirm it is active:

systemctl is-active mysql

The command prints active. Confirm the MySQL wire protocol is listening on port 3306 on all interfaces, so application tier instances can connect across the VPC:

ss -tln | grep 3306

You should see a listening socket on 0.0.0.0:3306. The MySQL X Protocol on 33060 is restricted to the loopback address by default.

Step 6: Connect with the mysql Command Line Client

The mysql command line client ships with the image. The most convenient local connection uses Unix socket authentication as root without prompting for a password:

sudo mysql -u root

You enter the mysql> interactive prompt. Type exit to leave the prompt.

To connect over TCP, which is how application code connects, pass the host, port and password on the command line. Replace <password> with the value of MYSQL_ROOT_PASSWORD from the credentials file:

mysql -u root -p'<password>' -h 127.0.0.1 -P 3306

You can also run a single statement without entering the interactive shell by adding -e. To verify the connection non interactively, query the server version:

sudo mysql -u root -e "SELECT VERSION();"

The query returns the running MySQL release:

+-----------+
| VERSION() |
+-----------+
| 8.0.46    |
+-----------+
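
The TCP connection in this step puts the root password on the command line, where it lands in shell history and can be visible to other local users in the process list. As an added example that is not part of the original guide, the following shell functions read the credentials file from step 4 and write a client option file with mode 0600 that the mysql client can load instead. The function names and the output path /root/.mysql-root.cnf are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): build a mode-0600 client option
# file from the KEY=VALUE lines of the credentials file, so the password is
# never typed on a command line.

# Constructed sample in the credentials-file layout shown in step 4.
sample_creds() {
  printf '%s\n' '# Generated on first boot (constructed sample)' \
    'MYSQL_PORT=3306' 'MYSQL_ROOT_PASSWORD=Constructed=Pass#1' \
    'MYSQL_CLOUDIMG_USER=cloudimg'
}

# cred_value FILE KEY: print the value of KEY, skipping comment lines.
cred_value() {
  # Split on the first "=" only, so a password containing "=" stays intact.
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, "=")
      if (i && substr($0, 1, i - 1) == key) { print substr($0, i + 1); exit } }
  ' "$1"
}

# write_client_cnf CRED_FILE OUT_FILE [HOST]: runs in a subshell, so its
# variables do not leak into the caller.
write_client_cnf() (
  host="${3:-127.0.0.1}"
  port="$(cred_value "$1" MYSQL_PORT)"
  pass="$(cred_value "$1" MYSQL_ROOT_PASSWORD)"
  if [ -z "$port" ] || [ -z "$pass" ]; then
    echo "MYSQL_PORT or MYSQL_ROOT_PASSWORD missing from $1" >&2; exit 1
  fi
  case "$pass" in
    *'"'*) echo "password contains a double quote; quote it by hand" >&2; exit 1 ;;
  esac
  # Option files treat backslash as an escape character, so double it.
  pass="$(printf '%s' "$pass" | sed 's/\\/\\\\/g')"
  # Create the file empty with mode 0600 before the secret is written to it.
  install -m 600 /dev/null "$2" || exit 1
  printf '[client]\nuser=root\nhost=%s\nport=%s\npassword="%s"\n' \
    "$host" "$port" "$pass" > "$2"
)

# On the instance, as root (the output path is a hypothetical choice):
#   write_client_cnf /root/mysql-credentials.txt /root/.mysql-root.cnf
#   mysql --defaults-extra-file=/root/.mysql-root.cnf -e "SELECT VERSION();"
```

The --defaults-extra-file option must be the first option on the mysql command line.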

Step 7: Explore the Default Database

List the databases on the instance. The four MySQL system schemas are present alongside the preconfigured cloudimg database, ready for your application data:

sudo mysql -u root -e "SHOW DATABASES;"

+--------------------+
| Database           |
+--------------------+
| cloudimg           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+

The cloudimg database is empty by default. The cloudimg administrative user has full privileges on it. To create your own database for a new application, run a CREATE DATABASE statement:

sudo mysql -u root -e "CREATE DATABASE IF NOT EXISTS my_app CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"

Step 8: Create a Schema and a Table

Connect to the cloudimg database and create a small schema. The following statements, run inside mysql, create a table, insert two rows and query them back. The connection below uses socket authentication as root, so no password is needed:

sudo mysql -u root cloudimg

CREATE TABLE products (
  id INT AUTO_INCREMENT PRIMARY KEY,
  name VARCHAR(120) NOT NULL,
  price DECIMAL(10, 2) NOT NULL
);

INSERT INTO products (name, price) VALUES
  ('Mechanical Keyboard', 89.00),
  ('Wireless Mouse', 39.50);

SELECT id, name, price FROM products ORDER BY id;

Each statement returns its result and a row count. Type exit to leave the prompt.

Step 9: Create an Application User and Grant Privileges

A common pattern is to create one MySQL user per application database with privileges scoped to that database only. The following statements create an app user with a password and grant it full access to the my_app database created in step 7. Replace <app-password> with a strong password for the application:

sudo mysql -u root <<SQL
CREATE USER 'app'@'%' IDENTIFIED WITH caching_sha2_password BY '<app-password>';
GRANT ALL PRIVILEGES ON my_app.* TO 'app'@'%';
FLUSH PRIVILEGES;
SQL

The 'app'@'%' host specifier permits the user to connect from any IP address; combine this with a security group rule that only allows inbound 3306 from your application subnet to scope network access correctly. For the caching_sha2_password plugin the MySQL connector library in your application must be a recent version that supports it.
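
To check the account posture described in the overview (no anonymous logins, no remote root login) and to see which accounts rely on the '%' host after this step, the account list can be audited mechanically. This added example, which is not part of the original guide, reads the tab-separated output of SELECT user, host FROM mysql.user; the function names and the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit MySQL accounts against
# the image's stated posture. Feed it tab-separated "user<TAB>host" rows:
#   sudo mysql -u root -N -B -e "SELECT user, host FROM mysql.user" | audit_accounts

# Constructed sample rows. The host for cloudimg and the whole "reporting"
# account are assumptions for illustration; app@% is the user from step 9.
sample_accounts() {
  printf 'root\tlocalhost\n'
  printf 'mysql.sys\tlocalhost\n'
  printf 'cloudimg\t%%\n'
  printf 'app\t%%\n'
  printf 'reporting\t10.0.%%\n'
}

# audit_accounts: read rows on stdin, print findings, return 1 on any FAIL.
#   FAIL  anonymous account (empty user name)
#   FAIL  root reachable from anything other than the local host
#   WARN  account whose host is the bare wildcard "%"
audit_accounts() {
  awk -F '\t' '
    NF == 0 { next }
    $1 == "" {
      print "FAIL anonymous account at host " $2; bad = 1; next
    }
    $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
      print "FAIL root can log in from host pattern " $2; bad = 1; next
    }
    $2 == "%" {
      print "WARN " $1 "@% accepts connections from any address"
    }
    END { exit bad + 0 }
  '
}
```

A WARN line is not a defect by itself; it marks the accounts whose network scoping rests entirely on the port 3306 security group rule.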

Step 10: Connect from an Application Tier

From an application instance in the same VPC, connect using the cloudimg administrative user or the per application user you created. Replace <instance-ip> with the private IP address of the database instance:

mysql -u cloudimg -p -h <instance-ip> -P 3306 cloudimg

For application code, set the connection string for your library to point at the database instance, for example with the Python mysql-connector-python package:

import mysql.connector
conn = mysql.connector.connect(
  host='<instance-ip>',
  port=3306,
  user='cloudimg',
  password='<cloudimg-password>',
  database='cloudimg',
)

Step 11: The MySQL Data Volume

MySQL data, transaction logs and binary logs are stored under /var/lib/mysql, which is a dedicated EBS volume separate from the operating system disk. Confirm the mount:

findmnt /var/lib/mysql

TARGET         SOURCE       FSTYPE OPTIONS
/var/lib/mysql /dev/nvme1n1 ext4   rw,relatime

Check the available space:

df -h /var/lib/mysql

Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme1n1     30G  192M   28G   1% /var/lib/mysql

To grow the data volume, increase its size in the AWS console or with the AWS CLI, then expand the filesystem on the instance:

sudo growpart /dev/nvme1n1 1 || true
sudo resize2fs /dev/nvme1n1

For a fresh instance the data volume is sized to 30 GiB by default. The fstab entry is keyed on the filesystem UUID so the mount survives reboots and AMI relaunches regardless of NVMe device name ordering.

Step 12: Service Management

MySQL runs under systemd as the mysql service. Use the standard systemctl commands to restart, stop or start it:

sudo systemctl status mysql
sudo systemctl restart mysql
sudo systemctl stop mysql
sudo systemctl start mysql

Server logs are available with journalctl:

sudo journalctl -u mysql --since "10 minutes ago" --no-pager

The MySQL error log is also written to /var/log/mysql/error.log and the optional slow query log can be enabled in /etc/mysql/mysql.conf.d/mysqld.cnf.

Step 13: Backups with mysqldump

mysqldump ships with the image and produces a portable SQL script that can be restored into any MySQL or compatible server. The following command dumps the cloudimg database to a file:

sudo mysqldump --single-transaction --routines --triggers cloudimg \
  > /tmp/cloudimg-backup.sql

The --single-transaction flag uses a consistent snapshot of the InnoDB tables without holding write locks, so the dump can run against a live production database. Copy the dump file to durable storage, such as Amazon S3, with the AWS CLI. Replace <your-backup-bucket> with the name of an S3 bucket your instance role can write to:

aws s3 cp /tmp/cloudimg-backup.sql s3://<your-backup-bucket>/cloudimg-$(date -u +%Y%m%d).sql

To restore a dump into a new instance, create a destination database and pipe the script through the mysql client. Replace <target-database> with the database name you want to restore into:

sudo mysql -u root -e "CREATE DATABASE <target-database>;"
sudo mysql -u root <target-database> < /tmp/cloudimg-backup.sql

For larger databases consider physical backups with the AWS EBS snapshot service against the data volume; an EBS snapshot taken with the database in a consistent state restores the entire /var/lib/mysql directory in one step.

Step 14: Replication and High Availability

The image runs as a single MySQL primary. For high availability and read scaling, add one or more replica instances launched from the same Marketplace AMI and configure them with CHANGE REPLICATION SOURCE TO to follow the primary. The MySQL Reference Manual covers replication configuration in detail; the cloudimg image ships the standard mysql binary so every replication topology supported by MySQL Community Server is available.

For automatic failover, layer a high availability tool such as MySQL InnoDB Cluster, ProxySQL or Orchestrator on top of the replica set. cloudimg support can advise on the topology that best fits your workload.


Screenshots

MySQL server version and status

The mysql command line client connected as root reporting the running MySQL Community Server version on the instance.

Databases on the new instance

The SHOW DATABASES output listing the system schemas and the preconfigured cloudimg database on a freshly launched instance.

SQL round trip on the cloudimg database

A CREATE TABLE, INSERT and SELECT round trip on the cloudimg database confirming the engine is fully operational.


Support

cloudimg provides 24/7 technical support for this image by email and chat. Help is available with MySQL deployment, replication and high availability, schema design, performance tuning and database administration. Open a support request from the cloudimg website with your AWS Marketplace subscription identifier to hand off any operational issue.

All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.