Amazon RDS for PostgreSQL + CHION

Ask your Amazon RDS Postgres in plain English
no Bedrock build required

Verified read-only SQL
NL→SQL agent for Amazon RDS Postgres
Reusable AI SQL skills you export to Claude Code, Cursor & Codex

No ECS, no CloudFormation, no LLM endpoint to host. Skip the LangChain-on-Fargate project — Chion connects to your Amazon RDS or Aurora PostgreSQL reader endpoint read-only, turns plain-English questions into verified SQL you can audit line by line, and renders the chart, connected in two minutes, not two sprints. Connect a reader endpoint in two minutes — Multi-AZ failover and RLS handled for you.

Every answer shows the verified, read-only SQL beneath the chart — line by line, nothing to trust blindly.

Start your 7-day trial Read the connection guide

Turn your RDS reader endpoint into a verified SQL analyst — without managing a single container.

Chion turns your Amazon RDS or Aurora PostgreSQL into an AI SQL analyst for conversational analytics — connect read-only, ask in plain English, and turn every verified query into a reusable skill with the SQL skills generator. Credentials are wrapped in an AES-256-GCM vault, every query runs as a read-only SELECT capped at 1,000 rows, and the row-level security on the role you provide is honored on every call. It is the AI SQL workforce your team can point at a reader endpoint in two minutes.

Go deeper: the verified pipeline, question to chart · how the typed SQL contract blocks out-of-schema columns · the credential vault and read-only model · the SQL query generator.

Chion vs. building it on Bedrock + LangChain

	Chion	Bedrock + LangChain DIY
Setup time	Two minutes	Days
Verified SQL	Shown beneath every chart	Hidden in the chain
Read-only + RLS	Enforced by code	DIY
Portable export	CHION.md, yours to keep	Locked in your stack
LLM-agnostic	Yes	Bedrock-locked

Your answers leave with you — export every verified query as a portable SQL skill.

Example question & SQL

See what Chion generates from a plain-English question.

You ask

"Show me monthly revenue for the last 6 months"

Chion generates

SELECT
  date_trunc('month', created_at) AS month,
  SUM(amount) AS revenue
FROM orders
WHERE created_at >= now() - interval '6 months'
GROUP BY 1
ORDER BY 1;

Create a read-only Postgres role

Run this once before you connect. Chion enforces read-only at the SQL validator, but a least-privilege role is the canonical pattern.

CREATE ROLE chion_read LOGIN PASSWORD '<strong-password>';
GRANT CONNECT ON DATABASE <dbname> TO chion_read;
GRANT USAGE ON SCHEMA public TO chion_read;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO chion_read;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO chion_read;

Replace <dbname> with your database name. The ALTER DEFAULT PRIVILEGES line ensures new tables are auto-readable.

Connection string format

Reference for parsing. Chion accepts the six fields directly, no string concatenation needed.

postgresql://chion_read:<password>@<instance>.<id>.<region>.rds.amazonaws.com:5432/<dbname>?sslmode=require

Read-only by code. Verified by Chion's 13-step SQL pipeline.

Finding your Amazon RDS for PostgreSQL credentials

AWS Console → RDS → Databases → [your instance] → Connectivity & security

Field	Where to Find	Default
Server (Endpoint)	Connectivity & security tab → Endpoint	<instance>.<id>.<region>.rds.amazonaws.com
Port	Same tab, next to Endpoint	5432
Database	Configuration tab → DB name	postgres (or what you set at creation)
Schema	Not in console; default is public	public
User	Configuration tab → Master username	postgres (or what you set)
Password	Set at instance creation. Modify → change Master password to reset	(not retrievable)

Quick steps

1.Log in at console.aws.amazon.com/rds
2.Click Databases in the left sidebar
3.Click your PostgreSQL instance name
4.Connectivity & security tab → copy the Endpoint and Port
5.Configuration tab → note the DB name and Master username
6.Password is what you entered during creation (use Modify to reset if needed)

Open Amazon RDS for PostgreSQL console

Amazon RDS for PostgreSQL troubleshooting

Common issues and how to fix them.

Connection timeout: security group not open

Edit the security group associated with your RDS instance. Add an inbound rule allowing TCP on port 5432 from the Chion IP range. For initial testing, scope the rule to your laptop's egress IP, then narrow to the Chion IP range before going live — avoid opening the instance to the internet. RDS instances in private subnets require a NAT gateway or VPN peering.

Master password forgotten

In the RDS console, select your instance → Modify → set a new Master password. The change applies immediately or during the next maintenance window depending on your selection.

Aurora vs RDS PostgreSQL compatibility

Aurora PostgreSQL-Compatible uses the same wire protocol. Point Chion at the Aurora reader endpoint for read-only workloads. The cluster endpoint works too but directs queries to the writer.

Aurora Serverless v2 cold start

Aurora Serverless v2 scales capacity in seconds but a cold scale-up may delay the first query by 1-3 seconds. Set a higher minimum ACU on the cluster if predictable latency matters more than cost.

VPC peering and private subnets

For RDS in a private subnet, expose the endpoint via VPC peering or AWS PrivateLink to a Chion-accessible network. Public-subnet instances with a security group allow-list are simpler for trial setups.

Official Amazon RDS for PostgreSQL documentation

Authoritative references from the provider. Opens in a new tab.

Connecting to a DB instance running PostgreSQL
Official AWS guide for endpoint discovery and client connections.
Aurora PostgreSQL-Compatible Edition
Aurora-specific behaviors, reader endpoints, and Serverless v2.
Amazon RDS Multi-AZ deployments
How failover and DNS updates work for high-availability instances.
PostgreSQL CREATE ROLE
Reference for the read-only role used by Chion.

Your credentials are encrypted

All connection credentials are encrypted with AES-256-GCM and stored in an isolated vault. Chion connects with read-only permissions. No INSERT, UPDATE, or DELETE is ever possible. Row-level security policies are honored on every query.

Read our security model

Frequently asked questions

Common questions about using Chion with Amazon RDS for PostgreSQL.

Does Chion support Amazon Aurora PostgreSQL?

Yes. Aurora PostgreSQL-Compatible uses the same wire protocol as standard RDS PostgreSQL. Point Chion at the reader endpoint for optimal read-only performance.

Can I use IAM authentication with Chion?

Not currently. Chion uses standard PostgreSQL password authentication. Create a dedicated read-only role with a strong password.

Does Chion work with RDS Multi-AZ deployments?

Yes. Chion connects to the primary endpoint. During a failover, the endpoint DNS updates automatically and Chion reconnects on the next query.

Does Chion work with Aurora Serverless v2?

Yes. Aurora Serverless v2 is wire-compatible with standard PostgreSQL. Expect a 1-3 second cold-start latency on the first query after auto-pause; subsequent queries run at normal speed.

How do I connect Chion to RDS in a private VPC?

Either move the instance to a public subnet with a security group allow-list, or set up VPC peering / PrivateLink to a network Chion can reach. Direct private-subnet access is not currently supported.

Which PostgreSQL versions does RDS support for Chion?

Chion supports all PostgreSQL versions that AWS RDS offers (currently 11 through 16). PostgreSQL 14+ is recommended for full window-function and CTE coverage.