Here are three common methods used to limit access to the AWS environment for DBAs and developers:
- Bastion host : A bastion can be used as a jump box' / proxy server. Developers and DBAs would be given access using SSH and than use other credentials to log into the web, application, and database servers. More on bastion host security can be found here: http://cloudconclave.blogspot.com/2013/05/aws-bastion-host-as-single-point-of.html. There is the cost of the EC2 instance that is the bastion host and data transfer out costs.
- VPN with customer gateway and virtual private gateway. In the case, you create a VPN tunnel. The costs here are the VPN hardware on your side (customer gateway), cost of virtual private gateway (VPG), and costs of VPN connections and data transfer out of AWS. More on VPN costs here (this assumes this option): http://cloudconclave.blogspot.com/2013/05/vpn-costs-for-connections-and-data.html
- OpenVPN : You do not incur the cost of hardware on your side and the VPG on the AWS side. You still have the cost of the data transfer out. You would also incur the cost of the EC2 instances that is running an open source VPN software stack (in this case OpenVPN).
I am sure there are other methods as well.
Could also use these constructs to provide secure integration from your on premise or third party applications (SFTP for flat file integration, VPN for web services).