diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
new file mode 100644
index 000000000..e066f686c
--- /dev/null
+++ b/services/terraform/self-host/aws_db.tf
@@ -0,0 +1,44 @@
+# MariaDB Security Group
+resource "aws_security_group" "keyserver_mariadb_security_group" {
+ name = "keyserver-mariadb-sg"
+ description = "Allow inbound traffic on port 3307 and all outbound traffic"
+ vpc_id = aws_vpc.default.id
+
+ # Inbound rules
+ ingress {
+ from_port = 3307
+ to_port = 3307
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Outbound rules
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+
+# MariaDB RDS Instance
+resource "aws_db_instance" "mariadb" {
+ allocated_storage = 100
+ max_allocated_storage = 3000
+ storage_type = "gp3"
+ db_name = "mariadb"
+ identifier = "mariadb-instance"
+ engine = "mariadb"
+ engine_version = "10.11"
+ instance_class = "db.m6g.large"
+ db_subnet_group_name = aws_db_subnet_group.public_db_subnet_group.name
+ vpc_security_group_ids = [aws_security_group.keyserver_mariadb_security_group.id]
+ username = local.secrets["mariaDB"]["username"]
+ password = local.secrets["mariaDB"]["password"]
+ parameter_group_name = "default.mariadb10.11"
+ storage_encrypted = true
+ publicly_accessible = true
+ port = 3307
+ skip_final_snapshot = true
+}
diff --git a/services/terraform/self-host/aws_vpc.tf b/services/terraform/self-host/aws_vpc.tf
index 36cc10165..11a7b01b4 100644
--- a/services/terraform/self-host/aws_vpc.tf
+++ b/services/terraform/self-host/aws_vpc.tf
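Review bot: The ingress rule `cidr_blocks = ["0.0.0.0/0"]` on port 3307, together with `publicly_accessible = true` and a subnet group built from internet-gateway-routed subnets, exposes the MariaDB listener to the whole internet, so the only thing between an attacker and the keyserver's data is the password read from `local.secrets`; a non-default port is not a control. Restrict the rule to the client instead, e.g. `security_groups = [aws_security_group.<keyserver_sg>.id]` in place of `cidr_blocks` (the keyserver's security group is not visible in this diff, so the name needs confirming), or set `publicly_accessible = false` and place the instance in subnets with no IGW route. The instance also combines `skip_final_snapshot = true` with no `deletion_protection` and no `backup_retention_period`, so a `terraform destroy` or a mistaken replacement drops the database with no recovery point; at minimum add `deletion_protection = true` and an explicit `backup_retention_period`. A short comment above `publicly_accessible` stating why public exposure is intended for this self-host deployment would let a reviewer distinguish a deliberate trade-off from an oversight.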
@@ -1,46 +1,56 @@ # VPC resource "aws_vpc" "default" { cidr_block = "172.31.0.0/16" enable_dns_support = true enable_dns_hostnames = true } # Public Subnets resource "aws_subnet" "public_a" { vpc_id = aws_vpc.default.id cidr_block = "172.31.0.0/20" availability_zone = "us-east-2a" map_public_ip_on_launch = true } resource "aws_subnet" "public_b" { vpc_id = aws_vpc.default.id cidr_block = "172.31.16.0/20" availability_zone = "us-east-2b" map_public_ip_on_launch = true } # Internet Gateway resource "aws_internet_gateway" "default" { vpc_id = aws_vpc.default.id } # Route Table for Internet Gateway resource "aws_route_table" "public_igw_route_table" { vpc_id = aws_vpc.default.id route { cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.default.id } } resource "aws_route_table_association" "public_a_igw_route_association" { subnet_id = aws_subnet.public_a.id route_table_id = aws_route_table.public_igw_route_table.id } resource "aws_route_table_association" "public_b_igw_route_association" { subnet_id = aws_subnet.public_b.id route_table_id = aws_route_table.public_igw_route_table.id } + +# DB Subnet Group +resource "aws_db_subnet_group" "public_db_subnet_group" { + name = "public-db-subnet-group" + subnet_ids = [aws_subnet.public_a.id, aws_subnet.public_b.id] + + tags = { + Name = "DB subnet group associated with private vpc subnet" + } +}
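Review bot: The tag `Name = "DB subnet group associated with private vpc subnet"` is inaccurate: `public_a` and `public_b` are associated with `public_igw_route_table`, which has a `0.0.0.0/0` route to the internet gateway, and both set `map_public_ip_on_launch = true`, so this group places the database in public subnets. Either make the tag match reality, e.g. `Name = "public-db-subnet-group"`, or add private subnets with no IGW route and reference those here, which is the usual placement for a database subnet group. A one-line comment above the resource noting whether public placement is intentional would prevent the next reader from trusting the tag over the routing.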