AWS Certified Data Engineer – Associate (DEA-C01) — Question 65

A company uses Amazon RDS to store transactional data. The company runs an RDS DB instance in a private subnet. A developer wrote an AWS Lambda function with default settings to insert, update, or delete data in the DB instance.
The developer needs to give the Lambda function the ability to connect to the DB instance privately without using the public internet.
Which combination of steps will meet this requirement with the LEAST operational overhead? (Choose two.)

Answer options

• A. Turn on the public access setting for the DB instance.
• B. Update the security group of the DB instance to allow only Lambda function invocations on the database port.
• C. Configure the Lambda function to run in the same subnet that the DB instance uses.
• D. Attach the same security group to the Lambda function and the DB instance. Include a self-referencing rule that allows access through the database port.
• E. Update the network ACL of the private subnet to include a self-referencing rule that allows access through the database port.

Correct answer: C, D

Explanation

Option C is correct because running the Lambda function in the same subnet as the DB instance allows for private connectivity. Option D is also correct as it ensures that both the Lambda function and DB instance can communicate through the same security group with appropriate permissions, while the other options (A, B, and E) do not provide the necessary private connectivity or add unnecessary complexity.