AWS Certified Developer – Associate (DVA-C02) — Question 222

A developer needs to troubleshoot an AWS Lambda function in a development environment. The Lambda function is configured in VPC mode and needs to connect to an existing Amazon RDS for SQL Server DB instance. The DB instance is deployed in a private subnet and accepts connections by using port 1433.

When the developer tests the function, the function reports an error when it tries to connect to the database.

Which combination of steps should the developer take to diagnose this issue? (Choose two.)

Answer options

• A. Check that the function’s security group has outbound access on port 1433 to the DB instance’s security group. Check that the DB instance’s security group has inbound access on port 1433 from the function’s security group.
• B. Check that the function’s security group has inbound access on port 1433 from the DB instance’s security group. Check that the DB instance’s security group has outbound access on port 1433 to the function’s security group.
• C. Check that the VPC is set up for a NAT gateway. Check that the DB instance has the public access option turned on.
• D. Check that the function’s execution role permissions include rds:DescribeDBInstances, rds:ModifyDBInstance. and rds:DescribeDBSecurityGroups for the DB instance.
• E. Check that the function’s execution role permissions include ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface.

Correct answer: A, E

Explanation

Option A is correct because it ensures that the Lambda function can communicate with the RDS instance through the appropriate security group settings. Option E is also correct as it provides the necessary permissions for the function to create and manage network interfaces, which is essential for VPC connectivity. The other options either misconfigure the security group rules or address irrelevant permissions.