AWS Certified Developer – Associate (DVA-C02) — Question 352
A company is developing a serverless application by using AWS Lambda functions. One of the Lambda functions needs to access an Amazon RDS DB instance. The DB instance is in a private subnet inside a VPC.
The company creates a role that includes the necessary permissions to access the DB instance. The company then assigns the role to the Lambda function. A developer must take additional action to give the Lambda function access to the DB instance.
What should the developer do to meet these requirements?
Answer options
- A. Assign a public IP address to the DB instance. Modify the security group of the DB instance to allow inbound traffic from the IP address of the Lambda function.
- B. Set up an AWS Direct Connect connection between the Lambda function and the DB instance.
- C. Configure an Amazon CloudFront distribution to create a secure connection between the Lambda function and the DB instance.
- D. Configure the Lambda function to connect to the private subnets in the VPC. Add security group rules to allow traffic to the DB instance from the Lambda function.
Correct answer: D
Explanation
To allow an AWS Lambda function to access resources inside a private subnet of a VPC, such as an Amazon RDS DB instance, the Lambda function must be configured to connect to that VPC (the private subnets and a security group for the function). Additionally, the security group associated with the RDS DB instance must be updated to allow inbound traffic on the database port from the Lambda function's security group. Options A, B, and C are incorrect: A compromises security by exposing the database publicly, and B and C use services (Direct Connect, CloudFront) that are not designed for internal Lambda-to-VPC database connectivity.
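The wiring that option D describes, written out as an added Terraform example (not part of the question or of any AWS sample): the function gets a `vpc_config` pointing at the private subnets, the DB security group admits traffic only from the function's security group rather than from an IP range, and the DB instance stays non-public. One practical caveat the question glosses over: the execution role already holds the DB permissions, but attaching a function to a VPC also requires the ENI-management permissions in the managed policy `AWSLambdaVPCAccessExecutionRole`, which is attached below. The VPC and subnet IDs, the role name `lambda`, the code artifact `app.zip`, and the PostgreSQL port 5432 are assumptions.

```hcl
# Added example: Lambda-in-VPC access to a private RDS instance (option D).
# Assumed inputs: existing VPC and private subnets, an IAM role
# aws_iam_role.lambda defined elsewhere, and a code artifact app.zip.
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "db_port" {
  type    = number
  default = 5432 # assumed PostgreSQL; use the engine's port
}

# Security group attached to the function's ENIs in the VPC.
resource "aws_security_group" "lambda" {
  name        = "lambda-db-client"
  description = "ENIs of the Lambda function that talks to the DB"
  vpc_id      = var.vpc_id
}

# Security group attached to the DB instance.
resource "aws_security_group" "rds" {
  name        = "rds-private"
  description = "DB instance; accepts traffic only from the Lambda SG"
  vpc_id      = var.vpc_id
}

# Function -> DB egress, scoped to the DB security group, not 0.0.0.0/0.
resource "aws_security_group_rule" "lambda_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.lambda.id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.rds.id
}

# The rule the question asks for: DB accepts inbound from the function's SG.
# Referencing the SG (not an IP) keeps working when Lambda's ENI IPs change.
resource "aws_security_group_rule" "db_from_lambda" {
  type                     = "ingress"
  security_group_id        = aws_security_group.rds.id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda.id
}

# The role already carries DB permissions (per the question); running in a
# VPC additionally needs ec2:CreateNetworkInterface and friends.
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.lambda.name # assumed: role defined elsewhere
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "db_client" {
  function_name = "db-client"
  role          = aws_iam_role.lambda.arn
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "app.zip" # assumed artifact

  # Connect the function to the private subnets with its own security group.
  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.lambda.id]
  }
}

resource "aws_db_subnet_group" "private" {
  name       = "rds-private"
  subnet_ids = var.private_subnet_ids
}

resource "aws_db_instance" "main" {
  identifier                  = "app-db"
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true # credentials kept in Secrets Manager
  db_subnet_group_name        = aws_db_subnet_group.private.name
  vpc_security_group_ids      = [aws_security_group.rds.id]
  publicly_accessible         = false # the opposite of option A
  skip_final_snapshot         = true
}
```

Two design points worth checking in a review: the DB ingress rule names the function's security group as its source rather than a CIDR, so nothing else in the subnet gets the port by accident; and the function's egress is likewise restricted to the DB security group. If the function also needs AWS APIs or the internet from inside the VPC, that traffic must be routed separately (VPC endpoints or a NAT gateway), since a VPC-attached function has no default internet path.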