AWS Certified Solutions Architect – Associate (SAA-C02) — Question 476
A solutions architect is designing a two-tiered architecture that has separate private subnets for compute resources and the database. An AWS Lambda function that is deployed in the compute subnets needs connectivity to the database.
Which solution will provide this connectivity in the MOST secure way?
Answer options
- A. Configure the Lambda function to use Amazon RDS Proxy outside the VPC.
- B. Associate a security group with the Lambda function. Authorize this security group in the database's security group.
- C. Authorize the compute subnet's CIDR ranges in the database's security group.
- D. During the initialization phase, authorize all IP addresses in the database's security group temporarily. Remove the rule after the initialization is complete.
Correct answer: B
Explanation
Associating a dedicated security group with the Lambda function and referencing that group as the source in the database security group's inbound rule (option B) gives least-privilege access. A security group reference is evaluated against the groups attached to the source ENI, not against its IP address, so only the function's VPC ENIs can reach the database port, and the rule keeps working as those ENIs are created, reused or assigned new addresses. Authorizing the compute subnets' CIDR ranges (option C) is broader than needed: any resource that lands in those subnets, not just the function, can connect. Temporarily allowing all IP addresses (option D) exposes the database to every source that can reach it for the whole window and depends on someone remembering to remove the rule. Amazon RDS Proxy is deployed inside the VPC and is itself governed by security groups, so an RDS Proxy "outside the VPC" (option A) is not a supported configuration.
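The following is an added example, not code from the exam page: it expresses option B as the `IpPermissions` entry boto3 accepts for `authorize_security_group_ingress`, and audits a database security group's inbound rules so that the CIDR-based (option C) and open-to-all (option D) patterns are flagged. The rule dicts follow the shape `ec2.describe_security_groups` returns; the group IDs, subnet CIDRs and port are constructed sample values, and no AWS call is made.

```python
"""Audit RDS security group ingress and build the answer-B rule.

Added example; all IDs, CIDRs and the port below are constructed sample
values. Rule dicts use the boto3 IpPermissions shape and run offline.
"""
import ipaddress

DB_PORT = 5432                                      # assumed: PostgreSQL listener
LAMBDA_SG_ID = "sg-0123456789abcdef0"               # assumed: SG attached to the Lambda function
COMPUTE_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]  # assumed: compute-tier subnet CIDRs

# Ordered best to worst; audit() reports the worst kind it sees.
SEVERITY = {"sg-reference": 0, "prefix-list": 1, "cidr": 2, "open-to-all": 3}


def sg_reference_rule(source_sg_id: str, port: int) -> dict:
    """Option B as an IpPermissions entry. Pass it as
    ec2.authorize_security_group_ingress(GroupId=<db sg>, IpPermissions=[...]).
    The source is a group, so membership is checked per ENI rather than per
    address and survives Lambda's ENIs being recreated."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id}],
    }


def cidr_rule(cidrs, port: int) -> dict:
    """Option C (subnet CIDRs) or option D (0.0.0.0/0): source is an address range."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
    }


def rule_sources(rule: dict):
    """Yield (kind, source) for every source one entry admits. A single
    IpPermissions entry may mix group references, prefix lists and CIDRs."""
    for pair in rule.get("UserIdGroupPairs", []):
        yield "sg-reference", pair["GroupId"]
    for pl in rule.get("PrefixListIds", []):
        yield "prefix-list", pl["PrefixListId"]
    for r in rule.get("IpRanges", []):
        net = ipaddress.ip_network(r["CidrIp"], strict=False)
        yield ("open-to-all" if net.prefixlen == 0 else "cidr"), r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        net = ipaddress.ip_network(r["CidrIpv6"], strict=False)
        yield ("open-to-all" if net.prefixlen == 0 else "cidr"), r["CidrIpv6"]


def port_scoped(rule: dict, port: int) -> bool:
    """True only if the entry admits exactly the database port over TCP."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == port
            and rule.get("ToPort") == port)


def audit(ip_permissions, db_port: int = DB_PORT):
    """Return (worst_kind, findings). A finding is 'ok' only when it is a
    group reference scoped to the database port; worst_kind is None for an
    empty rule set."""
    findings = []
    for rule in ip_permissions:
        scoped = port_scoped(rule, db_port)
        for kind, source in rule_sources(rule):
            findings.append({
                "kind": kind,
                "source": source,
                "port_scoped": scoped,
                "ok": kind == "sg-reference" and scoped,
            })
    worst = max((f["kind"] for f in findings), key=SEVERITY.get, default=None)
    return worst, findings


if __name__ == "__main__":
    options = {
        "B": [sg_reference_rule(LAMBDA_SG_ID, DB_PORT)],
        "C": [cidr_rule(COMPUTE_SUBNETS, DB_PORT)],
        "D": [cidr_rule(["0.0.0.0/0"], DB_PORT)],
    }
    for name, perms in options.items():
        worst, findings = audit(perms)
        print(f"option {name}: worst={worst} all_ok={all(f['ok'] for f in findings)}")
```

In a real audit the `IpPermissions` list comes from `ec2.describe_security_groups(GroupIds=[db_sg])["SecurityGroups"][0]["IpPermissions"]`; the classifier above is deliberately per-source, so a rule that mixes a group reference with a `0.0.0.0/0` range is still reported as open-to-all rather than hidden behind the reference.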