AWS Certified SysOps Administrator – Associate (legacy) — Question 669

A SysOps administrator is re-architecting an application. The SysOps administrator has moved the database from a public subnet, where the database used a public endpoint, into a private subnet to restrict access from the public network. After this change, an AWS Lambda function that requires read access to the database cannot connect to the database. The SysOps administrator must resolve this issue without compromising security.
Which solution meets these requirements?

Answer options

• A. Create an AWS PrivateLink interface endpoint for the Lambda function. Connect to the database using its private endpoint.
• B. Connect the Lambda function to the database VPC. Connect to the database using its private endpoint.
• C. Attach an IAM role to the Lambda function with read permissions to the database.
• D. Move the database to a public subnet. Use security groups for secure access.

Correct answer: D

Explanation

Moving the database back to a public subnet and utilizing strictly configured security groups allows the Lambda function to connect to the database's public endpoint without needing complex VPC integration. This solution ensures that only authorized entities, such as the Lambda function, can access the database, maintaining security while restoring connectivity. Other options either do not solve the connectivity issue for a Lambda function outside the VPC or fail to provide network-level access control.