Which solution will meet these requirements?

By:
In: DVA-C02
Tagged:
With: 1 Comment
A company is updating an application to move the backend of the application from Amazon EC2 instances to a serverless model.The application uses an Amazon RDS for MySQL DB instance and runs in a single VPC on AWS.The application and the DB instance are deployed in a private subnet in the VPC.The company needs to connect AWS Lambda functions to the DB instance.

Which solution will meet these requirements?

Create Lambda functions inside the VPC with the AWSLambdaBasicExecutionRole policy attached to the Lambda execution role. Modify the RDS security group to allow inbound access from the Lambda security group.

Create Lambda functions inside the VPC with the AWSLambdaVPCAccessExecutionRole policy attached to the Lambda execution role. Modify the RDS security group to allow inbound access from the Lambda security group.

Create Lambda functions with the AWSLambdaBasicExecutionRole policy attached to the Lambda execution role. Create an interface VPC endpoint for the Lambda functions. Configure the interface endpoint policy to allow the lambda:InvokeFunclion action for each Lambda function’s Amazon Resource Name (ARN).

Create Lambda functions with the AWSLambdaVPCAccessExecutionRole policy attached to the Lambda execution role. Create an interface VPC endpoint for the Lambda functions. Configure the interface endpoint policy to allow the lambda:InvokeFunction action for each Lambda function’s Amazon Resource Name (ARN).

Explanations:

While this option suggests creating Lambda functions inside the VPC and modifying the RDS security group to allow access, it fails to mention the necessary IAM role that would allow Lambda to connect to resources inside the VPC. Without the appropriate VPC access execution role, the Lambda function won’t be able to access the RDS instance.

This option correctly specifies creating Lambda functions inside the VPC with the AWSLambdaVPCAccessExecutionRole policy, which is required for accessing resources in a VPC. Additionally, it includes modifying the RDS security group to allow inbound access from the Lambda security group, ensuring that the Lambda functions can connect to the RDS instance.

This option suggests creating Lambda functions with the AWSLambdaBasicExecutionRole policy, which does not grant the necessary permissions for accessing VPC resources. An interface VPC endpoint is also not required for Lambda functions to access RDS instances; Lambda functions need to be in the VPC to connect directly to RDS.

Although this option uses the correct AWSLambdaVPCAccessExecutionRole policy, it suggests creating an interface VPC endpoint for Lambda functions, which is unnecessary for connecting Lambda to RDS. The interface endpoint would only allow Lambda to invoke, not directly connect to the RDS instance, making it an incorrect approach for this scenario.

2025-10-08

1 Comment

  1. Donna
    Author

    I have a feeling that the answer is:
    Create Lambda functions inside the VPC with the AWSLambdaVPCAccessExecutionRole policy attached to the Lambda execution role. Modify the RDS security group to allow inbound access from the Lambda security group.

Leave a Reply to Donna Cancel reply

Your email address will not be published. Required fields are marked *

fifteen − 9 =