Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 40 discussion

ooooh this one was rough. I am going with A --> https://repost.aws/knowledge-center/connect-lambda-to-an-rds-instance I was between A and C... wording for both tricky. But the only way C would work is if the last portion of the sentence the read "Add an inbound rule to SG2 to allow TCP traffic from port 3306" or "Add an outbound rule to SG1 to allow TCP traffic... "

Correct Answer is Answer A For B creating new VPC for lambda does not seems a suitable solution For C Assigning differrent security groups to both will not work Option D will not be suitable for relational data and involve S3 in solution

B) Eliminated - Placing the Lambda function in a public subnet compromises security C) Eliminated - The rule should allow traffic to SG2 (the database’s security group) from SG1 (the Lambda function’s security group), not the other way around. D) Eliminated - Adds significant operational complexity

this one is badly written hehe I would say A, but they missed to mention that this only works securely if the secgroup is listed as destination of the rules. B would also work, but you need to properly configure it....

Correction answer should be option C. Lambda function, configure VPC1 access, and assign separate security groups: Lambda Function: Associate the Lambda function with VPC1. Security Group (SG1): Assign SG1 to the Lambda function. Security Group (SG2): Assign a second security group (SG2) to the Aurora database. Inbound Rule: Add an inbound rule to SG1 to allow TCP traffic from Port 3306 (Aurora database port). This approach ensures proper separation of concerns and simplifies security group management.

This appear at 17 Jun exam

A is the correct answer.

A seems the answer, although a single SG for both the DB and Lambda is not a great practice. I would go with 2 SGs.

Security groups are statefull so you dont need to specify both inbound and outbound rules. However, you should have security groups on both resources as a best practice, and I dont think it is enough to have an inbound rule just on the lambda security group in this case. This would essentially give the DB access to send traffic to the lambda function, rather than the lambda function accessing data from the DB like we want. If the lambda function doesnt have a permission on its security group letting it access the DB, then it will never communicate with it unless the DB contacts it first. If C had placed the inbound permission on the DB, or if it had placed the outbound permission on the lambda then I think it would be right. So while the wording is a little confusing, I think A is correct

A Lambda function and RDS instance in different VPCs First, use VPC peering to connect the two VPCs. Then, use the networking configurations to connect the Lambda function in one VPC to the RDS instance in the other:

This is the only one where lambda can reach the Database anyway, seems to me a prerequisite if the VPC was mentioned. Lambda by default, launched outside your VPC (in an AWS-owned VPC) so it cannot access resources.

B is correct?

C, need 2 SG

Need two security groups. One is for Lambda function. The other one is for DB

A. right B. public, unsecure C. excessive connections D. additional cost and complexity

VPC Configuration: Ensure that your Lambda function is configured to run within the same VPC where your Amazon Aurora database resides (VPC1 in this case). Configure the Lambda function to use the appropriate subnets within VPC1, which are associated with the private subnet where your Amazon Aurora database is located. Security Groups: Attach a security group (SG1) to both the Lambda function and the Amazon Aurora database. Configure the security group inbound rules for SG1 to allow incoming TCP traffic on Port 3306, which is the default port for MySQL (used by Aurora). This will allow communication between the Lambda function and the database. Outbound rules should be allowed by default, so you don't need to make any changes there.

There isn't the ideal solution to the use case among the options. B) no need to create a new VPC and also you need to add route tables and configure SGs to make it works C) this could work if the rule on SG1 was outbound instead of inbound (the connection is initiated from Lambda to Aurora) D) export data to S3 is overkill and if you do that you no longer need to deploy the lambda in the VPC A) works, as SG1 is attached to both Lambda and Aurora we need outbound rule to 3306 (Lambda initiate communication to Aurora) and also inbound rule from 3306 (to allow Aurora accept connection from Lambda). I don't like to have the same SG1 for both the Lambda and the Aurora