Exam AWS Certified Data Engineer - Associate DEA-C01 topic 1 question 32 discussion

This solution only modifies the inbound rules of the security group of the DB instance, but it does not modify the outbound rules of the security group of the Lambda function. Additionally, this solution does not facilitate a private connection from the Lambda function to the DB instance, hence, the Lambda function would still need to use the public internet to access the DB instance. Therefore, this option does not fulfill the requirements.

I would go with B & D. As C would have operational overhead in my opinion.

D is wrong. It is a bad security practice for a DB to share SG with the client. C is correct compared to the other opinions (A & E).

B & D C is wrong While you want the Lambda function to access the RDS instance privately, it does not need to run in the same subnet. As long as both are in the same VPC, the Lambda function can connect.

I will go with C and D on this one, because in my opinion B is not correctly phrased. The correct way to phrase it would be something like: Update the security group of the RDS instance to allow inbound traffic on the database port (3306) only from the security group associated with the Lambda function.

While placing the Lambda function in the same subnet as the DB instance would technically allow them to communicate privately within the same network, it introduces additional complexity and operational overhead. Lambda functions typically run in AWS-managed VPCs, and configuring them to run in a specific subnet might require manual intervention and ongoing maintenance.

bbb ddd

I would go with CD, since it's less operational effort, in my opinion

B: need update security group. and there there may be other application need to access db except for lambda function D: it works and reuse security group which has less operational overhead

A is not an option as it exposes the data to public B is not an option as we don't want the lambda to be the only entity accessing the db, there can be many other apps. doing this is not scalable

B. - While updating the security group of the DB instance to allow only Lambda function invocations on the database port may seem like a viable solution, it's not the most efficient approach. This option overlooks the need for the Lambda function to be able to communicate securely with the DB instance within the same VPC/subnet. - Reference: [Amazon RDS documentation on security groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html)

- AWS Lambda supports VPC configurations, allowing you to run Lambda functions within your own VPC. This enables private connectivity between Lambda functions and resources within the VPC, such as RDS DB instances. Reference AWS Lambda documentation on VPC configurations: [AWS Lambda VPC Settings]https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html - AWS security groups provide a flexible and scalable way to control traffic to your instances or resources. By attaching the same security group to both the Lambda function and the RDS DB instance, you can ensure they share the same set of rules for inbound and outbound traffic. - Self-referencing rules within security groups enable instances within the same security group to communicate with each other over specified ports. - Reference AWS documentation on security groups and self-referencing rules: [Security Groups for Your VPC]https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

So, there coudl be a justified argument for the following: C. Configure the Lambda function to run in the same subnet that the DB instance uses: By running the Lambda function in the same subnet as the RDS DB instance, you enable them to communicate privately within the same network, eliminating the need for public internet access and reducing operational overhead. D. Attach the same security group to the Lambda function and the DB instance. Include a self-referencing rule that allows access through the database port: By attaching the same security group to both the Lambda function and the RDS DB instance, and including a self-referencing rule that allows access through the database port, you ensure secure communication between them within the same VPC without exposing the database to the public internet. This approach minimizes operational overhead by centralizing security management and simplifying access control.

Here's how you would implement this: 1. **Attach the same security group to both the Lambda function and the RDS DB instance**: Ensure that both resources are associated with the same security group. 2. **Create an inbound rule in the security group**: Configure the security group to allow inbound traffic on the database port (e.g., 3306 for MySQL) from the security group itself. For example, if the security group ID is sg-1234567890 and the database port is 3306, the inbound rule would look something like this: Type: Custom TCP Rule Protocol: TCP Port Range: 3306 (or the port your database uses) Source: sg-1234567890 (the security group ID itself) This rule allows the Lambda function, which is also part of the same security group, to communicate with the RDS DB instance through the specified port. It effectively creates a loopback or self-referencing rule within the security group, allowing internal communication between resources while maintaining security boundaries.

The phrase "Include a self-referencing rule that allows access through the database port" refers to configuring the security group associated with the resources (in this case, the Lambda function and the RDS DB instance) to allow inbound traffic from the resources themselves on a specific port, typically the port used for database communication. In AWS security groups, a self-referencing rule means allowing traffic from the security group itself. This setup is often used to facilitate communication between resources within the same security group or VPC without needing to specify individual IP addresses.

When you want Lambda to "privately" connect to a resource (RDS in this case) that sits inside a VPC, then you deploy Lambda inside VPC. = C Then you attach a proper IAM role to lambda. Then, to be more secure you open the RDS security group only on the specific port: MySQL/Aurora MySQL: 3306 SQL Server: 1433 PostgreSQL: 5432 Oracle: 1521

what does "Include a self-referencing rule that allows access through the database port." mean?