Q13 — AWS DVA-C02 Ch.2

Question 13 of 100 | Chapter 2

A company has deployed infrastructure on AWS. The development team wants to create an AWS Lambda function to retrieve data from an Amazon Aurora database. The Amazon Aurora database resides in a private subnet within the company's VPC, named VPC1. Data security is critical. The Lambda function must securely access the database. Which solution meets these requirements?

Correct Answer: B. Create the Lambda function. Configure the function for VPC1 access. Attach a security group named SG1 to the Lambda function and a security group named SG2 to the database. Add an outbound rule to SG1 that allows TCP traffic on port 3306 to SG2, and an inbound rule to SG2 that allows TCP traffic on port 3306 from SG1.

Explanation

Lambda function associated with VPC1: The function must be configured for VPC1 access so that it is given an elastic network interface inside the VPC and can reach the Aurora database in the private subnet. A function that is not attached to the VPC has no route to a private subnet at all.

Security group configuration:

SG1 (attached to the Lambda function): needs an outbound rule allowing TCP traffic on port 3306 with SG2 as the destination, so the function can open connections to the database and send queries. The function never accepts inbound connections, so SG1 needs no inbound rule for this design.

SG2 (attached to the database): needs an inbound rule allowing TCP traffic on port 3306 with SG1 as the source, so the database accepts connections from the function's network interfaces and nothing else. Security groups are stateful, so the database's replies on an accepted connection are allowed automatically; no outbound rule on SG2 is required for that.

Security and access control: Security groups are the AWS mechanism for restricting traffic between resources at the network-interface level. Referencing SG1 as the source in SG2's inbound rule scopes database access to whatever interfaces belong to SG1 (here, the function's), while the outbound rule on SG1 limits the function to the database port. Port 3306 is the default port of an Aurora MySQL-compatible cluster; an Aurora PostgreSQL-compatible cluster listens on 5432 by default, and both rules would name that port instead.

Why the other options are unsuitable:

Option A: Attaching one security group, SG1, to both the function and the database means the inbound 3306 rule cannot distinguish the client from the server. It must either reference SG1 itself, in which case every network interface that is later placed in SG1 also gains access to the database, or carry no source restriction at all. Either way it does not express the directional, least-privilege rule that two separate groups give.

Option C: Creating the Lambda function in a separate VPC (VPC2) and peering it with VPC1 adds a peering connection, route table entries and cross-VPC security group references for no benefit; it is unnecessary complexity for a function that can simply be attached to VPC1.

Option D: Exporting the data to Amazon S3 and reading it from there adds cost and latency, introduces a second copy of the data that must itself be protected, and does not give the function live access to the database.

Therefore, option B is the secure and effective way to give the Lambda function access to the Amazon Aurora database in VPC1.
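The following is an added example, not part of the original question page, that models the security-group semantics the explanation relies on: a new connection needs an outbound rule on the client's group and an inbound rule on the server's group, rules may name another security group as their peer, and return traffic needs no rule because groups are stateful. It checks the two-group design from the correct answer, the reversed-rule mistake, the single shared group of option A, and an unrelated group in the same VPC. Group names SG1, SG2 and SG3, the "some-other-instance" interface, and the port-5432 check are assumptions introduced for the example; a real security group also carries a default allow-all egress rule, which this model omits so that only explicit rules count.

```python
"""Evaluate VPC security-group rules for a Lambda -> Aurora (TCP 3306) connection.

Added illustration for the question above; not AWS code. Models only the rule
semantics discussed in the explanation. SG1/SG2/SG3 and the extra
"some-other-instance" interface are assumptions for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp"
    port: int       # single port, e.g. 3306
    peer: str       # security group this rule references ("SG1", "SG2", ...)


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass
class Eni:
    """A network interface (the function's ENI or the database instance's)."""
    label: str
    groups: list


def _matches(rules, protocol, port, peer_names):
    return any(r.protocol == protocol and r.port == port and r.peer in peer_names
               for r in rules)


def connection_allowed(src: Eni, dst: Eni, protocol: str, port: int) -> bool:
    """A new connection is allowed only if some group on the source permits
    egress to a group the destination belongs to AND some group on the
    destination permits ingress from a group the source belongs to. Return
    traffic needs no rule because security groups are stateful."""
    src_names = {g.name for g in src.groups}
    dst_names = {g.name for g in dst.groups}
    egress_ok = any(_matches(g.outbound, protocol, port, dst_names) for g in src.groups)
    ingress_ok = any(_matches(g.inbound, protocol, port, src_names) for g in dst.groups)
    return egress_ok and ingress_ok


def scenario_two_groups(port: int = 3306) -> bool:
    """Correct answer: SG1 on the function, SG2 on the database, cross-referencing rules."""
    sg1 = SecurityGroup("SG1", outbound=[Rule("tcp", 3306, "SG2")])
    sg2 = SecurityGroup("SG2", inbound=[Rule("tcp", 3306, "SG1")])
    return connection_allowed(Eni("lambda", [sg1]), Eni("aurora", [sg2]), "tcp", port)


def scenario_reversed_rules() -> bool:
    """Inbound on SG1 from SG2 and outbound on SG2 to SG1 describes the database
    connecting to the function, so the real function -> database connection fails."""
    sg1 = SecurityGroup("SG1", inbound=[Rule("tcp", 3306, "SG2")])
    sg2 = SecurityGroup("SG2", outbound=[Rule("tcp", 3306, "SG1")])
    return connection_allowed(Eni("lambda", [sg1]), Eni("aurora", [sg2]), "tcp", 3306)


def scenario_shared_group() -> tuple:
    """Option A: one group SG1 on both resources with a self-referencing 3306 rule.
    The function reaches the database, but so does any other interface ever placed
    in SG1, because the group no longer distinguishes client from server."""
    sg1 = SecurityGroup("SG1",
                        inbound=[Rule("tcp", 3306, "SG1")],
                        outbound=[Rule("tcp", 3306, "SG1")])
    db = Eni("aurora", [sg1])
    lambda_ok = connection_allowed(Eni("lambda", [sg1]), db, "tcp", 3306)
    stray_ok = connection_allowed(Eni("some-other-instance", [sg1]), db, "tcp", 3306)
    return lambda_ok, stray_ok


def scenario_unrelated_group() -> bool:
    """With the two-group design, an interface in an unrelated group SG3 cannot
    reach the database even though it sits in the same VPC and allows egress."""
    sg2 = SecurityGroup("SG2", inbound=[Rule("tcp", 3306, "SG1")])
    sg3 = SecurityGroup("SG3", outbound=[Rule("tcp", 3306, "SG2")])
    return connection_allowed(Eni("other", [sg3]), Eni("aurora", [sg2]), "tcp", 3306)


if __name__ == "__main__":
    print("two groups, 3306:", scenario_two_groups())                       # True
    print("two groups, 5432 (Aurora PostgreSQL port):", scenario_two_groups(5432))  # False
    print("reversed rules:", scenario_reversed_rules())                     # False
    print("shared group (lambda, stray):", scenario_shared_group())          # (True, True)
    print("unrelated group SG3:", scenario_unrelated_group())               # False
```

The port-5432 case is the check a practitioner should make before copying the rules: the correct design is right for an Aurora MySQL-compatible cluster on 3306, and a PostgreSQL-compatible cluster needs the same two rules on its own port.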