Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 488 discussion

A solutions architect is designing a two-tiered architecture that has separate private subnets for compute resources and the database. An AWS Lambda function that is deployed in the compute subnets needs connectivity to the database.
Which solution will provide this connectivity in the MOST secure way?

  • A. Configure the Lambda function to use Amazon RDS Proxy outside the VPC.
  • B. Associate a security group with the Lambda function. Authorize this security group in the database's security group.
  • C. Authorize the compute subnet's CIDR ranges in the database's security group.
  • D. During the initialization phase, authorize all IP addresses in the database's security group temporarily. Remove the rule after the initialization is complete.
Suggested Answer: B
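To make the difference between options B and C concrete, here is an added example (not from the exam page or from AWS) that builds the two inbound rules in the IpPermissions shape that boto3's authorize_security_group_ingress accepts and evaluates which ENIs in the compute subnet each rule admits. The security-group IDs, the 10.0.1.0/24 compute subnet and the ENIs are constructed sample data.

```python
"""Added example: compares a security-group-sourced ingress rule (option B)
with a CIDR-sourced one (option C) against ENIs sharing the compute subnet.
All IDs, addresses and ENIs below are constructed for illustration."""
import ipaddress

DB_PORT = 5432                         # assumed PostgreSQL listener on the database
LAMBDA_SG = "sg-0a11aa00000000001"     # constructed ID of the Lambda function's SG
COMPUTE_CIDR = "10.0.1.0/24"           # constructed compute subnet range

# Option B: source is the Lambda function's security group.
RULE_B = {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
          "UserIdGroupPairs": [{"GroupId": LAMBDA_SG}]}
# Option C: source is the whole compute subnet CIDR.
RULE_C = {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
          "IpRanges": [{"CidrIp": COMPUTE_CIDR}]}

# Constructed ENIs in the compute subnet: the Lambda's ENI plus two other
# workloads that happen to share the same subnet.
ENIS = [
    {"name": "lambda-eni",  "ip": "10.0.1.10", "groups": {LAMBDA_SG}},
    {"name": "bastion-eni", "ip": "10.0.1.20", "groups": {"sg-0ba5710000000002"}},
    {"name": "ci-runner",   "ip": "10.0.1.30", "groups": {"sg-0c1c1c00000000003"}},
]


def rule_admits(rule, eni, port=DB_PORT):
    """True if inbound TCP to `port` from `eni` matches `rule`.
    A security-group source matches on the sender's group membership;
    a CIDR source matches only on the sender's private IP address."""
    if rule["IpProtocol"] != "tcp" or not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    if any(p["GroupId"] in eni["groups"] for p in rule.get("UserIdGroupPairs", [])):
        return True
    ip = ipaddress.ip_address(eni["ip"])
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def admitted_sources(rule, enis=ENIS):
    """Names of the ENIs that `rule` lets reach the database port."""
    return sorted(e["name"] for e in enis if rule_admits(rule, e))


if __name__ == "__main__":
    print("Option B admits:", admitted_sources(RULE_B))  # only the Lambda ENI
    print("Option C admits:", admitted_sources(RULE_C))  # every ENI in the subnet
```

The CIDR rule admits anything that lands in the subnet, including resources added later, whereas the group-referenced rule follows the Lambda's ENIs regardless of which addresses they draw.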

Comments

akba09
Highly Voted 3 years, 7 months ago
My thought process for why it should be Option B, not Option C: You can assign security groups specifically to the Lambda, and since for security groups, the source / destination can be set specifically to another Security Group (either itself or another in the same VPC), this will limit the access ONLY to that Lambda, not to all compute resources that share the CIDR block. With Option C, since a CIDR block is whitelisted and there may be other compute resources in the compute resource subnet, this would mean that they would also get access - which doesn't sound like the "MOST SECURE" way. Any thoughts?
upvoted 39 times
induna
3 years, 6 months ago
I like this comment
upvoted 1 times
Phyo007
3 years, 6 months ago
Yes, using Security Group ID as source is the most flexible and secure way.
upvoted 3 times
byhyey
Highly Voted 3 years, 7 months ago
Looks like the answer is C: https://aws.amazon.com/blogs/aws/new-access-resources-in-a-vpc-from-your-lambda-functions/ Your Lambda functions can now access Amazon Redshift data warehouses, Amazon ElastiCache clusters, Amazon Relational Database Service (RDS) instances, and service endpoints that are accessible only from within a particular VPC. In order to do this, you simply select one of your VPCs and identify the relevant subnets and security groups. Lambda uses this information to set up elastic network interfaces (ENIs) and private IP addresses (drawn from the subnet or subnets that you specified) so that your Lambda function has access to resources in the VPC. Accessing Resources in a VPC You can set this up when you create a new function. You can also update an existing function so that it has VPC access. You can configure this feature from the Lambda Console or from the CLI. Here’s how you set it up from the Console:
upvoted 7 times
naveenagurjara
Most Recent 2 years, 11 months ago
Selected Answer: B
You can call the LAM-SG ID to allow in DB-SG...
upvoted 2 times
Thawdr
3 years, 4 months ago
I choose B
upvoted 1 times
Edgarrt
3 years, 5 months ago
Selected Answer: B
"All subnets within a VPC contain a local route by default. The destination is the VPC's Classless Inter-Domain Routing (CIDR) and the target is local. For more information... ...For instances in different security groups—make sure that both security groups allow access to one another." https://aws.amazon.com/premiumsupport/knowledge-center/connect-lambda-to-an-rds-instance/
upvoted 2 times
Raj1703
3 years, 7 months ago
Akba09, you are right, allowing the entire compute subnet will not be secure as per the requirement. The current requirement is to allow Lambda to access the database, hence B should be fine.
upvoted 4 times
cJay722
3 years, 7 months ago
Answer is B. I would always prefer rules with security groups over CIDRs. https://aws.amazon.com/blogs/aws/new-access-resources-in-a-vpc-from-your-lambda-functions/
upvoted 4 times
Jamati
3 years, 7 months ago
I'll go with C
upvoted 1 times
Nishi90
3 years, 7 months ago
I will go with Option C: Authorize the compute subnets' CIDR ranges in the database's security group, because we need to make sure that, for the Lambda function's security group, traffic is allowed to go in and out of the CIDR of the RDS instance's VPC.
upvoted 4 times
Edgarrt
3 years, 5 months ago
All subnets within a VPC contain a local route by default. The destination is the VPC's Classless Inter-Domain Routing (CIDR) and the target is local. https://aws.amazon.com/premiumsupport/knowledge-center/connect-lambda-to-an-rds-instance/
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other