Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in which IAM execution role policy is required for Lambda functions running inside a VPC to communicate securely with an RDS instance. In production, this is about knowing exactly when AWSLambdaVPCAccessExecutionRole is mandatory versus the basic execution role — a subtle yet critical detail that impacts function networking and permissions. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
Innovatech Solutions is refactoring their monolithic app backend from EC2-based services into serverless AWS Lambda functions. The app stores data in an Amazon RDS for MySQL database. Both the Lambda functions and RDS instance are deployed in a private subnet within the same VPC, isolated from the public internet for security.
The Requirement #
The engineering team needs to ensure that the Lambda functions can connect seamlessly and securely to the RDS instance inside the private subnet. What is the correct AWS setup to allow this connection while adhering to least privilege and correct role usage?
The Options #
- A) Create Lambda functions inside the VPC with the AWSLambdaBasicExecutionRole policy attached to the Lambda execution role. Modify the RDS security group to allow inbound access from the Lambda functions’ security group.
- B) Create Lambda functions inside the VPC with the AWSLambdaVPCAccessExecutionRole policy attached to the Lambda execution role. Modify the RDS security group to allow inbound access from the Lambda functions’ security group.
- C) Create Lambda functions with the AWSLambdaBasicExecutionRole policy attached to the Lambda execution role. Create an interface VPC endpoint for Lambda. Configure the endpoint policy to allow Lambda:InvokeFunction for each Lambda ARN.
- D) Create Lambda functions with the AWSLambdaVPCAccessExecutionRole policy attached to the Lambda execution role. Create an interface VPC endpoint for Lambda. Configure the endpoint policy to allow Lambda:InvokeFunction for each Lambda ARN.
Correct Answer #
B
Quick Insight: The Developer Imperative #
When a Lambda function is attached to a VPC (to reach resources such as RDS in private subnets), its execution role must be allowed to manage Elastic Network Interfaces (ENIs): at minimum ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface. The AWSLambdaVPCAccessExecutionRole managed policy grants exactly these (an inline policy with the same actions works too). Lambda uses them to create the ENIs in your subnets through which the function's traffic leaves the VPC. Without them the VPC configuration is rejected when the function is created or updated, with an error that the execution role cannot call CreateNetworkInterface, and the function never gets a network path to RDS.
AWSLambdaBasicExecutionRole alone grants only the CloudWatch Logs permissions; it contains no EC2 permissions, so a VPC configuration paired with it fails.
Interface VPC endpoints for Lambda (options C and D) address a different direction of traffic. They give clients inside the VPC a private path to the Lambda service API (lambda:InvokeFunction and the rest of the control plane); they do nothing for the function's own outbound connection to RDS.
The Expert’s Analysis #
Correct Answer #
Option B
The Winning Logic #
To reach an RDS database that lives in a private subnet, the Lambda function must be attached to that VPC. For a VPC-attached function, Lambda needs the execution role to permit the ENI operations it performs on your behalf; the AWSLambdaVPCAccessExecutionRole managed policy grants them:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
With these permissions Lambda creates ENIs in the configured subnets with the configured security groups, which is what gives the function a private IP address and a route inside the VPC. Without them the CreateFunction or UpdateFunctionConfiguration call carrying the VPC settings is rejected (the error names the missing CreateNetworkInterface permission), so the problem surfaces at deployment time rather than on the first invocation.
The IAM side only gets the function onto the network; the security groups decide whether packets are accepted. The RDS security group must allow inbound TCP on the database port (3306 for MySQL) from the Lambda function's security group, referenced by security-group ID rather than by CIDR so the rule follows the function's ENIs wherever they land. The Lambda security group must in turn allow outbound to RDS on 3306 (the default egress rule already allows all outbound). No NAT gateway or internet route is involved in this path; RDS is reached over the VPC's private addressing.
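The two conditions above (role permissions, then security-group rule) are exactly what you want to verify before you deploy. The Python script below is an added example for this note, not AWS tooling or Innovatech's code. It evaluates whether a set of IAM policy documents allows the three ENI actions (honouring IAM's case-insensitive `*`/`?` action wildcards and the rule that an explicit Deny wins), and whether the RDS security group admits the Lambda security group on 3306 without also being open to 0.0.0.0/0 or ::/0. The policy documents, security-group IDs and ingress records are constructed inline in the shape returned by `aws iam get-policy-version` and `aws ec2 describe-security-groups`, so it runs offline; feed it real API output (for example from boto3's `get_policy_version` and `describe_security_groups`) to check a live account.

```python
"""Pre-flight checks for a VPC-attached Lambda reaching RDS (added example,
not AWS or Innovatech code). The policy documents and security-group records
below are constructed inline in the shape `aws iam get-policy-version` and
`aws ec2 describe-security-groups` return, so the script runs offline."""
import fnmatch

# ENI actions Lambda calls on your behalf when a function is attached to a VPC.
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)
LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]

# Constructed documents mirroring the two managed policies in the question.
BASIC_EXECUTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"}]}
VPC_ACCESS_EXECUTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_ENI_ACTIONS), "Resource": "*"},
    {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"}]}

LAMBDA_SG = "sg-0123456789abcdef0"          # constructed: the function's SG
RDS_SG_GOOD = {"GroupId": "sg-0fedcba9876543210", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": LAMBDA_SG}]}]}
RDS_SG_OPEN = {"GroupId": "sg-0fedcba9876543210", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_names(stmt, action):
    """True if `stmt` names `action` on Resource "*". IAM action matching is
    case-insensitive with * and ? wildcards; Lambda's ENI calls are granted on
    "*" by the managed policy, so only statements on "*" are counted here."""
    if "*" not in _as_list(stmt.get("Resource", [])):
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action", [])))


def missing_eni_actions(policies, required=REQUIRED_ENI_ACTIONS):
    """Required actions that no policy allows, or that an explicit Deny blocks
    (in IAM an explicit Deny always overrides an Allow)."""
    missing = []
    for action in required:
        effects = {stmt["Effect"] for doc in policies
                   for stmt in _as_list(doc["Statement"])
                   if _statement_names(stmt, action)}
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing


def _covers_port(perm, port):
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1))


def check_rds_ingress(rds_sg, lambda_sg_id, port=3306):
    """Return (admits_lambda_sg, overly_broad_cidrs) for the RDS security group.
    The correct rule references the Lambda SG as its source; any 0.0.0.0/0 or
    ::/0 rule on the DB port is flagged as a least-privilege violation."""
    admits, broad = False, []
    for perm in rds_sg.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        if any(p.get("GroupId") == lambda_sg_id for p in perm.get("UserIdGroupPairs", [])):
            admits = True
        broad += [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        broad += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
    return admits, broad


def preflight(policies, rds_sg, lambda_sg_id, port=3306):
    """Both checks together: pass means no missing actions, admits True, no broad CIDRs."""
    admits, broad = check_rds_ingress(rds_sg, lambda_sg_id, port)
    return {"missing_eni_actions": missing_eni_actions(policies),
            "rds_admits_lambda_sg": admits, "overly_broad_cidrs": broad}


if __name__ == "__main__":
    print("Option A:", preflight([BASIC_EXECUTION], RDS_SG_GOOD, LAMBDA_SG))
    print("Option B:", preflight([VPC_ACCESS_EXECUTION], RDS_SG_GOOD, LAMBDA_SG))
```

Run as-is, the Option A line reports all three ENI actions missing while Option B reports none; swapping RDS_SG_OPEN for RDS_SG_GOOD shows the security-group check failing even with the right role, which is the second half of the answer that exam summaries tend to skip.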
The Trap (Distractor Analysis): #
- Why not A? AWSLambdaBasicExecutionRole grants only the CloudWatch Logs permissions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents). It contains no EC2 network-interface permissions, so the VPC configuration is rejected when the function is created or updated; the security-group change in A is correct but never comes into play.
- Why not C or D? An interface VPC endpoint for Lambda gives clients inside the VPC a private path to the Lambda service API (lambda:InvokeFunction and the rest of the control plane). It governs inbound calls to Lambda, not the function's outbound traffic, and its endpoint policy only filters those API calls. In both C and D the function is not attached to the VPC at all, so it has no ENI in the private subnet and no route to RDS regardless of which execution role policy is attached.
The Technical Blueprint #
B) For Developer / SysOps (Code/CLI Snippet): #
Example IAM policy to attach to the Lambda execution role for VPC access. It reproduces the core of the AWSLambdaVPCAccessExecutionRole managed policy (the three ENI actions plus CloudWatch Logs); the current managed policy additionally grants ec2:DescribeSubnets, ec2:AssignPrivateIpAddresses and ec2:UnassignPrivateIpAddresses. The EC2 actions are granted on Resource "*" because the ENIs do not exist until Lambda creates them:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
CLI to attach the function to the VPC by subnet and security group. This is the call that fails if the execution role lacks the ENI permissions above, so it doubles as a quick test of the role:
aws lambda update-function-configuration \
--function-name MyFunction \
--vpc-config SubnetIds=subnet-abc123,SecurityGroupIds=sg-0123456789abcdef0
The Comparative Analysis (Developer View) #
| Option | IAM Role Policy | Networking Configuration | Correct for Lambda-to-RDS? | Comments |
|---|---|---|---|---|
| A | AWSLambdaBasicExecutionRole | Lambda inside VPC, modify RDS SG to allow | No | Missing ENI permissions; Lambda errors out |
| B | AWSLambdaVPCAccessExecutionRole | Lambda inside VPC, modify RDS SG to allow | Yes | Correct role & network config |
| C | AWSLambdaBasicExecutionRole | Lambda outside VPC + Lambda interface VPC endpoint | No | Endpoint irrelevant for DB access |
| D | AWSLambdaVPCAccessExecutionRole | Lambda outside VPC + Lambda interface VPC endpoint | No | Endpoint irrelevant for DB access |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick AWSLambdaVPCAccessExecutionRole when you see Lambda functions configured in a VPC.
Real World #
Teams sometimes keep Lambda functions out of the VPC to avoid the cold-start penalty that VPC attachment used to carry. That penalty was largely removed when Lambda moved to shared Hyperplane ENIs created at configuration time rather than on each cold start, so it is rarely a reason to stay outside the VPC today. Be precise about what the usual alternatives do: a NAT gateway gives a VPC-attached function a route out to the internet, not an outside-VPC function a route in to RDS; RDS Proxy endpoints are themselves private to the VPC, so a function must still be attached to use them (Proxy solves connection pooling and IAM database authentication, not network placement); and a function outside the VPC can reach the database only through a publicly accessible endpoint, which this scenario rules out, or an HTTPS interface such as the RDS Data API where the engine supports it. When direct access to a private RDS instance is required, Lambda in the VPC with the ENI permissions and an RDS security-group rule that references the function's security group is the standard pattern.
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.