
AWS DVA-C02 Drill: Lambda VPC Integration - IAM Policies for RDS Connectivity

Jeff Taakey
Author
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

“Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.”

“For DVA-C02 candidates, the confusion often lies in distinguishing between Lambda execution policies for basic CloudWatch logging versus VPC-enabled Lambda functions. In production, this is about knowing exactly which IAM managed policy grants your Lambda the ENI creation permissions needed to operate inside a VPC. Let’s drill down.”

The Certification Drill (Simulated Question)

Scenario

TechFlow Industries is modernizing their inventory management system by migrating from EC2-based compute to a serverless architecture. Their current setup includes an Amazon RDS for MySQL database instance running in a private subnet within a VPC. The application tier, previously running on EC2 instances, is being replaced with AWS Lambda functions. The development team needs to ensure the Lambda functions can securely connect to the existing RDS database while maintaining network isolation.

The Requirement:

Establish connectivity between AWS Lambda functions and an RDS MySQL database instance located in a private subnet, ensuring proper IAM permissions and network security group configuration.

The Options

  • A) Create Lambda functions inside the VPC with the AWSLambdaBasicExecutionRole policy attached to the Lambda Execution role. Modify the RDS security group to allow inbound access from the Lambda security group.
  • B) Create Lambda functions inside the VPC with the AWSLambdaVPCAccessExecutionRole policy attached to the Lambda Execution role. Modify the RDS security group to allow inbound access from the Lambda security group.
  • C) Create Lambda functions with the AWSLambdaBasicExecutionRole policy attached to the Lambda execution role. Create an interface VPC endpoint for the Lambda functions. Configure the interface endpoint policy to allow the Lambda:InvokeFunction action for each Lambda function’s Amazon Resource Name (ARN).
  • D) Create Lambda functions with the AWSLambdaVPCAccessExecutionRole policy attached to the Lambda execution role. Create an interface VPC endpoint for the Lambda functions. Configure the interface endpoint policy to allow the Lambda:InvokeFunction action for each Lambda function’s Amazon Resource Name (ARN).

Correct Answer

Option B.

Quick Insight: The VPC Lambda ENI Imperative

When Lambda functions need to access resources inside a VPC (like RDS in private subnets), Lambda creates Elastic Network Interfaces (ENIs) in the subnets you specify, and it does so using the function's execution role. The AWSLambdaVPCAccessExecutionRole managed policy grants the EC2 permissions for that ENI lifecycle (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface, among others) on top of the CloudWatch Logs permissions. AWSLambdaBasicExecutionRole grants only the logging permissions and none of the EC2 actions, so a function attached to a VPC with that role cannot be created.

The Expert’s Analysis

The Winning Logic

This solution correctly addresses both the IAM permission and networking requirements for Lambda-to-RDS connectivity:

  1. VPC Configuration: The Lambda functions are deployed inside the VPC (a set of subnets plus a security group), which is mandatory for direct private-IP connectivity to RDS instances in private subnets. Note the trade-off: a VPC-attached function has no public route of its own, so if it also needs the internet or public AWS service endpoints, the chosen subnets need a NAT gateway or VPC endpoints.

  2. Correct IAM Policy: The AWSLambdaVPCAccessExecutionRole managed policy currently grants the CloudWatch Logs actions and the EC2 actions Lambda uses to create, describe, address and delete its ENIs, all in one statement on Resource "*":

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeSubnets",
            "ec2:DeleteNetworkInterface",
            "ec2:AssignPrivateIpAddresses",
            "ec2:UnassignPrivateIpAddresses"
          ],
          "Resource": "*"
        }
      ]
    }
    

    AWS versions its managed policies, so confirm the live document with aws iam get-policy-version before you depend on a specific action list. The EC2 permissions are what let Lambda create ENIs in your VPC subnets; without them the VPC configuration is rejected at function creation time.

  3. Security Group Configuration: Adding an inbound rule on the RDS security group for TCP 3306 whose source is the Lambda security group (referenced by group ID rather than by CIDR, so the rule keeps working when Lambda's ENI addresses change) completes the network path. The Lambda security group also needs a matching outbound rule; the default egress rule allows all traffic, so this usually needs no change, but check it if egress has been tightened.

The Trap (Distractor Analysis):

  • Why not Option A?

    • AWSLambdaBasicExecutionRole only provides CloudWatch Logs permissions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents).
    • It lacks the EC2 network interface permissions required for VPC integration.
    • Creating or updating the function with a VPC configuration fails with an error like: The provided execution role does not have permissions to call CreateNetworkInterface on EC2. The failure surfaces when the VPC settings are applied, not at first invocation, because Lambda provisions the ENIs at configuration time.
  • Why not Options C & D?

    • An interface VPC endpoint for Lambda lets clients inside a VPC reach the Lambda API (Invoke, GetFunction and so on) over AWS PrivateLink instead of the public internet. That is the reverse direction of what is needed here.
    • The scenario requires Lambda to initiate connections to RDS, not VPC-resident clients invoking Lambda privately.
    • An endpoint policy allowing lambda:InvokeFunction has no bearing on database connectivity, and neither option attaches the function to the VPC at all.
    • These options confuse two different VPC endpoint use cases: private access to an AWS service API versus a service reaching resources inside your VPC.
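The two halves of the Option B checklist (does the execution role's policy grant the ENI actions, and does the RDS security group admit the Lambda security group on 3306) can be checked offline against the JSON that aws iam get-policy-version and aws ec2 describe-security-groups return. The script below is an added example written for this note, not code from the page or from AWS; the policy documents, security group and IDs in it are constructed to mirror the two managed policies and the scenario, and the policy matcher deliberately ignores the Resource and Condition elements (it answers "is the action granted at all?", which is the question that separates Option A from Option B).

```python
import fnmatch

# Actions a VPC-attached function's execution role must be able to call;
# the managed AWSLambdaVPCAccessExecutionRole grants more than these three.
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)

# Constructed policy documents shaped like the two managed policies.
BASIC_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}

VPC_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
            "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeSubnets", "ec2:DeleteNetworkInterface",
            "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
        ],
        "Resource": "*",
    }],
}

# Constructed security group in the (trimmed) shape returned by
# `aws ec2 describe-security-groups`; the group IDs are placeholders.
RDS_SG = {
    "GroupId": "sg-0rds456",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0lambda123"}],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_action_granted(policy, action):
    """Explicit Deny wins; otherwise any matching Allow grants the action.
    Resource and Condition elements are not evaluated in this check."""
    allowed = False
    for statement in policy["Statement"]:
        patterns = _as_list(statement.get("Action", []))
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_eni_actions(policy):
    """The required ENI actions that `policy` does not grant (empty = OK)."""
    return [a for a in REQUIRED_ENI_ACTIONS if not is_action_granted(policy, a)]


def sg_allows_from_group(sg, source_group_id, port, protocol="tcp"):
    """True if any ingress rule admits `port`/`protocol` from `source_group_id`.
    IpProtocol "-1" is the all-protocols wildcard and carries no port range."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("-1", protocol):
            continue
        if proto != "-1" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        if any(pair.get("GroupId") == source_group_id
               for pair in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def preflight(policy, rds_sg, lambda_sg_id, port=3306):
    """Summarise both halves of the Lambda-to-RDS checklist."""
    missing = missing_eni_actions(policy)
    return {
        "eni_permissions_ok": not missing,
        "missing_actions": missing,
        "sg_ingress_ok": sg_allows_from_group(rds_sg, lambda_sg_id, port),
    }


if __name__ == "__main__":
    for name, policy in (("Option A", BASIC_ROLE_POLICY), ("Option B", VPC_ROLE_POLICY)):
        print(name, preflight(policy, RDS_SG, "sg-0lambda123"))
```

Run against the Option A policy the report lists all three ENI actions as missing while the security group half passes, which is exactly the half-right configuration the distractor describes; against the Option B policy both halves pass. Feed it real documents by loading the JSON from the two CLI commands named above.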

The Technical Blueprint

Lambda VPC Integration Configuration (AWS CLI):

# Account ID, subnet IDs and security group IDs below are placeholders.

# 1. Attach the AWSLambdaVPCAccessExecutionRole managed policy first: the
#    create-function call in step 2 is rejected if the role cannot create ENIs
aws iam attach-role-policy \
  --role-name lambda-vpc-execution-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

# 2. Create the Lambda function with VPC configuration
aws lambda create-function \
  --function-name inventory-processor \
  --runtime python3.11 \
  --role arn:aws:iam::123456789012:role/lambda-vpc-execution-role \
  --handler index.handler \
  --vpc-config SubnetIds=subnet-0abc123,subnet-0def456,SecurityGroupIds=sg-0lambda123 \
  --zip-file fileb://function.zip

# 3. Lambda provisions the ENIs now; the function stays in state Pending until
#    they exist and invocations fail until it is Active
aws lambda wait function-active-v2 --function-name inventory-processor

# 4. Update the RDS security group to allow MySQL from the Lambda security group
aws ec2 authorize-security-group-ingress \
  --group-id sg-0rds456 \
  --protocol tcp \
  --port 3306 \
  --source-group sg-0lambda123

# 5. Verify the ENIs Lambda created (their description starts with "AWS Lambda VPC ENI")
aws ec2 describe-network-interfaces \
  --filters "Name=description,Values=AWS Lambda VPC ENI*" \
  --query "NetworkInterfaces[*].[NetworkInterfaceId,SubnetId,PrivateIpAddress,Status]"

Python Lambda Handler Example (connecting to RDS):

import os
import pymysql

# Module scope: the connection survives across warm invocations of the same
# execution environment, so each invoke does not pay a fresh TCP handshake and
# the database does not accumulate one connection per invocation.
# DB_PASSWORD in an environment variable is an exam-level simplification;
# in production fetch the secret from Secrets Manager or use IAM DB auth.
_connection = None


def _get_connection():
    global _connection
    if _connection is None:
        _connection = pymysql.connect(
            host=os.environ['DB_HOST'],
            user=os.environ['DB_USER'],
            password=os.environ['DB_PASSWORD'],
            database=os.environ['DB_NAME'],
            connect_timeout=5
        )
    else:
        # Transparently reopen the socket if RDS or an idle timeout closed it
        _connection.ping(reconnect=True)
    return _connection


def handler(event, context):
    connection = _get_connection()
    with connection.cursor() as cursor:
        cursor.execute("SELECT VERSION()")
        version = cursor.fetchone()
    return {
        'statusCode': 200,
        'body': f'Connected to RDS MySQL {version[0]}'
    }

The Comparative Analysis

| Option | IAM Policy | VPC Integration | Network Path | Deployment Complexity | Exam Trap |
|---|---|---|---|---|---|
| A | ❌ AWSLambdaBasicExecutionRole (insufficient) | ✅ Lambda in VPC | ✅ Security groups configured | Low | Missing EC2 ENI permissions |
| B | ✅ AWSLambdaVPCAccessExecutionRole | ✅ Lambda in VPC | ✅ Security groups configured | Medium | CORRECT ANSWER |
| C | ❌ AWSLambdaBasicExecutionRole | ❌ Lambda outside VPC | ❌ VPC endpoint, wrong direction | High | Misunderstands endpoint purpose |
| D | ✅ AWSLambdaVPCAccessExecutionRole | ❌ Lambda outside VPC | ❌ VPC endpoint, wrong direction | High | Correct policy, wrong architecture |

Key Decision Factors:

  • Configuration complexity: Options C & D add VPC endpoint configuration that solves a different problem (private access to the Lambda API from inside a VPC), so the extra work buys nothing for database connectivity
  • Performance: with the Hyperplane ENI model, Lambda provisions the ENIs when the function's VPC configuration is created or changed (the function is Pending until they are ready), not on first invocation, and one ENI is shared by every function in the account that uses the same subnet and security group combination. Invocations pay no ENI cost, so VPC attachment no longer adds a multi-second cold-start penalty
  • Use Case: Direct database access requires Lambda inside the VPC with the ENI permissions on its execution role

Real-World Application (Practitioner Insight)

Exam Rule

“For the DVA-C02 exam, when Lambda needs to access VPC resources (RDS, ElastiCache, internal ALBs), always ensure AWSLambdaVPCAccessExecutionRole is attached and Lambda is deployed with VPC subnet/security group configuration.”

Real World

“In production environments, we often create custom IAM policies instead of using the managed AWSLambdaVPCAccessExecutionRole, applying least privilege by scoping the ENI create and delete actions to one VPC with the ec2:Vpc condition key. Two details matter when you do this. First, ec2:Describe* calls carry no resource context, so a StringEquals condition on ec2:Vpc attached to them can never be satisfied and would silently break the role; keep the Describe actions in their own unconditional statement. Second, ec2:DeleteNetworkInterface must stay in the policy or Lambda cannot clean up ENIs it no longer needs. The CloudWatch Logs actions, and the ec2:AssignPrivateIpAddresses/ec2:UnassignPrivateIpAddresses actions the managed policy also grants, are omitted here for brevity and should be carried over unless you have verified your functions operate without them:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-abc123"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}

Additionally, for high-traffic applications, we utilize RDS Proxy between Lambda and RDS to handle connection pooling efficiently—Lambda’s stateless nature can exhaust database connections quickly without it. The exam won’t test RDS Proxy extensively, but it’s critical for real-world serverless database architectures.”
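The pitfall with VPC-scoped execution roles is easiest to see by evaluating the policy against the request contexts Lambda's own EC2 calls carry. The script below is an added example written for this note, not AWS code and not a full IAM evaluator: it models only the StringEquals operator and ignores the Resource element, the VPC ARNs are placeholders, and the two policies are constructed, one that applies the ec2:Vpc condition to every action including Describe (and drops Delete), one that scopes only the create/delete actions. The request contexts encode the IAM rule that a Describe call carries no ec2:Vpc key, so a StringEquals on that key evaluates false for it.

```python
import fnmatch

# Placeholder VPC ARNs (assumption: not real resources).
VPC_ARN = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-abc123"
OTHER_VPC_ARN = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0ther999"

# Request contexts for the calls Lambda makes on the function's behalf.
# CreateNetworkInterface and DeleteNetworkInterface act on a subnet or ENI
# and carry the ec2:Vpc key; the Describe* calls carry no resource context,
# so ec2:Vpc is simply absent for them.
LAMBDA_REQUESTS = (
    ("ec2:CreateNetworkInterface", {"ec2:Vpc": VPC_ARN}),
    ("ec2:DeleteNetworkInterface", {"ec2:Vpc": VPC_ARN}),
    ("ec2:DescribeNetworkInterfaces", {}),
    ("ec2:DescribeSubnets", {}),
)

# Constructed: one statement, condition applied to every action including
# Describe, and no Delete action at all.
NAIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ec2:Vpc": VPC_ARN}},
    }],
}

# Constructed: VPC condition only on the mutating actions, Describe actions
# left unconditional.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface"],
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:Vpc": VPC_ARN}},
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    """Only StringEquals is modelled. A key absent from the request context
    cannot satisfy StringEquals; that is what breaks Describe* when the
    condition is attached to it."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, context):
    """Explicit Deny wins; otherwise any matching Allow whose conditions hold
    grants the call. The Resource element is not evaluated in this model."""
    decision = False
    for statement in policy["Statement"]:
        patterns = _as_list(statement.get("Action", []))
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if not _conditions_hold(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        decision = True
    return decision


def evaluate(policy, requests=LAMBDA_REQUESTS):
    """Map each of Lambda's ENI calls to allowed/denied under `policy`."""
    return {action: is_allowed(policy, action, ctx) for action, ctx in requests}


if __name__ == "__main__":
    print("naive :", evaluate(NAIVE_POLICY))
    print("scoped:", evaluate(SCOPED_POLICY))
    print("scoped, other VPC:",
          is_allowed(SCOPED_POLICY, "ec2:CreateNetworkInterface", {"ec2:Vpc": OTHER_VPC_ARN}))
```

Under the naive policy the Describe calls are denied (the condition key is never present for them) and Delete is denied outright, so the function would be created and then fail to manage its ENIs; under the scoped policy every call Lambda makes in the intended VPC is allowed while a CreateNetworkInterface in any other VPC is refused. Before shipping a scoped role, confirm the real decision with aws iam simulate-principal-policy rather than this model.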

Performance Tip: Lambda Hyperplane ENIs (introduced in 2019) took ENI provisioning out of the invocation path. Creating a function with a VPC configuration, or changing its subnets or security groups, can still take tens of seconds or more before the function reaches the Active state, and invocations during Pending fail, so deployment pipelines should wait for Active (aws lambda wait function-active-v2) before invoking. Functions left unused for a long period move to the Idle state while Lambda reclaims the ENI and are reactivated on the next invocation. Provisioned concurrency addresses the ordinary cold start (runtime and handler initialization, including opening the database connection) for latency-sensitive workloads; it does not change ENI behaviour.


Disclaimer

This is a study note based on simulated scenarios for the DVA-C02 exam. Always refer to the official AWS Documentation and your practical experience when making architectural decisions.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.