AWS Certified Developer – Associate / Question #770 of 557

Question #770

A developer is troubleshooting an AWS Lambda function in a development environment. The Lambda function is configured to connect to an Amazon MQ broker (ActiveMQ) deployed in a private subnet within a VPC, using port 61617. The Lambda function encounters a connection timeout when attempting to communicate with the broker. Which two steps should the developer take to diagnose the issue? (Choose two.)

A

Check that the Lambda's security group allows outbound traffic on port 61617 to the Amazon MQ broker's security group. Check that the Amazon MQ broker's security group permits inbound traffic on port 61617 from the Lambda's security group.

B

Check that the Lambda's security group allows inbound traffic on port 61617 from the Amazon MQ broker's security group. Check that the Amazon MQ broker's security group permits outbound traffic on port 61617 to the Lambda's security group.

C

Verify that the VPC has a NAT gateway configured. Ensure the Amazon MQ broker is publicly accessible.

D

Check that the Lambda's execution role includes permissions for amazonmq:DescribeBroker, amazonmq:ModifyBroker, and amazonmq:DescribeConfiguration.

E

Check that the Lambda's execution role includes ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface permissions.

Explanation

Answer A ensures proper security group configuration: Lambda must have outbound access to the MQ broker's port (61617), and the broker must allow inbound traffic from Lambda's security group. Answer E addresses Lambda's VPC networking requirements: Lambda needs EC2 permissions (Create/Describe/DeleteNetworkInterface) to manage network interfaces in the VPC.

Other options are incorrect: B reverses the inbound/outbound rules (Lambda initiates the connection, so inbound rules on the Lambda's security group are not needed). C is irrelevant because the MQ broker is in a private subnet and internal VPC communication requires neither public access nor a NAT gateway. D covers MQ management API permissions, which have no effect on network connectivity. Key point: a Lambda function attached to a VPC needs the EC2 network-interface permissions and matching security group rules on both ends of the connection (outbound on the Lambda side, inbound on the broker side); security groups are stateful, so the broker's reply traffic is allowed automatically.
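The two checks from the explanation (security group rules on port 61617 in both directions, and the three ec2:*NetworkInterface* actions in the execution role) can be scripted against the data the AWS APIs return. The following is an added example, not part of the original question or of any AWS SDK; it works offline on dictionaries shaped like the output of EC2 `describe_security_groups` and an IAM policy document, and all group IDs, policy contents and the `sg_allows` / `missing_eni_actions` / `diagnose` helper names are constructed for this example. It also shows a common failure the explanation hints at: a broker rule that opens the right port but references the wrong peer security group still fails check A.

```python
"""Offline checks for the two diagnostic steps named in the explanation:
security-group rules between the Lambda function and the Amazon MQ broker on
port 61617, and the ENI permissions in the Lambda execution role.
The dicts mirror the shape of EC2 describe_security_groups() output and an
IAM policy document; every ID and value below is constructed sample data."""
from fnmatch import fnmatchcase

BROKER_PORT = 61617  # ActiveMQ port used in the question

# Actions Lambda needs to manage ENIs in a VPC (option E)
ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)


def _rule_matches(rule, port, peer_sg_id):
    """True if one IpPermission entry covers TCP `port` to/from `peer_sg_id`."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols
        return False
    if proto == "tcp" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 0)):
        return False
    # Accept a direct security-group reference or an all-traffic CIDR
    if any(p.get("GroupId") == peer_sg_id for p in rule.get("UserIdGroupPairs", [])):
        return True
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))


def sg_allows(sg, direction, port, peer_sg_id):
    """direction is 'egress' (outbound rules) or 'ingress' (inbound rules)."""
    key = "IpPermissionsEgress" if direction == "egress" else "IpPermissions"
    return any(_rule_matches(r, port, peer_sg_id) for r in sg.get(key, []))


def missing_eni_actions(policy):
    """ENI actions not granted by any Allow statement; IAM-style wildcards honoured."""
    allowed = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed += [actions] if isinstance(actions, str) else list(actions)
    return [a for a in ENI_ACTIONS
            if not any(fnmatchcase(a.lower(), pat.lower()) for pat in allowed)]


def diagnose(lambda_sg, broker_sg, role_policy, port=BROKER_PORT):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if not sg_allows(lambda_sg, "egress", port, broker_sg["GroupId"]):
        findings.append(f"Lambda SG {lambda_sg['GroupId']} lacks outbound tcp/{port} to {broker_sg['GroupId']}")
    if not sg_allows(broker_sg, "ingress", port, lambda_sg["GroupId"]):
        findings.append(f"Broker SG {broker_sg['GroupId']} lacks inbound tcp/{port} from {lambda_sg['GroupId']}")
    for action in missing_eni_actions(role_policy):
        findings.append(f"Execution role is missing {action}")
    return findings


# Constructed sample data (not real AWS resources)
LAMBDA_SG = {
    "GroupId": "sg-lambda0001",
    "IpPermissions": [],
    # default security-group egress: everything, everywhere
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
# Broken: right port, but the rule references a different peer security group
BROKER_SG_BROKEN = {
    "GroupId": "sg-broker0001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": BROKER_PORT, "ToPort": BROKER_PORT,
                       "UserIdGroupPairs": [{"GroupId": "sg-other0001"}]}],
    "IpPermissionsEgress": [],
}
BROKER_SG_FIXED = {
    "GroupId": "sg-broker0001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": BROKER_PORT, "ToPort": BROKER_PORT,
                       "UserIdGroupPairs": [{"GroupId": "sg-lambda0001"}]}],
    "IpPermissionsEgress": [],
}
# Broken: only Describe is granted, so the function cannot create/delete its ENI
ROLE_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:*", "ec2:DescribeNetworkInterfaces"], "Resource": "*"}]}
ROLE_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:*", "ec2:*NetworkInterface*"], "Resource": "*"}]}

if __name__ == "__main__":
    for label, sg, role in (("broken", BROKER_SG_BROKEN, ROLE_BROKEN),
                            ("fixed", BROKER_SG_FIXED, ROLE_FIXED)):
        print(label, diagnose(LAMBDA_SG, sg, role) or ["ok"])
```

Running the script prints three findings for the broken pair (missing broker inbound rule, missing ec2:CreateNetworkInterface, missing ec2:DeleteNetworkInterface) and `ok` for the fixed pair. The egress check deliberately passes on the Lambda side because the default security-group egress rule allows all traffic; only the ingress rule on the broker and the role permissions need correcting here, matching why A and E are the two diagnostic steps.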

Answer

The correct answer is: AE