Can AWS Lambda connect to an RDS MySQL database and update the database?
Introduction
Yes, AWS Lambda can connect to an RDS MySQL instance and run updates, inserts, and deletes. The main work is not the SQL itself but getting networking, credentials, and connection management right so the function can reach the database reliably without exhausting MySQL connections.
What Has To Be In Place
A Lambda function can talk to RDS MySQL when all of these are true:
- the function can reach the database endpoint over the network
- the database security group allows inbound traffic from the Lambda side
- the function has the credentials to authenticate
- the runtime package includes a MySQL client library
If the RDS instance is in private subnets, the Lambda function usually needs to run in the same VPC or on a connected network path.
A Practical Python Example
This example uses pymysql to update one row. In real deployments, credentials should come from Secrets Manager or a secure parameter source rather than hard-coded strings.
This is a normal pattern:
- create or reuse a connection
- run parameterized SQL
- commit the transaction
- return a small result
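The pattern listed above, written out as an added example (not the page's own code or an AWS sample). The `DB_SECRET_ID` environment variable, the secret's JSON keys, the `orders` table and the event fields `order_id` and `status` are assumptions.

```python
import json
import os

_conn = None  # reused across warm invocations of the same execution environment


def load_db_config(secret_id):
    """Fetch connection settings from Secrets Manager (JSON keys are assumed)."""
    import boto3  # imported lazily so the module loads without AWS libraries
    raw = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
    s = json.loads(raw["SecretString"])
    return {"host": s["host"], "user": s["username"], "password": s["password"],
            "database": s["dbname"], "port": int(s.get("port", 3306))}


def get_connection():
    """Create the connection once, then reuse it while the environment is warm."""
    global _conn
    if _conn is None:
        import pymysql  # must be packaged with the function or provided by a layer
        cfg = load_db_config(os.environ["DB_SECRET_ID"])
        _conn = pymysql.connect(connect_timeout=5, autocommit=False, **cfg)
    else:
        _conn.ping(reconnect=True)  # reopen if MySQL dropped the idle session
    return _conn


def update_order_status(conn, order_id, status):
    """Update one row with placeholders; returns the number of affected rows."""
    try:
        with conn.cursor() as cur:
            # The SQL text is constant; event values travel only as parameters.
            rows = cur.execute(
                "UPDATE orders SET status = %s WHERE id = %s",
                (status, int(order_id)),
            )
        conn.commit()
        return rows
    except Exception:
        conn.rollback()  # leave no half-applied transaction on the reused connection
        raise


def lambda_handler(event, context):
    # event["order_id"] and event["status"] are hypothetical input fields.
    rows = update_order_status(get_connection(), event["order_id"], event["status"])
    return {"updated": rows}
```

Passing the connection into `update_order_status` keeps the SQL path testable without a live database.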
Use Parameterized Queries
Never build update statements by concatenating raw event values into SQL strings. Parameterized queries protect you from SQL injection and reduce quoting mistakes.
The example above uses placeholders and a parameter tuple, which is the correct approach.
Networking and Security Group Basics
For private RDS instances, Lambda must usually be attached to the VPC. Once it is, make sure:
- the Lambda function uses subnets that can route to the RDS instance
- the RDS security group allows inbound MySQL traffic from the Lambda security group
- the Lambda execution environment can still reach any AWS services it needs (for example Secrets Manager, if credentials are fetched at run time)
A common operational mistake is getting the credentials right but forgetting that the function still has no path to the database endpoint.
Secrets and Connection Management
Credentials should be stored in AWS Secrets Manager or another managed secret store, not inside the source bundle.
Connection count is also important. Lambda can scale quickly, and each concurrent execution may try to open a database connection. That can overwhelm a small MySQL instance.
For heavier production workloads, RDS Proxy is often a better design because it manages connection pooling between Lambda and the database.
When This Pattern Works Well
Lambda to RDS is a good fit for:
- event-driven updates after file uploads or queue messages
- simple transactional writes
- low-to-moderate throughput administrative actions
- APIs with predictable concurrency and efficient SQL
It becomes trickier when thousands of concurrent invocations all want long-lived database sessions.
Common Pitfalls
Putting the function outside the right VPC path is one of the most common reasons connections fail.
Hard-coding passwords instead of using managed secrets is another operational mistake.
Ignoring connection scaling can hurt badly. Lambda concurrency and MySQL connection limits do not scale in the same way.
Finally, remember to package the MySQL client library for the Lambda runtime or include it through a layer if your deployment process requires that.
Summary
- Lambda can absolutely connect to RDS MySQL and issue updates
- the critical pieces are networking, security groups, credentials, and a packaged MySQL client
- use parameterized SQL and explicit commits for safe updates
- prefer Secrets Manager for credentials and consider RDS Proxy for higher-concurrency workloads
- most failures come from VPC or connection-management mistakes rather than from Lambda itself

