AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is deploying a new public web application to AWS. The application will run behind an Application Load Balancer (ALB). The application needs to be encrypted at the edge with an SSL/TLS certificate that is issued by an external certificate authority (CA). The certificate must be rotated each year before the certificate expires.

What should a solutions architect do to meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.

Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Import the key material from the certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.

Use AWS Certificate Manager (ACM) Private Certificate Authority to issue an SSL/TLS certificate from the root CA. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.

Use AWS Certificate Manager (ACM) to import an SSL/TLS certificate. Apply the certificate to the ALB. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiration. Rotate the certificate manually.

Explanation:

Explanation

The correct answer is D because:

External CA Certificate Requirement: The question explicitly states that the SSL/TLS certificate must be "issued by an external certificate authority (CA)". This means the certificate cannot be issued by AWS Certificate Manager (ACM) or ACM Private CA, as those are AWS-managed certificate authorities.
ACM Import Functionality: AWS Certificate Manager (ACM) allows you to import certificates obtained from external certificate authorities. This is the appropriate solution when you need to use certificates from third-party CAs.
Manual Rotation Requirement: Since the certificate is imported from an external CA, ACM cannot automatically renew it. The managed renewal feature only works for certificates issued by ACM. Therefore, you need to:
- Import the external certificate into ACM
- Apply it to the ALB
- Set up monitoring (using Amazon EventBridge/CloudWatch Events) to notify you when the certificate is nearing expiration
- Manually rotate the certificate by importing the renewed certificate from the external CA

Why the other options are incorrect:

A: Incorrect because ACM-issued certificates are from AWS's own CA, not an external CA.
B: Incorrect for the same reason as A - ACM issues certificates from its own CA, not external CAs.
C: Incorrect because ACM Private CA is still an AWS-managed CA, not an external CA.

Key AWS Services:

AWS Certificate Manager (ACM): For importing and managing certificates
Application Load Balancer (ALB): For terminating SSL/TLS connections
Amazon EventBridge (CloudWatch Events): For monitoring certificate expiration

This solution ensures encryption at the edge with an externally-issued certificate while maintaining proper certificate lifecycle management.

Powered ByGPT-5.2

Comments

Loading comments...