
A company hosts its web applications in the AWS Cloud. The company configures Elastic Load Balancers to use certificates that are imported into AWS Certificate Manager (ACM). The company's security team must be notified 30 days before the expiration of each certificate.
What should a solutions architect recommend to meet this requirement?
A
Add a rule in ACM to publish a custom message to an Amazon Simple Notification Service (Amazon SNS) topic every day, beginning 30 days before any certificate will expire.
B
Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource.
C
Use AWS Trusted Advisor to check for certificates that will expire within 30 days. Create an Amazon CloudWatch alarm that is based on Trusted Advisor metrics for check status changes. Configure the alarm to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
D
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect any certificates that will expire within 30 days. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
Explanation:
Correct Answer: D
Why Option D is correct:
Why other options are incorrect:
Option A: ACM does not have a built-in feature to "add a rule" to publish custom messages to SNS topics. While ACM sends expiration events to EventBridge, it doesn't have direct SNS publishing capabilities.
Option B: AWS Config can check for certificate expiration, but this is an overly complex solution. AWS Config is primarily for compliance monitoring and configuration management, not for real-time event-driven notifications. It would require additional setup and incur unnecessary costs.
Option C: AWS Trusted Advisor does check for expiring certificates, but it's not designed for real-time notifications. Trusted Advisor checks run periodically (not in real-time), and creating CloudWatch alarms on Trusted Advisor metrics would not provide timely 30-day notifications.
Key AWS Services Involved:
Best Practice: This solution follows the AWS Well-Architected Framework by using serverless, event-driven architecture that scales automatically and minimizes operational overhead.
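The option D design, as an added example that is not part of the original quiz: the EventBridge event pattern that matches ACM's "ACM Certificate Approaching Expiration" event, and the Lambda handler that turns it into an SNS alert. It assumes the rule targets this function, that the topic ARN is supplied in a hypothetical ALERT_TOPIC_ARN environment variable, and that the account-level ACM expiry setting (PutAccountConfiguration, DaysBeforeExpiry) has been set so events begin at 30 days rather than the 45-day default.

```python
import json
import os
from typing import Optional

ALERT_DAYS = 30  # the security team's notification window

# Event pattern for the EventBridge rule (ACM emits this event daily once
# a certificate, imported or Amazon-issued, is inside the expiry window).
EVENT_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration"],
}

# Constructed sample event in the shape ACM publishes to EventBridge.
SAMPLE_EVENT = {
    "detail-type": "ACM Certificate Approaching Expiration",
    "source": "aws.acm",
    "account": "111122223333",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID"],
    "detail": {"DaysToExpiry": 30, "CommonName": "www.example.com",
               "DomainValidationMethod": "EMAIL", "CertificateType": "IMPORTED"},
}


def build_alert(event: dict) -> Optional[dict]:
    """Map an ACM expiry event to SNS Publish arguments, or None when the
    certificate is still outside the 30-day window."""
    detail = event.get("detail", {})
    days = detail.get("DaysToExpiry")
    if days is None or days > ALERT_DAYS:
        return None
    body = {"certificateArn": event["resources"][0],
            "commonName": detail.get("CommonName"),
            "certificateType": detail.get("CertificateType"),
            "daysToExpiry": days,
            "account": event.get("account"), "region": event.get("region")}
    subject = f"ACM certificate expires in {days} day(s)"
    return {"Subject": subject[:100], "Message": json.dumps(body, indent=2)}


def lambda_handler(event, context=None, publish=None):
    """Lambda entry point; `publish` is injectable so the logic can run locally."""
    alert = build_alert(event)
    if alert is None:
        return {"published": False}
    if publish is None:
        import boto3  # imported lazily so the module loads without the AWS SDK
        sns = boto3.client("sns")
        publish = lambda **kw: sns.publish(TopicArn=os.environ["ALERT_TOPIC_ARN"], **kw)
    publish(**alert)
    return {"published": True, "daysToExpiry": event["detail"]["DaysToExpiry"]}
```

Because ACM re-emits the event every day inside the window, the team receives a daily reminder until the certificate is re-imported.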