AWS Certified Developer – Associate (DVA-C02) — Question 481
A company generates SSL certificates from a third-party provider. The company imports the certificates into AWS Certificate Manager (ACM) to use with public web applications.
A developer must implement a solution to notify the company’s security team 90 days before an imported certificate expires. The company already has configured an Amazon Simple Queue Service (Amazon SQS) queue. The company also has configured an Amazon Simple Notification Service (Amazon SNS) topic that has the security team’s email address as a subscriber.
Which solution will provide the security team with the required notification about certificates?
Answer options
- A. Create an Amazon EventBridge rule that specifies the ACM Certificate Approaching Expiration event type. Set the SNS topic as the EventBridge rule’s target.
- B. Create an AWS Lambda function to search for all certificates that are expiring within 90 days. Program the Lambda function to send each identified certificate’s Amazon Resource Name (ARN) in a message to the SQS queue.
- C. Create an AWS Step Functions workflow that is invoked by each certificate’s expiration notification from AWS CloudTrail. Create an AWS Lambda function to send each certificate’s Amazon Resource Name (ARN) in a message to the SQS queue.
- D. Configure AWS Config with the acm-certificate-expiration-check managed rule to run every 24 hours. Create an Amazon EventBridge rule that includes an event pattern that specifies the Config Rules Compliance Change detail type and the configured rule. Set the SNS topic as the EventBridge rule’s target.
Correct answer: D
Explanation
AWS Config provides a managed rule, acm-certificate-expiration-check, whose expiration threshold can be set to a custom value such as 90 days to flag certificates that will expire within that window. When a certificate becomes non-compliant with the rule, AWS Config emits a compliance change event; an EventBridge rule matching the Config Rules Compliance Change detail type can route that event to the SNS topic, which emails the security team. The other options are incorrect: the default ACM Certificate Approaching Expiration event in EventBridge is fixed at 45 days and cannot be customized, and the Lambda and Step Functions options are unnecessarily complex and send messages to the SQS queue rather than to the SNS topic that the security team subscribes to.
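As an added illustration of the correct answer (this is example code, not part of the question or of any AWS documentation), the block below builds the AWS Config rule definition for acm-certificate-expiration-check with a 90-day threshold and the EventBridge event pattern that forwards only the rule's NON_COMPLIANT transitions to the SNS topic. It then runs a simplified pattern matcher over constructed sample events to show which ones the rule would forward. The parameter name daysToExpiration, the source identifier ACM_CERTIFICATE_EXPIRATION_CHECK and the event field names are real AWS values; the account ID, certificate ARN, topic ARN and the sample events are constructed, and the matcher only implements the exact-value list form of EventBridge patterns.

```python
import json

# Values from the question scenario plus placeholders for account-specific ARNs.
CONFIG_RULE_NAME = "acm-certificate-expiration-check"
DAYS_TO_EXPIRATION = "90"                       # the 90-day notice the scenario requires
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-team-alerts"  # placeholder


def config_rule_definition() -> dict:
    """Payload for `aws configservice put-config-rule --config-rule file://rule.json`.

    The managed rule is periodic, so MaximumExecutionFrequency controls how often
    ACM certificates are re-evaluated (the answer specifies every 24 hours).
    """
    return {
        "ConfigRuleName": CONFIG_RULE_NAME,
        "Description": "Flag ACM certificates expiring within 90 days",
        "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"},
        "InputParameters": json.dumps({"daysToExpiration": DAYS_TO_EXPIRATION}),
        "MaximumExecutionFrequency": "TwentyFour_Hours",
    }


# EventBridge event pattern for the rule that targets the SNS topic. Narrowing to
# NON_COMPLIANT avoids emailing the team when a renewed certificate becomes
# compliant again.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": [CONFIG_RULE_NAME],
        "resourceType": ["AWS::ACM::Certificate"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge matching (assumption: exact-value lists and nested
    objects only; prefix, numeric and anything-but filters are not implemented)."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        if isinstance(wanted, dict):
            if not isinstance(event[key], dict) or not matches(wanted, event[key]):
                return False
        elif event[key] not in wanted:
            return False
    return True


def rule_fires(event: dict) -> bool:
    """True if the EventBridge rule would forward this event to SNS_TOPIC_ARN."""
    return matches(EVENT_PATTERN, event)


def _config_event(compliance: str) -> dict:
    # Constructed Config compliance-change event (not captured from a real account).
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "resourceId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID",
            "resourceType": "AWS::ACM::Certificate",
            "configRuleName": CONFIG_RULE_NAME,
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


CONFIG_NONCOMPLIANT_EVENT = _config_event("NON_COMPLIANT")
CONFIG_COMPLIANT_EVENT = _config_event("COMPLIANT")

# Constructed ACM-native expiry event (option A's event type); it must not match
# the Config-based rule because it comes from a different source.
ACM_EXPIRY_EVENT = {
    "source": "aws.acm",
    "detail-type": "ACM Certificate Approaching Expiration",
    "detail": {"DaysToExpiry": 45, "CommonName": "www.example.com"},
}

if __name__ == "__main__":
    print(json.dumps(config_rule_definition(), indent=2))
    for name, ev in [("NON_COMPLIANT", CONFIG_NONCOMPLIANT_EVENT),
                     ("COMPLIANT", CONFIG_COMPLIANT_EVENT),
                     ("ACM native", ACM_EXPIRY_EVENT)]:
        print(f"{name:14} -> forward to SNS: {rule_fires(ev)}")
```

Because the managed rule is evaluated on its periodic schedule rather than at the exact moment a certificate crosses the threshold, the email can arrive up to one evaluation interval after the 90-day mark; keep the frequency at 24 hours or tighter if that lag matters for the renewal process.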