AWS Certified Security – Specialty (SCS-C02) — Question 305

A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date.

What is the MOST operationally efficient way to meet this requirement?

Answer options

• A. Create an AWS Lambda function to list all certificates and to go through each certificate to describe the certificate by using the AWS SDK. Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge rate expression to schedule the Lambda function to run daily.
• B. Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric. Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the DaysToExpiry metric is less than or equal to 31.
• C. Set up AWS Security Hub. Turn on the AWS Foundational Security Best Practices standard with integrated ACM to send findings. Configure and use a custom action by creating a rule to match the pattern from the ACM findings on the NotBefore attribute as the event source. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
• D. Create an Amazon EventBridge rule by using a predefined pattern for ACM Choose the metric in the ACM Certificate Approaching Expiration event as the event pattern. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.

Correct answer: D

Explanation

Option D is the most operationally efficient solution because AWS Certificate Manager (ACM) natively publishes 'ACM Certificate Approaching Expiration' events to Amazon EventBridge, allowing direct integration with an Amazon SNS topic for alerts without custom code. Option A requires writing and maintaining custom AWS Lambda code, which increases operational overhead. Option B is incorrect because CloudWatch metrics do not support imported certificates, and Option C is overly complex and incorrectly references the 'NotBefore' attribute instead of expiration.