AWS Certified Security – Specialty — Question 315

A company uses AWS Certificate Manager (ACM) to automate the renewal of SSL/TLS certificates that the company's Elastic Load Balancers use. The company recently noticed that ACM was unable to automatically renew some certificates. These certificates have a status of "pending validation" in the ACM console.

A security engineer configured the certificates by using DNS validation. The security engineer has verified that the existing certificates have not expired.

What should the security engineer do to correct this issue?

Answer options

Correct answer: B

Explanation

For ACM to successfully execute automated renewal using DNS validation, the specific CNAME record generated by ACM must remain present in the domain's DNS configuration. If this CNAME record is missing or incorrect, ACM cannot verify domain ownership, leading to a "pending validation" status. Correcting the CNAME records resolves this without needing to switch validation methods or manually reimport certificates.
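The check described above, as an added example (not part of the original question): it compares the CNAME each domain must carry, as listed under `DomainValidationOptions` in `aws acm describe-certificate` output, with what DNS actually returns. The function name, the sample certificate and the DNS answers are constructed for illustration; in practice the answers would come from resolving each record name.

```python
def _norm(name):
    # DNS names are case-insensitive and the trailing dot is optional.
    return name.strip().rstrip(".").lower()

def check_validation_records(certificate, dns_answers):
    """Return {domain: 'ok' | 'missing' | 'mismatch'} for DNS-validated domains.

    certificate: the "Certificate" object from describe-certificate.
    dns_answers: {record_name: [cname_targets]} as resolved from public DNS.
    """
    resolved = {_norm(k): {_norm(v) for v in vals} for k, vals in dns_answers.items()}
    report = {}
    for opt in certificate.get("DomainValidationOptions", []):
        record = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not record:
            continue  # nothing to compare for this domain
        targets = resolved.get(_norm(record["Name"]))
        if not targets:
            report[opt["DomainName"]] = "missing"    # CNAME was deleted
        elif _norm(record["Value"]) in targets:
            report[opt["DomainName"]] = "ok"
        else:
            report[opt["DomainName"]] = "mismatch"   # CNAME points elsewhere
    return report

def _opt(domain, name, value):
    # Builds one constructed DomainValidationOptions entry.
    return {"DomainName": domain, "ValidationMethod": "DNS",
            "ValidationStatus": "PENDING_VALIDATION",
            "ResourceRecord": {"Name": name, "Type": "CNAME", "Value": value}}

# Constructed sample data; the record names and values are placeholders.
SAMPLE_CERT = {"DomainValidationOptions": [
    _opt("example.com", "_aaaa1111.example.com.", "_bbbb2222.acm-validations.aws."),
    _opt("www.example.com", "_cccc3333.www.example.com.", "_dddd4444.acm-validations.aws."),
    _opt("api.example.com", "_eeee5555.api.example.com.", "_ffff6666.acm-validations.aws."),
]}
SAMPLE_DNS = {
    "_AAAA1111.example.com": ["_bbbb2222.acm-validations.aws"],     # present
    "_eeee5555.api.example.com.": ["old-target.example.net."],      # wrong target
    # no entry for www.example.com: the record no longer exists
}

if __name__ == "__main__":
    for domain, status in check_validation_records(SAMPLE_CERT, SAMPLE_DNS).items():
        print(f"{domain}: {status}")
```

Domains reported as `missing` or `mismatch` are the ones whose CNAME records need to be restored to the values ACM issued.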