AWS Certified Security – Specialty — Question 336
A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date.
What is the MOST operationally efficient way to meet this requirement?
Answer options
- A. Create an AWS Lambda function to list all certificates and to go through each certificate to describe the certificate by using the AWS SDK. Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge (Amazon CloudWatch Events) rate expression to schedule the Lambda function to run daily.
- B. Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric. Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the DaysToExpiry metric is less than or equal to 31.
- C. Set up AWS Security Hub. Turn on the AWS Foundational Security Best Practices standard with integrated ACM to send findings. Configure and use a custom action by creating a rule to match the pattern from the ACM findings on the NotBefore attribute as the event source. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
- D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule by using a predefined pattern for ACM. Choose the metric in the ACM Certificate Approaching Expiration event as the event pattern. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Correct answer: D
Explanation
Option D is the most operationally efficient solution. ACM publishes an 'ACM Certificate Approaching Expiration' event (source aws.acm) to the default EventBridge bus once a day for every certificate inside the expiry window (45 days before NotAfter by default, adjustable per account with the ACM PutAccountConfiguration API), and it does so for imported and ACM-issued certificates alike, whatever validation method was used. An EventBridge rule that matches this event with an SNS topic as its target therefore needs no custom code and no per-certificate configuration; the only extra step is an SNS topic policy that lets events.amazonaws.com publish to the topic, plus the email subscription. Option A works, but it means writing, maintaining and scheduling a Lambda function that re-implements a check ACM already performs. Option B relies on the DaysToExpiry metric in the AWS/CertificateManager namespace, which ACM reports per CertificateArn dimension, so each certificate needs its own alarm and newly issued or imported certificates are silently missed until someone adds them. Option C adds Security Hub solely to route findings, and NotBefore marks the start of a certificate's validity period, not its end, so a rule keyed on it would never detect approaching expiration.
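To make option D concrete, the following added example (not part of the original question or of any AWS SDK) writes the event pattern an EventBridge rule would use and runs it over constructed sample events with a small matcher that reproduces EventBridge's exact-match and numeric-match semantics. The event field names (source, detail-type, resources, detail.DaysToExpiry, detail.CertificateType) follow the documented shape of the ACM expiry event; the certificate ARNs, account ID and timestamps are made up, and `select_alerts` is a hypothetical helper that stands in for the SNS target.

```python
"""EventBridge rule pattern for ACM expiry events, exercised against sample events.

Added example: the matcher below is a teaching reimplementation of EventBridge
pattern matching (exact values and the "numeric" operator only), not AWS code.
"""
import json

# Pattern from option D: match every "approaching expiration" event ACM emits.
ACM_EXPIRY_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration"],
}

# Optional tighter pattern: EventBridge numeric matching on the event's
# DaysToExpiry field, so the rule only fires inside the last 31 days.
ACM_EXPIRY_PATTERN_31_DAYS = {
    **ACM_EXPIRY_PATTERN,
    "detail": {"DaysToExpiry": [{"numeric": ["<=", 31]}]},
}

_NUMERIC_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def _leaf_matches(rule_values, event_value):
    """A leaf in a pattern is a list; the event value must satisfy one entry."""
    for rv in rule_values:
        if isinstance(rv, dict) and "numeric" in rv:
            # "numeric" is a flat list such as ["<=", 31] or [">", 0, "<=", 31].
            if isinstance(event_value, bool) or not isinstance(event_value, (int, float)):
                continue
            ops = rv["numeric"]
            if all(_NUMERIC_OPS[op](event_value, bound)
                   for op, bound in zip(ops[0::2], ops[1::2])):
                return True
        elif rv == event_value:
            return True
    return False


def matches(pattern, event):
    """True if every key in the pattern is present in the event and matches."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _leaf_matches(rule, event[key]):
            return False
    return True


def _acm_event(detail_type, arn, detail):
    """Build a constructed sample event in the documented ACM event shape."""
    return {
        "version": "0",
        "source": "aws.acm",
        "detail-type": detail_type,
        "account": "123456789012",       # made-up account ID
        "region": "us-east-1",
        "time": "2024-01-01T06:00:00Z",  # made-up timestamp
        "resources": [arn],
        "detail": detail,
    }


# Constructed sample events: two expiry warnings (one at the default 45-day
# threshold, one at 31 days), one unrelated ACM event, one non-ACM event.
ARN_IMPORTED = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-1111-1111-1111-111111111111"
ARN_ISSUED = "arn:aws:acm:us-east-1:123456789012:certificate/22222222-2222-2222-2222-222222222222"
SAMPLE_EVENTS = [
    _acm_event("ACM Certificate Approaching Expiration", ARN_IMPORTED,
               {"DaysToExpiry": 31, "CommonName": "www.example.com",
                "CertificateType": "IMPORTED"}),
    _acm_event("ACM Certificate Approaching Expiration", ARN_ISSUED,
               {"DaysToExpiry": 45, "CommonName": "api.example.com",
                "DomainValidationMethod": "DNS", "CertificateType": "AMAZON_ISSUED"}),
    _acm_event("ACM Certificate Available", ARN_ISSUED,
               {"Action": "RENEWAL", "CertificateType": "AMAZON_ISSUED"}),
    {"version": "0", "source": "aws.cloudwatch", "detail-type": "CloudWatch Alarm State Change",
     "resources": ["arn:aws:cloudwatch:us-east-1:123456789012:alarm:made-up"], "detail": {}},
]


def select_alerts(events, pattern):
    """Hypothetical stand-in for the SNS target: ARNs of events the rule would forward."""
    return [e["resources"][0] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(json.dumps(ACM_EXPIRY_PATTERN))  # paste into aws events put-rule
    for arn in select_alerts(SAMPLE_EVENTS, ACM_EXPIRY_PATTERN):
        print("alert:", arn)
```

The JSON printed for `ACM_EXPIRY_PATTERN` is what goes into `aws events put-rule --name <rule> --event-pattern file://pattern.json`, followed by `aws events put-targets --rule <rule> --targets Id=sns,Arn=<topic-arn>`; the SNS topic needs a resource policy granting `sns:Publish` to `events.amazonaws.com`, and the email address is subscribed to the topic. Only the first two sample events reach the target with the base pattern, and only the 31-day one with the numeric pattern; neither pattern has to know any certificate ARN in advance, which is the operational difference from option B.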