AWS Certified Security – Specialty — Question 427

A company is using HTTPS for all its public endpoints. A third-party certificate authority (CA) issues the certificates. The company imports the certificates and attaches them to an Elastic Load Balancer or an Amazon CloudFront distribution. The company is also using a third-party DNS hosting provider.

The certificates are near expiration. The company wants to migrate to AWS Certificate Manager (ACM) with automatic renewal. When the company adds the CNAME record during DNS validation, the certificate status changes to Failed.

What is the root cause of this issue?

Answer options

Correct answer: C

Explanation

The 'Failed' status during ACM DNS validation occurs when the domain's DNS configuration contains Certification Authority Authorization (CAA) records that do not explicitly permit Amazon to issue certificates. ACM does not require Amazon Route 53 for DNS validation or automatic renewal, so options A and B are incorrect. Additionally, ACM uses CNAME records rather than TXT records for DNS validation, so option D is also incorrect.
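An added example (not from the exam page or any AWS tool) that reproduces the CAA check behind this answer: it finds the CAA record set that governs a name by walking up through its parent names (RFC 8659) and tests whether issuance by Amazon's CAs is permitted. The zone data is constructed, and the Amazon issuer identifiers are taken from AWS documentation as an assumption.

```python
# Added example: evaluate whether a domain's CAA policy permits issuance by
# the CAs ACM uses. The governing CAA set is the first non-empty one found
# walking from the requested name up toward the root (RFC 8659 section 3).

# Issuer domains AWS documents for CAA records permitting ACM issuance
# (assumption taken from AWS documentation, not from the exam page).
ACM_ISSUERS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
SAMPLE_CAA = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.com")],
    "open.example.net": [],  # no CAA at this name or any parent
    "shop.example.org": [(0, "issue", "amazon.com"), (0, "issuewild", ";")],
}


def relevant_caa(name, zone):
    """Return the CAA records governing `name`: the first non-empty set
    found at the name itself or at one of its parent names."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]), [])
        if records:
            return records
    return []


def acm_issuance_permitted(name, zone, wildcard=False):
    """True if ACM's CAs may issue for `name` under the governing CAA policy.
    No CAA records at all means any CA may issue. For wildcard requests an
    `issuewild` record takes precedence when present, otherwise `issue`."""
    records = relevant_caa(name, zone)
    if not records:
        return True
    has_wild = any(tag == "issuewild" for _, tag, _ in records)
    applicable = "issuewild" if wildcard and has_wild else "issue"
    allowed = []
    for _flags, tag, value in records:
        if tag == applicable:
            # value is "issuer-domain[; parameters]"; ";" alone forbids all CAs
            allowed.append(value.split(";")[0].strip().lower())
    if not allowed:
        return True  # only iodef or other tags present: CAA does not restrict
    return any(issuer in ACM_ISSUERS for issuer in allowed)
```

A name whose governing set lists only another CA (the first zone entry above) is exactly the case in which ACM's DNS validation ends in the Failed state.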