AWS Certified Security – Specialty — Question 431
A company uses Amazon Route 53 to create a public DNS zone for the domain example.com in Account A. The company creates another public DNS zone for the subdomain dev.example.com in Account B. A security engineer creates a wildcard certificate (*.dev.example.com) with DNS validation by using AWS Certificate Manager (ACM). The security engineer validates that the corresponding CNAME records have been created in the zone for dev.example.com in Account B.
After all these operations are completed, the certificate status is still pending validation.
What should the security engineer do to resolve this issue?
Answer options
- A. Purchase a valid wildcard certificate authority (CA) certificate that supports managed renewal. Import this certificate into ACM in Account B.
- B. Add NS records for the subdomain dev.example.com to the Route 53 parent zone example.com in Account A.
- C. Use AWS Certificate Manager Private Certificate Authority to create a subordinate certificate authority (CA). Use ACM to generate a private certificate that supports managed renewal.
- D. Resend the email message that requests ownership validation of dev.example.com.
Correct answer: B
Explanation
The certificate remains in the pending validation state because ACM validates ownership by querying the public DNS for the CNAME records it issued. The hosted zone for dev.example.com in Account B is a valid public zone, but until the parent zone delegates the subdomain to it, that zone is not part of the public DNS tree, so resolvers (and therefore ACM) cannot reach the validation records no matter how correctly they were created. The fix is to add an NS record set for dev.example.com to the example.com hosted zone in Account A, listing the name servers that Route 53 assigned to the dev.example.com hosted zone in Account B. Once that delegation is in place and has propagated, ACM's queries for the validation CNAMEs succeed and the certificate is issued; a quick check is to query one of the validation CNAME names from a public resolver and confirm it now returns the expected ACM target instead of no answer.