AWS Certified Solutions Architect – Associate (SAA-C02) — Question 607

A company is deploying a new public web application to AWS. The application will run behind an Application Load Balancer (ALB). The application needs to be encrypted at the edge with an SSUTLS certificate that is issued by an external certificate authority (CA). The certificate must be rotated each year before the certificate expires.
What should a solutions architect do to meet these requirements?

Answer options

• A. Use AWS Certificate Manager (ACM) to issue an SSUTLS certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
• B. Use AWS Certificate Manager (ACM) to issue an SSUTLS certificate. Import the key material from the certificate. Apply the certificate to the ALB.
• C. Use the managed renewal feature to automatically rotate the certificate. Use AWS Certificate Manager (ACM) Private Certificate Authority to issue an SSUTLS certificate from the root CA. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
• D. Use AWS Certificate Manager (ACM) to import an SSUTLS certificate. Apply the certificate to the ALB. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiration. Rotate the certificate manually.

Correct answer: A, D

Explanation

Because the requirement specifies an external certificate authority (CA), the certificate must be imported into AWS Certificate Manager (ACM), which does not support automatic managed renewal for imported certificates, requiring manual rotation and expiration monitoring via Amazon EventBridge (Option D). If the certificate could be issued directly by ACM instead of an external CA, ACM's managed renewal feature would automate the rotation process (Option A).