AWS Certified Solutions Architect – Associate (SAA-C02) — Question 751
A company hosts its web applications in the AWS Cloud. The company configures Elastic Load Balancers to use certificates that are imported into AWS Certificate Manager (ACM). The company's security team must be notified 30 days before the expiration of each certificate.
What should a solutions architect recommend to meet this requirement?
Answer options
- A. Add a rule in ACM to publish a custom message to an Amazon Simple Notification Service (Amazon SNS) topic every day, beginning 30 days before any certificate will expire.
- B. Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource.
- C. Use AWS Trusted Advisor to check for certificates that will expire within 30 days. Create an Amazon CloudWatch alarm that is based on Trusted Advisor metrics for check status changes. Configure the alarm to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
- D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect any certificates that will expire within 30 days. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
Correct answer: B
Explanation
AWS Config provides a managed rule (acm-certificate-expiration-check) that can evaluate ACM certificates and mark them as noncompliant if they are within 30 days of expiration, which can then trigger an EventBridge rule to send an SNS notification. Option A is incorrect because ACM does not have a native feature to directly publish daily expiration warnings to an SNS topic. Options C and D are incorrect because Trusted Advisor and direct EventBridge rules do not provide the same seamless, managed compliance tracking for imported certificates as AWS Config does.