AWS Certified Solutions Architect – Associate (SAA-C03) — Question 608
An international company has a subdomain for each country that the company operates in. The subdomains are formatted as example.com, country1.example.com, and country2.example.com. The company's workloads are behind an Application Load Balancer. The company wants to encrypt the website data that is in transit.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Use the AWS Certificate Manager (ACM) console to request a public certificate for the apex top domain example.com and a wildcard certificate for *.example.com.
- B. Use the AWS Certificate Manager (ACM) console to request a private certificate for the apex top domain example.com and a wildcard certificate for *.example.com.
- C. Use the AWS Certificate Manager (ACM) console to request a public and private certificate for the apex top domain example.com.
- D. Validate domain ownership by email address. Switch to DNS validation by adding the required DNS records to the DNS provider.
- E. Validate domain ownership for the domain by adding the required DNS records to the DNS provider.
Correct answer: A, E
Explanation
To secure public-facing traffic routed through an ALB, a public SSL/TLS certificate is required. Requesting the wildcard name (*.example.com) together with the apex domain (example.com) covers every country subdomain; the wildcard alone does not match the apex domain, so both names are needed. DNS validation is the most efficient and recommended method to prove domain ownership in ACM and is done by adding CNAME records at the DNS provider. Private certificates are incorrect because they are not trusted by public browsers, and switching validation methods mid-process is unnecessary.