AWS Certified Solutions Architect – Associate (SAA-C03) — Question 798

A company wants to configure its Amazon CloudFront distribution to use SSL/TLS certificates. The company does not want to use the default domain name for the distribution. Instead, the company wants to use a different domain name for the distribution.

Which solution will deploy the certificate without incurring any additional costs?

Answer options

• A. Request an Amazon issued private certificate from AWS Certificate Manager (ACM) in the us-east-1 Region.
• B. Request an Amazon issued private certificate from AWS Certificate Manager (ACM) in the us-west-1 Region.
• C. Request an Amazon issued public certificate from AWS Certificate Manager (ACM) in the us-east-1 Region.
• D. Request an Amazon issued public certificate from AWS Certificate Manager (ACM) in the us-west-1 Region.

Correct answer: C

Explanation

To associate a custom SSL/TLS certificate with an Amazon CloudFront distribution, the certificate must be located in the us-east-1 (US East (N. Virginia)) Region. Public certificates provided by AWS Certificate Manager (ACM) are free of charge, whereas private certificates incur additional costs for running a private CA. Therefore, requesting a public ACM certificate in us-east-1 is the only zero-cost solution that meets the requirement.