AWS Certified Solutions Architect – Professional — Question 554
You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message "Certificate: <certificate-id> is being used by CloudFront."
Which of the following statements is probably the reason why you are getting this error?
Answer options
- A. Before you can delete an SSL certificate, you need to set up HTTPS on your server.
- B. Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM.
- C. Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront certificate.
- D. You can't delete SSL certificates. You need to request it from AWS.
Correct answer: C
Explanation
An SSL certificate cannot be deleted from IAM if it is currently associated with an active CloudFront distribution. To resolve this error, you must first disassociate the certificate by either updating the distribution to use a new certificate or reverting to the default CloudFront certificate. Once the certificate is no longer in use by any CloudFront distribution, it can be safely deleted.