AWS Certified Developer – Associate

Question #1059

A company manages TLS certificates with AWS Certificate Manager (ACM) for its public-facing applications. The security team must be notified 90 days before any certificate expires. The company already has an Amazon SNS topic to which the security team's email address is subscribed, and an Amazon SQS queue used for other alerts.

Which solution ensures the security team is notified on time?

A

Set up an Amazon EventBridge rule that triggers on the 'ACM Certificate Expired' event. Configure the SNS topic as the target.

B

Develop an AWS Lambda function that lists all ACM certificates daily, checks their expiration dates, and publishes a message to the SQS queue for certificates expiring within 90 days.

C

Use AWS Config to enable the 'acm-certificate-expiration-check' managed rule, setting the threshold to 90 days. Create an EventBridge rule that triggers on compliance change events from AWS Config, targeting the SNS topic.

D

Configure an Amazon CloudWatch alarm based on the ACM 'DaysToExpiry' metric, set the threshold to 90, and set the SNS topic as the alarm action.

Explanation

Option C is correct. The AWS Config managed rule 'acm-certificate-expiration-check' takes a daysToExpiration parameter (default 14) that can be set to 90; whenever AWS Config evaluates the rule, every certificate that expires within that window is marked NON_COMPLIANT. Each compliance change is published to EventBridge as a 'Config Rules Compliance Change' event from source aws.config. An EventBridge rule that matches those events for this Config rule (ideally only the NON_COMPLIANT transitions, so that a certificate returning to COMPLIANT after renewal does not also page the team) forwards them to the SNS topic, and the email subscription delivers the notification. Two prerequisites are implied: AWS Config must be recording the AWS::ACM::Certificate resource type, and the SNS topic's resource policy must allow events.amazonaws.com to publish to it.
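The configuration that option C describes, as an added example that is not part of the exam page: a CloudFormation template that creates the Config rule with daysToExpiration set to 90, an EventBridge rule that forwards only NON_COMPLIANT compliance changes for that rule to the existing SNS topic, and the topic policy that EventBridge needs in order to publish. The parameter name SecurityTeamTopicArn and the resource logical names are assumptions; the SNS topic is assumed to already exist, as in the question.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: notify the security team 90 days before an ACM certificate
  expires, using AWS Config + EventBridge + an existing SNS topic.

Parameters:
  SecurityTeamTopicArn:
    Type: String
    Description: ARN of the existing SNS topic the security team is subscribed to (assumed)

Resources:
  # Managed rule; prerequisite (not created here): a Config recorder that
  # records AWS::ACM::Certificate resources in this account and region.
  AcmExpirationRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: acm-certificate-expiration-check
      Description: Flags ACM certificates that expire within 90 days
      Source:
        Owner: AWS
        SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK
      InputParameters:
        daysToExpiration: "90"   # rule default is 14; the question asks for 90
      Scope:
        ComplianceResourceTypes:
          - AWS::ACM::Certificate

  # Match only NON_COMPLIANT transitions for this rule. Without the
  # complianceType filter, the return to COMPLIANT after a renewal would
  # also be sent to the security team.
  ComplianceChangeRule:
    Type: AWS::Events::Rule
    Properties:
      Description: ACM certificate within 90 days of expiry (Config compliance change)
      State: ENABLED
      EventPattern:
        source:
          - aws.config
        detail-type:
          - Config Rules Compliance Change
        detail:
          configRuleName:
            - acm-certificate-expiration-check
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
      Targets:
        - Id: SecurityTeamSns
          Arn: !Ref SecurityTeamTopicArn

  # EventBridge cannot publish to the topic unless the topic's resource
  # policy allows it. AWS::SNS::TopicPolicy replaces the topic's existing
  # policy, so merge this statement into the existing one if the topic
  # already has a policy.
  SecurityTeamTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SecurityTeamTopicArn
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowEventBridgePublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SecurityTeamTopicArn
```

Deploy with aws cloudformation deploy and the SecurityTeamTopicArn parameter. Email subscribers receive the raw Config event JSON; if the team wants a readable subject and body, add an InputTransformer to the EventBridge target. Note that the first notification for a given certificate arrives at the next Config evaluation after it crosses the 90-day boundary, not at the exact moment.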

Other options are incorrect because:
- A: The 'ACM Certificate Expired' event is emitted after the certificate has expired, not 90 days before. ACM's own 'ACM Certificate Approaching Expiration' event cannot meet the requirement either: the lead time (DaysBeforeExpiry in the account's expiry events configuration) can be set to at most 45 days.
- B: The Lambda function's logic would work, but publishing to the SQS queue does not reach the security team's email subscription; the message would have to be published to the SNS topic.
- D: ACM does publish a DaysToExpiry metric to CloudWatch (namespace AWS/CertificateManager, one data point per day per certificate, keyed by the CertificateArn dimension), so an alarm on it is technically possible. Because the metric is reported per certificate, however, a separate alarm must be created for every certificate, including each one issued in the future. Option C covers every certificate in the account with a single rule, which is what the question asks for.

Key Points:
1. Use AWS Config managed rules for compliance checks like certificate expiration.
2. EventBridge routes AWS Config compliance change events to targets such as SNS; filter on the Config rule name and on NON_COMPLIANT so only real findings are forwarded.
3. Ensure notifications are sent via the correct channel (SNS, not SQS).

Answer

The correct answer is: C