AWS Certified Developer – Associate / Question #1095 of 557

Question #1095

A company imports SSL certificates into AWS Certificate Manager (ACM) for their public-facing applications. They need to notify their security team via email 60 days before a certificate expires. They have an Amazon SNS topic configured with the team's email addresses as subscribers and an Amazon SQS queue for other alerts.

Which solution ensures the security team receives the notification on time?

A

Set up an Amazon EventBridge rule that listens for ACM Certificate Expiration events and sends a message to the SNS topic.

B

Develop an AWS Lambda function that checks certificate expiration dates daily and publishes a message to the SQS queue if any certificate is within 60 days of expiry.

C

Use AWS CloudTrail to monitor ACM API calls and trigger an AWS Step Functions workflow that sends notifications via SNS.

D

Configure AWS Config with the acm-certificate-expiration-check rule, set to 60 days. Create an EventBridge rule that triggers on AWS Config compliance changes and publishes to the SNS topic.

Explanation

Option D is correct because:
1. AWS Config provides the acm-certificate-expiration-check managed rule, which evaluates ACM certificates against a predefined expiration threshold (e.g., 60 days).
2. When a certificate is within the 60-day window, AWS Config flags it as non-compliant.
3. An EventBridge rule can detect this compliance status change and publish a message to the SNS topic, triggering email notifications.
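Added example, not part of the question or the exam source: the AWS Config rule definition and the EventBridge event pattern that implement option D, expressed as the Python dictionaries you would serialise for `put-config-rule` and `put-rule`. The `matches` function is a deliberately simplified stand-in for EventBridge's exact-match semantics so the pattern can be checked offline against a constructed compliance-change event; the certificate ARN in the sample event is a placeholder.

```python
import json

# Managed rule definition (real rule identifier and parameter name):
# flag any ACM certificate that expires within 60 days.
CONFIG_RULE = {
    "ConfigRuleName": "acm-certificate-expiration-check",
    "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"},
    "InputParameters": json.dumps({"daysToExpiration": "60"}),
}

# EventBridge pattern: forward only NON_COMPLIANT results from that rule
# to the SNS target, so a certificate returning to compliance stays quiet.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["acm-certificate-expiration-check"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every pattern key
    must be present in the event, and a leaf list means 'any of these'."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True


def sample_event(rule_name, compliance):
    """Constructed compliance-change event with the fields Config emits."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "messageType": "ComplianceChangeNotification",
            "configRuleName": rule_name,
            "resourceType": "AWS::ACM::Certificate",
            "resourceId": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }
```

A certificate that is re-imported and becomes compliant again produces a COMPLIANT change event, which the pattern drops, so the security team only gets the email when the 60-day threshold is actually crossed.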

Why other options are incorrect:
- A: ACM only generates expiration events for certificates it manages, not imported ones. Imported certificates won't trigger this EventBridge rule.
- B: While a Lambda function could check expiration dates, it requires custom code and sends alerts to SQS instead of the SNS topic specified for the security team.
- C: CloudTrail monitors API calls, not certificate expiration events, making it unsuitable for this use case.

Key Points:
- Use AWS Config managed rules for compliance checks like certificate expiration.
- EventBridge integrates with AWS Config to trigger actions based on compliance changes.
- Imported ACM certificates require proactive monitoring via AWS Config, as ACM does not auto-renew them.

Answer

The correct answer is: D