A company hosts its web applications in the AWS Cloud. Elastic Load Balancers use certificates imported into AWS Certificate Manager (ACM). The security team must be notified 30 days before each certificate expires. What should a solutions architect recommend?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert via Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource..
Why this is the answer
The correct solution leverages AWS Config to monitor certificate expiration. AWS Config can evaluate certificates against a rule that flags those expiring within 30 days. When AWS Config detects a noncompliant resource (an expiring certificate), it triggers an event that EventBridge can capture. EventBridge then invokes an SNS topic to send a notification to the security team. This provides a robust, automated, and serverless solution for proactive alerts. Incorrect options: ACM does not have a built-in feature to publish custom messages to SNS based on expiration dates. While Trusted Advisor can check for expiring certificates, it doesn't offer the granular, automated alerting mechanism described for custom alerts via SNS based on specific expiration windows. EventBridge can detect events, but directly detecting certificate expiration 30 days out without an underlying service like AWS Config or a custom Lambda polling mechanism is not its primary function for this specific scenario. A Lambda function would need to be custom-coded to regularly check ACM, making it more complex than the AWS Config approach.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed