A company is deploying a public web application to AWS behind an Application Load Balancer (ALB). The application must be encrypted at the edge with an SSL/TLS certificate that is issued by an external certificate authority (CA). The certificate must be rotated annually before expiration. What should a solutions architect do to meet these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use AWS Certificate Manager (ACM) to import an SSL/TLS certificate. Apply the certificate to the ALB. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiration. Rotate the certificate manually..
Why this is the answer
The correct answer is to import the external SSL/TLS certificate into ACM. ACM can manage certificates issued by external CAs, but it cannot issue them directly when the requirement specifies an external CA. Once imported, the certificate can be applied to the ALB. For imported certificates, ACM's managed renewal feature is not available, so manual rotation is necessary. Amazon EventBridge (formerly CloudWatch Events) can be configured to send notifications when an imported certificate approaches its expiration date, facilitating timely manual rotation. Incorrect options: Using ACM to issue a certificate is incorrect because the requirement specifies a certificate from an external CA. Importing key material from an ACM-issued certificate is redundant and doesn't address the external CA requirement. Using ACM Private Certificate Authority is incorrect because it issues private certificates, not public certificates from an external CA.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed