Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 82 discussion

A company hosts its web applications in the AWS Cloud. The company configures Elastic Load Balancers to use certificates that are imported into AWS Certificate Manager (ACM). The company's security team must be notified 30 days before the expiration of each certificate.
What should a solutions architect recommend to meet this requirement?

  • A. Add a rule in ACM to publish a custom message to an Amazon Simple Notification Service (Amazon SNS) topic every day, beginning 30 days before any certificate will expire.
  • B. Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource.
  • C. Use AWS Trusted Advisor to check for certificates that will expire within 30 days. Create an Amazon CloudWatch alarm that is based on Trusted Advisor metrics for check status changes. Configure the alarm to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
  • D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect any certificates that will expire within 30 days. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
Suggested Answer: B

Comments

LeGloupier
Highly Voted 2 years, 3 months ago
B. AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days).
upvoted 85 times
Mia2009687
1 year, 6 months ago
B costs more than D To get a notification that your certificate is about to expire, use one of the following methods: Use the ACM API in Amazon EventBridge to configure the ACM Certificate Approaching Expiration event. Create a custom EventBridge rule to receive email notifications when certificates are nearing the expiration date. Use AWS Config to check for certificates that are nearing the expiration date. If you use AWS Config for this resolution, then be aware of the following: Before you set up the AWS Config rule, create the Amazon Simple Notification Service (Amazon SNS) topic and EventBridge rule. This makes sure that all non-compliant certificates invoke a notification before the expiration date. Activating AWS Config incurs an additional cost based on usage. For more information, see AWS Config pricing. https://repost.aws/knowledge-center/acm-certificate-expiration
upvoted 5 times
pentium75
1 year, 1 month ago
Nobody asked for cost optimization.
upvoted 10 times
824c449
9 months, 1 week ago
It does not have a built-in rule for checking the expiration of ACM certificates directly.
upvoted 2 times
LeGloupier
2 years, 3 months ago
https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/
upvoted 15 times
ChrisG1454
1 year, 10 months ago
Answer B and answer D are possible according to this article. So, need to read B & D carefully to determine the most suitable answer. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/
upvoted 9 times
Bayebrymo
9 months, 1 week ago
But from the link shared, it doesn't state that you should invoke a Lambda function as stated in option D. Option B is explicitly stated in the article, as also worded in option B. So I think B should be the answer. My thought though; I stand to be corrected.
upvoted 8 times
TTaws
1 year, 6 months ago
It's B, simply because in option D EventBridge cannot "detect" anything.
upvoted 9 times
RupeC
1 year, 6 months ago
My understanding is that ACM sends a Cert Expiration event to EventBridge. Thus EB does not need to detect anything.
upvoted 3 times
pentium75
1 year, 1 month ago
"ACM sends a Cert Expiration event to EventBridge" yes, but 45 (not 30) days before expiration.
upvoted 2 times
mrkmtei
9 months, 4 weeks ago
This can be configured to whatever you need in the Days to expiry box
upvoted 2 times
darekw
1 year, 5 months ago
AWS Certificate Manager (ACM) now publishes certificate metrics and events through Amazon CloudWatch and Amazon EventBridge. https://aws.amazon.com/about-aws/whats-new/2021/03/aws-certificate-manager-provides-certificate-expiry-monitoring-through-amazon-cloudwatch/
upvoted 4 times
ManoAni
Highly Voted 2 years, 3 months ago
Selected Answer: B
https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/
upvoted 17 times
Dharmarajan
Most Recent 1 week ago
Selected Answer: B
B or D both will work. Per the documentation: To get a notification that your certificate is about to expire, use one of the following methods: Use the ACM API in Amazon EventBridge to configure the ACM Certificate Approaching Expiration event. Create a custom EventBridge rule to receive email notifications when certificates are near the expiration date. Use AWS Config to check for certificates that are near the expiration date. Create an Amazon CloudWatch alarm based on a static threshold when certificates are near the expiration date.
upvoted 1 times
itsmeDiyan
1 week, 1 day ago
Selected Answer: D
Use EventBridge, Lambda, and SNS
upvoted 1 times
zdi561
1 week, 3 days ago
Selected Answer: C
Based on this article it is C if the notification is within 45 days, otherwise use B https://repost.aws/knowledge-center/acm-certificate-expiration
upvoted 1 times
iagotb
1 week, 6 days ago
Selected Answer: B
Correct answer is B. Based on https://repost.aws/knowledge-center/acm-certificate-expiration, D is not valid because by default AWS Config will send the ACM Certificate Approaching Expiration event at 45 days. The question asks for 30 days, so then we will need to: "After you create the rule, you can change the timing of the expiration notification. In the ACM API's PutAccountConfiguration action, enter a value between 1-45 for DaysBeforeExpiry." As answer D doesn't say that, it is not valid. On the other hand, answer B is completely valid.
upvoted 1 times
FlyingHawk
2 weeks, 3 days ago
Selected Answer: D
Based on this article, D is a better solution. Reasons: AWS Config has charges; AWS Config can only be configured for the day, so D will be more real time.
upvoted 1 times
d8
2 weeks, 3 days ago
Selected Answer: D
Option D: Fully automated and customizable solution. Real-time monitoring and notifications. Scalable and cost-efficient.
upvoted 1 times
AshishDhole
3 weeks, 1 day ago
Selected Answer: B
Answer should be B: "Create a custom EventBridge rule to receive email notifications when certificates are near the expiration date. Use AWS Config to check for certificates that are near the expiration date. Create an Amazon CloudWatch alarm based on a static threshold when certificates are near the expiration date."
upvoted 1 times
ricktechie66
1 month ago
Selected Answer: D
D is incorrect because EventBridge alone cannot directly detect certificate expiration; it needs to work with another service (like AWS Config) to get this information.
upvoted 1 times
rindatta
1 month ago
No, EventBridge can do that alone by configuring the "ACM Certificate Approaching Expiration" event in EventBridge. Check the link below: https://repost.aws/knowledge-center/acm-certificate-expiration
upvoted 2 times
hashepsut
1 month, 1 week ago
Selected Answer: D
Option D provides a straightforward, reliable, and customizable solution that directly addresses the requirement of notifying the security team 30 days before certificate expiration.
upvoted 1 times
hilker1983
1 month, 1 week ago
Selected Answer: D
Option D provides a reliable, automated, and straightforward solution that directly integrates ACM events, EventBridge, Lambda, and SNS for timely notifications.
upvoted 1 times
dipenich
1 month, 3 weeks ago
Selected Answer: D
EventBridge for Monitoring Expiration: EventBridge can detect certificate expiration events in ACM automatically, including those 30 days before expiration. Custom Notifications via Lambda and SNS: A Lambda function processes the detected event and formats a custom alert. This alert is sent through Amazon SNS to notify the security team.
upvoted 1 times
Tjazz04
1 month, 3 weeks ago
Selected Answer: B
Based on Copilot: Here's a summary of why Option B is the best choice for notifying the security team about expiring certificates: AWS Config: Continuously monitors and evaluates the compliance of AWS resources, including ACM certificates. EventBridge Integration: Automatically triggers alerts when AWS Config detects a noncompliant resource, such as an expiring certificate. Amazon SNS: Sends notifications to the security team, ensuring timely alerts 30 days before expiration. Option B is more integrated, reliable, and easier to manage compared to Options C and D, which involve more complexity and maintenance.
upvoted 3 times
Penjerla
1 month, 3 weeks ago
Selected Answer: B
Another reason it is not D: an EventBridge event can by itself publish to SNS without invoking a Lambda function.
upvoted 3 times
EllenLiu
1 month, 4 weeks ago
Selected Answer: B
AWS Config has a built-in rule 'acm-certificate-expiration-check' which checks whether ACM certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.
upvoted 1 times
ddewitexamtopics
2 months, 1 week ago
Selected Answer: D
A. ACM does not support custom rules for notifications. Notifications are published via EventBridge, not directly to SNS or based on custom conditions like "30 days before expiration." B. AWS Config is better suited for compliance checks, not continuous monitoring of certificate expiration. Creating a custom rule for this purpose would be unnecessarily complex. C. Trusted Advisor does not monitor certificate expiration, and CloudWatch alarms are not applicable for this use case.
upvoted 4 times
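The thread splits between the AWS Config route (option B) and the native ACM EventBridge event (option D). The Lambda-style handler below is an added example, not code from any poster or from AWS, showing how one alerting function can consume both event shapes and enforce the question's 30-day threshold (the native ACM event fires from DaysBeforeExpiry, 45 by default, so the cut-off is applied in code). Field names follow the AWS-documented event shapes as the editor recalls them and should be checked against current docs; the SNS topic ARN and the sample events are constructed placeholders.

```python
"""Added example: Lambda-style handler that turns certificate-expiry events into an SNS
alert. It accepts the native ACM 'Approaching Expiration' event (option D) and the Config
compliance change from the acm-certificate-expiration-check rule (option B)."""

ALERT_DAYS = 30  # the question's requirement
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cert-expiry-alerts"  # placeholder topic

def build_alert(event):
    """Return (subject, body) when an alert is due, else None."""
    source, kind, detail = event.get("source"), event.get("detail-type"), event.get("detail", {})
    if source == "aws.acm" and kind == "ACM Certificate Approaching Expiration":
        # ACM emits this daily from DaysBeforeExpiry (default 45), so enforce the 30-day cut-off here
        days = int(detail["DaysToExpiry"])
        if days > ALERT_DAYS:
            return None
        arn = event["resources"][0]
        return (f"[ACM] certificate expires in {days} days",
                f"Certificate {arn} ({detail.get('CommonName', '?')}) expires in {days} days.")
    if source == "aws.config" and kind == "Config Rules Compliance Change":
        # The Config rule's daysToExpiration parameter is set to 30; only NON_COMPLIANT results matter
        result = detail.get("newEvaluationResult", {}).get("complianceType")
        if detail.get("configRuleName") != "acm-certificate-expiration-check" or result != "NON_COMPLIANT":
            return None
        return ("[AWS Config] ACM certificate inside expiry window",
                f"Certificate {detail['resourceId']} is NON_COMPLIANT with acm-certificate-expiration-check.")
    return None

def handler(event, context=None, publish=None):
    """Lambda entry point; `publish` is injectable so the logic runs offline."""
    alert = build_alert(event)
    if alert is None:
        return {"alerted": False}
    subject, body = alert
    (publish or publish_with_sns)(TOPIC_ARN, subject, body)
    return {"alerted": True, "subject": subject}

def publish_with_sns(topic_arn, subject, message):
    import boto3  # lazy import: module loads and tests run without the AWS SDK
    boto3.client("sns").publish(TopicArn=topic_arn, Subject=subject[:100], Message=message)

# Constructed sample events, shaped like the ACM and AWS Config EventBridge events
ACM_EVENT = {"source": "aws.acm", "detail-type": "ACM Certificate Approaching Expiration",
             "resources": ["arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"],
             "detail": {"DaysToExpiry": 29, "CommonName": "www.example.com"}}
CONFIG_EVENT = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
                "detail": {"configRuleName": "acm-certificate-expiration-check",
                           "resourceId": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
                           "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}

if __name__ == "__main__":
    print(handler(ACM_EVENT, publish=lambda *a: print("would publish:", a[1])))
```

Wire the function to an EventBridge rule whose pattern matches `source: aws.acm` / `aws.config` with the detail types above, and give its role only `sns:Publish` on the one topic.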
Community vote distribution
A (35%)
C (25%)
B (20%)