Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 82 discussion

B AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)

https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/

D is the one

D- because it notified 30 days BEFORE the expiration of each certificate

The first of the two options I describe is to use the ACM built-in Certificate Expiration event, which is raised through Amazon EventBridge, to invoke a Lambda function. In this option, the function is configured to publish the result as a finding in Security Hub, and also as an SNS topic used for email subscriptions. As a result, an administrator can be notified of a specific expiring certificate, or an IT service management (ITSM) system can automatically open a case or incident through email or SNS.

Answer is D. Operational Overhead: Using AWS Config for this purpose might add unnecessary operational overhead, as it involves additional configuration and management steps compared to a more direct EventBridge and Lambda setup.

D

I think B is correct

Ans D - I must admit it wasn't clear until I read... "zhaoxiaobing101" (1 week, 5 days ago): "AWS Config is primarily designed for compliance monitoring rather than straightforward event detection like certificate expiration. It requires setting up compliance rules and monitoring them, which adds complexity. By focusing directly on the task at hand, D minimizes operational overhead and simplifies the architecture, making it the better choice for the specific requirement of monitoring and alerting on certificate expiration."

AWS Config is primarily designed for compliance monitoring rather than straightforward event detection like certificate expiration. It requires setting up compliance rules and monitoring them, which adds complexity. By focusing directly on the task at hand, D minimizes operational overhead and simplifies the architecture, making it the better choice for the specific requirement of monitoring and alerting on certificate expiration.

AWS config dont have capacity to check expiration

D https://aws.amazon.com/blogs/security/how-to-monitor-expirations-of-imported-certificates-in-aws-certificate-manager-acm/

AWS config rule to check the certificate expiry and with Event bridge to invoke an event to notify if certificate going to expiry

You would need event bridge to invoke lambda. That is missing in the option D

D Not B because AWS Config is more suitable for monitoring configuration compliance rather than tracking the expiry of certificates. Setting up an AWS Config rule specifically for certificate expiration would be complex and less efficient compared to using EventBridge.

The answer is D because: If you want to set up notifications for more than 45 days before an event's expiration, then use the alternative following methods. Create a custom EventBridge rule Use a custom event pattern with an EventBridge rule to match the AWS Config managed rule acm-certificate-expiration-check. Then, route the response to an Amazon Simple Notification Service topic. So if you want to be notified 30 days before expiration, you wont use aws config. Link: https://repost.aws/knowledge-center/acm-certificate-expiration

The correct answer is B bc: (LeGloupier has a popular post on this) https://repost.aws/knowledge-center/acm-certificate-expiration#:~:text=To%20get%20a%20notification%20that%20your%20certificate%20is%20about%20to%20expire%2C%20use%20one%20of%20the%20following%20methods%3A D IS INCORRECT bc: -Lambda is not necessary; AWS services (such as Amazon EC2, Amazon S3 & Amazon CloudWatch) can publish messages to your SNS topics to trigger event-driven computing and workflows. Using Lambda here goes against building the Well-Architected Framework pillar of Performance Efficiency. The more efficient solution is to use the managed service of AWS Config. -For those that argue against (B) bc of cost: The Cost Optimization pillar is upheld by (B) vs (D). Understanding how efficient your current architecture is in relation to your goals can remove unneeded expense. The goal is for the security team to be notified B4 expiration. If the certificate expires, there will be a far greater expense to pay.