B AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)

https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/

AWS config rule to check the certificate expiry and with Event bridge to invoke an event to notify if certificate going to expiry

You would need event bridge to invoke lambda. That is missing in the option D

D Not B because AWS Config is more suitable for monitoring configuration compliance rather than tracking the expiry of certificates. Setting up an AWS Config rule specifically for certificate expiration would be complex and less efficient compared to using EventBridge.

The answer is D because: If you want to set up notifications for more than 45 days before an event's expiration, then use the alternative following methods. Create a custom EventBridge rule Use a custom event pattern with an EventBridge rule to match the AWS Config managed rule acm-certificate-expiration-check. Then, route the response to an Amazon Simple Notification Service topic. So if you want to be notified 30 days before expiration, you wont use aws config. Link: https://repost.aws/knowledge-center/acm-certificate-expiration

The correct answer is B bc: (LeGloupier has a popular post on this) https://repost.aws/knowledge-center/acm-certificate-expiration#:~:text=To%20get%20a%20notification%20that%20your%20certificate%20is%20about%20to%20expire%2C%20use%20one%20of%20the%20following%20methods%3A D IS INCORRECT bc: -Lambda is not necessary; AWS services (such as Amazon EC2, Amazon S3 & Amazon CloudWatch) can publish messages to your SNS topics to trigger event-driven computing and workflows. Using Lambda here goes against building the Well-Architected Framework pillar of Performance Efficiency. The more efficient solution is to use the managed service of AWS Config. -For those that argue against (B) bc of cost: The Cost Optimization pillar is upheld by (B) vs (D). Understanding how efficient your current architecture is in relation to your goals can remove unneeded expense. The goal is for the security team to be notified B4 expiration. If the certificate expires, there will be a far greater expense to pay.

AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)

C: AWS Trusted Advisor, which provides a check for ACM certificates nearing expiration among its other best practice checks. When Trusted Advisor detects a certificate nearing its expiration (typically within 30 days), its status change can trigger an Amazon CloudWatch alarm if integrated. This alarm, when set up accordingly, can be configured to notify an SNS topic, which in turn can send a custom alert to notify the security team. This approach leverages AWS services without requiring custom scripting or manual checks.

Amazon EventBridge (Amazon CloudWatch Events) can be used to detect any certificates that will expire within 30 days. An EventBridge rule can be configured to trigger an AWS Lambda function. The Lambda function can send a custom alert using Amazon SNS, notifying the security team about the impending certificate expiration.

we should use eventbridge guys common !! no use for config as it's only to detecte rules that have changed

Answer: D D is correct answer. which is less overhead and doesn't need continuous evaluation(like AWS Config) as its fully based on async events. Option B) - AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates. Note that, continuous monitoring and evaluation of resource configurations against predefined or custom rules, including checking for expiring ACM certificates.

B is correct because A,C,D is true but not complete

I think the answer is D as the question is to get a report only for the ACM notification not for the all non-compliant resource

Amazon EventBridge Rule: Set up a rule in Amazon EventBridge (formerly CloudWatch Events) to monitor for certificates nearing expiration. You can configure this rule to trigger actions based on certain events. AWS Lambda Function: Upon detection of certificates that will expire within 30 days, configure the EventBridge rule to invoke an AWS Lambda function. Lambda functions are ideal for executing custom logic in response to events. Lambda Function to Send Alert: In the Lambda function, implement the logic to send a custom alert via Amazon SNS. SNS is a messaging service that can send notifications to various endpoints, including email, SMS, or other AWS services. This ensures that the security team receives timely notifications regarding certificate expirations.

Answer: B Refer: https://repost.aws/knowledge-center/acm-certificate-expiration To get a notification that your certificate is about to expire, use one of the following methods: Use the ACM API in Amazon EventBridge to configure the ACM Certificate Approaching Expiration event. Create a custom EventBridge rule to receive email notifications when certificates are nearing the expiration date. Use AWS Config to check for certificates that are nearing the expiration date.

https://aws.amazon.com/certificate-manager/faqs/ This AWS document says: Imported certificates – If you want to use a third-party certificate with Amazon CloudFront, Elastic Load Balancing, or Amazon API Gateway, you may import it into ACM using the AWS Management Console, AWS CLI, or ACM APIs. ACM can not renew imported certificates, but it can help you manage the renewal process. You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. You can use ACM CloudWatch metrics to monitor the expiration dates of an imported certificates and import a new third-party certificate to replace an expiring one.