
Exam AWS Certified Security - Specialty topic 1 question 446 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 446
Topic #: 1

A company is using HTTPS for all its public endpoints. A third-party certificate authority (CA) issues the certificates. The company imports the certificates and attaches the certificates to an Elastic Load Balancer or an Amazon CloudFront distribution. The company also is using a third-party DNS hosting provider.

The certificates are near expiration. The company wants to migrate to AWS Certificate Manager (ACM) with automatic renewal. When the company adds the CNAME record during DNS validation, the certificate status changes to Failed.

What is the root cause of this issue?

  • A. DNS validation requires the domain to be hosted on Amazon Route 53.
  • B. Automatic renewal for domain validation requires the domain to be hosted on Amazon Route 53.
  • C. The domain has Certification Authority Authorization (CAA) DNS records that allow only specific certificate authorities.
  • D. DNS validation requires a TXT record instead of a CNAME record.
Suggested Answer: C
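The check a practitioner would run before re-requesting the certificate is to confirm that the CAA policy in effect for the name actually permits Amazon's CAs, and that the validation CNAME really exists with the target ACM handed out. The script below is an added example, not part of the question or of any comment. The zone data is constructed (example.com, the `_abc123`/`_xyz789` validation names and the 192.0.2.10 address are made up), the lookup is a simplified RFC 8659 walk (no CNAME chasing, no DNSSEC), and the four CA domain names are the ones the ACM documentation lists as needing to be allowed by CAA.

```python
"""Why ACM DNS validation can end in 'Failed' even though the CNAME was added:
the CAA policy in effect for the name may not permit Amazon's CAs.

Added example, not part of the exam question or the comments. The zone below
is constructed; the CA names are from the ACM documentation.
"""

# CA domain names a CAA record must permit for ACM to issue (ACM docs).
ACM_CA_NAMES = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed zone data: owner name -> {rrtype: [rdata, ...]}. Not real lookups.
ZONE = {
    # Apex allows a single third-party CA and forbids wildcard issuance outright.
    "example.com": {"CAA": ['0 issue "digicert.com"', '0 issuewild ";"']},
    "www.example.com": {"A": ["192.0.2.10"]},
    # ACM-style validation record (names are made up).
    "_abc123.www.example.com": {"CNAME": ["_xyz789.acm-validations.aws."]},
    # Subdomain whose own CAA set overrides the apex and allows Amazon.
    "api.example.com": {"CAA": ['0 issue "amazon.com"']},
}


def parse_caa(rdata):
    """Split presentation-format CAA rdata into (flags, tag, value)."""
    flags, tag, value = rdata.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def effective_caa(zone, name):
    """RFC 8659: the CAA set that applies is the one on the closest name
    (self or ancestor) that has any CAA records. Returns (owner, records)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrs = zone.get(owner, {}).get("CAA")
        if rrs:
            return owner, [parse_caa(r) for r in rrs]
    return None, []


def acm_can_issue(zone, name, wildcard=False):
    """Return (ok, reason) for whether ACM's CAs may issue for `name`."""
    owner, records = effective_caa(zone, name)
    if not records:
        return True, "no CAA records in scope; any CA may issue"
    # A critical-flagged property the CA does not understand forbids issuance.
    for flags, tag, _ in records:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"CAA at {owner} has unknown critical property '{tag}'"
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in records if t == tag]
    if wildcard and not values:  # no issuewild property -> issue applies
        values = [v for _, t, v in records if t == "issue"]
    if not values:
        return True, f"CAA at {owner} has no '{tag}' property; issuance allowed"
    # 'issue ";"' names no CA at all; parameters after ';' are ignored here.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    if allowed & ACM_CA_NAMES:
        return True, f"CAA at {owner} permits {sorted(allowed & ACM_CA_NAMES)}"
    return False, f"CAA at {owner} limits '{tag}' to {sorted(allowed)}; none are ACM CAs"


def validation_cname_ok(zone, record_name, expected_target):
    """Check that the ACM validation CNAME exists and points at the given target."""
    rrs = zone.get(record_name.lower(), {}).get("CNAME", [])
    want = expected_target.rstrip(".").lower()
    return any(r.rstrip(".").lower() == want for r in rrs)


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com"):
        print(host, acm_can_issue(ZONE, host))
    print("*.example.com", acm_can_issue(ZONE, "example.com", wildcard=True))
    print("validation CNAME present:",
          validation_cname_ok(ZONE, "_abc123.www.example.com",
                              "_xyz789.acm-validations.aws."))
```

Against a real zone, feed the functions the output of `dig CAA <name> +short` for the name and each of its parents, and `dig CNAME <validation-name> +short` for the record ACM asked you to create. In the constructed zone, www.example.com inherits the apex policy and is refused, while api.example.com passes because its own CAA set names amazon.com; that is the fix the company would apply at its third-party DNS provider, with no move to Route 53 required.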

Comments

AdamWest
Highly Voted 2 years, 4 months ago
Selected Answer: B
B - If you do not use Amazon Route 53 to manage your public DNS records, contact your DNS provider to find out how to add records. If you lack authority to edit your domain's DNS database, you must use email validation instead.
A - DNS validation is not required to be only Route 53.
C - We know nothing about the actual domain, other than 3rd party.
D - DNS validation requires a CNAME record. Confirmed in question 349.
upvoted 7 times
YR4591
Most Recent 1 year, 3 months ago
Selected Answer: C
The question asks about dns validation process. Your domain does not have to be in route53 for this.
upvoted 1 times
Anuragksslr
1 year, 10 months ago
Selected Answer: A
DNS not with Route53. Validation only happens with active DNS, which is 3rd party
upvoted 1 times
Green53
1 year, 10 months ago
Selected Answer: C
I'd have to go with C here. It isn't A, the records just have to exist. See: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html "If you do not use Amazon Route 53 to manage your public DNS records, contact your DNS provider to find out how to add records." I can't see it being B. Notice we're not trying to automatically renew a certificate, we're trying to issue a new one (the *old* certificates are near expiration). I see nothing on: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html to suggest it requires to be hosted in Route53 (unless you want to click the 'create DNS' option in ACM). We then have D, which is incorrect, see https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html C seems the most plausible, given: https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html "ACM sends AWS Health events and Amazon EventBridge events when it cannot automatically validate a domain during renewal (for example, because of the presence of CAA record)"
upvoted 3 times
6_8ftwin
1 year, 10 months ago
C If you are not using Route 53 as your DNS provider, you need to manually enter CNAME records provided by ACM into your provider's database, usually through a website. CNAME records are used for a number of purposes, including as redirect mechanisms and as containers for vendor-specific metadata. For ACM, these records allow initial domain ownership validation and ongoing automated certificate renewal. https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html 'C' is the only valid choice
upvoted 1 times
pal40sg
1 year, 11 months ago
Selected Answer: B
B: Automatic renewal for domain validation requires the domain to be hosted on Amazon Route 53. When using AWS Certificate Manager (ACM) for automatic renewal, the domain validation process requires the domain to be hosted on Amazon Route 53, which is Amazon Web Services' (AWS) DNS service. This means that the company's DNS hosting provider, which is a third-party provider, is not compatible with the automatic renewal process.
upvoted 1 times
pal40sg
1 year, 11 months ago
Option C, which states that the domain has Certification Authority Authorization (CAA) DNS records that allow only specific certificate authorities, is not the root cause of the issue mentioned in the scenario. While CAA records can restrict which certificate authorities are allowed to issue certificates for a domain, it does not directly relate to the failure of DNS validation when adding a CNAME record. In the given scenario, the problem lies with the requirement for automatic renewal with ACM, which specifically requires the domain to be hosted on Amazon Route 53 (option B). This means that using a third-party DNS hosting provider is not compatible with the automatic renewal process offered by ACM.
upvoted 1 times
reji07
2 years ago
Selected Answer: C
With DNS validation, you write a CNAME record to your DNS configuration to establish control of your domain name. After you have configured the CNAME record, ACM can automatically renew DNS-validated certificates before they expire, as long as the DNS record has not changed. To make it even easier to validate your domain, ACM can update your DNS configuration for you if you manage your DNS records with Amazon Route 53. If you are not using Route 53 you need to ensure that the CNAME record exists for the certificate in the hosted domain.
upvoted 1 times
c73bf38
2 years, 1 month ago
Selected Answer: A
Documentation is clear on this: it's recommended to use DNS validation over email validation for the following reasons: ACM automatically renews DNS-validated certificates for as long as a certificate remains in use and the DNS record is in place. To be renewed, email-validated certificates require an action by the domain owner. ACM begins sending renewal notices 45 days before expiration, using the domain's WHOIS mailbox addresses and five common administrator addresses. The notifications contain a link that the domain owner can click for easy renewal. Once all listed domains are validated, ACM issues a renewed certificate with the same ARN.
upvoted 1 times
c73bf38
2 years, 1 month ago
B is correct as R53 is not required.
upvoted 1 times
awsguru1998
2 years, 1 month ago
A When using AWS Certificate Manager (ACM) to request and manage SSL/TLS certificates, the DNS validation process requires that the domain be hosted on Amazon Route 53. If the company is using a third-party DNS hosting provider, the CNAME record created during the validation process will not be recognized by ACM, resulting in a validation failure. To resolve this issue, the company can either transfer their domain to Amazon Route 53, or they can use one of the other validation methods supported by ACM, such as email validation or HTTP validation.
upvoted 2 times
SergioP
2 years, 2 months ago
why not A?
upvoted 1 times
PatrickLi
2 years, 2 months ago
Selected Answer: C
C. There is no requirement the domain name is hosted with R53 whatsoever.
upvoted 2 times
Nocky24
2 years, 3 months ago
Selected Answer: C
C out of these choices based on this article: https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/ B is incorrect, your zone doesn't need to be in R53 at all for auto renewal, it just needs to be accessible via public DNS: https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html
upvoted 2 times
jishrajesh
2 years, 3 months ago
Selected B
upvoted 2 times
Fyssy
2 years, 4 months ago
Selected Answer: C
This is one of the ways certificate validation can fail. https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/ https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-certificate-manager/
upvoted 4 times
kerar
2 years, 4 months ago
Selected Answer: B
Automatic renewal through DNS happens only when you are using R53 to manage your domains. https://repost.aws/questions/QU4uFrU2dDT4u2-Xsglm-qAg/help-i-am-not-technical-my-aws-certificate-manager-acm-was-unable-to-renew-the-certificate-automatically-using-dns-validation-how-can-i-solve-this?sc_ichannel=ha&sc_ilang=en&sc_isite=repost&sc_iplace=hp&sc_icontent=QU4uFrU2dDT4u2-Xsglm-qAg&sc_ipos=7
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other