
DVA-C02 Question #516: Real Exam Question with Answer & Explanation


Submitted by neha2k · Mar 5, 2026 · Security

Question

A company generates SSL certificates from a third-party provider. The company imports the certificates into AWS Certificate Manager (ACM) to use with public web applications. A developer must implement a solution to notify the company's security team 90 days before an imported certificate expires. The company already has configured an Amazon Simple Queue Service (Amazon SQS) queue. The company also has configured an Amazon Simple Notification Service (Amazon SNS) topic that has the security team's email address as a subscriber. Which solution will provide the security team with the required notification about certificates?

Options

  • A. Create an Amazon EventBridge rule that specifies the ACM Certificate Approaching Expiration
  • B. Create an AWS Lambda function to search for all certificates that are expiring within 90 days.
  • C. Create an AWS Step Functions workflow that is invoked by each certificate's expiration
  • D. Configure AWS Config with the acm-certificate-expiration-check managed rule to run every 24

Explanation

Option D is correct because the acm-certificate-expiration-check AWS Config managed rule has a configurable daysToExpiration parameter that can be set to exactly 90 days - it runs on a 24-hour schedule and marks non-compliant certificates, triggering the existing SNS topic to notify the security team.

Option A is wrong because ACM's native EventBridge "Certificate Approaching Expiration" events fire at fixed intervals (45, 30, 15, 7, 3, and 1 day before expiry) for imported certificates - there is no built-in 90-day trigger, making it impossible to meet the exact requirement.

Option B is wrong because a custom Lambda function introduces unnecessary complexity and maintenance overhead when a purpose-built AWS Config managed rule already handles this use case natively.

Option C is wrong because Step Functions is a workflow orchestration service; there is no native certificate-expiration trigger to invoke it, making this an unsupported and over-engineered approach.

Memory tip: Think "Config = Compliance checks on a schedule." Whenever an exam question asks about monitoring AWS resource configurations (including certificates, S3 bucket policies, security groups) on a recurring basis with configurable thresholds, AWS Config managed rules are almost always the right answer over custom Lambda or EventBridge alone.
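As an added illustration (not part of the original question page, and not an official AWS sample), the following CloudFormation template shows what option D looks like when actually deployed: the acm-certificate-expiration-check managed rule with daysToExpiration set to 90 and a 24-hour evaluation frequency, plus an EventBridge rule that forwards NON_COMPLIANT evaluations to the company's existing SNS topic. The topic ARN is a constructed placeholder, and the template assumes an AWS Config recorder and delivery channel are already enabled in the account and region.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: AWS Config managed rule acm-certificate-expiration-check
  (daysToExpiration=90, evaluated every 24 hours) plus an EventBridge rule
  that forwards NON_COMPLIANT evaluations to an existing SNS topic.

Parameters:
  SecurityTeamTopicArn:
    Type: String
    Description: ARN of the existing SNS topic subscribed by the security team
    # Constructed placeholder; replace with the real topic ARN.
    Default: arn:aws:sns:us-east-1:111122223333:security-team-alerts

Resources:
  # Assumes an AWS Config recorder and delivery channel already exist in
  # this account/region; the managed rule cannot evaluate without them.
  AcmCertificateExpirationRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: acm-certificate-expiration-check
      Description: Flags ACM certificates that expire within 90 days
      Source:
        Owner: AWS
        SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK
      InputParameters:
        # The threshold the question asks for; the rule marks any
        # certificate closer to expiry than this as NON_COMPLIANT.
        daysToExpiration: "90"
      # Periodic rule: re-evaluated once every 24 hours.
      MaximumExecutionFrequency: TwentyFour_Hours
      Scope:
        ComplianceResourceTypes:
          - AWS::ACM::Certificate

  # Config emits a "Config Rules Compliance Change" event whenever a
  # resource's compliance state changes; this rule matches only transitions
  # to NON_COMPLIANT for the certificate rule and publishes to the topic.
  ExpiringCertificateNotification:
    Type: AWS::Events::Rule
    Properties:
      Description: Notify the security team when a certificate becomes NON_COMPLIANT
      State: ENABLED
      EventPattern:
        source:
          - aws.config
        detail-type:
          - Config Rules Compliance Change
        detail:
          configRuleName:
            - !Ref AcmCertificateExpirationRule   # Ref returns the rule name
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
      Targets:
        - Arn: !Ref SecurityTeamTopicArn
          Id: SecurityTeamSnsTarget
```

Two checks worth making before relying on this: the existing SNS topic's access policy must allow the events.amazonaws.com service principal to Publish, otherwise EventBridge silently fails to deliver; and because the rule is periodic rather than change-triggered, a certificate that crosses the 90-day line is reported on the next daily evaluation, not at the instant it crosses.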

Topics

#AWS Config · #Certificate Expiration · #Monitoring · #Security Notifications

Community Discussion

No community discussion yet for this question.
