SCS-C02 Question #416: Real Exam Question with Answer & Explanation
The correct answer is C: Request validation of the domains for ACM through DNS. Insert CNAME records into each.
Question
An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53. The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers. The distribution solution will use a primary domain name that is customized. The distribution solution also will use several alternative domain names. The certificates must renew automatically over an indefinite period of time. Which combination of steps should the application team take to deploy this architecture? (Choose three.)
Options
- A. Request a certificate from ACM in the us-west-2 Region. Add the domain names that the
- B. Send an email message to the domain administrators to request validation of the domains for
- C. Request validation of the domains for ACM through DNS. Insert CNAME records into each
- D. Create an Application Load Balancer for the caching solution. Select the newly requested
- E. Create an Amazon CloudFront distribution for the caching solution. Enter the main CNAME
- F. Request a certificate from ACM in the us-east-1 Region. Add the domain names that the
Explanation
F is correct because CloudFront requires ACM certificates to be provisioned specifically in us-east-1 (N. Virginia) - no other region works, regardless of where your users or origins are located. C is correct because DNS validation (via CNAME records) enables ACM to renew certificates automatically and indefinitely without human intervention, which satisfies the "indefinite automatic renewal" requirement - even when domains are not on Route 53, you simply insert the CNAME records manually at your DNS registrar. E is correct because CloudFront is AWS's managed CDN and caching service with global edge locations (points of presence), and it supports custom primary and alternative domain names tied to an ACM certificate.
A is wrong for the same reason F is right - us-west-2 certificates cannot be used with CloudFront. B is wrong because email validation requires a human to click an approval link on every renewal cycle, making indefinite automatic renewal impossible. D is wrong because an Application Load Balancer is not a caching/CDN solution and has no global points of presence - that's CloudFront's job.
Memory tip: Think "CloudFront = us-East-1, always" (the only AWS service with a hard regional certificate requirement), and "DNS validation = auto-renew forever" (ACM just re-checks the CNAME, no inbox required).
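The three conditions in the explanation (us-east-1, DNS validation on every name, every alternative domain name covered) can be checked before a certificate is attached to a distribution. The following is an added example, not part of the original question; it assumes a response shaped like ACM's DescribeCertificate output, and the sample data and the helper names `name_matches` and `audit_certificate` are constructed for illustration.

```python
# Constructed sample shaped like an ACM DescribeCertificate response.
# The account id, certificate id, domains and CNAME values are made up.
SAMPLE = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-west-2:111122223333:certificate/EXAMPLE-ID",
    "DomainName": "www.example.com",
    "SubjectAlternativeNames": ["www.example.com", "static.example.com"],
    "DomainValidationOptions": [
        {"DomainName": "www.example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_aaa111.www.example.com.", "Type": "CNAME",
                            "Value": "_bbb222.acm-validations.aws."}},
        {"DomainName": "static.example.com", "ValidationMethod": "EMAIL",
         "ValidationStatus": "PENDING_VALIDATION"},
    ]}}

def name_matches(alias, cert_name):
    """Exact match, or a single-label wildcard such as *.example.com."""
    alias, cert_name = alias.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in alias and alias.split(".", 1)[1] == cert_name[2:]
    return alias == cert_name

def audit_certificate(resp, distribution_aliases):
    """Return (findings, cname_records) for a certificate meant for CloudFront."""
    cert = resp["Certificate"]
    findings, records = [], []
    # ARN layout: arn:partition:acm:region:account:certificate/id
    region = cert["CertificateArn"].split(":")[3]
    if region != "us-east-1":
        findings.append(f"certificate is in {region}; CloudFront needs us-east-1")
    covered = set(cert.get("SubjectAlternativeNames", [])) | {cert["DomainName"]}
    for alias in distribution_aliases:
        if not any(name_matches(alias, c) for c in covered):
            findings.append(f"{alias} is not covered by the certificate")
    for opt in cert.get("DomainValidationOptions", []):
        method = opt.get("ValidationMethod")
        if method != "DNS":
            findings.append(f"{opt['DomainName']} uses {method} validation, not DNS")
            continue
        rr = opt.get("ResourceRecord")
        if rr:  # CNAME that must exist, and stay, in the external DNS zone
            records.append((rr["Name"], rr["Type"], rr["Value"]))
    return findings, records

if __name__ == "__main__":
    for line in audit_certificate(SAMPLE, ["www.example.com", "api.example.com"])[0]:
        print("FINDING:", line)
```

The returned records are the CNAMEs to create at the external DNS provider; an empty findings list means the certificate meets all three conditions from the explanation.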