
SAA-C03 Exam - Question 82


A company hosts its web applications in the AWS Cloud. The company configures Elastic Load Balancers to use certificates that are imported into AWS Certificate Manager (ACM). The company's security team must be notified 30 days before the expiration of each certificate.

What should a solutions architect recommend to meet this requirement?

Correct Answer: B

A solutions architect should recommend creating an AWS Config rule that checks for certificates expiring within 30 days. Configure Amazon EventBridge to invoke a custom alert via Amazon Simple Notification Service (SNS) when AWS Config reports a noncompliant resource. AWS Config provides a managed rule, acm-certificate-expiration-check, specifically for this purpose. This approach allows for automated, event-driven notifications and ensures that certificates expiring within the specified timeframe trigger an alert, meeting the requirement efficiently.
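As an added example (not code from the page, the exam, or AWS), the pieces of the recommended design in Python: the AWS Config rule body that enables the managed rule acm-certificate-expiration-check with its daysToExpiration parameter set to 30, the EventBridge event pattern that forwards only noncompliant evaluations of that rule to the SNS topic, and a simplified pattern matcher run against a constructed compliance-change event. The rule name acm-cert-expiring-30-days and the REGION/ACCOUNT_ID placeholders are assumptions.

```python
import json

CONFIG_RULE_NAME = "acm-cert-expiring-30-days"  # assumed name for our rule instance

def config_rule_definition() -> dict:
    """Body for `aws configservice put-config-rule --config-rule file://rule.json`;
    the managed rule's daysToExpiration defaults to 14, so set it to 30 explicitly."""
    return {
        "ConfigRuleName": CONFIG_RULE_NAME,
        "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"},
        "InputParameters": json.dumps({"daysToExpiration": "30"}),  # JSON string, not object
    }

def eventbridge_pattern() -> dict:
    """Pattern for the EventBridge rule targeting the team's SNS topic: only
    NON_COMPLIANT results of our rule, so COMPLIANT re-evaluations stay silent."""
    return {
        "source": ["aws.config"],
        "detail-type": ["Config Rules Compliance Change"],
        "detail": {
            "configRuleName": [CONFIG_RULE_NAME],
            "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
        },
    }

def matches(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge matching (exact values only, no prefix/anything-but):
    every pattern key must exist; a list means 'one of'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

# Constructed sample of a Config compliance-change event (placeholder IDs).
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": CONFIG_RULE_NAME,
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

def should_alert(event: dict) -> bool:
    return matches(eventbridge_pattern(), event)
```

The same pattern, minus the matcher, is what you pass to `aws events put-rule --event-pattern`, with the SNS topic added as the rule's target.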

Discussion

17 comments
LeGloupier
Oct 17, 2022

B AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)

LeGloupier
Oct 17, 2022

https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/

ChrisG1454
Mar 13, 2023

Answer B and answer D are possible according to this article. So, need to read B & D carefully to determine the most suitable answer. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/

TTaws
Jul 12, 2023

It's B, simply because in option D EventBridge cannot "detect" anything.

RupeC
Jul 20, 2023

My understanding is that the ACM sends a Cert Expiration event to EventBridge. Thus EB does not need to detect anything.

pentium75
Dec 25, 2023

"ACM sends a Cert Expiration event to EventBridge" yes, but 45 (not 30) days before expiration.

mrkmtei
Apr 13, 2024

This can be configured to whatever you need in the Days to expiry box

darekw
Sep 3, 2023

AWS Certificate Manager (ACM) now publishes certificate metrics and events through Amazon CloudWatch and Amazon EventBridge. https://aws.amazon.com/about-aws/whats-new/2021/03/aws-certificate-manager-provides-certificate-expiry-monitoring-through-amazon-cloudwatch/

Bayebrymo
Apr 30, 2024

But from the link shared, it doesn't state that you should invoke a Lambda function as stated in option D. Option B is explicitly stated in the article as also worded in option B. So I think B should be the answer. My thought though. I stand to be corrected.

Mia2009687
Jul 13, 2023

B costs more than D.
To get a notification that your certificate is about to expire, use one of the following methods:
- Use the ACM API in Amazon EventBridge to configure the ACM Certificate Approaching Expiration event.
- Create a custom EventBridge rule to receive email notifications when certificates are nearing the expiration date.
- Use AWS Config to check for certificates that are nearing the expiration date.
If you use AWS Config for this resolution, then be aware of the following:
- Before you set up the AWS Config rule, create the Amazon Simple Notification Service (Amazon SNS) topic and EventBridge rule. This makes sure that all non-compliant certificates invoke a notification before the expiration date.
- Activating AWS Config incurs an additional cost based on usage. For more information, see AWS Config pricing.
https://repost.aws/knowledge-center/acm-certificate-expiration

pentium75
Jan 6, 2024

Nobody asked for cost optimization.

824c449
May 1, 2024

It does not have a built-in rule for checking the expiration of ACM certificates directly.

ManoAni (Option: B)
Oct 27, 2022

https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/

Uzbekistan (Option: D)
Mar 21, 2024

Amazon EventBridge Rule: Set up a rule in Amazon EventBridge (formerly CloudWatch Events) to monitor for certificates nearing expiration. You can configure this rule to trigger actions based on certain events.
AWS Lambda Function: Upon detection of certificates that will expire within 30 days, configure the EventBridge rule to invoke an AWS Lambda function. Lambda functions are ideal for executing custom logic in response to events.
Lambda Function to Send Alert: In the Lambda function, implement the logic to send a custom alert via Amazon SNS. SNS is a messaging service that can send notifications to various endpoints, including email, SMS, or other AWS services. This ensures that the security team receives timely notifications regarding certificate expirations.

824c449 (Option: C)
May 1, 2024

C: AWS Trusted Advisor, which provides a check for ACM certificates nearing expiration among its other best practice checks. When Trusted Advisor detects a certificate nearing its expiration (typically within 30 days), its status change can trigger an Amazon CloudWatch alarm if integrated. This alarm, when set up accordingly, can be configured to notify an SNS topic, which in turn can send a custom alert to notify the security team. This approach leverages AWS services without requiring custom scripting or manual checks.

NSA_Poker (Option: B)
May 14, 2024

The correct answer is B bc: (LeGloupier has a popular post on this) https://repost.aws/knowledge-center/acm-certificate-expiration#:~:text=To%20get%20a%20notification%20that%20your%20certificate%20is%20about%20to%20expire%2C%20use%20one%20of%20the%20following%20methods%3A
D IS INCORRECT bc:
- Lambda is not necessary; AWS services (such as Amazon EC2, Amazon S3 & Amazon CloudWatch) can publish messages to your SNS topics to trigger event-driven computing and workflows. Using Lambda here goes against building the Well-Architected Framework pillar of Performance Efficiency. The more efficient solution is to use the managed service of AWS Config.
- For those that argue against (B) bc of cost: The Cost Optimization pillar is upheld by (B) vs (D). Understanding how efficient your current architecture is in relation to your goals can remove unneeded expense. The goal is for the security team to be notified B4 expiration. If the certificate expires, there will be a far greater expense to pay.

sidharthwader
Feb 28, 2024

https://aws.amazon.com/certificate-manager/faqs/ This AWS document says: Imported certificates: If you want to use a third-party certificate with Amazon CloudFront, Elastic Load Balancing, or Amazon API Gateway, you may import it into ACM using the AWS Management Console, AWS CLI, or ACM APIs. ACM can not renew imported certificates, but it can help you manage the renewal process. You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. You can use ACM CloudWatch metrics to monitor the expiration dates of imported certificates and import a new third-party certificate to replace an expiring one.

CloudLearner01
Mar 2, 2024

Answer: B
Refer: https://repost.aws/knowledge-center/acm-certificate-expiration
To get a notification that your certificate is about to expire, use one of the following methods:
- Use the ACM API in Amazon EventBridge to configure the ACM Certificate Approaching Expiration event.
- Create a custom EventBridge rule to receive email notifications when certificates are nearing the expiration date.
- Use AWS Config to check for certificates that are nearing the expiration date.

bhushansathe (Option: D)
Mar 24, 2024

I think the answer is D, as the question is to get a report only for the ACM notification, not for all the non-compliant resources.

TruthWS
Mar 25, 2024

B is correct because A, C, D are true but not complete.

MehulKapadia (Option: D)
Apr 7, 2024

Answer: D
D is the correct answer, which is less overhead and doesn't need continuous evaluation (like AWS Config) as it's fully based on async events.
Option B) AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates. Note that this means continuous monitoring and evaluation of resource configurations against predefined or custom rules, including checking for expiring ACM certificates.

soufiyane (Option: D)
Apr 12, 2024

We should use EventBridge guys, come on!! No use for Config as it's only to detect rules that have changed.

Solomon2001 (Option: D)
Apr 27, 2024

Amazon EventBridge (Amazon CloudWatch Events) can be used to detect any certificates that will expire within 30 days. An EventBridge rule can be configured to trigger an AWS Lambda function. The Lambda function can send a custom alert using Amazon SNS, notifying the security team about the impending certificate expiration.

Omar_yousry10 (Option: B)
May 1, 2024

AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)

yach94 (Option: D)
May 23, 2024

The answer is D because: If you want to set up notifications for more than 45 days before an event's expiration, then use the alternative following methods.
Create a custom EventBridge rule: Use a custom event pattern with an EventBridge rule to match the AWS Config managed rule acm-certificate-expiration-check. Then, route the response to an Amazon Simple Notification Service topic.
So if you want to be notified 30 days before expiration, you won't use AWS Config.
Link: https://repost.aws/knowledge-center/acm-certificate-expiration

Manjeet_Kumar
May 24, 2024

D Not B because AWS Config is more suitable for monitoring configuration compliance rather than tracking the expiry of certificates. Setting up an AWS Config rule specifically for certificate expiration would be complex and less efficient compared to using EventBridge.

mknarula (Option: B)
Jun 22, 2024

You would need EventBridge to invoke Lambda. That is missing in option D.

jatric (Option: B)
Jul 3, 2024

AWS Config rule to check the certificate expiry, and with EventBridge to invoke an event to notify if the certificate is going to expire.