Exam AWS Certified Security - Specialty topic 1 question 389 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 389
Topic #: 1

A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date.

What is the MOST operationally efficient way to meet this requirement?

  • A. Create an AWS Lambda function to list all certificates and to go through each certificate to describe the certificate by using the AWS SDK. Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge (Amazon CloudWatch Events) rate expression to schedule the Lambda function to run daily.
  • B. Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric. Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the DaysToExpiry metric is less than or equal to 31.
  • C. Set up AWS Security Hub. Turn on the AWS Foundational Security Best Practices standard with integrated ACM to send findings. Configure and use a custom action by creating a rule to match the pattern from the ACM findings on the NotBefore attribute as the event source. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
  • D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule by using a predefined pattern for ACM. Choose the metric in the ACM Certificate Approaching Expiration event as the event pattern. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Suggested Answer: D

Comments

Isaias
Highly Voted 2 years, 6 months ago
Selected Answer: D
I go with D https://docs.aws.amazon.com/acm/latest/userguide/supported-events.html
upvoted 11 times
AdamWest
2 years, 6 months ago
Agree D - 100%
upvoted 2 times
Toptip
Most Recent 2 years ago
Selected Answer: D
D.. I remember I did it once and it actually works ✅
upvoted 1 times
awsgugu
2 years, 2 months ago
D.
{
  "version": "0",
  "id": "abc",
  "detail-type": "ACM Certificate Approaching Expiration",
  "source": "aws.acm",
  "account": "",
  "time": "2020-09-30T06:51:08Z",
  "region": "us-east-1",
  "resources": ["arn:aws:acm:us-east-1:*:certificate/abc"],
  "detail": { "DaysToExpiry": 31, "CommonName": "example.com" }
}
upvoted 3 times
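To make the suggested answer (D) and the event shape quoted above concrete, here is an added example that is not part of the exam, the thread, or any AWS code. It embeds a constructed "ACM Certificate Approaching Expiration" event (account id and certificate ARN are placeholders), the event pattern an EventBridge rule would use, a minimal EventBridge-style matcher so the filtering can be exercised offline, and the message an SNS email target would carry. The numeric filter on DaysToExpiry and the message layout in build_sns_message are assumptions for illustration; the predefined pattern only needs source and detail-type.

```python
"""Offline walkthrough of the EventBridge -> SNS design in answer D.

Added example, not from the exam, the thread, or AWS. The matcher implements
the subset of EventBridge pattern semantics used here: exact values, numeric
content filters and prefix filters. Lists are OR'd, keys are AND'd.
"""
import json
import operator

# Constructed sample event in the shape quoted in the thread.
# Account id and certificate ARN are placeholders, not real resources.
SAMPLE_EVENT = {
    "version": "0",
    "id": "abc",
    "detail-type": "ACM Certificate Approaching Expiration",
    "source": "aws.acm",
    "account": "111122223333",
    "time": "2020-09-30T06:51:08Z",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:111122223333:certificate/abc"],
    "detail": {"DaysToExpiry": 31, "CommonName": "example.com"},
}

# Event pattern for the rule. ACM emits this event daily as a certificate
# nears expiry, so the numeric filter (an added assumption) limits the email
# to the final month instead of repeating it for weeks. Any certificate that
# appears in the account later is covered automatically; nothing is enumerated.
RULE_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration"],
    "detail": {"DaysToExpiry": [{"numeric": ["<=", 31]}]},
}

_OPS = {
    "<": operator.lt,
    "<=": operator.le,
    "=": operator.eq,
    ">=": operator.ge,
    ">": operator.gt,
}


def _leaf_matches(value, filters):
    """One event leaf against a pattern list: any entry may match (OR).

    Entries are exact values or content filters such as
    {"numeric": ["<=", 31]} or {"prefix": "arn:aws:acm:us-east-1:"}.
    """
    for f in filters:
        if not isinstance(f, dict):
            if f == value:
                return True
        elif "numeric" in f:
            ops = f["numeric"]  # alternating operator, operand: [">", 0, "<=", 31]
            is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
            if is_number and all(
                _OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)
            ):
                return True
        elif "prefix" in f:
            if isinstance(value, str) and value.startswith(f["prefix"]):
                return True
    return False


def event_matches(event, pattern):
    """Every key in the pattern must match (AND); an absent key fails the rule."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(actual, expected):
                return False
        else:
            # Array-valued fields such as "resources" match if any element does.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_leaf_matches(v, expected) for v in candidates):
                return False
    return True


def build_sns_message(event):
    """Shape the notification for the SNS topic target.

    By default EventBridge hands SNS the raw event JSON; an input transformer
    on the rule can produce a readable body like this one (assumed layout).
    """
    detail = event["detail"]
    subject = (
        f"ACM certificate {detail['CommonName']} expires in "
        f"{detail['DaysToExpiry']} days"
    )
    body = "\n".join(
        [
            f"Certificate: {event['resources'][0]}",
            f"Common name: {detail['CommonName']}",
            f"Days to expiry: {detail['DaysToExpiry']}",
            f"Region: {event['region']}",
            f"Event time: {event['time']}",
        ]
    )
    return {"subject": subject, "body": body}


if __name__ == "__main__":
    if event_matches(SAMPLE_EVENT, RULE_PATTERN):
        print(json.dumps(build_sns_message(SAMPLE_EVENT), indent=2))
```

RULE_PATTERN is the JSON you would give the rule as its event pattern, with the SNS topic (and its email subscription) as the target. The point the thread makes about operational efficiency is visible in the code: the rule filters on the event's source and detail-type, so no certificate ARN is ever listed, and an imported or ACM-issued certificate added next year is picked up without touching the rule.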
nairj
2 years, 2 months ago
Answer is D: Use EventBridge Rules - https://docs.aws.amazon.com/acm/latest/userguide/example-actions.html
upvoted 1 times
c73bf38
2 years, 3 months ago
Selected Answer: D
EventBridge using predefined patterns for ACM is operationally efficient compared to adding all the certificate ARNs to CloudWatch.
upvoted 2 times
c73bf38
2 years, 3 months ago
Selected Answer: B
https://docs.aws.amazon.com/acm/latest/userguide/cloudwatch-metrics.html Amazon CloudWatch is a monitoring service for AWS resources. You can use CloudWatch to collect and track metrics, set alarms, and automatically react to changes in your AWS resources. ACM publishes metrics once per day for every certificate in an account until expiration. The AWS/CertificateManager namespace includes the following metric: DaysToExpiry - Number of days until a certificate expires. ACM stops publishing this metric after a certificate expires.
upvoted 1 times
c73bf38
2 years, 3 months ago
Change to D since it's the least overhead.
upvoted 1 times
Artaggedon
2 years, 3 months ago
Selected Answer: D
D is the correct answer since DaysToExpire is good-to-go as an alert in AWS CloudWatch and, also, any future certificate is automatically monitored.
upvoted 1 times
Smartphone
2 years, 4 months ago
Correct Answer is B Read the below text from the AWS documentation "The second option uses the recently launched DaysToExpiry metric to schedule a batch search of expiring certificates and to log all the findings. The metric also provides a single SNS notification for all expiring certificates...." https://aws.amazon.com/blogs/security/how-to-monitor-expirations-of-imported-certificates-in-aws-certificate-manager-acm/
upvoted 3 times
derpeedoo
2 years, 3 months ago
It's not efficient because you have to add new certs to CloudWatch every time. Operationally efficient is D.
upvoted 3 times
Smartphone
2 years, 4 months ago
CloudWatch metric DaysToExpiry is already available. So, you only need to create an alarm for that. https://docs.aws.amazon.com/acm/latest/userguide/cloudwatch-metrics.html
upvoted 2 times
sakibmas
2 years, 4 months ago
Selected Answer: B
https://aws.amazon.com/about-aws/whats-new/2021/03/aws-certificate-manager-provides-certificate-expiry-monitoring-through-amazon-cloudwatch/
upvoted 1 times
sahanpere
2 years, 4 months ago
Selected Answer: B
The answer is B. There is no predefined event rule under EventBridge. It has to be set up with Config --> CW EventBridge, which is not mentioned here. But ACM is sending the metric called DaysToExpiry daily to CW for all the ACM certificates. You have to set the alarm based on this metric under the ACM namespace. https://docs.aws.amazon.com/acm/latest/userguide/cloudwatch-metrics.html
upvoted 1 times
krishccie
2 years, 5 months ago
Selected Answer: D
https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/
upvoted 1 times
tainh
2 years, 6 months ago
Selected Answer: D
D is correct. D: provide alerts by email when a certificate is approaching its expiration date. B: run a report for all certificates on a timer with the DaysToExpiry metric in CloudWatch (option 2 of the reference link). https://aws.amazon.com/blogs/security/how-to-monitor-expirations-of-imported-certificates-in-aws-certificate-manager-acm/
upvoted 3 times
AdamWest
2 years, 7 months ago
Selected Answer: B
B - ACM works with CloudWatch and SNS https://docs.aws.amazon.com/acm/latest/userguide/cloudwatch-events.html
upvoted 3 times
AdamWest
2 years, 6 months ago
This is wrong. Isaias is correct - D.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)