AWS Certificate Manager (ACM)
ACM simplifies the process of provisioning, managing, and deploying SSL/TLS certificates to secure websites, APIs, and other AWS resources.
1. Key Features
- Automatic Renewal: Certificates managed by ACM are renewed automatically before expiration.
- Free Public Certificates: ACM provides free SSL/TLS certificates for use with AWS services like CloudFront, Elastic Load Balancer, and API Gateway.
- Private Certificates: Supports issuing and managing private certificates for internal applications (requires AWS Private CA).
- Integration: Seamless integration with AWS services (e.g., ALB, NLB, CloudFront).
2. Operational Insights
- ACM certificates are regional resources: a certificate can only be attached to resources in the region where it was requested or imported, with the global service CloudFront being the exception.
- Certificates issued by ACM cannot be exported for use outside AWS.
3. Common Use Cases
- Securing web applications and APIs.
- Simplifying SSL/TLS certificate management.
- Automating the renewal of certificates to prevent downtime.
4. Question
A company is deploying a new public web application to AWS. The application will run behind an Application Load Balancer (ALB). The application needs to be encrypted at the edge with an SSL/TLS certificate that is issued by an external certificate authority (CA). The certificate must be rotated each year before the certificate expires. What should a solutions architect do to meet these requirements?
- Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
- Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Import the key material from the certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
- Use AWS Certificate Manager (ACM) Private Certificate Authority to issue an SSL/TLS certificate from the root CA. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
- Use AWS Certificate Manager (ACM) to import an SSL/TLS certificate. Apply the certificate to the ALB. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiration. Rotate the certificate manually. (Correct Answer)
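The correct answer rests on one fact: ACM's managed renewal covers only certificates ACM issued itself, so a certificate imported from an external CA needs an expiry alert and a manual re-import. The Python below is an added example, not code from the page or from AWS; it applies that decision to constructed records shaped like the Certificate object in ACM's DescribeCertificate response (the ARNs, domain names and dates are made up), using the 45-day window that ACM's expiry events default to.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of the "Certificate" object that
# ACM's DescribeCertificate API returns (only the fields this check uses).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTIFICATES = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/sample-1",
     "DomainName": "shop.example.com", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE", "NotAfter": NOW + timedelta(days=20),
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/1"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/sample-2",
     "DomainName": "api.example.com", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE", "NotAfter": NOW + timedelta(days=25),
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/api/2"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/sample-3",
     "DomainName": "old.example.com", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE", "NotAfter": NOW + timedelta(days=200),
     "InUseBy": []},
]


def classify(cert, now=NOW, warn_days=45):
    """Decide what has to happen to one certificate before it expires.

    ACM renews only certificates it issued (RenewalEligibility ELIGIBLE).
    An IMPORTED certificate from an external CA is INELIGIBLE: nothing will
    renew it, so inside the warning window it must be re-imported by hand,
    which is why the exam answer pairs the import with an expiry alert.
    """
    days_left = (cert["NotAfter"] - now).days
    if days_left < 0:
        return "expired"
    if cert["RenewalEligibility"] == "ELIGIBLE":
        return "managed-renewal"        # ACM handles it, nothing to do
    if days_left <= warn_days:
        # An unused imported certificate can simply be removed instead.
        return "rotate-manually" if cert["InUseBy"] else "unused-delete-or-rotate"
    return "ok"


def manual_rotation_due(certs, now=NOW, warn_days=45):
    """Return (DomainName, days_left) for every certificate a human must rotate."""
    return [(c["DomainName"], (c["NotAfter"] - now).days)
            for c in certs if classify(c, now, warn_days) == "rotate-manually"]
```

In a real account the same decision can be driven by ACM's EventBridge event (source aws.acm, detail-type "ACM Certificate Approaching Expiration", emitted from 45 days before expiry by default) instead of polling DescribeCertificate.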