Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in how to efficiently detect and notify about expiring imported ACM certificates using event-driven AWS services without polling or complicated orchestration. In production, this is about knowing exactly which AWS event sources natively signal certificate expiration and how to tie these into existing messaging mechanisms like SNS and SQS. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
A mid-sized fintech startup, FinSecure Apps, imports SSL certificates purchased from an external certificate authority into AWS Certificate Manager (ACM) to secure their public-facing web applications. The development team must implement a robust, automated notification system to alert the security operations team exactly 90 days before any imported certificate expires. FinSecure already uses an Amazon Simple Queue Service (SQS) queue to handle internal alerts and has an Amazon Simple Notification Service (SNS) topic configured with the security team’s email address subscribed.
The Requirement: #
Create a solution that guarantees the security team receives timely notification about all imported ACM certificates expiring in 90 days, leveraging existing AWS services with minimal operational overhead.
The Options #
-
A) Create an Amazon EventBridge rule filtered for ACM certificate “Approaching Expiration” event type. Set the SNS topic as the rule’s target to send notifications directly.
-
B) Develop an AWS Lambda function which periodically scans all ACM certificates and identifies those expiring within 90 days. For each expiring certificate found, send its Amazon Resource Name (ARN) as a message to the existing SQS queue.
-
C) Build an AWS Step Functions workflow triggered by certificate expiration events logged in AWS CloudTrail. Include a Lambda function in the workflow that sends each expiring certificate’s ARN to the SQS queue.
-
D) Enable AWS Config’s managed rule
acm-certificate-expiration-checkto run daily. Configure an EventBridge rule to detect Config compliance changes related to this rule, and target the SNS topic so the security team is notified of non-compliant (expiring) certificates.
Google adsense #
leave a comment:
Correct Answer #
D
Quick Insight: The Developer Imperative #
AWS Lambda polling solutions (Option B) add unnecessary operational complexity and cost.
Options A and C rely on non-existent or overly complicated event sources for imported ACM certificates.
AWS Config’s managed rule provides a fully managed, daily compliance check specifically targeting certificate expiration with built-in automation integration.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option D
The Winning Logic #
AWS Config offers a fully managed, rule-based compliance framework with predefined managed rules like acm-certificate-expiration-check that monitor imported ACM certificates and detect imminent expirations based on a configurable snapshot frequency, here every 24 hours.
When the compliance state changes (e.g., a certificate moves to non-compliant because it will expire within 90 days), this generates a Config Rules Compliance Change event. By creating an EventBridge rule targeting these events and forwarding them to the SNS topic subscribed to by the security team, this provides an operationally simple, fully automated, “set and forget” notification pipeline with strong auditability and no custom polling logic.
The Trap (Distractor Analysis): #
-
Why not Option A?
EventBridge does not emit a native event type specifically called “ACM certificate Approaching Expiration” for imported certificates. This kind of event is not exposed via EventBridge at this granularity, making A a non-functional choice for this use case. -
Why not Option B?
Lambda-based polling requires implementing scheduled logic to periodically call ListCertificates and DescribeCertificate APIs, adding operational cost, complexity, and possible API rate limits. It also risks missing real-time notification and leads to unnecessary extraneous invocations. -
Why not Option C?
CloudTrail logs management events but does not produce detailed certificate expiration notifications. Using Step Functions triggered by CloudTrail for this is a heavyweight and incorrect approach given the lack of relevant event depth.
The Technical Blueprint #
B) For Developer (Code/CLI Snippet): #
A minimal AWS CLI example to enable AWS Config managed rule:
aws configservice put-config-rule --config-rule '{
"ConfigRuleName": "acm-certificate-expiration-check",
"Description": "Checks imported ACM certificates for expiration within 90 days",
"Source": {
"Owner": "AWS",
"SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"
},
"Scope": {},
"InputParameters": "{\"expirationInDays\":\"90\"}"
}'
Example EventBridge rule JSON pattern to catch compliance change events and target the SNS topic:
{
"source": ["aws.config"],
"detail-type": ["Config Rules Compliance Change"],
"detail": {
"configRuleName": ["acm-certificate-expiration-check"],
"newEvaluationResult": {
"complianceType": ["NON_COMPLIANT"]
}
}
}
The Comparative Analysis #
| Option | AWS API/Event Usage Complexity | Operational Overhead | Real-time Notification | Best Practice Compliance |
|---|---|---|---|---|
| A | EventBridge - ACM Expiration Event (Nonexistent) | Low | No | No - Event does not exist |
| B | Lambda Polling ACM API | High | Delayed (Polling Interval) | No - Reinventing Built-in |
| C | Step Functions + CloudTrail Event | Very High | No | No - CloudTrail not suited |
| D | AWS Config Managed Rule + EventBridge + SNS | Low | Near-real-time (Daily) | Yes - Uses Managed AWS Best Practice |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick AWS Config managed rules when you see compliance checks involving resource properties like expiration or lifecycle management.
Real World #
In production, leveraging AWS Config managed rules dramatically reduces custom code and operational burdens. However, some teams might build Lambda polling for ultra-frequent checks or integrations with third-party systems lacking Config support.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.