Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For AWS DVA-C02 candidates, the confusion often lies in understanding how to automate notifications based on imported ACM certificates’ expiration, given ACM’s limited native event generation for imported certificates. In production, this is about knowing exactly how to orchestrate event-driven workflows with Lambda, EventBridge, and SNS to guarantee timely alerts. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
Innovasoft Solutions manages its externally issued SSL/TLS certificates by importing them into AWS Certificate Manager (ACM). These certificates secure the company’s public-facing web applications. A lead developer is tasked with implementing an automated notification to alert the security operations team at least 90 days before any imported certificate expires. Innovasoft already uses an Amazon Simple Queue Service (SQS) queue to buffer messages and an Amazon Simple Notification Service (SNS) topic subscribed by the security team’s email distribution list.
The Requirement: #
Create a solution to notify the security team 90 days prior to expiration of imported SSL certificates managed in ACM, leveraging the existing SQS queue and SNS topic where applicable.
The Options #
- A) Create an Amazon EventBridge rule that listens for the ACM Certificate Approaching Expiration event type and set the SNS topic as the target.
- B) Develop an AWS Lambda function that regularly scans ACM for certificates expiring within 90 days and sends each certificate’s ARN as a message to the SQS queue.
- C) Build an AWS Step Functions workflow triggered by AWS CloudTrail expiry notification events for certificates, which invokes a Lambda function to send certificate ARNs to the SQS queue.
- D) Configure AWS Config with the acm-certificate-expiration-check managed rule running every 24 hours. Create an EventBridge rule for Config Rule compliance changes and set the SNS topic as the target.
Correct Answer #
D
Quick Insight: The Developer Imperative #
The challenge with imported ACM certificates is that they do not emit native EventBridge expiration events like ACM-managed certificates do, making EventBridge direct triggers (Option A) ineffective. Instead, AWS Config’s managed rule proactively checks expiration and integrates cleanly with EventBridge to drive notifications. This pattern ensures reliable, timely alerts with minimal custom polling or complex workflows.
The Expert’s Analysis #
Correct Answer #
Option D
The Winning Logic #
AWS Config’s managed rule acm-certificate-expiration-check periodically evaluates ACM certificates for impending expiration, including imported ones. When the rule marks a resource NON_COMPLIANT (a certificate expiring within the configured threshold), AWS Config publishes a compliance state change event to EventBridge. You can create an EventBridge rule that listens for these compliance changes and routes a notification to an SNS topic subscribed by the security team. This is a fully managed solution that does not depend on native ACM expiration events or custom polling logic, and it works with imported certificates, which ACM events do not natively support.
The Trap (Distractor Analysis): #
- Why not A?
  - ACM emits expiration events only for certificates it manages fully (issued by ACM). Imported certificates do NOT generate these EventBridge events, so this rule won’t detect imported certificate expiration.
- Why not B?
  - A Lambda polling approach can work, but it requires custom scheduling, querying the ACM APIs, and handling message dispatch to SQS. It adds operational overhead and complexity.
- Why not C?
  - CloudTrail does not emit certificate expiration notifications, so a Step Functions workflow triggered by such events isn’t feasible. This option misunderstands the scope of CloudTrail events.
The Technical Blueprint #
```bash
# Example AWS CLI to create the EventBridge rule and add the SNS target for AWS Config compliance events.
# The pattern filters on NON_COMPLIANT so the team is not paged again when a renewed
# certificate flips back to COMPLIANT. Replace region/account-id with real values.
aws events put-rule \
  --name AcmCertificateExpirationRule \
  --event-pattern '{"source":["aws.config"],"detail-type":["Config Rules Compliance Change"],"detail":{"configRuleName":["acm-certificate-expiration-check"],"newEvaluationResult":{"complianceType":["NON_COMPLIANT"]}}}'

aws events put-targets \
  --rule AcmCertificateExpirationRule \
  --targets Id=1,Arn=arn:aws:sns:region:account-id:SecurityTeamNotifications
```
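The CLI above creates the EventBridge side only; the Config rule itself still has to exist, and its threshold has to be raised to the scenario’s 90 days. The following Python block is an added example, not code from the study note or from AWS: it assembles the Config rule definition (managed rule identifier ACM_CERTIFICATE_EXPIRATION_CHECK with the daysToExpiration parameter, which is what sets the window), the EventBridge pattern, and a small matcher plus a threshold check so the logic can be exercised offline against constructed sample events. The ARNs, region and account values are placeholders, and the `deploy()` function that calls boto3 is assumed to run with suitable credentials and is not exercised here.

```python
"""Added example: AWS Config + EventBridge + SNS for imported ACM certificates.

The matcher and threshold check are simplified stand-ins for what EventBridge and
the managed rule do, so the pieces can be tested without an AWS account.
"""
import json
from datetime import datetime, timedelta, timezone

DAYS_BEFORE_EXPIRY = 90                       # the scenario's requirement
CONFIG_RULE_NAME = "acm-certificate-expiration-check"
EVENT_RULE_NAME = "AcmCertificateExpirationRule"
# Placeholder values; replace with the real topic ARN before deploying.
SNS_TOPIC_ARN = "arn:aws:sns:REGION:ACCOUNT-ID:SecurityTeamNotifications"


def config_rule_definition(days=DAYS_BEFORE_EXPIRY):
    """AWS Config rule body. daysToExpiration raises the managed rule's default
    window (14 days) to the 90 days required; values are passed as strings."""
    return {
        "ConfigRuleName": CONFIG_RULE_NAME,
        "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"},
        "InputParameters": json.dumps({"daysToExpiration": str(days)}),
        "MaximumExecutionFrequency": "TwentyFour_Hours",
    }


def event_pattern(rule_name=CONFIG_RULE_NAME):
    """EventBridge pattern: only NON_COMPLIANT results from our rule, so a renewed
    certificate flipping back to COMPLIANT does not page the security team."""
    return {
        "source": ["aws.config"],
        "detail-type": ["Config Rules Compliance Change"],
        "detail": {
            "configRuleName": [rule_name],
            "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
        },
    }


def matches(pattern, event):
    """Minimal EventBridge-style matcher: every pattern key must exist in the
    event; a list means 'value is one of these', a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def days_until_expiry(not_after, now):
    """Whole days between 'now' and the certificate's NotAfter timestamp."""
    return (not_after - now).days


def is_non_compliant(not_after, now, days=DAYS_BEFORE_EXPIRY):
    """Mirror of the managed rule's decision: expiring within the window is NON_COMPLIANT."""
    return days_until_expiry(not_after, now) <= days


def deploy(region="REGION"):
    """Create the Config rule, the EventBridge rule and the SNS target with boto3.
    Assumes credentials with config:PutConfigRule and events:Put* permissions."""
    import boto3  # imported lazily so the offline checks above need no AWS SDK
    boto3.client("config", region_name=region).put_config_rule(ConfigRule=config_rule_definition())
    events = boto3.client("events", region_name=region)
    events.put_rule(Name=EVENT_RULE_NAME, EventPattern=json.dumps(event_pattern()))
    events.put_targets(Rule=EVENT_RULE_NAME, Targets=[{"Id": "1", "Arn": SNS_TOPIC_ARN}])


# Constructed sample event shaped like an AWS Config compliance-change event
# (not captured from a real account).
SAMPLE_NON_COMPLIANT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": CONFIG_RULE_NAME,
        "resourceType": "AWS::ACM::Certificate",
        "resourceId": "arn:aws:acm:REGION:ACCOUNT-ID:certificate/EXAMPLE-ID",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}
SAMPLE_COMPLIANT = json.loads(json.dumps(SAMPLE_NON_COMPLIANT))
SAMPLE_COMPLIANT["detail"]["newEvaluationResult"]["complianceType"] = "COMPLIANT"

# Constructed clock and NotAfter values for the threshold check.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_EXPIRY = {
    "89d": SAMPLE_NOW + timedelta(days=89),   # inside the 90-day window
    "91d": SAMPLE_NOW + timedelta(days=91),   # outside it
}

if __name__ == "__main__":
    print("non-compliant event matches:", matches(event_pattern(), SAMPLE_NON_COMPLIANT))
    print("compliant event matches:", matches(event_pattern(), SAMPLE_COMPLIANT))
    print("cert expiring in 89 days flagged:", is_non_compliant(SAMPLE_EXPIRY["89d"], SAMPLE_NOW))
```

Running the block prints the three checks; calling `deploy()` is the only part that touches AWS. Keeping the pattern, the rule body and the threshold logic as plain functions makes them easy to unit-test in a pipeline before the infrastructure is applied, which is where most misconfigurations (wrong rule name in the pattern, threshold left at the 14-day default) are caught cheaply.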
The Comparative Analysis #
| Option | API/Service Used | Pros | Cons | Use Case Fit |
|---|---|---|---|---|
| A | EventBridge ACM Expiration Event | Simple direct event-driven model | Doesn’t support imported cert expirations | Only for ACM-managed certificates |
| B | Lambda + ACM API + SQS | Custom, flexible | Requires custom polling logic, maintenance | Works but less elegant, higher ops |
| C | Step Functions + CloudTrail + Lambda | Complex orchestration | CloudTrail doesn’t have expiration events | Not feasible - CloudTrail limitation |
| D | AWS Config + EventBridge + SNS | Fully managed, native imported cert support | Slightly delayed by AWS Config evaluation | Best fit for imported cert expiration |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick AWS Config when you see “certificate expiration compliance” for imported certs requiring proactive alerting.
Real World #
In practice, you might consider augmenting this with Lambda polling for immediate custom actions or integrating with SIEM solutions for centralized alerting, but AWS Config remains the most straightforward and reliable baseline.
Disclaimer
This is a study note based on simulated scenarios for the DVA-C02 exam.