What should a solutions architect do to meet these requirements?
Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Import the key material from the certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
Use AWS Certificate Manager (ACM) Private Certificate Authority to issue an SSL/TLS certificate from the root CA. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
Use AWS Certificate Manager (ACM) to import an SSL/TLS certificate. Apply the certificate to the ALB. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiration. Rotate the certificate manually.
Explanations:
AWS Certificate Manager (ACM) can issue an SSL/TLS certificate, but a certificate issued by ACM is managed by Amazon and is not an externally issued certificate. The managed renewal feature applies only to ACM-issued certificates, not to certificates issued by an external certificate authority.
ACM allows users to import certificates, but the managed renewal feature is not available for imported certificates. Managed renewal applies only to ACM-issued certificates, not to externally issued ones. Therefore, this option does not meet the requirement for manual rotation each year.
ACM Private Certificate Authority (CA) issues private certificates, which are not trusted by public users. This option is incorrect because the application needs a publicly trusted certificate from an external CA, not an internal private CA.
Importing an SSL/TLS certificate into ACM meets the requirement of using an externally issued certificate. EventBridge (CloudWatch Events) can send notifications for certificate expiration, allowing for timely, manual rotation of the certificate each year, as required.