What should a solutions architect do to meet these requirements?
Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Import the key material from the certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
Use AWS Certificate Manager (ACM) Private Certificate Authority to issue an SSL/TLS certificate from the root CA. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
Use AWS Certificate Manager (ACM) to import an SSL/TLS certificate. Apply the certificate to the ALB. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiration. Rotate the certificate manually.
Explanations:
AWS Certificate Manager (ACM) can issue certificates, but its managed renewal applies only to ACM-managed certificates. Since the certificate is issued by an external CA, ACM cannot manage the renewal automatically for this type of certificate.
Importing the certificate into ACM would allow the certificate to be applied to the ALB, but ACM will not manage automatic renewal for an externally issued certificate. Therefore, manual rotation would still be required.
AWS Certificate Manager Private Certificate Authority (ACM PCA) is used for issuing internal certificates. The requirement specifies an externally issued SSL/TLS certificate, making ACM PCA unnecessary. Additionally, automatic renewal is not supported for external certificates.
This option involves importing the externally issued SSL/TLS certificate into ACM and applying it to the ALB. Using EventBridge (CloudWatch Events) allows for monitoring the expiration date and triggering a manual certificate rotation before expiration. This meets the requirement for certificate rotation before expiration, even though manual intervention is needed.
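The distinction the explanations turn on, as an added example that is not part of the original question or any AWS tooling: it triages an inventory of certificates and flags the imported ones that need manual rotation. The records are constructed samples using the `Type`, `NotAfter` and `InUseBy` fields of the ACM DescribeCertificate response; the function names, ARNs and the 45-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "current time" for the sample


def _cert(name, cert_type, days_left, in_use=()):
    """Build a constructed record with the DescribeCertificate fields used below."""
    return {
        "CertificateArn": f"arn:aws:acm:us-east-1:111122223333:certificate/{name}",  # placeholder
        "DomainName": f"{name}.example.com",
        "Type": cert_type,  # IMPORTED, AMAZON_ISSUED or PRIVATE
        "NotAfter": NOW + timedelta(days=days_left),
        "InUseBy": list(in_use),
    }


# Constructed sample inventory, not real certificates.
SAMPLE_CERTS = [
    _cert("shop", "IMPORTED", 20, in_use=["example-alb-arn-placeholder"]),
    _cert("docs", "IMPORTED", 200),
    _cert("api", "AMAZON_ISSUED", 10),  # ACM-issued: managed renewal applies
    _cert("legacy", "IMPORTED", -3),    # already expired
]


def needs_manual_rotation(cert, now, warn_days=45):
    """Imported certificates get no managed renewal; flag those near or past
    expiry. warn_days is an assumed alerting threshold."""
    if cert["Type"] != "IMPORTED":
        return False
    return cert["NotAfter"] - now <= timedelta(days=warn_days)


def rotation_report(certs, now, warn_days=45):
    """Return flagged certificates, most urgent first, with attachment status."""
    due = sorted((c for c in certs if needs_manual_rotation(c, now, warn_days)),
                 key=lambda c: c["NotAfter"])
    return [{
        "arn": c["CertificateArn"],
        "domain": c["DomainName"],
        "days_left": (c["NotAfter"] - now).days,
        "expired": c["NotAfter"] <= now,
        "in_use": bool(c["InUseBy"]),  # attached to a resource such as the ALB
    } for c in due]


if __name__ == "__main__":
    for row in rotation_report(SAMPLE_CERTS, NOW):
        print(row)
```
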