What should a solutions architect recommend to meet this requirement?
Add a rule in ACM to publish a custom message to an Amazon Simple Notification Service (Amazon SNS) topic every day, beginning 30 days before any certificate will expire.
Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource.
Use AWS Trusted Advisor to check for certificates that will expire within 30 days. Create an Amazon CloudWatch alarm that is based on Trusted Advisor metrics for check status changes. Configure the alarm to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect any certificates that will expire within 30 days. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
Explanations:
ACM itself does not have a built-in feature to publish custom messages to SNS based on certificate expiration, and it has no concept of a "rule". What ACM does do is emit an "ACM Certificate Approaching Expiration" event to Amazon EventBridge once a day, by default starting 45 days before a certificate expires; anything beyond that (custom message text, SNS delivery, a 30-day window) has to be built around that event. This option describes a feature that does not exist.
AWS Config can be used to check for resources that are noncompliant with specific rules. The managed rule acm-certificate-expiration-check (source identifier ACM_CERTIFICATE_EXPIRATION_CHECK) evaluates every AWS::ACM::Certificate the recorder is tracking and marks it NON_COMPLIANT when it expires within the number of days given by its daysToExpiration parameter (default 14, set here to 30). AWS Config publishes a "Config Rules Compliance Change" event for each evaluation result change, so an EventBridge rule that matches that event for this rule name and a new compliance type of NON_COMPLIANT can deliver the alert via SNS, with the message text shaped by an input transformer if needed. Two practical caveats: the Config recorder must be recording ACM certificates (and the rule must exist in every Region that holds certificates), and the event pattern should match only the change to NON_COMPLIANT, otherwise every renewal also triggers a notification. This is the most straightforward and managed approach.
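The following is an added example, not code from the original page or from AWS: it spells out the three pieces behind the recommended option. CONFIG_RULE is the payload AWS Config's put_config_rule takes, EVENT_PATTERN is the EventBridge pattern for put_rule, and pattern_matches is a simplified model of EventBridge matching so the filter can be checked offline against constructed sample events. The rule names, topic name, account ID and certificate ARN are made-up assumptions.

```python
"""Added example (not from the original page): the AWS Config + EventBridge + SNS
pieces for alerting on ACM certificates that expire within 30 days.

CONFIG_RULE and EVENT_PATTERN are the real API payload shapes; pattern_matches()
and sample_event() are a constructed, offline model of what EventBridge does with
them. Names, account ID and ARN below are assumptions for illustration.
"""
import json

DAYS_BEFORE_EXPIRY = 30
CONFIG_RULE_NAME = "acm-cert-expiring-30d"     # assumed name, any name works
EVENT_RULE_NAME = "acm-cert-expiring-to-sns"   # assumed name

# AWS Config managed rule. SourceIdentifier and daysToExpiration are the managed
# rule's own (default 14 days); InputParameters must be a JSON *string*.
# The Config recorder must be recording AWS::ACM::Certificate or it sees nothing.
CONFIG_RULE = {
    "ConfigRuleName": CONFIG_RULE_NAME,
    "Description": f"ACM certificates expiring within {DAYS_BEFORE_EXPIRY} days",
    "Scope": {"ComplianceResourceTypes": ["AWS::ACM::Certificate"]},
    "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"},
    "InputParameters": json.dumps({"daysToExpiration": str(DAYS_BEFORE_EXPIRY)}),
}

# EventBridge pattern: fire only when *this* rule moves a certificate to
# NON_COMPLIANT. Matching every compliance change would also page on renewals.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": [CONFIG_RULE_NAME],
        "resourceType": ["AWS::ACM::Certificate"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge semantics: a nested object recurses, a list is the
    set of allowed literal values, and a pattern key missing from the event is a
    non-match. Prefix/numeric/anything-but operators are not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
    return True


def alert_message(event: dict) -> str:
    """Human-readable SNS message built from a compliance-change event."""
    d = event["detail"]
    return (f"ACM certificate {d['resourceId']} in {d['awsRegion']} "
            f"(account {d['awsAccountId']}) is NON_COMPLIANT with "
            f"{d['configRuleName']}: expires within {DAYS_BEFORE_EXPIRY} days.")


def sample_event(new_state: str, old_state: str = "COMPLIANT") -> dict:
    """Constructed event in the shape AWS Config publishes; IDs/ARN are made up."""
    return {
        "version": "0",
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "region": "us-east-1",
        "account": "111122223333",
        "detail": {
            "resourceId": "arn:aws:acm:us-east-1:111122223333:certificate/"
                          "12345678-1234-1234-1234-123456789012",
            "awsRegion": "us-east-1",
            "awsAccountId": "111122223333",
            "configRuleName": CONFIG_RULE_NAME,
            "messageType": "ComplianceChangeNotification",
            "resourceType": "AWS::ACM::Certificate",
            "newEvaluationResult": {"complianceType": new_state},
            "oldEvaluationResult": {"complianceType": old_state},
        },
    }


def deploy(region: str = "us-east-1", topic_name: str = "acm-cert-expiry-alerts") -> str:
    """Create the SNS topic, Config rule and EventBridge rule with boto3.
    Not run at import time; needs credentials with Config/SNS/Events rights."""
    import boto3  # lazy import so the offline parts above run without it

    sns = boto3.client("sns", region_name=region)
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    # EventBridge publishes to SNS through the topic's resource policy, not an IAM
    # role. This *replaces* the policy; merge with any existing statements first.
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy", AttributeValue=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
                       "Action": "sns:Publish", "Resource": topic_arn}],
    }))
    boto3.client("config", region_name=region).put_config_rule(ConfigRule=CONFIG_RULE)
    events = boto3.client("events", region_name=region)
    events.put_rule(Name=EVENT_RULE_NAME, EventPattern=json.dumps(EVENT_PATTERN), State="ENABLED")
    events.put_targets(Rule=EVENT_RULE_NAME, Targets=[{"Id": "sns", "Arn": topic_arn}])
    return topic_arn
```

Running deploy() once per Region that holds certificates is enough; the managed rule and the Config recorder are Regional, and a topic in a different Region can still be the target if its policy allows it. The offline matcher shows the one filtering decision that matters: a certificate returning to COMPLIANT after renewal produces a compliance-change event too, and the pattern deliberately ignores it.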
Trusted Advisor provides best practice checks, including checks for expiring certificates. Its check results can be surfaced as CloudWatch metrics and alarmed on, but only in us-east-1 and only for accounts on a Business, Enterprise On-Ramp, or Enterprise Support plan, and the checks run on Trusted Advisor's own refresh schedule with fixed thresholds that cannot be tuned to the required 30-day window. It is therefore not a reliable or portable way to meet this requirement.
EventBridge plus Lambda would work: ACM's own expiration events carry a DaysToExpiry value that a Lambda function could compare against 30, or a scheduled function could list certificates and check their expiry dates itself, and then publish to SNS. Either way you are writing and maintaining custom code, including the date comparison and the notification logic. AWS Config is the more managed and simpler approach, because the compliance check is a built-in rule and only the event routing needs to be configured.