Question 874 of 1,024
Security and Compliance · medium · Multiple Choice · Objective-mapped

CLF-C02 Security and Compliance Practice Question

This CLF-C02 practice question tests your understanding of security and compliance. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. A key principle to apply: ACM automatically renews certificates validated via DNS or email. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses a custom domain name and requires HTTPS for all traffic. The security team provisions an SSL/TLS certificate using AWS Certificate Manager (ACM) and associates it with the ALB. Which of the following is an advantage of using ACM over manually managing certificates?


Correct answer & explanation

ACM automatically renews the certificate before it expires, and the renewed certificate is automatically applied to the associated load balancer.

Option A is correct because AWS Certificate Manager (ACM) automatically renews SSL/TLS certificates before they expire, and the renewed certificate is seamlessly applied to the associated AWS resources, such as an Application Load Balancer (ALB). This eliminates the manual effort of tracking expiration dates, generating new certificates, and re-associating them, which is a key operational advantage over self-managed certificates.

Key principle: ACM automatically renews certificates validated via DNS or email.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • ACM automatically renews the certificate before it expires, and the renewed certificate is automatically applied to the associated load balancer.

    Why this is correct

    Correct. When DNS validation is configured, ACM automatically renews certificates before expiration and applies the renewed certificate to the associated AWS resources such as an ALB, eliminating the need for manual renewal and reducing the risk of certificate expiration.

    Related concept

    ACM automatically renews certificates validated via DNS or email.

  • ACM encrypts the traffic between the ALB and the EC2 instances, ensuring end-to-end encryption.

    Why it's wrong here

    Incorrect. ACM provisions certificates for the ALB to terminate HTTPS connections from clients. Encryption between the ALB and backend instances is configured separately via the ALB listener and target group settings (e.g., using HTTPS or TCP with TLS). ACM does not manage backend encryption.

  • ACM provides a certificate that can be exported and installed on any on-premises server for free.

    Why it's wrong here

    Incorrect. ACM certificates cannot be exported for general use outside of AWS. They are intended for use only with integrated AWS services (e.g., ALB, CloudFront, API Gateway). Exporting is not supported, so they cannot be installed on on-premises servers.

  • ACM requires the company to store the private key in a secure location outside of AWS.

    Why it's wrong here

    Incorrect. ACM manages the private key securely within AWS and does not expose it to customers. Customers do not have to generate, store, or rotate private keys; ACM handles key management as part of the service.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may confuse ACM's automatic renewal with encryption capabilities or assume ACM certificates are portable, when in fact ACM only manages certificates for AWS services and does not provide encryption between the load balancer and backend instances.

Detailed technical explanation

How to think about this question

ACM uses an AWS-managed certificate authority (CA) to handle the full lifecycle of public and private certificates, including automatic renewal approximately 60 days before expiration using DNS validation or email validation. The renewed certificate is automatically deployed to integrated services like ALB without any downtime, which is critical for maintaining compliance with security policies that require short-lived certificates (e.g., 13-month validity per CA/Browser Forum). In contrast, manually managed certificates require tracking expiration, generating new CSRs, and updating the ALB listener, which can lead to accidental outages if a renewal is missed.

Key Concepts to Remember

  • ACM automatically renews certificates validated via DNS or email.
  • Renewed ACM certificates are automatically deployed to integrated AWS services.
  • ACM eliminates the need for manual certificate tracking and renewal.
  • ACM certificates cannot be exported for use outside of AWS.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

FAQ

Questions learners often ask

What does this CLF-C02 question test?

This question tests Security and Compliance: ACM automatically renews certificates validated via DNS or email.

What is the correct answer to this question?

The correct answer is: ACM automatically renews the certificate before it expires, and the renewed certificate is automatically applied to the associated load balancer. — Option A is correct because AWS Certificate Manager (ACM) automatically renews SSL/TLS certificates before they expire, and the renewed certificate is seamlessly applied to the associated AWS resources, such as an Application Load Balancer (ALB). This eliminates the manual effort of tracking expiration dates, generating new certificates, and re-associating them, which is a key operational advantage over self-managed certificates.

What should I do if I get this CLF-C02 question wrong?

Review the principle that ACM automatically renews certificates validated via DNS or email, then practise related CLF-C02 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

ACM automatically renews certificates validated via DNS or email.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026
