- A
ACM automatically renews the certificate before it expires, and the renewed certificate is automatically applied to the associated load balancer.
Correct. When DNS validation is configured, ACM automatically renews certificates before expiration and applies the renewed certificate to the associated AWS resources such as an ALB, eliminating the need for manual renewal and reducing the risk of certificate expiration.
- B
ACM encrypts the traffic between the ALB and the EC2 instances, ensuring end-to-end encryption.
Why wrong: Incorrect. ACM provisions certificates for the ALB to terminate HTTPS connections from clients. Encryption between the ALB and backend instances is configured separately via the ALB listener and target group settings (e.g., using HTTPS or TCP with TLS). ACM does not manage backend encryption.
- C
ACM provides a certificate that can be exported and installed on any on-premises server for free.
Why wrong: Incorrect. ACM certificates cannot be exported for general use outside of AWS. They are intended for use only with integrated AWS services (e.g., ALB, CloudFront, API Gateway). Exporting is not supported, so they cannot be installed on on-premises servers.
- D
ACM requires the company to store the private key in a secure location outside of AWS.
Why wrong: Incorrect. ACM manages the private key securely within AWS and does not expose it to customers. Customers do not have to generate, store, or rotate private keys; ACM handles key management as part of the service.
CLF-C02 Security and Compliance Practice Question
This CLF-C02 practice question tests your understanding of security and compliance. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. A key principle to apply: ACM automatically renews certificates validated via DNS or email. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses a custom domain name and requires HTTPS for all traffic. The security team provisions an SSL/TLS certificate using AWS Certificate Manager (ACM) and associates it with the ALB. Which of the following is an advantage of using ACM over manually managing certificates?
Correct answer & explanation
ACM automatically renews the certificate before it expires, and the renewed certificate is automatically applied to the associated load balancer.
Option A is correct because AWS Certificate Manager (ACM) automatically renews SSL/TLS certificates before they expire, and the renewed certificate is seamlessly applied to the associated AWS resources, such as an Application Load Balancer (ALB). This eliminates the manual effort of tracking expiration dates, generating new certificates, and re-associating them, which is a key operational advantage over self-managed certificates.
Key principle: ACM automatically renews certificates validated via DNS or email.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may confuse ACM's automatic renewal with encryption capabilities or assume ACM certificates are portable, when in fact ACM only manages certificates for AWS services and does not provide encryption between the load balancer and backend instances.
Detailed technical explanation
How to think about this question
ACM leverages an AWS-managed Certificate Authority (CA) to handle the full lifecycle of public and private certificates, including automatic renewal approximately 60 days before expiration using DNS validation or email validation. The renewed certificate is automatically deployed to integrated services like ALB without any downtime, which is critical for maintaining compliance with security policies that require short-lived certificates (e.g., 13-month validity per CA/Browser Forum). In contrast, manually managed certificates require tracking expiration, generating new CSRs, and updating the ALB listener, which can lead to accidental outages if missed.
Key Concepts to Remember
- ACM automatically renews certificates validated via DNS or email.
- Renewed ACM certificates are automatically deployed to integrated AWS services.
- ACM eliminates the need for manual certificate tracking and renewal.
- ACM certificates cannot be exported for use outside of AWS.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
ACM automatically renews certificates validated via DNS or email.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 11, 2026
This CLF-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CLF-C02 exam.