Your company is working on a new project. Certificates need to be issued from private Certificate Authorities. You would like to create and manage private CAs in AWS Certificate Manager. As part of the redundancy and disaster recovery plan for the project, the private CAs need to be highly available. The application should still work even when one AWS region has an outage. How would you design the private CAs through ACM to meet the redundancy and DR requirements?

Answer options:

A.Create multiple root CAs in two different AWS Regions in ACM. Each root CA and its subordinate CAs operate independently in an AWS region.
B.Create root and subordinate CAs in ACM. As ACM is a global service, all CAs installed are configured in different regions automatically.
C.Create a root CA in one region through AWS Certificate Manager. Create several redundant subordinate CAs that chain to the root CA in other regions.
D.Create a root CA in ACM in one region. Export the CA from ACM and import to ACM in another region to provide extra redundancy.

Correct Answer – A
A private CA in ACM is a highly available service. However, its scope is within an AWS region. You need to create multiple CAs that run independently in at least two regions for redundancy and disaster recovery. For details, please refer to
https://docs.aws.amazon.com/acm-pca/latest/userguide/ca-best-practices.html.
Option A is CORRECT: As multiple root CAs work independently in different regions, the private CAs are still functional even if one region has an outage.
Option B is incorrect: Because ACM is not a global service and private CAs should be installed in multiple regions.
Option C is incorrect: Because the limitation of the method is that there is no redundant root CA in the event of a disaster that affects the AWS Region in which your root CA exists.
Option D is incorrect: Because in ACM, you cannot import a private CA. You need to create a new private CA in a different region.