Do you have to purchase the domain from Route53, in order for the ACM certificate to automatically renew?
The exam tip states: "SSL certificates renew automatically, provided you purchase the domain from Route53 and it’s not for a Route53 private hosted zone."
AWS documentation says: "ACM can automatically renew DNS-validated certificates before they expire, as long as the DNS record remains in place and the certificates are in use. Renewals are fully automatic and touchless."
If you use a different registrar and host the ACM CNAME record outside of Route53, will you still achieve automatic renewal, assuming AWS can resolve the CNAME record at your registrar (outside of AWS Route53)?
"Automatic renewal is not available for either imported certificates or for certificates associated with Route 53 private hosted zones. You must renew these manually. For more information, see How Manual Domain Validation Works."
UPDATE for clarification: You do not need to purchase the domain from Route53. I am not sure why the exam tip says that, but it would be worthwhile bringing it up with the course author. My domain wasn’t purchased through Route53, and it renewed automatically this year.
I can confirm that ACM can renew your certificate for domains purchased from another registrar.
The process requires that you click on a confirmation link in an automatically generated e-mail sent by AWS to the various validation e-mails (ex: email@example.com).
If your AWS root account is different than any of your domain validation e-mail addresses, a reminder is sent to your AWS root account e-mail to check the validation e-mail inboxes.
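
The renewal conditions quoted in this thread can be checked per certificate. The following is an added example, not part of any post above: it classifies the `Certificate` dict returned by ACM's DescribeCertificate API. The sample dicts, the `lookup` resolver and the mode labels are constructed for illustration.

```python
# Added example: classify how an ACM certificate will renew, using the rules
# quoted in this thread. Input has the shape of DescribeCertificate's
# "Certificate" dict; all sample values below are constructed.

def renewal_mode(cert, cname_resolves):
    """Return (mode, reason). `cname_resolves(name, value) -> bool` is a
    hypothetical callback that checks the validation CNAME in public DNS,
    regardless of which registrar or DNS provider hosts the zone."""
    if cert.get("Type") == "IMPORTED":
        return ("manual", "imported certificate")
    options = cert.get("DomainValidationOptions", [])
    methods = {o.get("ValidationMethod") for o in options}
    if methods == {"EMAIL"}:
        return ("needs-email-approval", "validation e-mail link must be clicked")
    if methods != {"DNS"}:
        return ("unknown", "no single validation method in response")
    if not cert.get("InUseBy"):
        return ("at-risk", "certificate is not in use")
    # Every domain on the certificate needs its CNAME to remain in place.
    missing = sorted(
        o["DomainName"] for o in options
        if not o.get("ResourceRecord")
        or not cname_resolves(o["ResourceRecord"]["Name"],
                              o["ResourceRecord"]["Value"])
    )
    if missing:
        return ("at-risk", "validation CNAME missing for " + ", ".join(missing))
    return ("automatic", "DNS-validated, record in place, in use")

# Constructed sample: DNS-validated certificate attached to a load balancer.
SAMPLE_DNS = {
    "Type": "AMAZON_ISSUED",
    "InUseBy": ["arn:aws:elasticloadbalancing:EXAMPLE"],
    "DomainValidationOptions": [{
        "DomainName": "example.com", "ValidationMethod": "DNS",
        "ResourceRecord": {"Name": "_abc.example.com.", "Type": "CNAME",
                           "Value": "_xyz.acm-validations.aws."}}],
}
# Constructed stand-in for a public DNS lookup at any provider.
PUBLIC_DNS = {"_abc.example.com.": "_xyz.acm-validations.aws."}

def lookup(name, value):
    return PUBLIC_DNS.get(name) == value

if __name__ == "__main__":
    print(renewal_mode(SAMPLE_DNS, lookup))
```

In a real account, `lookup` would be replaced by an actual DNS query for the CNAME; a record that exists only in a private hosted zone would fail that public lookup.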