Tags: amazon-web-services, aws-api-gateway, aws-elb, aws-alb, aws-acm

AWS ACM certificate renewals without downtime (zero downtime)


Can we do automated cert renewals for APIGW or ELB (certs managed via ACM) without downtime (zero downtime) ?

Assumptions: The ACM Cert and AWS Service are eligible for automated renewals and there are no gaps/issues on the domain validation side. In fact, Let's assume that ACM has already obtained the renewed cert.


Solution

  • If you have an ACM generated certificate this will automatically be renewed and rolled out ahead of time to each resource that has it applied.

    ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This includes both public and private certificates issued by using ACM. If possible, ACM renews your certificates automatically with no action required from you.

    You cannot trigger the renewals for these certificates, in fact they are created with a 13 month expiry with ACM renewing the certificate at 12 months (with 1 month left until expiry).

    If you upload your own certificates to ACM you will need to apply them to each resource; however, there is no downtime whilst this applies to the resource. To avoid downtime from an expired SSL certificate, ensure you roll this out ahead of time.

    You can validate the status of your ACM certificate for more details on its renewal process.
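The status check the answer points at, as an added example (not code from the original post or from AWS): it triages the `Certificate` object returned by `aws acm describe-certificate --certificate-arn <arn>` using the real ACM fields `Type`, `Status`, `RenewalEligibility`, `RenewalSummary.RenewalStatus`, `NotAfter` and `InUseBy`, and separates Amazon-issued certificates that ACM will renew on its own from imported ones that must be rotated by hand, or renewals that ACM reports as failed. The sample records, ARNs and the `warn_days` threshold are constructed for illustration.

```python
"""Triage ACM certificates for renewal risk from `aws acm describe-certificate` output.

Added example, not part of the original post. Feed each certificate's
'Certificate' object (as printed by `aws acm describe-certificate`) to triage();
the SAMPLE_CERTS below use real ACM field names with invented values.
"""
from datetime import datetime, timezone

# Constructed sample: one record per scenario discussed in the answer.
SAMPLE_CERTS = [
    {   # Amazon-issued, attached to an ALB, managed renewal pending: nothing to do.
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-1",
        "DomainName": "api.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "NotAfter": "2025-08-30T00:00:00+00:00",
        "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL"},
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/demo/EXAMPLE"],
    },
    {   # Amazon-issued, but ACM reports the renewal failed (a domain-validation gap).
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-2",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "NotAfter": "2025-07-01T00:00:00+00:00",
        "RenewalSummary": {"RenewalStatus": "FAILED"},
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web/EXAMPLE"],
    },
    {   # Imported certificate: ACM never renews these, so it needs a manual rotation.
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-3",
        "DomainName": "legacy.example.com",
        "Type": "IMPORTED",
        "Status": "ISSUED",
        "RenewalEligibility": "INELIGIBLE",
        "NotAfter": "2025-06-20T00:00:00+00:00",
        "InUseBy": ["arn:aws:apigateway:us-east-1::/domainnames/legacy.example.com"],
    },
    {   # Amazon-issued but attached to nothing: renewal protects no endpoint yet.
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-4",
        "DomainName": "spare.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "NotAfter": "2026-05-01T00:00:00+00:00",
        "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL"},
        "InUseBy": [],
    },
]

# Fixed "now" so the sample triage is reproducible (constructed).
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def assess(cert, now=None, warn_days=45):
    """Classify one certificate as ok / watch / act-now with a short reason."""
    now = now or datetime.now(timezone.utc)
    days_left = (datetime.fromisoformat(cert["NotAfter"]) - now).days
    renewal = cert.get("RenewalSummary", {}).get("RenewalStatus")
    in_use = bool(cert.get("InUseBy"))

    if cert.get("Status") != "ISSUED":
        action, reason = "act-now", f"certificate status is {cert.get('Status')}"
    elif cert.get("Type") == "IMPORTED":
        # No managed renewal for imported certificates: the replacement must be
        # imported and associated with every resource in InUseBy before NotAfter.
        if days_left <= warn_days:
            action, reason = "act-now", "imported certificate expires soon; re-import and re-associate"
        else:
            action, reason = "ok", "imported certificate; schedule manual rotation before expiry"
    elif renewal in ("FAILED", "PENDING_VALIDATION"):
        action, reason = "act-now", f"managed renewal is {renewal}; check domain validation"
    elif cert.get("RenewalEligibility") != "ELIGIBLE":
        action = "act-now" if days_left <= warn_days else "watch"
        reason = "not eligible for managed renewal"
    elif not in_use:
        action, reason = "watch", "eligible for renewal but attached to no resource"
    else:
        action, reason = "ok", f"managed renewal status {renewal or 'not yet reported'}"
    return {"domain": cert["DomainName"], "arn": cert["CertificateArn"],
            "days_left": days_left, "action": action, "reason": reason}


def triage(certs, now=None, warn_days=45):
    """Assess every certificate; most urgent first, then by days to expiry."""
    order = {"act-now": 0, "watch": 1, "ok": 2}
    rows = [assess(c, now, warn_days) for c in certs]
    return sorted(rows, key=lambda r: (order[r["action"]], r["days_left"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_CERTS, SAMPLE_NOW):
        print(f"{row['action']:8} {row['days_left']:4}d {row['domain']:22} {row['reason']}")
```

Run it against live output by calling `aws acm list-certificates` and then `describe-certificate` for each ARN, passing the `Certificate` objects to `triage()` with no `now` argument. For an imported certificate, `aws acm import-certificate` with `--certificate-arn` set to the existing ARN replaces the certificate in place and keeps its existing resource associations, which is the path the answer describes for rolling a new certificate out ahead of expiry.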