High-level Certificate Manager builder following AWS security best practices. **Default Security Settings:** - Validation method = DNS (more secure than email validation) - Key algorithm = RSA_2048 (industry standard) - Transparency logging = enabled (default AWS behavior) **Rationale:** These defaults follow AWS Well-Architected Framework security pillar: - DNS validation is automated and doesn't rely on email - RSA_2048 provides strong encryption with broad compatibility - Certificate transparency helps detect mis-issuance **Use Cases:** - HTTPS for CloudFront distributions - HTTPS for Application Load Balancers - Custom domain names for API Gateway **Escape Hatch:** Access the underlying CDK Certificate via the `Certificate` property for advanced scenarios not covered by this builder.