A customer is deploying an SSL enabled web application to AWS and would like to implement a
separation of roles between the EC2 service administrators that are entitled to login to instances
as well as making API calls and the security officers who will maintain and have exclusive access
to the application’s X.509 certificate that contains the private key.
Upload the certificate on an S3 bucket owned by the security officers and accessible only by EC2
Role of the web servers.
Configure the web servers to retrieve the certificate upon boot from an CloudHSM is managed by
the security officers.
Configure system permissions on the web servers to restrict access to the certificate only to the
authority security officers
Configure IAM policies authorizing access to the certificate store only to the security officers and
terminate SSL on an ELB.