An AWS customer is deploying an application in a separate, highly constrained execution environment ( enclaves ) composed of an auto-scaling group of EC2 Instances. The customer`s security policy requires that every outbound connection from these instances to any other service within the customer`s Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific instance ID. 

Answer options:

A.Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure an Auto Scaling group to launch instances with this role. Have the instances bootstrap, get the certificate from Amazon S3 upon first boot.
B.Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group Have the launched instances, generate a certificate signature request with the instance’s assigned instance-id to the AWS KMS for signature.
C.Configure the AutoScaling group to send an SNS notification of the launch of a new instance to the AWS Certificate Manager. Create a signed certificate using AWS Certificate Manager (ACM).
D.Configure the launched instances to generate a new certificate upon first boot. Have the AWS KMS poll the Auto Scaling group for associated instances and send new instances a certificate signature (that contains the specific instance-id).

Answer – C
This scenario requires (a) an x.509 certificate per instance created in the auto-scaling group, (b) the certificate should be unique that contains the instance id.
Option A is incorrect because (a) storing the signed certificate in S3 is a bad idea as it will not be unique for each instance id, and (b) S3 is not a key management service and cannot generate such certificates.
Option B is incorrect because you need to generate the instance id first before generating the certificate that will be unique for that instance id. Therefore, embedding a certificate in the image and then launching the instance will not be useful at all.
Option C is correct because once the new instance is launched, the ASG is configured to send the notification through SNS to the ACM. The ACM then generates the new certificate.
Nitro enclaves and ACM:
Manager (ACM) for Nitro Enclaves allows you to use public and private SSL/TLS certificates with your web applications and web servers running on Amazon EC2 instances with AWS Nitro Enclaves. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the internet and resources on private networks.
Previously, when running a web server on an EC2 instance, you would have created SSL certificates and stored them as plaintext on your instance. With ACM for Nitro Enclaves, you can now bind AWS Certificate Manager certificates to an enclave and use those certificates directly with your web server without exposing the certificates in plaintext form to the parent instance and its users.
ACM for Nitro Enclaves removes the time-consuming and error-prone manual process of purchasing, uploading, and renewing SSL/TLS certificates. ACM for Nitro Enclaves creates secure private keys, distributes the certificate and its private key to your enclave, and manages certificate renewals. With ACM for Nitro Enclaves, the certificate`s private key remains isolated in the enclave, preventing the instance, and its users, from accessing it.
Please also check https://docs.aws.amazon.com/enclaves/latest/user/enclaves-user.pdf#nitro-enclave-refapp (page 39) on how to use ACM for Nitro Enclaves.
Option D is incorrect because (a) the onus is on the EC2 instances to generate the signed certificate, (b) the requirement is to use a key management service to generate the signed certificate, and (c)AWS KMS does not have any feature to `poll` any service.
Please check below AWS Docs for more details.
https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html
https://docs.aws.amazon.com/enclaves/latest/user/enclaves-user.pdf#nitro-enclave-refapp