Question 267:
A customer is deploying an SSL-enabled web application on AWS that reads the certificate from ACM. They would like to implement a separation of roles between the EC2 service administrators, who are entitled to log in to instances and make API calls, and the security officers, who maintain and have exclusive access to the application's X.509 certificate, which contains the private key. Which configuration option would satisfy the above requirements?
Answer options:
A. Configure IAM policies authorizing access to the ACM certificate store only to the authorized security officers.
B. Configure system permissions on the web servers to restrict access to the certificate only to the authorized security officers.
C. Upload the certificate on an S3 bucket owned by the security officers and accessible only by the EC2 role of the web servers.
D. Configure the web servers to retrieve the certificate upon boot from a CloudHSM that is managed by the security officers.