I have a mandate to encrypt traffic between services running on AWS EC2 instances, presumably with TLS. My (current) question is: how do I get the private key files onto my instances automatically (e.g. when using auto-scaling or spot instances)? There seem to be a number of options, but at least some of them seem red herrings:
- In https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html, it looks like you can upload certificates and private keys to IAM, but then you can't download the private keys.
- With AWS Certificate Manager, it looks like the private keys are only available to certain services, not EC2 instances (https://serverfault.com/questions/947057/install-aws-ssl-certificate-to-ec2-instance-without-load-balancer).
- Is there some other service I can use (Key Management Service, Secrets Manager, etc.)?
- Can I use instance metadata?
- Is there a way to safely store the private keys on the AMIs?
- Is SSL/TLS offload (https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload.html) the best way to go? It seems complicated and subject to network latency issues.
How can (and how should) I do this?
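One of the options the question lists is Secrets Manager, reached through the instance's IAM role rather than through credentials baked into the AMI. The following added example (not part of the original question) shows the bootstrap step a launch script would run: pull a certificate/key pair from a secret, sanity-check that it is PEM material, and write it to disk atomically with owner-only permissions. It assumes the secret is a JSON document with `cert` and `key` fields, an assumed layout, and that the instance profile grants `secretsmanager:GetSecretValue` on that secret. A constructed stand-in client is included so the block runs offline; with boto3 installed, `boto3.client("secretsmanager")` can be passed in its place, since it exposes the same `get_secret_value(SecretId=...)` call.

```python
"""Bootstrap TLS key material onto an EC2 instance from AWS Secrets Manager.

Added example, not from the original question. Assumptions (not confirmed by the page):
- the secret is JSON: {"cert": "<PEM chain>", "key": "<PEM private key>"}
- the instance role allows secretsmanager:GetSecretValue on that one secret,
  so nothing long-lived has to live in the AMI, user-data or instance metadata.
"""
import json
import os
import stat
import tempfile

PEM_KEY_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client (offline only).
    Real usage: client = boto3.client("secretsmanager"), which picks up the
    instance-profile credentials automatically on EC2."""

    def __init__(self, secrets):
        self._secrets = secrets

    def get_secret_value(self, SecretId):
        if SecretId not in self._secrets:
            raise KeyError("no such secret: %s" % SecretId)
        return {"SecretString": self._secrets[SecretId]}


def fetch_tls_material(client, secret_id):
    """Return (cert_pem, key_pem) from the secret, refusing malformed payloads
    so a bad rotation cannot leave a service with an empty or non-PEM key."""
    resp = client.get_secret_value(SecretId=secret_id)
    payload = json.loads(resp["SecretString"])
    cert, key = payload["cert"], payload["key"]
    if not key.lstrip().startswith(PEM_KEY_MARKERS):
        raise ValueError("secret does not contain a PEM private key")
    if "-----BEGIN CERTIFICATE-----" not in cert:
        raise ValueError("secret does not contain a PEM certificate")
    return cert, key


def write_private(path, data, mode=0o600):
    """Write `data` to `path` atomically: the temp file is created 0600 by
    mkstemp, chmod'ed to `mode`, then renamed over the target, so a reader
    never sees a partially written or world-readable key. Returns the final mode."""
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".tls-")
    try:
        with os.fdopen(fd, "w") as f:  # fdopen takes ownership of fd
            f.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def bootstrap(client, secret_id, cert_path, key_path):
    """Fetch and install the pair; the cert may be world-readable, the key must not be.
    Returns the mode actually applied to the key file."""
    cert, key = fetch_tls_material(client, secret_id)
    write_private(cert_path, cert, 0o644)
    return write_private(key_path, key, 0o600)


if __name__ == "__main__":
    # Constructed placeholder PEM blocks (markers only, not real key material).
    fake = FakeSecretsManager({
        "prod/svc/tls": json.dumps({
            "cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
            "key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        })
    })
    d = tempfile.mkdtemp()
    mode = bootstrap(fake, "prod/svc/tls", os.path.join(d, "svc.crt"), os.path.join(d, "svc.key"))
    print("key installed with mode %o" % mode)
```

Because the instance authenticates with its role, every read of the key is a `GetSecretValue` call that CloudTrail records per instance, which is what makes this approach auditable in a way that keys baked into an AMI are not; the resource policy on the secret can further restrict which roles may read it.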