Upload the certificate on an S3 bucket owned by the security officers and accessible only by EC2 Role of the web servers.
Configure the web servers to retrieve the certificate upon boot from an CloudHSM is managed by the security officers.
Configure system permissions on the web servers to restrict access to the certificate only to the authority security officers
Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.
Explanations:
Storing the certificate in an S3 bucket may ensure restricted access, but it does not provide sufficient security for sensitive SSL certificates as S3 lacks robust encryption and security specifically for private key management.
While CloudHSM offers high security for sensitive keys, it is primarily for cryptographic operations and not for certificate retrieval. Additionally, managing SSL certificates directly through CloudHSM is impractical and complex.
System permissions on the servers alone are insufficient, as administrators with EC2 access could potentially alter permissions, allowing unauthorized access to certificates, failing the separation of roles requirement.
Terminating SSL on an ELB with IAM policies for security officers restricts certificate access to only those officers. ELB abstracts SSL handling, meeting security and separation of roles requirements effectively and securely.
I measure that the answer is:
Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.