Which of the following configurations will support these requirements?
A. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate, and configure the Auto Scaling group to launch instances with this role. Have the instances fetch the certificate from Amazon S3 during bootstrap on first boot.
B. Embed a certificate into the Amazon Machine Image (AMI) used by the Auto Scaling group. Have the launched instances generate a certificate signing request (CSR) containing the instance's assigned instance-id and submit it to the key management service for signature.
C. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the key management service generate a signed certificate and send it directly to the newly launched instance.
D. Configure the launched instances to generate a new certificate upon first boot. Have the key management service poll the Auto Scaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.
Explanations:
A: Granting instances an IAM role to fetch a signed certificate from S3 is a valid way to distribute a certificate, but the object in S3 is one pre-signed certificate that every instance downloads. Nothing ties it to the instance-id of the instance that fetches it, so this option fails the requirement that each instance have a unique x.509 certificate containing its own instance-id.
B: Embedding a certificate into the AMI cannot produce unique certificates, because every instance launched from that AMI carries the same certificate (and, if the private key is baked into the image, the same private key, readable by anyone who can launch or copy the AMI). The CSR step does not fix this: a CSR in which the instance itself writes its instance-id proves only that someone asked for that id, not that the requester is that instance, and the shared embedded certificate remains on every instance. The requirement is not met.
C (correct): This option directly addresses the requirement. The Auto Scaling group notifies the trusted key management service, via SNS, each time it launches an instance; the notification carries the new instance-id, so the service can issue a certificate that includes that instance-id, sign it, and deliver it to the instance. Each instance therefore receives its own unique certificate signed by the trusted service. Note that the "key management service" here is the trusted certificate-issuing service named in the question, not AWS KMS, which manages cryptographic keys but does not issue x.509 certificates.
D: Having each instance generate its own certificate on first boot yields a self-generated certificate rather than one signed by the trusted service, and relying on that service to poll the Auto Scaling group for new instances introduces delay and a window in which a freshly launched instance runs without a valid certificate. Polling also does not guarantee that the certificate is issued promptly or that it contains the specific instance-id, which makes this option less reliable than option C.