Problem of integrating AWS IoT Core and EC2 instances using CloudFormation

I have deployed an open-source server on an EC2 instance and I need the EC2 server to connect to AWS IoT Core. I have two options for creating an IoT certificate for the server:

1. Generate the certificate myself
2. Allow the IoT thing to auto-generate the certificate

Considering that the EC2 server needs to access AWS IoT Core, I have chosen to generate my own certificate and private key. However, a concern arises when uploading the certificate to AWS IoT Core using the AWS::IoT::Certificate resource in CloudFormation. The certificate is included in the CloudFormation source code, potentially exposing sensitive information.

My EC2 server accesses AWS IoT Core using the AWS IoT Device SDK. To ensure secure handling of the certificate and private key, I store them in AWS Secrets Manager. The EC2 server retrieves the self-generated certificate and private key from Secrets Manager during runtime to establish a secure connection with AWS IoT Core.

Ideally, I want to manage the entire infrastructure using CloudFormation, including generating the certificate and private key and uploading them to Secrets Manager. However, I encountered a limitation where CloudFormation does not allow downloading the certificate and private key if they are created within the stack. As a workaround, I decided to generate the certificate and private key manually.

Nevertheless, I still want CloudFormation to assist in creating the IoT thing and attaching the certificate to it. The challenge is that including the certificate in the CloudFormation source code could potentially expose sensitive information.

What is the best practice for combining AWS IoT Core and EC2 using CloudFormation for infrastructure?
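
One way to keep the certificate out of the template source in the setup described above, as an added example that is not part of the original post: the self-generated certificate PEM is passed as a stack parameter at deploy time, and the private key never appears in CloudFormation. The parameter names, logical IDs and the default thing name are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: IoT thing plus a self-generated certificate that is
  supplied at deploy time instead of being written into the template.

Parameters:
  ThingName:
    Type: String
    Default: ec2-server-thing        # hypothetical name
  DeviceCertificatePem:
    Type: String
    NoEcho: true                     # masked in console and API output
    Description: PEM of the self-generated certificate (certificate only, no private key).

Resources:
  ServerThing:
    Type: AWS::IoT::Thing
    Properties:
      ThingName: !Ref ThingName

  ServerCertificate:
    Type: AWS::IoT::Certificate
    Properties:
      # SNI_ONLY registers a certificate without a registered CA;
      # use DEFAULT together with CACertificatePem if a CA is registered.
      CertificateMode: SNI_ONLY
      CertificatePem: !Ref DeviceCertificatePem
      Status: ACTIVE

  ServerCertificateAttachment:
    Type: AWS::IoT::ThingPrincipalAttachment
    Properties:
      ThingName: !Ref ServerThing
      Principal: !GetAtt ServerCertificate.Arn

Outputs:
  CertificateArn:
    Description: ARN of the registered certificate.
    Value: !GetAtt ServerCertificate.Arn
```

The private key stays where the post already keeps it, in Secrets Manager, and is read by the EC2 server at runtime; only the certificate, which carries the public key, passes through the stack.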
