A customer is deploying an SSL enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators that are ...

A customer is deploying an SSL enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators that are entitled to login to instances as well as making API calls and the security officers who will maintain and have exclusive access to the application's X.
509 certificate that contains the private key.