Yes, exactly. What I did after all is a CloudFormation Custom Resource which generates a Let's Encrypt certificate, stores its fullchain in ACM and its private key in AWS Secrets Manager, which are pulled by the container at bootstrap. Not ideal, but I couldn't find a better way.