Failed to validate the SSL certificate for s3.amazonaws.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: TLS/SSL connection has been closed (EOF) (_ssl.c:727)."
https://s3.amazonaws.com/amazoncloudwatch-agent/assets/amazon-cloudwatch-agent.gpg doesn't have a valid SSL cert resulting in a failure when attempting to grab RPM key (imagine this is also an issue for APT):
https://github.com/christiangda/ansible-role-amazon-cloudwatch-agent/blob/master/tasks/install-redhat.yml#L3