I have a workflow for creating AWS credentials that are restricted to doing the LetsEncrypt DNS challenges for just a single sub-domain, and that seems to be working well. https://linsomniac.gitlab.io/post/2019-09-10-letsencrypt-wit...
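For readers who want to see what "restricted to the DNS challenge for a single sub-domain" can look like on the AWS side, here is an added example IAM policy. It is not taken from the linked post or from the commenter's workflow; it uses the Route 53 condition keys AWS added for `ChangeResourceRecordSets` (`...NormalizedRecordNames`, `...RecordTypes`, `...Actions`), and the hosted zone ID and the `app.example.com` name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyZoneLookupForAcmeClient",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WriteOnlyTheAcmeChallengeTxtRecordForOneName",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/Z0000000000EXAMPLE",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.app.example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "TXT"
          ],
          "route53:ChangeResourceRecordSetsActions": [
            "CREATE",
            "UPSERT",
            "DELETE"
          ]
        }
      }
    }
  ]
}
```

The first statement is the read-only access a typical ACME client needs to find the zone and poll for propagation; the second is the only write, and every element of a change batch must match the listed name, be a `TXT` record, and use one of the listed actions, otherwise the whole request is denied. Record names in these condition keys are compared in normalized form (lower-case, no trailing dot), so list them that way. Attach this to a dedicated IAM user or role used only by the ACME client, and scope the `Resource` to the one hosted zone rather than `*` so a leaked key cannot touch other zones even with the conditions in place.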