[TheNewsIsHere]

Using CNAME delegation for the ACME challenge domain and directing that to a Route 53 zone is my preferred approach. Then (as long as you have CloudWatch configured) you get inherent auditing and very flexible privilege management.

[cj]

That wouldn't work for this use case though would it? AWS doesn't allow downloading the certificate (I could be wrong)? Typically certificates can only be used with other AWS services. E.g. you can't download the certificate and serve it from a home server.

[vladvasiliu]

You're not wrong, but the idea here is not to use AWS' certificate manager but their DNS service on which you would only handle the acme-challenge subdomain. This would allow you to limit who can update which subdomain. The LE cert is obtained normally.