Tags: amazon-web-services, ssl, dns, amazon-route53, amazon-certificate-manager

How to create and validate an AWS public certificate on a new subdomain (across AWS accounts)?


I have access to a number of AWS accounts belonging to a client, and would like to set up a public certificate using DNS validation. I believe this means I also need to set up DNS.

I have two accounts:

The new cert/DNS shall be:

gatekeeper.s.aws.example.com

This is set up in account dsc-staging. I have gone through the "DNS validation" option, and it says that it is pending. To start with, there is no DNS for this name in either account, so this would eventually fail if left like that.

So, in the same account, I have created a hosted zone in Route 53, which creates default NS and SOA records.

Now, in the other account, eds-staging, there are existing records for:

I have added the validation record in here, as a CNAME. (I am informed that it would be OK to have put the validation record in the local Route 53, but I have chosen for now to do it here).

Now, I believe that I need to inform AWS how to connect gatekeeper.s.aws.example.com with the known internal name s.aws.example.internal, which already exists, and is used by other things. I believe the process of connecting the two is called "delegation". I was given some instructions to take the NS records from the local account for gatekeeper.s.aws.example.com and copy them to the parent domain s.aws.example.internal in the other account.

However, the AWS UI in Route 53 seems to disallow adding another NS record. Is it because one already exists? If so, can I just add my four records under the existing four (i.e. in the same record)?

I believe that if I wire up this DNS so that it is resolvable, the certificate will become validatable, and that validation will happen automatically. Is this assumption correct?


Solution

  • I would break it down like this:

    1. Register or transfer the domain to your AWS master billing account. This is the only account that registers domains.

    2. In each sub-account (e.g. dev, prod), create an R53 hosted zone for the top-level domain provisioned in step 1. Make sure the NS servers from step 1 are assigned to the zone here. Pay close attention that they agree both on name AND number of servers (usually 4).

    3. Create an ACM cert request for the root AND wildcard domain, e.g. example.com and *.example.com. Request DNS validation. The key here is to include the wildcard. This means it will work for any host name in the domain.

    4. In ACM, request that the service create the R53 validation DNS records for you. This is only possible if you have done step 2 in the same account.

    5. Wait for approval. It can take a few minutes to all day. Check back every hour or so.

    This process, if followed exactly, will always provide a validated ACM cert that works for any AWS-supported service, for both the root domain and any sub-host under it.
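Added example (not code from the question or the answer above) showing the record-building part of steps 2 to 4, plus the subdomain delegation the question asks about. It works on dictionaries shaped like the boto3 responses from `acm.describe_certificate()` and `route53.get_hosted_zone()`, and produces the `ChangeBatch` that `route53.change_resource_record_sets()` accepts; the certificate, name-server and hosted-zone values in the sample data are constructed, and the TTL of 300 is an assumption. Two points it makes concrete: the root and wildcard entries of one ACM request share a single validation CNAME, so they must be de-duplicated rather than written twice, and a delegation is one NS record set at the child name (all four servers as its values), not extra values on the parent's apex NS record.

```python
"""Build Route 53 change batches for ACM DNS validation and for subdomain delegation.

Pure functions over boto3-shaped dicts, so this runs offline. In a live run the
inputs come from acm.describe_certificate(CertificateArn=...) and
route53.get_hosted_zone(Id=...), and the output is passed as the ChangeBatch
argument of route53.change_resource_record_sets(). Sample data below is constructed.
"""
import json
from typing import Dict, List

TTL = 300  # assumption; ACM only needs the CNAME to resolve, any sane TTL works


def normalize(name: str) -> str:
    """Lower-case and add a trailing dot so registrar and Route 53 spellings compare equal."""
    return name.strip().lower().rstrip(".") + "."


def nameservers_match(registrar_ns: List[str], zone_ns: List[str]) -> bool:
    """Step 2 check: the registrar's NS set and the hosted zone's delegation set must agree
    on both the names and the number of servers. Order, case and trailing dots are ignored."""
    return sorted(normalize(n) for n in registrar_ns) == sorted(normalize(n) for n in zone_ns)


def validation_changes(describe_cert: Dict) -> List[Dict]:
    """Turn the DomainValidationOptions of a DescribeCertificate response into UPSERT changes.

    Right after RequestCertificate the ResourceRecord may be absent; in that case the
    caller must poll again rather than write an empty record. Root and wildcard names
    map to the same CNAME, so changes are keyed by record name."""
    records: Dict[str, str] = {}
    for opt in describe_cert["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None:
            raise ValueError(f"no validation record yet for {opt['DomainName']}; poll again")
        if rr["Type"] != "CNAME":
            raise ValueError(f"unexpected validation record type {rr['Type']}")
        name, value = normalize(rr["Name"]), normalize(rr["Value"])
        if records.get(name, value) != value:
            raise ValueError(f"conflicting validation values for {name}")
        records[name] = value
    return [
        {"Action": "UPSERT",
         "ResourceRecordSet": {"Name": n, "Type": "CNAME", "TTL": TTL,
                               "ResourceRecords": [{"Value": v}]}}
        for n, v in records.items()
    ]


def delegation_change(child_name: str, child_zone: Dict) -> Dict:
    """One NS record set at the child name, holding every server of the child zone's
    delegation set. This is written into the PARENT zone; the parent's own apex NS
    record is left untouched."""
    servers = child_zone["DelegationSet"]["NameServers"]
    return {"Action": "UPSERT",
            "ResourceRecordSet": {"Name": normalize(child_name), "Type": "NS", "TTL": TTL,
                                  "ResourceRecords": [{"Value": normalize(s)} for s in servers]}}


def change_batch(changes: List[Dict], comment: str) -> Dict:
    """Wrap changes in the ChangeBatch structure change_resource_record_sets() expects."""
    return {"Comment": comment, "Changes": changes}


# Constructed sample shaped like acm.describe_certificate(); tokens are placeholders.
SAMPLE_DESCRIBE_CERT = {"Certificate": {
    "DomainName": "example.com", "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_a1b2c3d4.example.com.", "Type": "CNAME",
                            "Value": "_e5f6a7b8.acm-validations.aws."}},
        {"DomainName": "*.example.com", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_a1b2c3d4.example.com.", "Type": "CNAME",
                            "Value": "_e5f6a7b8.acm-validations.aws."}},
    ]}}

# Constructed sample shaped like route53.get_hosted_zone() for the child zone.
SAMPLE_CHILD_ZONE = {"DelegationSet": {"NameServers": [
    "ns-100.awsdns-12.com", "ns-600.awsdns-11.net",
    "ns-1200.awsdns-22.org", "ns-1800.awsdns-33.co.uk"]}}


if __name__ == "__main__":
    print(json.dumps(change_batch(validation_changes(SAMPLE_DESCRIBE_CERT),
                                  "ACM DNS validation"), indent=2))
    print(json.dumps(change_batch([delegation_change("gatekeeper.s.aws.example.com",
                                                     SAMPLE_CHILD_ZONE)],
                                  "delegate subdomain"), indent=2))
```

The validation batch goes into whichever zone is authoritative for the certificate's domain (step 4 only automates this when that zone is in the same account); the delegation batch goes into the parent zone in the other account, using the child zone's NS set verbatim.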