Automate DNS-01 with Route 53

Connecting Route 53 lets aethercert create and remove the DNS TXT records ACME uses for DNS-01 validation automatically.

1. Create a scoped IAM user in AWS

  1. Sign in to the AWS IAM console and find your hosted zone's ID under Route 53 (Hosted zones).
  2. Create an IAM policy scoped to that zone, granting only route53:ChangeResourceRecordSets and route53:GetChange on arn:aws:route53:::hostedzone/<your-zone-id> (and route53:ListHostedZones/route53:ListResourceRecordSets at the account level, since those can't be scoped to a single zone).
  3. Create an IAM user (or role) with no console access, attach the policy, and generate an access key pair for it.

2. Connect it in aethercert

  1. Make sure the domain is already added and verified under Build > Domains (or Manage > Domains for an existing one).
  2. On that domain's setup step 2 ("DNS provider"), choose AWS Route 53 from the provider dropdown.
  3. Enter the Access key ID and Secret access key.
  4. Leave Region as us-east-1 unless AWS support tells you otherwise - Route 53 itself is global.
  5. Optionally set Hosted zone ID directly if you'd rather skip the zone lookup step.
  6. Click Test & save - aethercert verifies the credentials can actually reach the zone before saving them.

3. Use it

Any certificate you create for this domain (or its subdomains) can now use DNS-01, including wildcards. Credentials are stored write-only and never displayed back in the dashboard once saved.