route 53

Adding Hosted Zones to Route 53 and Creating ACM Certificates

  9 minute read

One of the most amazing services in AWS is Route 53. Route 53, named aptly for the port that DNS typically uses (port 53), is the service that AWS uses to host DNS zones and their associated records. They basically took DNS and put it on steroids.

In this post, we’ll go through the steps to setup a new Route 53 Zone and an associated ACM record (SSL Certificate).

Why are we creating a Route 53 zone and creating the ACM certificate in the same tutorial? In this tutorial, we’re using DNS validation for the certificates to make sure our certificates are able to renew automatically and this is honestly the easiest way to do it. 🤷‍♂️

As a note: Route 53 is extremely cheap, costing $0.50 per month (for the first 25 zones, $0.10 thereafter). ACM on the other hand is free, so it’s ideal for sharing your content to the world.

FYI If you use Route 53 to buy your domain, you can skip this first section.

Creating the Route 53 Zone

Without going into a ton of detail, think of Route 53 zones as the umbrella that all records fall under.

Take a look at the Route 53 console:

Click “Create hosted zone”. When you do this, you’ll be sent to a pretty simple form. You’ll enter the domain name that bought from the domain registrar of your choice.

Once you’ve filled out the form, you’ll see a confirmation. Awesome!

Notice that there are a few records already in your new zone. Make a note of the first record in the list the “NS” record. You’ll want to save the values in that record for later.

Delegating the Route 53 Zone

If you didn’t use Route 53 as your DNS registrar, you’ll need to “delegate the zone.” But what does that mean?

So basically, you need to let the registrar you used to buy your domain know that the zone you just created is legit. So login to your registrar and add a NS Record with the values that you saved from the previous step.

It could take several hours (up to 72 hours) for your AWS zone to start being recognized by the rest of the internet.

An easy way to tell if your Route 53 zone is to use a command like dig, for example:

dig +short NS

If the response is what you took note of when we created the Route 53 zone, you’re ready for the next step.

Creating your ACM Certificate

Now that your Route 53 zone has been created, you’re able to create your ACM certificate.

Now, buckle up, because this process is …. cumbersome to say the least.

From the getting started page of the Certificate Manager, click “Get started” under Provision certificates. (Private certificates are pretty expensive, so be sure to not do that one unless you really mean to.)

We’ll be creating a public certificate for this, so make sure the public certificate option is selected and click “Request a certificate”.

In the page that comes up next, you’ll enter the domain you initially registered. As an added bonus, we can create something known as a wildcard certificate: all you have to do is add *. to the front of the domain. (See the screenshot below as an example)

Wildcard certificates allow you encrypt traffic for any domain that is a single level down from the domain you registered. For instance, if you create a certificate for * it will cover anything like NOTE: If you try to use that same certificate for a domain like the certificate will show up as invalid.

Once you add the domains to that form, click “Next”. You’ll then be prompted with how you want to validate your certificate. We’re going to choose the DNS validation option because that’s the best way to not have to worry about it later. One the next page you can, optionally, add any tags you want.

As a final gut check, after you add your tags (or skip that step), make sure the details of the certificate you’re creating is valid. If so, click “Confirm and request”.

On the next page, you’ll see a page that lets you know your certificate has been requested. All the statuses should show as “Pending Validation”.

Click on the domain without the *. and you’ll see a button and some DNS records show up. AWS gives you the option to add the records manually, or you can click the shiny blue button and let AWS do the work. For this, what do you think we’re going to do? Click the blue button because that makes our lives easier.

Once clicked, you’ll be asked to confirm our choice. “Duh, AWS. Quick slowing us down!”

Once we’ve confirmed that we were sure we didn’t want to deal with the extra steps of creating the DNS records, you’ll see a confirmation message, letting you know that the certificate is being validated and could take up to 30 minutes.

At this point, it’s a game of luck; sometimes it’s almost instantaneous, other times, you have to wait a while. If you click “Continue” you’ll be sent to the ACM dashboard where you can see all your certificates. You’ll notice that until the DNS validation is completed, the certificate statuses will be listed as “Pending validation”.

Disclaimer: Until the status changes to “Issued” your certificate will not be usable with the services in AWS.


At this point that’s about it. Obviously, I’d recommend that you automate all of that one way or another.

As of the date I’m writing this article, Atomized is working towards building out our “Greenfield Account Setup” which essentially takes all those steps and only asks you for your hostname. Once you provide us with that information, we’ll build out the necessary pieces to have your account ready to go with a new Route 53 zone and a new shiny ACM certificate that you don’t have to mess with (well, because, automation). Greenfield Account Setup will also be able to assist with the creation of the networking within your account.

Interested in learning more about how Atomized can help make deploying to AWS easier? Reach out to us at or shoot us a chat message from this website.

Start simplifying your CI/CD processes

Atomized helps developers deploy application infrastructure
without installing CLI tools or spinning up Kubernetes clusters

Atomized makes it easier to deploy your applications to your cloud

Funded by Y Combinator