I have multiple AWS accounts managed through AWS Organizations. I have a generic account which is used to share resources. In this generic account, I have created a Route53 hosted zone which is related to a domain I purchased through Route53. Let's call this domain mydomain.example.

I want to wire subdomains of this main domain to different ECS services in my test and production account. For example: test.mydomain.example and production.mydomain.example. So far, so good. I've created these domains in the hosted zone in the generic account and pointed them to my load balancer (which does host based routing).

The problem now is TLS. How can I make an ACM certificate for which the validation records are stored in a hosted zone in another account? Cross-account IAM seems to be implementation-specific for each AWS service.


I once created a solution for creating records in another account. I did this with SNS and Lambdas. In my case I had a CF creating a record and a CR triggering a Lambda to publish to an SNS topic in the account with the main HZ. In this account I had a Lambda as a subscriber to that SNS topic, and the Lambda in the main account added the record in the main HZ.
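The subscriber side of the pattern in the answer above, written as an added example (it is not the answerer's code and not an AWS-provided sample). It is the Lambda that lives in the account owning the shared hosted zone and is subscribed to the SNS topic. The security-relevant part the answer does not spell out is that this Lambda is the only principal with write access to the parent zone, so it must refuse anything the publishing accounts are not entitled to: the example maps each SNS topic ARN to the one subdomain that account may write under (assuming one topic per publishing account, each with a topic policy that grants `sns:Publish` only to that account), allows only CNAME records (all ACM DNS validation needs), and bounds the TTL. The hosted zone id, topic ARNs, account ids and the JSON message shape are placeholders chosen for this example; the fake Route53 client exists only so the file runs offline, and in Lambda `boto3` is used instead.

```python
"""Cross-account Route53 record writer: SNS-subscribed Lambda in the zone-owning account.

Constructed example. HOSTED_ZONE_ID, the topic ARNs, account ids and the message
format are assumptions, not values from the original question or answer.
"""
import json
import os

try:
    import boto3  # present in the Lambda runtime; optional so the file also runs offline
except ImportError:
    boto3 = None

HOSTED_ZONE_ID = os.environ.get("HOSTED_ZONE_ID", "ZPLACEHOLDERZONEID")  # placeholder

# One SNS topic per publishing account; each topic's policy should grant sns:Publish to
# that account only, so the topic ARN is a trustworthy indicator of who is asking.
# Keys and account ids are constructed placeholders.
ALLOWED_SCOPES = {
    "arn:aws:sns:eu-west-1:999999999999:acm-validation-test": "test.mydomain.example.",
    "arn:aws:sns:eu-west-1:999999999999:acm-validation-production": "production.mydomain.example.",
}
ALLOWED_TYPES = {"CNAME"}          # ACM DNS validation records are CNAMEs
ALLOWED_ACTIONS = {"UPSERT", "DELETE"}


def _fqdn(name: str) -> str:
    """Lower-case and make absolute so comparisons cannot be bypassed by case or a missing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def validate_request(req: dict, scope: str) -> dict:
    """Return a Route53 ResourceRecordSet for the request or raise ValueError.

    scope is the delegated subdomain (absolute, lower-case) the publisher may write under.
    """
    name = _fqdn(req["Name"])
    rtype = str(req["Type"]).upper()
    value = str(req["Value"]).strip()
    ttl = int(req.get("TTL", 300))
    # Accept the delegated label itself or any name strictly below it, nothing else.
    if name != scope and not name.endswith("." + scope):
        raise ValueError(f"{name} is outside the delegated scope {scope}")
    if rtype not in ALLOWED_TYPES:
        raise ValueError(f"record type {rtype} is not permitted")
    if not 60 <= ttl <= 86400:
        raise ValueError(f"TTL {ttl} out of range")
    if not value:
        raise ValueError("empty record value")
    return {"Name": name, "Type": rtype, "TTL": ttl, "ResourceRecords": [{"Value": value}]}


def build_change_batch(req: dict, scope: str) -> dict:
    """Build the ChangeBatch for change_resource_record_sets, validating action and record."""
    action = str(req.get("Action", "UPSERT")).upper()
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action {action} is not permitted")
    rrset = validate_request(req, scope)
    return {
        "Comment": f"ACM validation record via {scope}",
        "Changes": [{"Action": action, "ResourceRecordSet": rrset}],
    }


def handler(event, context=None, route53=None):
    """Lambda entry point for SNS events. Returns one outcome per SNS record."""
    if route53 is None:
        route53 = boto3.client("route53")
    outcomes = []
    for rec in event.get("Records", []):
        sns = rec.get("Sns", {})
        topic = sns.get("TopicArn")
        try:
            scope = ALLOWED_SCOPES.get(topic)
            if scope is None:
                raise ValueError(f"unknown topic {topic}")
            batch = build_change_batch(json.loads(sns["Message"]), scope)
            resp = route53.change_resource_record_sets(
                HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=batch
            )
            outcomes.append({"name": batch["Changes"][0]["ResourceRecordSet"]["Name"],
                             "status": resp["ChangeInfo"]["Status"]})
        except (ValueError, KeyError, TypeError, json.JSONDecodeError) as exc:
            # Refused requests are reported (and end up in CloudWatch logs), never written.
            outcomes.append({"topic": topic, "error": str(exc)})
    return outcomes


class FakeRoute53:
    """Offline stand-in for boto3's Route53 client; records the calls it receives."""
    def __init__(self):
        self.calls = []

    def change_resource_record_sets(self, **kwargs):
        self.calls.append(kwargs)
        return {"ChangeInfo": {"Id": "/change/FAKE", "Status": "PENDING"}}


def sample_event(topic_arn: str, message: dict) -> dict:
    """Constructed SNS event in the shape Lambda receives (only the fields used above)."""
    return {"Records": [{"Sns": {"TopicArn": topic_arn, "Message": json.dumps(message)}}]}


if __name__ == "__main__":
    fake = FakeRoute53()
    topic = "arn:aws:sns:eu-west-1:999999999999:acm-validation-test"
    ok = sample_event(topic, {"Action": "UPSERT", "Name": "_abc123.test.mydomain.example",
                              "Type": "CNAME", "Value": "_def456.acm-validations.aws."})
    bad = sample_event(topic, {"Action": "UPSERT", "Name": "production.mydomain.example",
                               "Type": "A", "Value": "192.0.2.10"})
    print(handler(ok, route53=fake))   # written
    print(handler(bad, route53=fake))  # refused: outside the test.* scope
```

The publishing side stays as the answer describes it (a custom resource that publishes the ACM validation record to the topic); what this block adds is the check that a compromised or misconfigured test account can only ever create validation CNAMEs under test.mydomain.example, not records for production or for the apex. Give the Lambda's execution role `route53:ChangeResourceRecordSets` on that single hosted zone and nothing more, and watch the refused outcomes in CloudWatch Logs as a cheap detection signal.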