What should the security engineer do to resolve this issue?
Purchase a valid wildcard certificate authority (CA) certificate that supports managed renewal. Import this certificate into ACM in Account B.
Add NS records for the subdomain dev.example.com to the Route 53 parent zone example.com in Account A.
Use AWS Certificate Manager Private Certificate Authority to create a subordinate certificate authority (CA). Use ACM to generate a private certificate that supports managed renewal.
Resend the email message that requests ownership validation of dev.example.com.
Explanations:
The issue is related to DNS validation, not the purchase or import of a wildcard certificate. ACM DNS validation requires the correct CNAME records.
The CNAME records for DNS validation need to be in the public DNS zone for dev.example.com, and for those records to resolve, the parent zone example.com in Account A must have proper delegation (NS records) to the dev.example.com zone in Account B.
Creating a private CA does not resolve DNS validation issues for a public domain. The certificate is for a public DNS zone, which requires DNS validation via Route 53.
Email validation is not required in this scenario because DNS validation is already being used for the certificate. Email validation would only be necessary for domain validation.