AWS Route 53 now allows the creation of CAA records to restrict the certificate authorities that may issue a certificate for a domain. I'd like to use an issue directive to restrict the issue of certificates for my domain like in the following example:

example.org. CAA 128 issue "letsencrypt.org"

I obtain certificates for my domain from Amazon's Certificate Manager (ACM). How should I configure a domain that restricts issue of certificates to this service? I don't want to get this wrong in case I break the automatic renewal of the certificate!

simpleigh
    Before you add *any* CAA entry, open up the certificates you use in a browser and confirm that they are indeed issued by the authority you expect (in case of ACM, that should be Amazon) – anx Sep 11 '17 at 21:56

1 Answer

Update 2017-09

The official ACM user guide in the AWS documentation contains a section regarding CAA: http://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html

It does contain an example identical to the one below, claims that ACM now respects CAA configuration, and clarifies that no flag should be set (flags=0):

if you do not have a CAA record that specifies one of the following four Amazon CAs, ACM cannot issue a certificate to your domain or subdomain

Please bear in mind that until Amazon promises unconditional CAA validation in their certification practice statement,

CAA checking is optional if the CA or an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) of the domain’s DNS.

as per Ballot 187 of the CAB Forum (effective 2019-09-08).

Original Post

You can just use

example.org. CAA 0 issue "amazon.com"

Why amazon.com?

Because just about any CA out there recommends using the most memorable domain under their control, and Amazon has not yet made any more specific communications.

https://www.rfc-editor.org/rfc/rfc6844#section-3

issue <Issuer Domain Name> [; <name>=<value> ]* :
The issue property entry authorizes the holder of the domain name or a party acting under the explicit authority of the holder of that domain name to issue certificates for the domain in which the property is published.

Why not use flags (e.g. flags=128: mark it critical)?

Because, as of now (2017-08), Amazon doesn't care about the CAA record, so by setting it up, potentially not adhering to guidelines they publish at a later time, you are just preparing yourself for some headache in figuring out what went wrong.

Amazon may or may not additionally recommend using aws.amazon.com and/or an account name, and their report to browser vendors looks like they do.

The Amazon Trust public document repository contains a document called Amazon Trust Services Certification Practice Statement v1.X and there you can search for "CAA". In v1.0.5 this states

Amazon Root CAs do not check CAA records prior to issuing certificates.

anx
    Thanks - this is useful. I think "potentially not adhering to guidelines they publish at a later time" is probably the key point - the safest option (from an uptime perspective) is probably to leave this for now and wait until Amazon publish the correct configuration. – simpleigh Sep 22 '17 at 15:53