We have an AWS organization with many AWS accounts. Certificates are created in specific accounts, while the validation often happens by creating the CNAME in a centralized Hosted Zone in a central account.
Now we have a lot of CNAMEs there. What's the best way to check if the corresponding certificate is still in use/valid?
From time to time we remove certs and delete accounts, but those records are not always cleaned up. I was looking for a way to do this using `dig` or `nslookup`, but I couldn't find any useful information in the records. Of course the CNAME resolves to a `_xxx.yyy.acm-validations.aws.` record, but is there an easy way to find the corresponding certificate instead of looping over all accounts and all certs to find a match?
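One way to do the reconciliation the question describes, as an added example that is not part of the question: ACM's `describe_certificate` reports the exact CNAME name and value it expects under `DomainValidationOptions[].ResourceRecord`, so the zone can be diffed against the union of those records across accounts. The record-set and certificate dicts below are constructed sample data in the shapes returned by `route53.list_resource_record_sets` and `acm.describe_certificate`; the account-gathering helper at the bottom assumes you already have a boto3 session per account (assumed-role or otherwise) and is the only part that touches AWS.

```python
"""Reconcile ACM DNS-validation CNAMEs in a central hosted zone against live certificates.

Added example, not the original poster's code. Input shapes follow the AWS API responses;
the SAMPLE_* data is constructed and runs offline.
"""
from __future__ import annotations

from typing import Iterable

ACM_VALIDATION_SUFFIX = "acm-validations.aws."


def _norm(name: str) -> str:
    """Route53 and ACM both return FQDNs with a trailing dot, but casing and the dot are not
    guaranteed from every source (e.g. hand-entered records), so normalise before comparing.
    Validation names never contain escaped characters: a wildcard cert shares the apex name."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def validation_cnames(record_sets: Iterable[dict]) -> dict[str, str]:
    """Return {name: value} for CNAME record sets that point at an ACM validation target."""
    found: dict[str, str] = {}
    for rrs in record_sets:
        if rrs.get("Type") != "CNAME":
            continue
        values = [rr["Value"] for rr in rrs.get("ResourceRecords", [])]
        if len(values) != 1:          # a validation record is always a single-value CNAME
            continue
        value = _norm(values[0])
        if value.endswith(ACM_VALIDATION_SUFFIX):
            found[_norm(rrs["Name"])] = value
    return found


def claimed_records(certs: Iterable[dict]) -> dict[str, str]:
    """Return {cname_name: certificate_arn} for every DNS validation record a cert expects.
    `certs` is the 'Certificate' dict from describe_certificate, gathered from every account."""
    claimed: dict[str, str] = {}
    for cert in certs:
        for opt in cert.get("DomainValidationOptions", []):
            rr = opt.get("ResourceRecord")
            if rr and rr.get("Type") == "CNAME":
                claimed[_norm(rr["Name"])] = cert["CertificateArn"]
    return claimed


def orphaned_validation_cnames(record_sets, certs) -> list[str]:
    """Zone records no known certificate claims: candidates for deletion."""
    present = validation_cnames(record_sets)
    claimed = claimed_records(certs)
    return sorted(name for name in present if name not in claimed)


def missing_validation_cnames(record_sets, certs) -> list[tuple[str, str]]:
    """The other direction: certs whose expected CNAME is absent, so ACM cannot renew them."""
    present = validation_cnames(record_sets)
    claimed = claimed_records(certs)
    return sorted((name, arn) for name, arn in claimed.items() if name not in present)


def collect_certificates(sessions: Iterable, region: str = "us-east-1") -> list[dict]:
    """Gather describe_certificate output from each boto3.Session (one per member account).
    Assumes the sessions already carry credentials for the target accounts."""
    certs: list[dict] = []
    for session in sessions:
        acm = session.client("acm", region_name=region)
        for page in acm.get_paginator("list_certificates").paginate():
            for summary in page["CertificateSummaryList"]:
                certs.append(acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


# Constructed sample data (not real tokens or ARNs).
SAMPLE_RECORD_SETS = [
    {"Name": "example.com.", "Type": "A", "ResourceRecords": [{"Value": "192.0.2.10"}]},
    {"Name": "www.example.com.", "Type": "CNAME", "ResourceRecords": [{"Value": "lb.example.com."}]},
    {"Name": "_abc123.app.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "_def456.acm-validations.aws."}]},   # claimed by cert A
    {"Name": "_111aaa.old.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "_222bbb.acm-validations.aws."}]},   # account deleted: orphan
]
SAMPLE_CERTIFICATES = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/cert-a",
     "DomainValidationOptions": [{"DomainName": "app.example.com", "ResourceRecord": {
         "Name": "_abc123.app.example.com.", "Type": "CNAME", "Value": "_def456.acm-validations.aws."}}]},
    {"CertificateArn": "arn:aws:acm:us-east-1:222222222222:certificate/cert-b",
     "DomainValidationOptions": [{"DomainName": "new.example.com", "ResourceRecord": {
         "Name": "_999zzz.new.example.com.", "Type": "CNAME", "Value": "_888yyy.acm-validations.aws."}}]},
]

if __name__ == "__main__":
    print("orphaned:", orphaned_validation_cnames(SAMPLE_RECORD_SETS, SAMPLE_CERTIFICATES))
    print("missing:", missing_validation_cnames(SAMPLE_RECORD_SETS, SAMPLE_CERTIFICATES))
```

The check in both directions matters: an orphaned record is clutter, but a certificate whose record is missing will silently fail renewal, which is the more damaging outcome of uncoordinated clean-ups. Paginate `list_resource_record_sets` for the central zone the same way as `list_certificates` if the zone is large.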