Let’s Encrypt and DNS verification

The only way to obtain a wildcard (*.domain.com) certificate is via DNS verification. Certbot supports a number of DNS providers; you can check whether yours is listed by executing $ certbot plugins

AWS Route53

If you want to use it with Amazon Cloud, you should install the plugin for AWS:

pip install certbot-dns-route53

Note

If you are using certbot on macOS and installed it via brew, you should use: $( brew --prefix certbot )/libexec/bin/pip install certbot-dns-route53

You should store your credentials in ~/.aws/credentials (you may want to create a dedicated policy for updating DNS, as described in the plugin’s documentation):

[default]
aws_access_key_id = <key_id>
aws_secret_access_key = <key>

Afterward, execute certbot with the --dns-route53 parameter.
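
An added example (not from the original post or the certbot project): a Python check that compares an IAM policy with the three Route53 actions in the plugin documentation's sample policy, and tests whether the credentials file is accessible to other local users. The function names, the two sample policies and the zone id Z0EXAMPLEZONEID are constructed for illustration.

```python
import os
import stat

# Actions listed in the certbot-dns-route53 documentation's sample policy.
NEEDED = {"route53:ListHostedZones", "route53:GetChange",
          "route53:ChangeResourceRecordSets"}
ZONE_ARN = "arn:aws:route53:::hostedzone/"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return a list of findings for an IAM policy document (dict)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action not in NEEDED:
                findings.append(f"not needed for DNS validation: {action}")
            elif action == "route53:ChangeResourceRecordSets" and any(
                    not r.startswith(ZONE_ARN) or r.endswith("/*")
                    for r in resources):
                findings.append("record changes not limited to one hosted zone")
    return findings

def credentials_exposed(path):
    """True if the file is accessible to group or others (mode & 077)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

# Constructed sample policies: a broad one and a scoped one.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:ListHostedZones", "route53:GetChange"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": [ZONE_ARN + "Z0EXAMPLEZONEID"]}]}

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit_policy(doc) or "ok")
```

Running credentials_exposed(os.path.expanduser("~/.aws/credentials")) before the first certbot run shows whether the file needs chmod 600.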