diff --git a/docs/security/tls.md b/docs/security/tls.md
index 895cad4..ade4ed5 100644
--- a/docs/security/tls.md
+++ b/docs/security/tls.md
@@ -198,6 +198,9 @@ acme.sh --issue --dns dns_nsupdate -d stg.centos.org -d '*.stg.centos.org' --cha
 ```
 All certs/keys obtained through acme are under /root/.acme.sh/{hostname}/ so you'll then have to import those into this pkistore dir
 
+!!! note
+    worth knowing that for AWS/Route53 hosted zones (as we now have some for CI infra and openshift), one can use `--dns dns_aws` [option](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#10-use-amazon-route53-domain-api to request new TLS certs. And it will be automatic for renewal so nothing to worry aboutt
+
 ##### For http challenge 
 Normally we prefer DNS challenge, but there are corner cases like delegated records for which that would be problematic. That's the case for {buildlogs,cloud,vault}.centos.org nodes (delegated records to pdns/geoip)