Thank you for getting back to me. Yes, my settings are just like the one you posted.
Also, all the permissions have been updated.
After the permissions were updated, I am now getting:
Amazon Route 53 DNS API :: Dns Record Create/Update: _acme-challenge-test.example.com - [RRSet with DNS name _acme-challenge-test.example.com. is not permitted in zone **.acme.example.com.]
This is because it’s not following the CNAME, so it’s not updating the correct DNS entry.
I’m not familiar with Posh-ACME, but I heard this is another way.
Any suggestions? Thank you in advance.