Your setup could be easier: since you use both Route53 and Cloudfront, then ACM (AWS Certificate Manager) could generate TLS certificates for you, and will handle certificate rotation for you: now 90 days renewal to manage yourself or automate yourself.
I love Let'sEncrypt (EFF is the only non-healthcare organization I give donations to each year), but when there's a way to get a simpler setup (both easier to set up and easier to maintain because of automatic renewal), there's no reason to not use it ;-)