
I want to add a rule to my AWS security group to allow incoming traffic from the ACME server (I guess it is acme-v01.api.letsencrypt.org) so that I can issue my cert and automate its renewal.

What is the best way of doing this, given that security group rules do not support hostnames but only IPs?

pkaramol

1 Answer

You just cannot, because from the Let's Encrypt FAQ:

  • What IP addresses does Let’s Encrypt use to validate my web server?

    We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

You will need a reverse proxy (usually a WAF), routing /.well-known/acme to a machine answering the challenges (from anywhere) and doing the IP filtering before forwarding all other requests to your application.

Tensibai
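The routing rule the answer describes, written out as an added example that is not part of the original question or answer: the security group opens port 80 to the world, and the proxy in front of the application decides per request whether it is an ACME HTTP-01 challenge (served to any client) or an ordinary request (forwarded only from allowlisted source networks). The allowlist CIDRs, the token length bound and the sample requests are constructed assumptions for illustration.

```python
"""Path-aware IP filtering in front of an application behind an ACME-capable proxy.

Added example; not code from the original post. Shows the decision a reverse proxy
must make when Let's Encrypt validation IPs cannot be allowlisted: the HTTP-01
challenge path is answered from anywhere, everything else is IP-filtered.
"""
import ipaddress
import posixpath
import re
from urllib.parse import urlsplit

# Directory Let's Encrypt requests during an HTTP-01 challenge.
ACME_DIR = "/.well-known/acme-challenge"

# HTTP-01 tokens are base64url characters; the 1..128 length bound is an assumption.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")

# Hypothetical source networks allowed to reach the application itself (constructed).
APP_ALLOWLIST = tuple(
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")
)


def normalize_path(raw_path):
    """Drop the query string and collapse '.' and '..' segments.

    Prefix matching must run on the normalized path, otherwise a request for
    '/.well-known/acme-challenge/../../admin' would match the ACME prefix and
    skip the IP filter even though it resolves to '/admin'.
    """
    path = urlsplit(raw_path).path or "/"
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def route(raw_path, client_ip, allowlist=APP_ALLOWLIST):
    """Return 'acme', 'app' or 'deny' for one request.

    'acme'  -> hand to the challenge responder, regardless of source IP
    'app'   -> forward to the application (client is in an allowlisted network)
    'deny'  -> reject (malformed token, unparseable IP, or client not allowlisted)
    """
    path = normalize_path(raw_path)

    if path == ACME_DIR or path.startswith(ACME_DIR + "/"):
        token = path[len(ACME_DIR) + 1:]
        # Anything under the ACME directory only ever reaches the challenge
        # responder, never the application; reject tokens that are not a
        # single base64url segment (empty, contains '/', etc.).
        return "acme" if TOKEN_RE.fullmatch(token) else "deny"

    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "deny"
    # ip_network.__contains__ returns False on an address-family mismatch,
    # so an IPv4 client never matches an IPv6 allowlist entry by accident.
    return "app" if any(addr in net for net in allowlist) else "deny"


if __name__ == "__main__":
    # Constructed sample requests: (path, client IP) -> expected decision.
    samples = [
        ("/.well-known/acme-challenge/abc-DEF_123", "198.51.100.7"),   # acme
        ("/.well-known/acme-challenge/../../admin", "198.51.100.7"),   # deny
        ("/app/login?next=/", "203.0.113.10"),                         # app
        ("/app/login", "198.51.100.7"),                                # deny
    ]
    for p, ip in samples:
        print(f"{ip:>15}  {p:<45} -> {route(p, ip)}")
```

The client address used for the decision must be the one the proxy itself sees on the TCP connection (or, behind an AWS load balancer, the X-Forwarded-For value added by that trusted hop, never a header the client can supply), otherwise the allowlist is trivially spoofable. In nginx the same split is expressed with a `location` block for the ACME directory and `allow`/`deny` rules in the application `location`.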