How do I resolve the CNAMEAlreadyExists error when I set up a CNAME alias for my CloudFront distribution?

Short description

The CNAMEAlreadyExists error occurs when the CNAME alias that you are trying to add is already associated with another CloudFront distribution. You can't use the same CNAME alias for more than one CloudFront distribution. The error looks similar to the following:

One or more of the CNAMEs you provided are already associated with a different resource. (Service: AmazonCloudFront; Status Code: 409; Error Code: CNAMEAlreadyExists; Request ID: a123456b-c78d-90e1-23f4-gh5i67890jkl*

If you have access to both Source and Target distributions, first manually remove the CNAME association from the existing CloudFront distribution. Then, associate the CNAME with the new CloudFront distribution.

Note: If manually associating the CNAME, you might not be able to associate the CNAME with the new distribution until the old distribution's status is Deployed.

If you don't know the distribution ID, use the ListConflictingAliases CloudFront API to find partial information about the distribution and the account ID for the conflicting CNAME alias. Then, use AssociateAlias API to move your CNAME from existing distribution (source distribution) to the new distribution (Target distribution). Choose one of the following resolutions based on your scenario:

• If your source and target distributions are in the same account, then complete the steps in the Use the AssociateAlias API to move your CNAME section.
• If your source and target distributions are in different AWS accounts, then complete the steps in the Deactivate source distribution with the conflicting CNAME section.
• If your source and target distributions are in different AWS accounts, and the source distribution can't be deactivated because of downtime to existing traffic, then complete the steps in the Use wildcard to move the alternate domain name section.

Resolution

Use the AssociateAlias API to move your CNAME

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    In the AWS Identity and Access Management (IAM) policy of the user or role that's making the API request, add the following resource-level permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudFrontCnameSwapSameAcc",
      "Effect": "Allow",
      "Action": [
        "cloudfront:GetDistribution",
        "cloudfront:ListConflictingAliases",
        "cloudfront:AssociateAlias",
        "cloudfront:UpdateDistribution"
      ],
      "Resource": [
        "arn:aws:cloudfront::SourceAcccount:distribution/SourceDistroID",
        "arn:aws:cloudfront::TargetAccount:distribution/TargetDistroID"
      ]
    }
  ]
}

Important: The IAM user or role that's making the request must have the preceding resource-level permissions in the IAM policy for both the source distribution and target distribution.

Note: Replace SourceAcccount with the AWS account number of the source distribution. Replace SourceDistroID with the Source distribution ID. Replace TargetAccountID with the AWS account number of the target distribution. Replace TargetDistroID with Target distribution ID.

2.    Identify the distribution with the conflicting CNAME. If you don't know which distribution has the conflicting CNAME, use the ListConflictingAliases API to find that distribution. Replace YourDistributionID with the ID of your distribution. Replace YourCNAME with the conflicting CNAME alias.

$ aws cloudfront list-conflicting-aliases --distribution-id YourDistributionID --alias YourCNAME

Note: To verify ownership, you must have read access to YourDistributionID. You must also have an SSL certificate associated with the CloudFront distribution that secures the conflicting CNAME.

3.    Verify ownership of the domain by creating a DNS TXT record for the CNAME that resolves to the target distribution’s canonical name. Your TXT record must include an underscore before the CNAME, Apex, or Wildcard. For example:

_.example.com.         900   IN   TXT     "dexample123456.cloudfront.net"
_cname.example.com.    900   IN   TXT     "dexample123456.cloudfront.net"
_*.example.com.        900   IN   TXT     "dexample123456.cloudfront.net"

4.    Verify that the target distribution has a valid SSL certificate.
Note: The subject name or subject alternative name must match or overlap with the given CNAME alias. It's a best practice to have a valid certificate issued from a trusted CA, listed at the CA certificate list on Mozilla's wiki or at AWS Certificate Manager.

5.    Run the AssociateAlias API request from the account that owns the Target distribution:

$ aws cloudfront associate-alias --target-distribution-id YourTargeDistributiontID --alias your_cname.example.com

Deactivate the source distribution with the conflicting CNAME

If your source distribution and target distribution are in different AWS accounts, first disable the source distribution associated with the conflicting domain. Then, use the AssociateAlias API to move the CNAME.

Apex domains can also be moved between different AWS accounts using the associate-alias command.

1.    Open the CloudFront console.

2.    On the navigation pane, choose Distributions

3.    Select the source distribution, and then choose Disable.
If you don't know which distribution has the conflicting CNAME, then use the ListConflictingAliases API to find that distribution. Be sure to replace YourDistributionID with the ID of your distribution and YourCNAME with the name of the conflicting CNAME:

$ aws cloudfront list-conflicting-aliases --distribution-id YourDistributionID --alias YourCNAME

Note: The ListConflictingAliases API requires the GetDistribution and ListConflictingAliases permissions.

After you deactivate the source distribution, follow the steps in the Use the AssociateAlias API to move your CNAME section.

If you don't have access to the AWS account with the source distribution, or if you can't deactivate source distribution, then contact AWS Support.

Use a wildcard to move the alternate domain name

If your source distribution and target distribution are in different AWS accounts but the source distribution can't be deactivated, use a wildcard to move the CNAME. You must have access to both source distribution and target distribution for this process.

Note: You can’t use a wildcard to move an apex domain (example.com). To move an apex domain when the source and target distributions are in different AWS accounts, contact AWS Support to move an alternate domain name.

Important: This process involves multiple updates to both source and target distributions. Wait for each distribution to fully deploy the latest change before proceeding to the next step.

1.    Update the target distribution to add a wildcard CNAME that covers the alternate domain name that you are moving. If your domain is www.example.com, add the wildcard alternate domain name *.example.com to the target distribution.

Note: You must have an SSL/TLS certificate on the target distribution that secures the wildcard domain name

2.    Update the DNS settings for the CNAME to point to the target distribution’s canonical name. If your domain is www.example.com, then update the DNS record for www.example.com to route traffic to the target distribution’s canonical name. For example:

www.example.com.         86400   IN   CNAME     "dexample123456.cloudfront.net"

Note: Even after you update the DNS settings, requests using the alternate domain name are served by the source distribution. This is because the alternate domain name is still associated to the source distribution.

3.    Update the source distribution to remove the alternate domain name.
Note: There's no interruption to the live traffic during this step. Live traffic uses the target distribution settings because the requested domain name matches the wildcard domain added to the target distribution.

4.    Update the target distribution to add the alternate domain name that you want to move.

5.    Use dig or a similar DNS query tool to validate the DNS record for the CNAME For example:

dig CNAME www.example.com +short
nslookup example.com

6.    (Optional) Update the target distribution to remove the wildcard alternate domain name.