Troubleshooting CloudFront CloudFormation template



I am new to AWS and my experience is limited. I am trying to learn more by migrating my smaller static sites over to S3 with Route 53 for DNS and CloudFront to improve performance and enable HTTPS.

Here is the resource I used: Configuring a static website using a custom domain registered with Route 53

For Step 1, instead of registering a domain, I added my existing domain as a new Hosted Zone. I completed Steps 2 through 12 without issue. I am able to access the domain from a web browser over HTTP.

Next, I need to set up CloudFront to improve logging and performance, and to take advantage of HTTPS.

The first article links to here: Speeding up your website with Amazon CloudFront

I tried the first step, "Automating set up with an AWS CloudFormation template", but I encountered issues when running the Stack. The AcmCertificateStack step fails with status "CREATE_FAILED" and reason "Embedded stack ... was not successfully created: The following resource(s) failed to create: [Certificate]."

I have made multiple attempts to Create stack:

  • Both including a Hosted zone ID and not including one
  • Using the 'www' subdomain and not specifying it

Each fails when trying to create the certificate, and the process is rolled back.


  • Do I need to set CloudFront up manually instead of using the AWS CloudFormation template?
  • Is this issue caused because I already have the static site content in my existing S3 bucket?
  • I am signed in as my account’s root user. Do I need to set up IAM User or Roles?


  • The Stack always seems to fail at the AcmCertificateStack step, and I have a hunch it may have to do with DNS validation.
  • It was my understanding that since I use S3, the CNAME record would be created by the template. Clarification: Route 53*
  • I noticed this created new S3 buckets, one for logs and one for root. I already have existing S3 bucket set up for this with content, logs, and a redirect bucket for 'www'.

Please advise. Hoping to resolve this issue so I can continue to leverage AWS to save on hosting costs. Thanks in advance for any assistance.



  • Are you able to create a certificate manually in the ACM console using DNS validation? In which AWS region are you deploying the CloudFormation template/stack? What value did you use in the CreateApex parameter? Check the error message in the nested/embedded stack (not the Root stack), it will give you more information about why the creation failed.

  • @joahna I was able to manually request one in the ACM console using DNS validation. It was able to automatically add the CNAME in Route 53 and the and were successfully validated. Did I make a mistake by requesting it for both and or is it correct procedure to request cert for both domains? Thanks, again.

  • It is okay to request for both. I ran the CloudFormation template, used the following similar parameters and the DNS validation worked fine for my domain. Certificate was created successfully.

    CreateApex: yes
    DomainName:
    HostedZoneId: Z0123456789ABC1234
    SubDomain: www

    Try to delete your manually created certificates in ACM and then re-run your CloudFormation template. Hopefully, it will work this time.
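The AcmCertificateStack that keeps failing has to create an AWS::CertificateManager::Certificate with DNS validation. The stand-alone template below is an added illustration, not the template from the AWS article, and reuses the parameter names joahna listed (CreateApex, DomainName, HostedZoneId, SubDomain); the DomainName value is a placeholder. It shows the detail that decides whether the stack finishes on its own: when DomainValidationOptions carries the Route 53 HostedZoneId, CloudFormation writes the validation CNAME records itself, and without it the Certificate resource will not complete until someone adds those records by hand.

```yaml
# Added illustration (not the template from the AWS article): a stand-alone
# certificate stack using the same parameter names joahna used.
# Deploy it in us-east-1: CloudFront only accepts ACM certificates from that region.
AWSTemplateFormatVersion: '2010-09-09'
Description: ACM certificate for a CloudFront-fronted static site, DNS-validated via Route 53

Parameters:
  DomainName:
    Type: String
    Description: Apex domain, e.g. example.com (placeholder value)
  SubDomain:
    Type: String
    Default: www
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
    Description: Route 53 hosted zone that is authoritative for DomainName
  CreateApex:
    Type: String
    Default: 'yes'
    AllowedValues: ['yes', 'no']

Conditions:
  IncludeApex: !Equals [!Ref CreateApex, 'yes']

Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub '${SubDomain}.${DomainName}'
      SubjectAlternativeNames: !If
        - IncludeApex
        - [!Ref DomainName]
        - !Ref AWS::NoValue
      ValidationMethod: DNS
      # HostedZoneId is what lets CloudFormation create the validation CNAME
      # records in Route 53 for you. Leave it out and the resource waits for
      # someone to add them by hand, and the stack is rolled back on timeout.
      DomainValidationOptions:
        - DomainName: !Sub '${SubDomain}.${DomainName}'
          HostedZoneId: !Ref HostedZoneId
        - !If
          - IncludeApex
          - DomainName: !Ref DomainName
            HostedZoneId: !Ref HostedZoneId
          - !Ref AWS::NoValue

Outputs:
  CertificateArn:
    Value: !Ref Certificate
```

Because the hosted zone here was created for an already-registered domain, DNS validation also needs the registrar's delegation to point at that zone: `dig NS <domain>` must return the same name servers the Route 53 hosted zone lists, otherwise ACM never sees the CNAME records even though CloudFormation created them.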

1 Answer

Hello Maurice, let us know if Joahna's suggestions worked. Thanks.

answered a year ago
