Cloudfront default domain need to disable

Question

We want to disable the Cloudfront default domain. Please let us know how.

Riku_Kobayashi · Answer

Hello.

You cannot disable CloudFront's default domain as stated in re:Post Agent's answer.
If you use CloudFront Function, it is possible to make access on the default domain a 403 error.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/function-code-choose-purpose.html

function handler(event) {
    var request = event.request;
    var host = request.headers.host.value;

    if (host.includes('cloudfront.net')) {
        return {
            statusCode: 403,
            statusDescription: 'Forbidden',
            body: {
                "encoding": "text",
                "data": "<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>"
            }
        };
    }

    return request;
}

It is also possible to block using AWS WAF as introduced in the blog below.
https://skildops.com/blog/denying-connections-originating-from-default-aws-domain-using-waf

403 Forbidden

" } }; } return request; } ``` It is also possible to block using AWS WAF as introduced in the blog below. https://skildops.com/blog/denying-connections-originating-from-default-aws-domain-using-waf

re:Post Agent · Answer

I apologize, but there is a misunderstanding in your request. You cannot directly disable the default CloudFront domain for a distribution. The default domain (e.g., d1234abcd.cloudfront.net) is an integral part of how CloudFront works and cannot be disabled or removed.

However, if your goal is to stop using the default CloudFront domain and exclusively use custom domain names, you can achieve this by:

1. Setting up custom domain names (CNAMEs) for your CloudFront distribution.
2. Updating your DNS records to point your custom domain to the CloudFront distribution.
3. Configuring your origin and application to only accept requests from your custom domain names.

If you want to completely stop using a CloudFront distribution, including its default domain, you would need to disable and then delete the entire distribution. This process involves:

1. Disabling the distribution in the CloudFront console.
2. Waiting for the disabled status to propagate to all edge locations.
3. Deleting the distribution once it's fully disabled.

Keep in mind that deleting a distribution will stop all content delivery for both the default domain and any custom domains associated with it. If you're using custom domains, make sure to update your DNS records to point to a different resource before deleting the distribution to avoid service interruption.  
**Sources**  
[Delete a distribution - Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowToDeleteDistribution.html)  
[Remove an alternate domain name - Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/alternate-domain-names-remove-domain.html)

Saurabh Kavhar · Answer

To disable or remove the default CloudFront domain (e.g., `d12345678.cloudfront.net`), you'll need to configure a **custom domain name** for your CloudFront distribution. Here’s how you can do it:

### Steps to Disable the Default CloudFront Domain:

1. **Set up a Custom Domain Name**:
   - Go to the **CloudFront Console**.
   - Select the **CloudFront Distribution** that you want to update.
   - Under the **General** settings, in the **Alternate Domain Names (CNAMEs)** field, add your custom domain name (e.g., `www.example.com`).

2. **Update DNS Records**:
   - In your DNS provider (like Route 53 or any other DNS service), create a **CNAME** record that points your custom domain (e.g., `www.example.com`) to the **CloudFront distribution domain** (e.g., `d12345678.cloudfront.net`).
   - If you are using **Route 53**, create a **Record Set** for the custom domain with the type **CNAME** pointing to the CloudFront distribution.

3. **SSL Certificate (Optional but Recommended)**:
   - If you want to serve your content over HTTPS, request an SSL certificate from **AWS Certificate Manager (ACM)** for your custom domain.
   - Attach the SSL certificate to your CloudFront distribution under **SSL Certificate** settings (choose either "Custom SSL certificate" and select the certificate from ACM or use the default CloudFront certificate for your custom domain).

4. **Disable the Default CloudFront Domain**:
   - After configuring the custom domain and updating your DNS records, you can **disable the default CloudFront domain** by simply **removing** the `*.cloudfront.net` domain from the **Alternate Domain Names (CNAMEs)** field in the CloudFront distribution settings.
   
5. **Deploy Changes**:
   - Once you’ve made the changes, **save** and **deploy** the CloudFront distribution.
   - It may take some time for CloudFront to propagate the changes.

### Notes:
- The default CloudFront domain (e.g., `d12345678.cloudfront.net`) will still be functional if it’s not removed from the configuration. However, your custom domain will become the primary access point.
- If you **remove** the CloudFront default domain, make sure all traffic is routed through your custom domain to avoid downtime.

### References:
- [Getting Started with CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html)
- [Configure Alternate Domain Names (CNAMEs) in CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html)
- [SSL Certificates in CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html)

Cloudfront default domain need to disable

Steps to Disable the Default CloudFront Domain:

Notes:

References:

Add your answer

Relevant content