Root org account owns root domain hosted zone, can I route to sub-account CloudFront distribution?

0

I have a root organization account that "owns" all of my domains in a hosted zone, e.g. "amazingstuff.com"

I have "child" accounts where I actually have all of my infrastructure / application deployed using CDK, e.g. "dev", and "prod", that I deploy to using CDK. I use domain delegation to have, for example, control of prod.amazingstuff.com and dev.amazingstuff.com.

This works well but I would like to have a "special case", where my "prod" website uses amazingstuff.com.

From what I can tell this is not possible, because in order to allow CloudFront to handle amazingstuff.com, I need to add the other domains to "Alternate domain name" list in CloudFront. The issue with that is that I can't do that because when I try I get

The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements

I get this error even though I've already added a certificate in my root account to this domain.

Note that the instructions I was originally trying to follow are these: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements - in my root account I've added two (because IPv6) records to alias to my CloudFront domain. So the amazingstuff.com domain "works", in that I go to CloudFront it seems, but CloudFront appears to reject or otherwise not like the request as I get a 403 error with

The request could not be satisfied.

Repeating myself, but this is presumably (?) because the domain is not listed in the "alternate domain names" in the CloudFront distribution configuration (?).

Is there any solution here, or do I have no choice but to make "prod" the owner of the root Hosted Zone so it can control the root domain?

Thank you!!

1 Answer
0

Hi,

This blog post will detail you the recommended architecture for your use case: https://aws.amazon.com/blogs/architecture/using-route-53-private-hosted-zones-for-cross-account-multi-region-architectures/

Best,

Didier

AWS
EXPERT
answered 7 months ago
  • Thank you very much Didier for taking the time to find that link!

    I am quite sure that all the answers I seek are there, but after attempting to read through it a few times I'm having a difficult time understanding how the architecture diagram solves my question / issue. I didn't see "CloudFront" mentioned in the article, but it seems like my specific issue in this case is that CloudFront is rejecting the requests because they are coming from a non-authorized domain?
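The two errors in the question are the same CloudFront rule applied at two different times. At configuration time, CloudFront refuses an alternate domain name (CNAME) unless the ACM certificate attached to the distribution covers that exact name; at request time, a Host header that is not one of the distribution's alternate domain names gets the 403 "The request could not be satisfied". Three details of that rule matter for the cross-account layout described: the certificate has to be issued in us-east-1, it has to live in the same AWS account as the distribution (a certificate requested in the root account is invisible to a distribution in the prod account), and a wildcard such as *.amazingstuff.com covers one label only, so it never covers the apex amazingstuff.com. The Python below is an added example, not code from the question, the answer or AWS; it reproduces the check offline over constructed data shaped like the output of `aws cloudfront get-distribution-config` and `aws acm describe-certificate`, with placeholder account IDs and certificate IDs.

```python
"""Reproduce CloudFront's alternate-domain-name / certificate check offline.

Added example with constructed data. CloudFront only accepts an ACM certificate
that is ISSUED in us-east-1 in the same account as the distribution, and every
alternate domain name must be covered by a name on that certificate.
"""

CLOUDFRONT_CERT_REGION = "us-east-1"

# Constructed account IDs for the layout in the question (placeholders).
ROOT_ACCOUNT = "111111111111"  # owns the amazingstuff.com hosted zone
PROD_ACCOUNT = "222222222222"  # owns the CloudFront distribution

ATTACHED_CERT_ARN = (
    f"arn:aws:acm:{CLOUDFRONT_CERT_REGION}:{PROD_ACCOUNT}:certificate/"
    "00000000-0000-4000-8000-000000000001"  # placeholder certificate ID
)

# Shaped like DistributionConfig from `aws cloudfront get-distribution-config`,
# trimmed to the fields this check uses (constructed).
DIST_CONFIG = {
    "Aliases": {"Quantity": 2, "Items": ["prod.amazingstuff.com", "amazingstuff.com"]},
    "ViewerCertificate": {
        "ACMCertificateArn": ATTACHED_CERT_ARN,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
}

# Shaped like Certificate from `aws acm describe-certificate` (constructed).
# Scenario 1: the prod account's certificate only covers the delegated subdomain.
PROD_CERT_SUBDOMAIN_ONLY = {
    "CertificateArn": ATTACHED_CERT_ARN,
    "DomainName": "prod.amazingstuff.com",
    "SubjectAlternativeNames": ["prod.amazingstuff.com", "*.prod.amazingstuff.com"],
    "Status": "ISSUED",
}

# Scenario 2: an apex certificate requested in the ROOT account (the question's attempt).
ROOT_ACCOUNT_CERT = {
    "CertificateArn": f"arn:aws:acm:{CLOUDFRONT_CERT_REGION}:{ROOT_ACCOUNT}:certificate/"
                      "00000000-0000-4000-8000-000000000002",  # placeholder
    "DomainName": "amazingstuff.com",
    "SubjectAlternativeNames": ["amazingstuff.com", "*.amazingstuff.com"],
    "Status": "ISSUED",
}

# Scenario 3: the certificate reissued in the PROD account, in us-east-1, covering the apex.
PROD_CERT_FIXED = {
    "CertificateArn": ATTACHED_CERT_ARN,
    "DomainName": "amazingstuff.com",
    "SubjectAlternativeNames": ["amazingstuff.com", "prod.amazingstuff.com", "*.prod.amazingstuff.com"],
    "Status": "ISSUED",
}


def name_matches(san: str, hostname: str) -> bool:
    """TLS host-name matching: exact match, or a wildcard that stands in for
    exactly one leading label. '*.amazingstuff.com' covers 'prod.amazingstuff.com'
    but neither the apex 'amazingstuff.com' nor 'a.b.amazingstuff.com'."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        return hostname.count(".") == san.count(".") and hostname.endswith(san[1:])
    return san == hostname


def cert_names(cert: dict) -> list[str]:
    """All names the certificate is valid for (CN plus SANs), de-duplicated."""
    return list(dict.fromkeys([cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]))


def uncovered_aliases(dist_config: dict, cert: dict) -> list[str]:
    """Alternate domain names on the distribution that no certificate name covers."""
    names = cert_names(cert)
    return [a for a in dist_config["Aliases"].get("Items", [])
            if not any(name_matches(n, a) for n in names)]


def check_viewer_certificate(dist_config: dict, cert: dict, distribution_account: str) -> list[str]:
    """Return findings; an empty list means CloudFront would accept every alias
    on the distribution with this certificate."""
    findings = []
    attached = dist_config["ViewerCertificate"].get("ACMCertificateArn")
    if attached != cert["CertificateArn"]:
        findings.append(f"ARN_MISMATCH: distribution uses {attached}, not {cert['CertificateArn']}")
    # ARN layout: arn:aws:acm:<region>:<account>:certificate/<id>
    _, _, _, region, account, _ = cert["CertificateArn"].split(":", 5)
    if region != CLOUDFRONT_CERT_REGION:
        findings.append(f"WRONG_REGION: certificate is in {region}, CloudFront needs {CLOUDFRONT_CERT_REGION}")
    if account != distribution_account:
        findings.append(f"WRONG_ACCOUNT: certificate is in {account}, distribution is in {distribution_account}")
    if cert.get("Status") != "ISSUED":
        findings.append(f"NOT_ISSUED: certificate status is {cert.get('Status')}")
    findings.extend(f"UNCOVERED_ALIAS: {a}" for a in uncovered_aliases(dist_config, cert))
    return findings


if __name__ == "__main__":
    for label, cert in [("prod cert, subdomain only", PROD_CERT_SUBDOMAIN_ONLY),
                        ("apex cert in root account", ROOT_ACCOUNT_CERT),
                        ("apex cert reissued in prod", PROD_CERT_FIXED)]:
        findings = check_viewer_certificate(DIST_CONFIG, cert, PROD_ACCOUNT)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run as a script, the first scenario reports only the uncovered apex, the second reports the ARN and account mismatch (CloudFront never gets as far as alias coverage with a root-account certificate), and the third is clean. In the layout from the question, that third scenario is the workable path without moving the hosted zone: request the apex-covering certificate from ACM in the prod account in us-east-1, have the root account create ACM's DNS validation record in the amazingstuff.com hosted zone, then add the apex as an alternate domain name. The root zone's A and AAAA alias records can keep pointing at the distribution's cloudfront.net name, since an alias target is just a DNS name and does not depend on which account owns the distribution.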
