How do I find out what AWS account a CloudFront distribution belongs to?

Last updated: 2022-05-16

I want to locate the AWS account that an Amazon CloudFront distribution belongs to. How can I do this?

Short description

To find information about an AWS account that a distribution belongs to, use the ListConflictingAliases command to get information about the AWS account.

First, create a new CloudFront distribution and associate with an SSL certificate. This SSL certificate must cover the domain associated with the CloudFront distribution whose AWS account you're trying to locate.

Then, run the ListConflictingAliases command, using the ID of the new distribution and the alternate domain name associated with the distribution you want to find.

Note: To use this method, the distribution must have alternate domain name associated to it. If the CloudFront distribution you are trying to locate does not have an alternate domain name associated, then contact AWS Support.


Create a CloudFront distribution

Create a new CloudFront distribution, and be sure to:

  • Associate an SSL certificate that covers the domain associated with the CloudFront distribution whose AWS account you're trying to locate.
  • Don't specify a domain name in Alternate Domain Name. A value in this field causes a "CNAME already exists" error.

If you don't want to create a new distribution, you can update an existing CloudFront distribution with a custom SSL certificate.

Run the ListConflictingAliases command

Note: The ListConflictingAliases command requires GetDistribution and ListConflictingAliases permissions. To verify ownership, you must have read access to YourDistributionID. You must also have a certificate associated that secures the conflicting CNAME.

1.    In the AWS Identity and Access Management (IAM) policy for the distribution that you created, add the following resource-level permissions to the IAM user or role that's making the API request.

For DISTRIBUTION-ID, enter the ID of the new distribution you created.

  "Version": "2012-10-17",
  "Statement": [
      "Sid": "CloudFrontCnameSwapCrossAcc",
      "Effect": "Allow",
      "Action": [
      "Resource": [

2.    Verify that the new distribution has a valid certificate.

3.    Run the ListConflictingAliases command:

$ aws cloudfront list-conflicting-aliases --distribution-id YourDistributiontID --alias YourCNAME
For YourDistributionId, enter the ID of the new distribution created in your AWS account. For YourCNAME, enter the alias (alternate domain name) associated with the CloudFront Distribution that you are trying to locate.

4.    The output provides a list of CloudFront distributions and the associated account ID that conflicts with the alias that you entered in the ListConflictingAliases command.
The domain name in the --alias parameter is associated with the CloudFront distribution that you are trying to find. The AWS account ID associated with the distribution ID is also listed in the output.
For example:

$ aws cloudfront list-conflicting-aliases --distribution-id EABCDSXK9UXYZ --alias
  "ConflictingAliasesList": {
    "MaxItems": 100,
    "Quantity": 1,
    "Items": [
        "Alias": "",
        "DistributionId": "*******NOOCXYZ",
        "AccountId": "******091234"

Note: CloudFront distribution created through edge-optimized API endpoint in API Gateway or AWS Amplify managed hosting are managed by the AWS Managed Account. In this case, the AWS Account ID in the output is related to the AWS Managed Account. CloudFront distributions created for edge-optimized API endpoint in API Gateway can be identified by a Region-specific API Gateway account ID. For a full list of Region-specific API Gateway account IDs, see Log custom domain name creation in CloudTrail.

Did this article help?

Do you need billing or technical support?