How do I resolve the CNAMEAlreadyExists error when I set up a CNAME alias for my CloudFront distribution?

Last updated: 2021-08-18

I receive the CNAMEAlreadyExists error when I set up a CNAME alias for my Amazon CloudFront distribution.

Short description

When I try to add a CNAME alias to my CloudFront distribution, I get an error similar to the following:

One or more of the CNAMEs you provided are already associated with a different resource. (Service: AmazonCloudFront; Status Code: 409; Error Code: CNAMEAlreadyExists; Request ID: a123456b-c78d-90e1-23f4-gh5i67890jkl*

You receive this error because you can't use the same CNAME alias for more than one CloudFront distribution. The CNAMEAlreadyExists error occurs when the CNAME alias that you're trying to add is already associated with another CloudFront distribution.

To resolve this error, you can use the AssociateAlias or ListConflictingAliases CloudFront APIs to locate and move your CNAME.

Choose one of the following resolutions based on your scenario:

  • If your source distribution and target distribution are on the same account, complete the steps in the Use the AssociateAlias API to move your CNAME section.
  • If your source distribution and target distribution are on different accounts, complete the steps in the Use the ListConflictingAliases API to move your CNAME section.

Resolution

Use the AssociateAlias API to move your CNAME

1.    (Required) In the AWS Identity and Access Management (IAM) policy for both your source distribution and target distribution, add the following resource-level permissions to the IAM user or role that's making the API request:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudFrontCnameSwapSameAcc",
      "Effect": "Allow",
      "Action": [
        "cloudfront:GetDistribution",
        "cloudfront:ListConflictingAliases",
        "cloudfront:AssociateAlias",
        "cloudfront:UpdateDistribution"
      ],
      "Resource": [
        "arn:aws:cloudfront::123456789:distribution/SourceDistroID",
        "arn:aws:cloudfront::123456789:distribution/TargetDistroID"
      ]
    }
  ]
}

Important: The IAM user or role that's making the request must have the preceding resource-level permissions in the IAM policy for both the source distribution and target distribution.

2.    Identify the distribution with the conflicting CNAME.

If you don’t know which distribution has the conflicting CNAME, use the ListConflictingAliases API to find that distribution. For example:

$ aws cloudfront list-conflicting-aliases --distribution-id YourDistributionID --alias YourCNAME

Note: To verify ownership, you must have read access to YourDistributionID. You must also have an SSL certificate associated with the CloudFront distribution that secures the conflicting CNAME.

3.    Verify ownership of the domain by creating a DNS TXT record for the CNAME that resolves to the target distribution’s canonical name. Your TXT record must include an underscore before the CNAME, Apex, or Wildcard. For example:

_.example.com.         900   IN   TXT     "dexample123456.cloudfront.net"
_cname.example.com.    900   IN   TXT     "dexample123456.cloudfront.net"
_*.example.com.        900   IN   TXT     "dexample123456.cloudfront.net"

4.    Verify that the target distribution has a valid certificate.

Note: The subject name or subject alternative name must match or overlap with the given CNAME alias. It's a best practice to have a valid certificate issued from a trusted CA listed at Mozilla Included CA Certificate List or AWS Certificate Manager.

5.    Run the AssociateAlias API request from the same account where the source and destination distribution belong:

$ aws cloudfront associate-alias --target-distribution-id YourTargetDistributionID --alias your_cname.example.com

Use the ListConflictingAliases API to move your CNAME

Important: The source distribution can't be deployed on your behalf by any AWS managed service, such as an edge-optimized Amazon API Gateway.

You must set the source distribution state to Disabled. To disable your distribution:

1.    Open the CloudFront console.

2.    On the navigation pane, choose Distributions.

3.    Select your distribution, and then choose Disable.

If you don’t know which distribution has the conflicting CNAME, use the ListConflictingAliases API to find that distribution. For example:

$ aws cloudfront list-conflicting-aliases --distribution-id YourDistributionID --alias YourCNAMEtoAdd

The ListConflictingAliases API requires the GetDistribution and ListConflictingAliases permissions.

Note: To verify ownership, you must have read access to YourDistributionID. You must also have a certificate associated that secures the conflicting CNAME.

Next, do the following:

1.    (Required) In the IAM policy for the target distribution, add the following resource-level permissions to the IAM user or role that's making the API request:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudFrontCnameSwapCrossAcc",
      "Effect": "Allow",
      "Action": [
        "cloudfront:AssociateAlias",
        "cloudfront:UpdateDistribution"
      ],
      "Resource": [
        "arn:aws:cloudfront::123456789:distribution/TargetDistroID"
      ]
    }
  ]
}

2.    Verify ownership of the domain by creating a DNS TXT record for the CNAME that resolves to the target distribution’s canonical name. Your TXT record must include an underscore before the CNAME or Apex. For example:

_cname.example.com.   900   IN   TXT     "dexample123456.cloudfront.net"
_.example.com.        900   IN   TXT     "dexample123456.cloudfront.net"

3.    Verify that the target distribution has a valid certificate.

Note: The subject name or subject alternative name must match or overlap with the given CNAME alias. It's a best practice to have a valid certificate issued from a trusted CA listed at Mozilla Included CA Certificate List or AWS Certificate Manager.

4.    Run the AssociateAlias API request against the target distribution:

$ aws cloudfront associate-alias --target-distribution-id YourTargetDistributionID --alias your_cname.example.com
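Both procedures above require the same two ownership checks before AssociateAlias is called: the underscore-prefixed TXT record pointing at the target distribution's domain name, and a target certificate whose subject or subject alternative names cover the alias. The following is an added example (not AWS code or output from the article) that encodes those checks as an offline pre-flight; the TXT records and certificate names are constructed sample data, and the zone apex is passed in explicitly rather than guessed.

```python
"""Offline pre-flight for moving a CloudFront CNAME alias (added example).
Mirrors the article's rules: '_' before the CNAME label or wildcard, '_.' before
the apex, TXT value = target distribution domain, and a matching/overlapping
certificate name. Sample data below is constructed, not a live DNS/ACM lookup.
"""


def verification_txt_name(alias: str, zone: str) -> str:
    """TXT record name CloudFront checks for the alias within the given zone."""
    alias, zone = alias.lower().rstrip("."), zone.lower().rstrip(".")
    return f"_.{zone}" if alias == zone else f"_{alias}"


def txt_proves_ownership(txt: dict, alias: str, zone: str, target: str) -> bool:
    """True when the alias's TXT record carries the target's cloudfront.net name."""
    values = txt.get(verification_txt_name(alias, zone), [])
    return any(v.strip('"').lower().rstrip(".") == target.lower() for v in values)


def cert_covers_alias(names: list, alias: str) -> bool:
    """True when a subject/SAN entry equals the alias or a wildcard SAN covers it.
    A wildcard SAN covers exactly one label below its parent, never the apex."""
    alias = alias.lower().rstrip(".")
    for n in (x.lower().rstrip(".") for x in names):
        if n == alias:
            return True
        if n.startswith("*.") and not alias.startswith("*."):
            label, _, parent = alias.partition(".")
            if label and parent == n[2:]:
                return True
    return False


def preflight(txt: dict, names: list, alias: str, zone: str, target: str) -> list:
    """Return blocking problems; an empty list means AssociateAlias can be run."""
    problems = []
    if not txt_proves_ownership(txt, alias, zone, target):
        problems.append(f"missing TXT {verification_txt_name(alias, zone)} -> {target}")
    if not cert_covers_alias(names, alias):
        problems.append(f"target certificate does not cover {alias}")
    return problems


# Constructed sample data shaped like the article's TXT records and a typical SAN list.
SAMPLE_TXT = {
    "_cname.example.com": ['"dexample123456.cloudfront.net"'],
    "_.example.com": ['"dexample123456.cloudfront.net"'],
}
SAMPLE_CERT = ["example.com", "*.example.com"]
TARGET = "dexample123456.cloudfront.net"

if __name__ == "__main__":
    print(preflight(SAMPLE_TXT, SAMPLE_CERT, "cname.example.com", "example.com", TARGET))
```

Run it against the real zone and the target distribution's certificate before issuing `aws cloudfront associate-alias`; a non-empty list names which of the article's prerequisites is still missing.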
