Amazon CloudFront enhances the security for adding alternate domain names to a distribution

Posted on: Apr 8, 2019

Starting today, Amazon CloudFront has made the process of adding an alternate domain name to a distribution even more secure than before. Now, when you add an alternate domain name, like www.example.com, to a distribution, you must also attach an SSL/TLS certificate to that distribution that covers the alternate domain name. With today's release, only those with authorized access to your domain's certificate can add your domain to a CloudFront distribution as an alternate domain name.

Adding alternate domain names to CloudFront allows you to serve your content using a custom CNAME from your DNS records, such as www.example.com, instead of the default domain that CloudFront assigns, such as d111111abcdef8.cloudfront.net. With this change, when you add an alternate domain name using the AWS Management Console or the CloudFront API, you will now need to attach a certificate to the distribution to confirm that you are authorized to use the alternate domain name. The certificate must be valid and come from a publicly trusted Certificate Authority like AWS Certificate Manager, which provides public SSL/TLS certificates for free. All alternate domain names that were added to a CloudFront distribution before this change goes into effect will continue to work as they did before. No action is required to maintain your traffic as it is today.
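
A pre-flight check for the requirement described above, as an added example that is not AWS code: before submitting a distribution update, confirm that every alternate domain name is covered by a name on the certificate and that the certificate is inside its validity period. The function names, the sample names and dates, and the matching rule (a `*` covers exactly one leftmost label) are assumptions; this announcement does not spell out CloudFront's matching rules, and CA trust is not checked here.

```python
from datetime import datetime, timezone

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.strip().rstrip(".").lower().split(".")

def covers(cert_name, alias):
    """True if one certificate name covers one alternate domain name."""
    c, a = _labels(cert_name), _labels(alias)
    if len(c) != len(a):
        return False           # assumption: "*" stands in for exactly one label
    if c[0] == "*":
        return c[1:] == a[1:]  # wildcard is honoured only in the leftmost label
    return c == a

def preflight(aliases, cert_names, not_before, not_after, now):
    """Return a list of problems; an empty list means the update should pass."""
    problems = []
    if not (not_before <= now <= not_after):
        problems.append("certificate is outside its validity period")
    for alias in aliases:
        if not any(covers(name, alias) for name in cert_names):
            problems.append(f"no certificate name covers {alias}")
    return problems

# Constructed sample data (not taken from a real certificate or distribution).
SAMPLE_CERT_NAMES = ["*.example.com", "www.example.com"]
SAMPLE_ALIASES = ["www.example.com", "IMG.example.com.",
                  "img.cdn.example.com", "example.com"]
NOT_BEFORE = datetime(2019, 4, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2020, 5, 1, tzinfo=timezone.utc)
NOW = datetime(2019, 4, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    for problem in preflight(SAMPLE_ALIASES, SAMPLE_CERT_NAMES,
                             NOT_BEFORE, NOT_AFTER, NOW):
        print(problem)
```

The two names it reports show the common gaps: a wildcard certificate covers neither the apex domain nor a name two labels deep.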

To learn more about how this new process works, please read our blog detailing the change as well as the updated CloudFront Developer Guide. To get started with CloudFront, visit our Getting Started page.