John Skiles Skinner's portfolio

The Secret was CNAMEs

What I learned about linking Amazon s3, Route53, CloudFront and a domain name registrar

I wish to point a domain name registered with GoDaddy to a website created with Amazon Web Services Quickstart for Websites. Here were the hitches I came across.

My registrar needs to know what nameservers to use. GoDaddy has a DNS Management form into which the names of the nameservers can be pasted. It's not so obvious from the AWS console for my quickstarted website where the names for the nameservers might come from. A sidebar in the console offers to sell me a domain, and it notes "You can also associate your own domain with your website" but it does not say how!

The nameserver names come from AWS's Route53 console. I read that one must create a hosted zone to act as a container for the nameservers. I press the Create Hosted Zone button and enter my domain name in the box. A new entry appears in the list of hosted zones. It contains a table of record sets. One of these is of Type NS, which, rather obscurely, means nameservers. I copy the list of four nameserver names.

Each of the names ends in a dot. This feels a little wrong to me; things that resemble URLs don't usually end in dots. But I read that a fully qualified domain name does indeed include a trailing dot. However, my registrar treats the trailing dot as an invalid character. So I strip out the final dots and hope for the best.

Further, I read that I need to create an Alias. This will be used to point to the AWS CloudFront name through which my website is accessible. An Alias is another Route53 record set, so I press the Create Record Set button within my new hosted zone. Upon selecting a radio button to mark the record set as an Alias, I'm asked for an Alias Target. I extract this out of the URL that AWS has assigned to my website, so that it looks something like, and hit Save Record Set.

At this point, once the DNS changes propagate, I'm hoping to see my new website at my new domain. Instead, my browser shows me this error:

The request could not be satisfied.
Bad request.
Generated by cloudfront (CloudFront)

Now at least I know that visitors to my new domain name are getting as far as AWS CloudFront. HTTP status 403 is an authorization error. Is there some permission set incorrectly somewhere? Or an SSL certificate issue? I experimented with these guesses but didn't get far. Through much trial and error (which I don't want to ever re-do, hence this blog post) I discovered that the fix is adding a CNAME.

In the CloudFront console I clicked on the ID of my distribution on the list. (The correct item on the list can be hard to identify if the list is long; I found it by comparing the randomly-generated strings in CloudFront names.) I went to the General tab, clicked the Edit button, and pasted my domain name into the CNAME box.

I was under the impression that CNAMEs were something I had to concern myself with only if I were using a subdomain, which I'm not. Evidently I misunderstood, because when I entered the domain name itself, bare of any subdomain, as a CNAME, it immediately resulted in my new website replacing the 403 error page.

I think it's a little strange that AWS needs me to specify my domain name a second time — remember, I already entered it when I created a hosted zone, and now again as a CNAME. I'm happy it works, but it looks like I have much more to learn.

Top of page | Blog index | Return home