Day 5 of 5
⏱ ~60 minutes
Deploy to AWS — Day 5

Domains and HTTPS — Route 53, ACM, and CloudFront

Register and configure a domain with Route 53, issue a free TLS certificate with ACM, and put CloudFront in front of your app.

Route 53, ACM, and CloudFront

By the end of Day 4 you have a static frontend on S3, a containerized API on App Runner, and a database on RDS. Now you need a custom domain, HTTPS, and a CDN. Route 53, ACM, and CloudFront together handle all of that.

Register or Transfer a Domain with Route 53

Terminal — Create hosted zone
# If the domain is already registered elsewhere, create a hosted zone
aws route53 create-hosted-zone \
  --name myapp.com \
  --caller-reference "$(date +%s)"

# Look up the hosted zone ID
ZONE_ID=$(aws route53 list-hosted-zones-by-name \
  --dns-name myapp.com \
  --query 'HostedZones[0].Id' --output text)

# Get the nameservers to add at your registrar
aws route53 get-hosted-zone \
  --id "$ZONE_ID" \
  --query 'DelegationSet.NameServers' --output text

Issue a Free TLS Certificate with ACM

Terminal — Request certificate
# IMPORTANT: ACM certificates for CloudFront MUST be in us-east-1
aws acm request-certificate \
  --domain-name myapp.com \
  --subject-alternative-names "*.myapp.com" \
  --validation-method DNS \
  --region us-east-1

# Get the CNAME validation record (query the same region the certificate was requested in)
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123:certificate/abc \
  --query 'Certificate.DomainValidationOptions[0].ResourceRecord' \
  --region us-east-1

Add the CNAME validation record to Route 53 — ACM will validate automatically within a few minutes.
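One way to turn the describe-certificate output into the Route 53 change batch for that validation record. This is an added example, not part of the original lesson; the function name, the file names and the sample token values are assumptions.

```python
import json
import sys

# Constructed sample of `aws acm describe-certificate` output (token values are made up).
SAMPLE = {"Certificate": {"DomainValidationOptions": [
    {"DomainName": "myapp.com", "ValidationMethod": "DNS",
     "ResourceRecord": {"Name": "_aaaa1111.myapp.com.", "Type": "CNAME",
                        "Value": "_bbbb2222.acm-validations.aws."}},
    {"DomainName": "*.myapp.com", "ValidationMethod": "DNS",
     "ResourceRecord": {"Name": "_aaaa1111.myapp.com.", "Type": "CNAME",
                        "Value": "_bbbb2222.acm-validations.aws."}},
]}}


def validation_change_batch(describe_output, ttl=300):
    """Turn describe-certificate JSON into a Route 53 change batch."""
    changes, seen = [], set()
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        record = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or record is None:
            continue  # record not generated yet, or not DNS validation
        key = (record["Name"].lower(), record["Type"])
        if key in seen:
            continue  # apex and wildcard names share one record
        seen.add(key)
        changes.append({
            "Action": "UPSERT",  # safe to re-run, unlike CREATE
            "ResourceRecordSet": {
                "Name": record["Name"],
                "Type": record["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": record["Value"]}],
            },
        })
    if not changes:
        raise ValueError("no DNS validation record available yet; retry shortly")
    return {"Comment": "ACM DNS validation", "Changes": changes}


if __name__ == "__main__":
    # Usage: python acm_validation.py describe-certificate.json > validation.json
    source = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = json.load(fh)
    json.dump(validation_change_batch(source), sys.stdout, indent=2)
```

Save the full describe-certificate output (without the --query filter) as the input file, then pass the result to `aws route53 change-resource-record-sets --hosted-zone-id <your zone ID> --change-batch file://validation.json`.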

Create a CloudFront Distribution

cloudfront.json — Distribution config
{
  "CallerReference": "myapp-distribution-1",
  "Comment": "myapp.com static site",
  "Origins": {
    "Quantity": 1,
    "Items": [{
      "Id": "S3Origin",
      "DomainName": "myapp.s3-website-us-east-1.amazonaws.com",
      "CustomOriginConfig": {
        "HTTPPort": 80,
        "HTTPSPort": 443,
        "OriginProtocolPolicy": "http-only"
      }
    }]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "S3Origin",
    "ViewerProtocolPolicy": "redirect-to-https",
    "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
    "Compress": true
  },
  "ViewerCertificate": {
    "ACMCertificateArn": "arn:aws:acm:us-east-1:123:certificate/abc",
    "SslSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1.2_2021"
  },
  "Aliases": { "Quantity": 1, "Items": ["myapp.com"] },
  "Enabled": true,
  "HttpVersion": "http2"
}

Point Route 53 to CloudFront

Route 53 — A record alias to CloudFront
{
  "Changes": [{
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "myapp.com",
      "Type": "A",
      "AliasTarget": {
        "HostedZoneId": "Z2FDTNDATAQYW2",
        "DNSName": "d1234abcde.cloudfront.net",
        "EvaluateTargetHealth": false
      }
    }
  }]
}
💡 CloudFront's hosted zone for Route 53 aliases is always Z2FDTNDATAQYW2 — that's the magic string you need for every CloudFront alias record.

Day 5 Exercise
End-to-End: Domain + HTTPS + CDN
  1. Create a Route 53 hosted zone for your domain
  2. Request an ACM certificate in us-east-1 with DNS validation
  3. Create a CloudFront distribution pointing to your S3 static site
  4. Add an A record alias in Route 53 pointing to CloudFront
  5. Visit your custom domain over HTTPS and confirm it works

Day 5 Summary — AWS Deploy Course Complete

  • ACM certificates for CloudFront must be in us-east-1 regardless of your app's region
  • CloudFront's Route 53 alias hosted zone is always Z2FDTNDATAQYW2
  • CloudFront redirect-to-https forces HTTPS without any server code
  • Route 53 alias records are free — use them instead of CNAME for root domains
  • Full stack: S3 → CloudFront → Route 53 / App Runner / RDS
