Ikoh Sylva

Your Website, Your Domain, Your HTTPS — A Complete AWS Custom Domain Setup

How to register a domain, wire it to Route 53, secure it with a free SSL certificate from ACM, and serve it over HTTPS through CloudFront, start to finish.


In our last article, we deployed a static website to S3 and served it through CloudFront. The site was live, fast, and global, but it was loading on a URL that looked like d1abc2xyz.cloudfront.net. Not exactly something you'd print on a business card.

This article fixes that. We're going to take that same site and give it a proper home: a custom domain, a free SSL certificate, and a verified HTTPS padlock that browsers love and employers notice.

By the end, your portfolio will load at yourname.com over HTTPS: secured, professional, and running entirely on AWS managed infrastructure.

"A CloudFront URL tells the world you know AWS. A custom HTTPS domain tells them you finished the job."


What We're Building

This setup chains five AWS services together. Here's the full picture before we touch anything:

🌍 Browser (yourname.com)
     🗂️  Route 53 (DNS lookup)
         🔒  ACM Certificate (attached to CloudFront)
             ☁️  CloudFront (CDN + HTTPS termination)
                 🪣  S3 (private origin)

Route 53 translates yourname.com into CloudFront's address. CloudFront terminates the HTTPS connection using an ACM certificate, then fetches content from the private S3 bucket as needed.

The four phases:

Phase      What you're doing
Phase 1    Register your domain (or bring an existing one)
Phase 2    Create a hosted zone and update nameservers
Phase 3    Request a free SSL certificate via ACM with DNS validation
Phase 4    Attach the domain and certificate to CloudFront

Phase 1 — Register Your Domain

You have two paths: register directly through Route 53, or bring a domain you already own from another registrar.

Option A: Register through Route 53

Navigate to Route 53 → Registered domains → Register domain. Search for your name, add it to cart, and complete checkout. AWS automatically creates a hosted zone and configures the nameservers, so Phase 2 is essentially done for you.

⚠️ Pricing heads-up: Route 53 domain registration starts at $13/year for .com and varies by TLD. Unlike S3 and CloudFront, domain registration has no free tier. Hosted zones also cost $0.50/month.

Option B: Bring a domain from another registrar

If you already own a domain from Namecheap, GoDaddy, or elsewhere, great. Skip this phase and go straight to Phase 2. You'll update the nameservers at your existing registrar to point at Route 53.


Phase 2 — Connect Your Domain to Route 53

This is the step that hands DNS authority over to AWS. Once done, Route 53 controls where traffic for your domain goes.

Step 1 — Create a hosted zone

Go to Route 53 → Hosted zones → Create hosted zone.

  • Enter your domain name (e.g. yourname.com)
  • Leave type as Public hosted zone
  • Click Create hosted zone

AWS generates four nameserver (NS) records automatically. They look something like this:

ns-412.awsdns-51.com
ns-1624.awsdns-11.co.uk
ns-879.awsdns-45.net
ns-1383.awsdns-44.org

Copy all four. You'll paste them into your registrar in the next step.

Step 2 — Update nameservers at your registrar

Log into wherever you registered your domain and find the nameserver settings. Replace the existing nameservers with the four AWS values from your hosted zone and save.

⚠️ DNS propagation takes time: Nameserver changes can take anywhere from a few minutes to 48 hours to propagate globally. In practice most registrars update within 15–30 minutes. Check propagation status at dnschecker.org by searching your domain for NS records.

🔍 What's actually happening here: When a browser looks up your domain, it asks the internet "who's authoritative for yourname.com?" The answer comes from your registrar's registry and it points to your nameservers. By switching those nameservers to Route 53, you're telling the entire DNS system: "Ask AWS. They know where this site lives."


Phase 3 — Request a Free SSL Certificate with ACM

AWS Certificate Manager issues free, auto-renewing SSL/TLS certificates. Before you click anything, read this:

⚠️ Region matters — use us-east-1 only: CloudFront only accepts ACM certificates created in the us-east-1 (N. Virginia) region. No exceptions. Before you start, confirm the region selector in the top-right corner of the AWS console says US East (N. Virginia).

Step 1 — Request the certificate

Navigate to ACM → Request a certificate → Request a public certificate.

  • Under Fully qualified domain names, enter your root domain: yourname.com
  • Click Add another name and add the www version: www.yourname.com
  • Select DNS validation — faster and fully automated compared to email validation
  • Click Request

Always cover both root and www: One certificate can cover both yourname.com and www.yourname.com. Do this so that visitors reach your site regardless of whether they type www or not.

Step 2 — Validate ownership via DNS

ACM puts the certificate in Pending validation state. It needs proof you own the domain before issuing the cert.

Open the certificate in ACM and you'll see a validation section with CNAME records that need to be added to your DNS. Since your domain is already in Route 53, AWS makes this a single click:

Click Create records in Route 53. AWS adds the CNAME records automatically. Within minutes, ACM detects them and flips the certificate status to Issued.

🔍 Why DNS validation works this way: ACM can't issue a certificate for a domain you don't control. DNS validation proves ownership by asking you to add a specific CNAME to your DNS, something only the domain owner can do. The record stays in your DNS permanently, which is how ACM silently auto-renews the certificate each year without any action from you.

For reference, the CNAME ACM asks you to create looks like this:

Name:   _a79865eb4cd1a6ab990a45779b4e0b96.yourname.com
Type:   CNAME
Value:  _424c7224e9b0a0d17feb4a6acf5c0c1f.acm-validations.aws

Wait until the certificate status shows Issued before continuing. Using Route 53 for DNS, this typically takes 2–5 minutes.
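
The Phase 3 requirements as a check, in Python (an added example, not code from the original article): it confirms the certificate sits in us-east-1, is Issued, and that every validation CNAME ACM relies on for renewal still exists in the hosted zone. The input dictionaries are constructed samples shaped like the output of aws acm describe-certificate and aws route53 list-resource-record-sets; the www validation record, the account ID and the certificate ID are placeholders.

```python
# Constructed sample data shaped like `aws acm describe-certificate` and
# `aws route53 list-resource-record-sets` output; account/cert IDs are placeholders.
CNAME_ROOT = {"Name": "_a79865eb4cd1a6ab990a45779b4e0b96.yourname.com.", "Type": "CNAME",
              "Value": "_424c7224e9b0a0d17feb4a6acf5c0c1f.acm-validations.aws."}
CNAME_WWW = {"Name": "_constructed-token-1.www.yourname.com.", "Type": "CNAME",
             "Value": "_constructed-token-2.acm-validations.aws."}
CERT = {
    "CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/PLACEHOLDER",
    "Status": "ISSUED",
    "DomainValidationOptions": [
        {"DomainName": "yourname.com", "ResourceRecord": CNAME_ROOT},
        {"DomainName": "www.yourname.com", "ResourceRecord": CNAME_WWW},
    ],
}
# The zone holds only the root validation record; the www one was deleted.
ZONE = [{"Name": CNAME_ROOT["Name"], "Type": "CNAME",
         "ResourceRecords": [{"Value": CNAME_ROOT["Value"]}]}]


def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()


def acm_findings(cert, zone_records):
    """List problems that block CloudFront use or ACM's automatic renewal."""
    findings = []
    region = cert["CertificateArn"].split(":")[3]  # arn:aws:acm:<region>:...
    if region != "us-east-1":
        findings.append(f"certificate is in {region}; CloudFront needs us-east-1")
    if cert["Status"] != "ISSUED":
        findings.append(f"status is {cert['Status']}, not ISSUED")
    # Every (name, value) CNAME pair currently present in the hosted zone.
    present = {(norm(r["Name"]), norm(v["Value"]))
               for r in zone_records if r["Type"] == "CNAME"
               for v in r.get("ResourceRecords", [])}
    for opt in cert["DomainValidationOptions"]:
        rr = opt["ResourceRecord"]
        if (norm(rr["Name"]), norm(rr["Value"])) not in present:
            findings.append(f"validation CNAME for {opt['DomainName']} is missing")
    return findings


if __name__ == "__main__":
    for finding in acm_findings(CERT, ZONE):
        print("FINDING:", finding)
```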


Phase 4 — Attach Everything to CloudFront

A hosted zone, an issued certificate: now let's wire it all together.

Step 1 — Update your CloudFront distribution

Go to CloudFront → Your distribution → Edit (General tab).

Under Alternate domain names (CNAMEs), add both:

  • yourname.com
  • www.yourname.com

Under Custom SSL certificate, select the certificate you just issued. It should appear in the dropdown automatically; this is why the us-east-1 region requirement exists.

Click Save changes. CloudFront will redeploy globally; give it a few minutes.

Step 2 — Create DNS records in Route 53

Final step: tell Route 53 to send traffic for your domain to CloudFront. Go to Route 53 → Hosted zones → yourname.com → Create record.

Create an A record for the root domain:

  • Record name: leave blank (targets root domain)
  • Record type: A
  • Alias: toggle on
  • Route traffic to: Alias to CloudFront distribution
  • Select your distribution from the dropdown

Repeat the same steps for www: create another A alias record, enter www in the record name, point it at the same CloudFront distribution.

🔍 Why alias records instead of CNAMEs? Route 53 alias records are an AWS-specific DNS extension. They work at the root domain level, where regular CNAMEs can't. They also update automatically when CloudFront's underlying IPs change and don't incur an extra DNS query charge.


Confirm Your Site Loads Over HTTPS

Open a browser and visit https://yourname.com. You should see:

  • Your website loading correctly
  • A padlock icon in the address bar
  • A valid certificate issued to your domain (click the padlock → Certificate to verify)
  • http://yourname.com automatically redirecting to HTTPS

🎉 You're fully live — on your own domain, over HTTPS. Your site is now globally distributed through CloudFront, secured with a certificate AWS renews automatically every year, at a URL you actually own.


Troubleshooting Common Issues

Certificate not appearing in the CloudFront dropdown

Almost always a region issue. The certificate was created outside of us-east-1. Re-request it in the correct region; it only takes a few minutes.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH or certificate warning

The alternate domain name entered in CloudFront doesn't exactly match what's on the ACM certificate. Double-check for typos; they must be identical.

Site loads on the CloudFront URL but not the custom domain

DNS hasn't propagated yet, or the Route 53 alias records are missing or misconfigured. Run nslookup yourname.com in your terminal; if it doesn't return a CloudFront address, the A records need attention.

www loads but the root domain doesn't (or vice versa)

One of the two A alias records is missing. Return to Route 53 and confirm you have alias records for both the root and the www subdomain, both pointing at the same CloudFront distribution.
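
The certificate and DNS cases above can be checked mechanically. This added Python example (not part of the original article) goes one step further than the text by handling wildcard certificate names, which cover exactly one label and never the root domain. The sample inputs are constructed, and Z2FDTNDATAQYW2 is the hosted zone ID Route 53 uses for all CloudFront alias targets.

```python
# Hosted zone ID that Route 53 uses for every CloudFront alias target.
CLOUDFRONT_ZONE_ID = "Z2FDTNDATAQYW2"

# Constructed sample inputs: the names given to a distribution, the names on its
# certificate, and records shaped like `aws route53 list-resource-record-sets`.
ALIASES = ["yourname.com", "www.yourname.com"]
CERT_NAMES = ["*.yourname.com"]  # wildcard only: the root is NOT covered
DIST_DOMAIN = "d1abc2xyz.cloudfront.net"
ZONE = [{"Name": "www.yourname.com.", "Type": "A",
         "AliasTarget": {"HostedZoneId": CLOUDFRONT_ZONE_ID,
                         "DNSName": "d1abc2xyz.cloudfront.net.",
                         "EvaluateTargetHealth": False}}]


def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()


def covered(host, cert_names):
    """Exact match, or a wildcard standing in for exactly one leftmost label."""
    host = norm(host)
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n == host or (n.startswith("*.") and n[2:] == parent)
               for n in map(norm, cert_names))


def domain_findings(aliases, cert_names, dist_domain, zone_records):
    """Check each alternate domain name against the certificate and the zone."""
    findings = []
    targets = {norm(r["Name"]): r["AliasTarget"] for r in zone_records
               if r["Type"] == "A" and "AliasTarget" in r}
    for host in aliases:
        if not covered(host, cert_names):
            findings.append(f"{host}: not on the certificate")
        target = targets.get(norm(host))
        if target is None:
            findings.append(f"{host}: no A alias record")
        elif (target["HostedZoneId"] != CLOUDFRONT_ZONE_ID
              or norm(target["DNSName"]) != norm(dist_domain)):
            findings.append(f"{host}: alias targets {target['DNSName']}")
    return findings


if __name__ == "__main__":
    for finding in domain_findings(ALIASES, CERT_NAMES, DIST_DOMAIN, ZONE):
        print("FINDING:", finding)
```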


What I Learned From This Project

Before doing this as part of the Cloud Engineering Program, DNS was a black box. You typed a domain, a page appeared, and everything in between was a mystery. Wiring up Route 53, ACM, and CloudFront by hand made it concrete, and a few things genuinely clicked:

  • Nameservers are delegation, not redirection — you're not moving your domain, you're transferring authority over it. The internet now asks AWS, not your registrar, for answers about your domain.
  • DNS validation is cryptographic proof of ownership — ACM never emails you a link. The CNAME record is the proof. Only the domain owner can add it, so adding it is the trust signal.
  • Alias records solve a real DNS spec limitation — CNAMEs are forbidden at the root domain level by the DNS protocol itself. Route 53 alias records are AWS's pragmatic workaround, and they're better in every measurable way.
  • ACM auto-renewal is quietly brilliant — the validation CNAME never gets deleted. It sits in your DNS forever, letting ACM silently re-verify and renew your certificate each year without any action from you.

None of this clicked from reading documentation. It clicked from doing it, watching something break, and figuring out why.


Quick Reference: The Full Chain

# The complete setup, end to end

Domain registrar    nameservers updated to Route 53
Route 53            hosted zone with A alias records → CloudFront
ACM (us-east-1)     SSL cert, DNS-validated via Route 53 CNAME
CloudFront          custom domain + ACM cert attached, HTTP→HTTPS redirect
S3 bucket           private origin, OAC-restricted to CloudFront only

# End result
https://yourname.com  →  globally distributed · HTTPS · auto-renewing cert

What's Next?

Now that your site lives on a custom domain over HTTPS, the next step is removing the manual deploy process entirely. Hopefully we will cover setting up a GitHub Actions pipeline that auto-deploys on every git push and triggers a CloudFront cache invalidation so your changes go live without you ever opening the AWS console again.

I’m also excited to share that I’ve been able to secure a special discount, in partnership with Sanjeev Kumar’s team, for the DevOps & Cloud Job Placement / Mentorship Program.

For those who may not be familiar, Sanjeev Kumar brings over 20 years of hands-on experience across multiple domains and every phase of product delivery. He is known for his strong architectural mindset, with a deep focus on Automation, DevOps, Cloud, and Security.

Sanjeev has extensive expertise in technology assessment, working closely with senior leadership, architects, and diverse software delivery teams to build scalable and secure systems. Beyond industry practice, he is also an active educator, running a YouTube channel dedicated to helping professionals successfully transition into DevOps and Cloud careers.

This is a great opportunity for anyone looking to level up their DevOps/Cloud skills with real-world mentorship and career guidance.

Do refer below for the link with a dedicated discount automatically applied at checkout;

DevOps & Cloud Job Placement / Mentorship Program.

If you also found this interesting and would love to take the next steps in the application process with AltSchool Africa do use my referral link below;

Apply here or use this Code: W2jBG8 during the registration process and by so doing, you will be supporting me and also getting a discount!

Special Offer: By signing up through the link and using the code shared, you’ll receive a 10% discount!

Don’t miss out on this opportunity to transform your future and also save while doing it! Let’s grow together in the tech space. Also feel free to reach out if you need assistance or clarity regarding the program.

I’m Ikoh Sylva, a passionate cloud computing enthusiast with hands-on experience in AWS. I’m documenting my cloud journey here from a beginner’s perspective, aiming to inspire others along the way.

If you find my content helpful, please like and follow my posts, and consider sharing this article with anyone starting their own cloud journey.

Let’s connect on social media. I’d love to engage and exchange ideas with you!
