AWS Lambda, AWS API Gateway, AWS Cloudfront gives 403 error

There are three, maybe four possibilities:

• you have in fact configured this domain as an Alternate Domain Name in CloudFront -- in this AWS account or in another account and you've forgotten about it, or

• someone else has accidentally or deliberately configured this domain on a CloudFront distribution, or

• you already configured this in API Gateway, but in a different AWS Region, or

• this is a bug in the integration between API Gateway and CloudFront.

To troubleshoot:

Go to CloudFront and create a new distribution.

Try to set this hostname as an alternate domain name.

If that works, then this seems like a bug in the API Gateway/CloudFront integration. Delete the hostname from Alternate Domain Names for that new distribution, wait a few minutes for the distribution to go back to Deployed status, then try again in API Gateway. (Later, delete the distribution -- it isn't needed).

But, I'm going to assume that the above will not work. You should get an error from CloudFront, CNAMEAlreadyExists. (It's not really a CNAME but that's what they unfortunately called it.)

So, follow the official process to prove ownership and control of your domain name and associate it with the new CloudFront distribution.

This process should release that hostname from whatever CloudFront distribution is claiming it.

Once that completes, remove this hostname from the Alternate Domain Names setting of the new distribution, save changes, wait for it to return to the Deployed state, and go back to API Gateway and try again. (Later, delete the unused distribution.)

The issue here is that -- just like the S3 bucket namespace -- the CloudFront front-end Host: header namespace is global. A hostname can't be associated with more than one CloudFront distribution, including the "stealth" distributions that API Gateway uses. The error implies that the one you're trying to use, for some reason, already is.

This should be unrelated to a wildcard you may have from ACM.

It sounds like you need another CNAME record pointing at your default API gateway domain. So for instance, if your custom domain is my.domain.com, you need to add a CNAME to my.domain.com that points to abcdefg.execute-api.us-east-1.amazonaws.com or whatever your API gateway domain currently is.

This is separate from the CNAME you already added, because that one was just to verify your ownership of the domain in question. With ACM, the verification CNAME sits on a subdomain of the domain you're verifying, so if you're verifying my.domain.com then the CNAME goes on e.g. _abcdef123456.my.domain.com. Which, obviously, doesn't help people who are trying to look up the address of my.domain.com.