CloudFront Distribution cannot be removed


I was advised to post here by AWS Support. I have a CloudFront distribution that is associated with an ACM certificate. The distribution appears to have been created by Cognito, but I have deleted the Cognito user pool and I cannot delete the CF distribution. I told Support that this post and this post both suggested that I reach out to AWS Support to have the association (and hopefully the distribution) removed, but, as I said, Support directed me to post here. I need to be able to remove this distribution or at least disassociate it from the certificate, otherwise I will need to close all of my accounts and move my business to another cloud provider.

  • What error do you see when trying to remove CloudFront?

  • @Oleksii Bebych I actually cannot see any CloudFront distributions since the distribution was created by AWS. When I try to delete the ACM certificate, I get this error:

    Certificate is in use The certificate (X) is in use (associated with other AWS resources) and cannot be deleted. Dissociate the certificate from each resource in the list and try again. Associated resources arn:aws:cloudfront::X:distribution/X

1 Answer

Accepted Answer

I would suggest not deleting a CloudFront distribution while it has a custom TLS certificate associated with it. It's safest to disassociate custom certificates from the distribution first, let it wait for a while to reach eventual consistency, and only delete the distribution when it's switched to using CloudFront's default TLS certificate and not your custom certificate.

If you can see the distribution in your AWS account, you should be able to modify its settings not to use a custom SSL certificate, causing it to fall back to CloudFront's default certificate, making it ready to be deleted.

If you mean that you aren't seeing the CloudFront distribution at all and perhaps never did, if it is/was an AWS-managed CloudFront distribution automatically created behind the scenes for the Cognito User Pool, and you're just seeing in the ACM certificate's details that it's still linked to the invisible CloudFront distribution, then that's what I've seen before with our custom CloudFront distros, when they've been deleted without first detaching our custom certificate. Since you already deleted the Cognito User Pool, you won't be able to modify its TLS settings, so I believe it will have to be removed by AWS's CloudFront or Cognito service team, to whom AWS support can escalate the case.

I suppose you know this, but to be sure, ACM certificates are free, so there's no financial impact to the ACM certificate lingering.

EXPERT
Leo K
answered 13 days ago
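The safe teardown order the answer describes (switch the distribution off the custom certificate, wait for the change to deploy, then disable and delete) as an added example using boto3; this is not code from the answer or from AWS, and it only applies to the first case above, a distribution you can actually see in your own account. It cannot reach an AWS-managed distribution left behind by a deleted Cognito user pool. The distribution ID, the certificate ARN and the alias in the sample config are constructed placeholders; clearing the alternate domain names when switching to the default certificate is an assumption made because CloudFront requires a certificate that covers each alias.

```python
"""Prepare a visible CloudFront distribution for deletion by first moving it
off its custom ACM certificate (added example, not the answer's own code)."""
import copy
import sys

# Fields that only make sense together with a custom (ACM or IAM) certificate.
_CUSTOM_CERT_KEYS = ("ACMCertificateArn", "IAMCertificateId", "SSLSupportMethod",
                     "MinimumProtocolVersion", "Certificate", "CertificateSource")

# Constructed sample DistributionConfig (placeholder ARN and alias).
SAMPLE_CONFIG = {
    "CallerReference": "constructed-example",
    "Enabled": True,
    "Aliases": {"Quantity": 1, "Items": ["auth.example.com"]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CloudFrontDefaultCertificate": False,
    },
}


def uses_custom_certificate(config):
    """True when the config references an ACM or IAM certificate."""
    viewer = config.get("ViewerCertificate", {})
    return bool(viewer.get("ACMCertificateArn") or viewer.get("IAMCertificateId"))


def switch_to_default_certificate(config):
    """Return a copy of the config that uses CloudFront's default certificate.
    Aliases are cleared as well (assumption: they are not needed once the
    distribution is being torn down, and CloudFront needs a cert per alias)."""
    new = copy.deepcopy(config)
    viewer = {k: v for k, v in new.get("ViewerCertificate", {}).items()
              if k not in _CUSTOM_CERT_KEYS}
    viewer["CloudFrontDefaultCertificate"] = True
    new["ViewerCertificate"] = viewer
    new["Aliases"] = {"Quantity": 0}
    return new


def disable(config):
    """Return a copy of the config with the distribution disabled."""
    new = copy.deepcopy(config)
    new["Enabled"] = False
    return new


def ready_to_delete(distribution):
    """Deletion requires a disabled, fully deployed distribution; following the
    answer's advice, also require that no custom certificate is referenced."""
    config = distribution["DistributionConfig"]
    return (distribution["Status"] == "Deployed"
            and not config["Enabled"]
            and not uses_custom_certificate(config))


def main(distribution_id):
    import boto3  # only needed for a live run against your account
    cf = boto3.client("cloudfront")
    resp = cf.get_distribution_config(Id=distribution_id)
    config, etag = resp["DistributionConfig"], resp["ETag"]
    if uses_custom_certificate(config):
        cf.update_distribution(Id=distribution_id, IfMatch=etag,
                               DistributionConfig=switch_to_default_certificate(config))
        cf.get_waiter("distribution_deployed").wait(Id=distribution_id)
        resp = cf.get_distribution_config(Id=distribution_id)
        config, etag = resp["DistributionConfig"], resp["ETag"]
    if config["Enabled"]:
        cf.update_distribution(Id=distribution_id, IfMatch=etag,
                               DistributionConfig=disable(config))
        cf.get_waiter("distribution_deployed").wait(Id=distribution_id)
        etag = cf.get_distribution_config(Id=distribution_id)["ETag"]
    dist = cf.get_distribution(Id=distribution_id)["Distribution"]
    if ready_to_delete(dist):
        cf.delete_distribution(Id=distribution_id, IfMatch=etag)
        print("deleted", distribution_id)
    else:
        print("not ready to delete; status:", dist["Status"])


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE_DISTRIBUTION_ID")
```

Each update waits on the `distribution_deployed` waiter before the next step, which is the "let it wait for a while to reach eventual consistency" part of the answer; the ACM certificate's "in use" association should disappear after the first update has deployed, before the distribution itself is touched further.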
  • Thanks for the info. Yes to the second case ("you aren't seeing the CloudFront distribution at all and perhaps never did"), I cannot view the CloudFront distribution and I'm unable to delete the ACM certificate until the association with this invisible distribution is removed. I can see the distribution's ID from the ACM certificate page.

    Like you said, I've contacted AWS Support but they closed my case and told me to either post about the issue here, open a new case, or pay for premium support. I've opened a new case in the hopes that they will fix it this time around.

  • Clear. That's the same phenomenon we've seen before for our custom CloudFront distributions, when CloudFormation has deleted it without detaching the certificate first. We got those resolved through Enterprise support, but I have no wisdom to share on how unpaid support handles these. I can only guess they suggested re:Post thinking incorrectly that there's nothing to fix on AWS's side but only advice and guidance needed that could be obtained here. Hopefully they'll be more responsive to your new case.

  • Thanks, hope so too