We have a site in AWS Amplify. Creating a custom domain requires pointing the URL to a CNAME issued by them. We want to use the Amplify website for our root domain, "example.com". RFC 1034 says that the zone apex must be an A Record, and not a CNAME.
According to the article at https://aws.amazon.com/blogs/networking-and-content-delivery/solving-dns-zone-apex-challenges-with-third-party-dns-providers-using-aws/, there are three options: Route53, Elastic IPs with EC2 instances, and Global Accelerator.
Since we are using AWS Amplify, we can't do the EC2 option. The Route53 option won't work with our old DNS server, which only works with IP addresses. The third option is to use AWS Global Accelerator and an Application Load Balancer (ALB) which does a 301 redirect to our CloudFront distribution that has the custom SSL cert for our Amplify instance.
When we point our DNS at the IP associated with AWS Global Accelerator, the 301 redirect to CloudFront is working. Certain configurations within CloudFront are causing a 403 error.
Under Edit behavior > Cache key and origin requests, if the Cache policy is disabled, and origin request policy is set to none, the Amplify site will load but with a CloudFront distribution URL.
When I enable any caching, either for the cache policy or origin request policy, it breaks. It just returns a 403 error saying that the request could not be satisfied.
Is there a setting in Amplify that I am missing that is causing the 403 error? Should I do something completely different?
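A hop-by-hop tracer for the chain described in this question (apex -> Global Accelerator/ALB 301 -> CloudFront), added here as an example and not part of the original post. Hostnames are placeholders, and the fetcher is injectable so the classification logic can be checked offline against constructed responses.

```python
# Added example (not from the original post): trace each hop of the
# apex -> Global Accelerator/ALB -> CloudFront chain. Hostnames are
# placeholders; fetch() is injectable so the logic can be checked offline.
import urllib.error, urllib.parse, urllib.request
from typing import Callable

# One request, redirects NOT followed -> (status, lower-cased headers, body head).
Fetcher = Callable[[str], tuple[int, dict[str, str], str]]

def urllib_fetch(url: str) -> tuple[int, dict[str, str], str]:
    """Single request; a 3xx surfaces as HTTPError instead of being followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as r:
            status, hdrs, body = r.status, r.headers, r.read(2048)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        status, hdrs, body = err.code, err.headers, err.read(2048)
    return status, {k.lower(): v for k, v in hdrs.items()}, body.decode("utf-8", "replace")

def classify(status: int, headers: dict[str, str], body: str) -> str:
    """Name the outcome: the ALB's 301, CloudFront's 'could not be satisfied'
    403 (the error the post describes), another 403, or a served page."""
    server = headers.get("server", "unknown")
    if 300 <= status < 400:
        return f"redirect from {server} -> {headers.get('location', '?')}"
    if status == 403 and "could not be satisfied" in body.lower():
        return "cloudfront-403: CloudFront's own error page, not content from the Amplify site"
    if status == 403:
        return f"403 from {server} (not the CloudFront error page)"
    return "ok" if 200 <= status < 300 else f"unexpected {status} from {server}"

def trace_chain(url: str, fetch: Fetcher = urllib_fetch, max_hops: int = 5) -> list[dict]:
    """Follow redirects by hand so every hop is visible and loops stay bounded."""
    hops: list[dict] = []
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hops.append({"url": url, "status": status, "outcome": classify(status, headers, body)})
        if not (300 <= status < 400 and "location" in headers):
            break
        url = urllib.parse.urljoin(url, headers["location"])  # Location may be relative
    return hops

if __name__ == "__main__":
    for hop in trace_chain("https://example.com/"):  # placeholder apex
        print(hop["status"], hop["url"], "->", hop["outcome"])
```

Run it once with caching disabled and once with the cache or origin request policy enabled; the hop whose outcome flips to cloudfront-403 shows which layer is producing the error.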