Manage CNAME records in AWS CloudFront

This document will guide you through the steps to create, modify and delete the CNAME record(s) necessary for implementing OneTag 2.0 in the AWS CloudFront hosting platform.


OneTag 2.0 is Criteo’s latest cross-device innovation protecting your reach of shoppers as well as facilitating ad relevance and ensuring accurate sales attribution.

To implement OneTag 2.0 it is necessary that you delegate Criteo a sub-domain by creating a CNAME record in your name-server/hosting platform. In a Domain Name System (DNS) context, a Canonical Name (often abbreviated CNAME) record is a name-server resource record that maps one domain name (an alias) to another domain name (the Canonical name) section 3.3.1 of RFC 1035.

Sub-domain delegation

Please create the following CNAME record(s) on your AWS CloudFront hosting platform:

Sub-domain to delegate CNAME/Points to

You should be able to achieve this by following the steps below or in the AWS CloudFront Support Center.

Create a CNAME record

Before you begin

Make sure that you do the following before you update your distribution to add an alternate domain name: - Register the domain name with Route 53 or another domain provider. - Add a certificate from an authorized certificate authority (CA) to CloudFront that covers the domain name you plan to use with the distribution, to validate that you are authorized to use the domain. For more information, see Requirements for Using Alternate Domain Names.

  1. Sign in to the AWS Management Console and open the CloudFront console.
  2. Choose the ID for the distribution that you want to update.
  3. On the General tab, choose Edit.
  4. Update the following values:

    Field Explanation
    Alternate Domain Names (CNAMEs) Add your alternate domain names. Separate domain names with commas, or type each domain name on a new line.
    SSL Certificate (Web Distributions Only) Choose the following setting: Use HTTPS – Choose Custom SSL Certificate, and then choose a certificate from the list. The list can include certificates provisioned by AWS Certificate Manager (ACM), certificates that you purchased from another CA and uploaded to ACM, and certificates that you purchased from another CA and uploaded to the IAM certificate store. If you uploaded a certificate to the IAM certificate store but it doesn't appear in the list, review the procedure Importing an SSL/TLS Certificate to confirm that you correctly uploaded the certificate. If you choose this setting, we recommend that you use only an alternate domain name in your object URLs ( If you use your CloudFront distribution domain name (, a viewer might behave as follows, depending on the value that you choose for Clients Supported: All Clients: If the viewer doesn't support SNI, it displays a warning because the CloudFront domain name doesn't match the domain name in your TLS/SSL certificate. Only Clients that Support Server Name Indication (SNI): CloudFront drops the connection with the viewer without returning the object.
    Clients Supported (Web Distributions Only) Choose an option: - All Clients: CloudFront serves your HTTPS content using dedicated IP addresses. If you select this option, you incur additional charges when you associate your SSL/TLS certificate with a distribution that is enabled. For more information, see - Only Clients that Support Server Name Indication (SNI) (Recommended): Older browsers or other clients that don't support SNI must use another method to access your content.
  5. Choose Yes, Edit.

  6. On the General tab for the distribution, confirm that Distribution Status has changed to Deployed. If you try to use an alternate domain name before the updates to your distribution have been deployed, the links that you create in the following steps might not work.
  7. Configure the DNS service for the domain to route traffic for the domain, such as, to the CloudFront domain name for your distribution, such as The method that you use depends on whether you're using Route 53 as the DNS service provider for the domain or another provider.

Route 53

Create an alias resource record set. With an alias resource record set, you don't pay for Route 53 queries. In addition, you can create an alias resource record set for the root domain name (, which DNS doesn't allow for CNAMEs. For more information, see Routing Queries to an Amazon CloudFront Distribution in the Amazon Route 53 Developer Guide.