Why Is The AWS Team So Disjointed?

How I hackishly verified a domain for ACM

Amazon Web Services is great. It makes this whole “cloud” thing stupid easy.

Except when it doesn’t.

So here’s the scenario. Here’s how you validate domains with three different AWS services:

AWS SES — the process is pretty straightforward. You submit the domain, SES generates TXT and CNAME values you add to your DNS records, and it periodically checks DNS and marks the domain verified once they all resolve.

AWS Certificate Manager (ACM) — In theory a pretty straightforward process as well (we’ll come back to that). Provide the domain(s) you want verified for certificate generation and it will send an e-mail to the following addresses:

  • administrator@your_domain
  • hostmaster@your_domain
  • postmaster@your_domain
  • webmaster@your_domain
  • admin@your_domain

You receive this e-mail, follow a link and click approve. Done.

AWS API Gateway — I still have no effing clue how to set up domains with this. It makes zero sense whatsoever. It’s unclear how domains are even verified. If anyone ever figures that out, let me know.

At a minimum there are THREE different processes for verifying domains in AWS. The SES process is by far the most straightforward and there is pretty much no room for error. It does not make any kind of logical sense that they need three different processes for this. Streamline, AWS!

Okay — back to the original point of the story. I set up a domain with SES yesterday using the DNS settings method. Easy enough — done in five minutes. Today, however, I go to set up the very same domain for Amazon Certificate Manager (yes, even though one service verified it, it has to be verified again) and have to go through this e-mail process.

Depending on how your e-mail provider is configured, you may never receive these messages as some mail providers view them as spam. Even worse, if you have yet to set up an e-mail provider (because you don’t really need one for this domain), it will e-mail the above listed addresses which depending on your registrar may be filtered and not forwarded to you (this is what happened to me).

I didn’t feel like going through the process of setting up (and paying for) a Google Apps For Work account so I could verify this domain. There are no simple solutions for setting up e-mail accounts… Unless you use AWS!

SES has a function that allows you to set up receipt rules (what it does when it receives an e-mail on an address that you specify). One of those options is to store the message in an S3 bucket.

So using my already SES-verified domain, I added a receipt rule to accept mail for admin@my_domain and administrator@my_domain. The process created an S3 bucket for me to store the messages in. I forced ACM to resend the validation e-mails, they arrived in my S3 bucket, and voilà: domain verified in ACM.
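The workaround above, as an added example that is not code from the original post: one function builds the receipt rule that boto3's `ses.create_receipt_rule(RuleSetName=..., Rule=...)` expects (covering all five addresses ACM lists, not just the two used in the post), and another parses a raw message as SES writes it to S3 and pulls out the approval link only when the sender domain and link host match what you expect, so a spoofed "validation" mail dropped into the bucket is not followed blindly. The domain, bucket name, sender domain and link host are placeholders and assumptions; the sample message is constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# The five mailboxes ACM sends its validation e-mail to.
VALIDATION_ALIASES = ["administrator", "hostmaster", "postmaster", "webmaster", "admin"]


def receipt_rule(domain, bucket, prefix="acm/"):
    """Rule dict for boto3 ses.create_receipt_rule(): deliver mail for the
    validation aliases of `domain` into `bucket` under `prefix`."""
    return {
        "Name": f"acm-validation-{domain}",
        "Enabled": True,
        "Recipients": [f"{alias}@{domain}" for alias in VALIDATION_ALIASES],
        "Actions": [{"S3Action": {"BucketName": bucket, "ObjectKeyPrefix": prefix}}],
        "ScanEnabled": True,   # let SES run its spam/virus scan on inbound mail
        "TlsPolicy": "Optional",
    }


def find_approval_link(raw_message, expected_sender_domain="amazon.com",
                       expected_link_host="certificates.amazon.com"):
    """Parse one RFC 822 message as stored in S3 and return the approval URL,
    or None if the From domain or the link's host is not the one expected.
    The sender domain and link host defaults are assumptions, not verified."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    if sender_domain != expected_sender_domain and not sender_domain.endswith(
            "." + expected_sender_domain):
        return None  # not from the expected sender: do not follow any link
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r'https?://[^\s"<>]+', text):
        if (urlparse(url).hostname or "").lower() == expected_link_host:
            return url
    return None


# Constructed sample of what lands in the bucket; the code value is made up.
SAMPLE_MESSAGE = """\
From: Amazon Certificates <no-reply@certificates.amazon.com>
To: admin@my_domain.example
Subject: Certificate approval for my_domain.example
Content-Type: text/plain; charset=utf-8

To approve this request, go to Amazon Certificate Approvals at
https://certificates.amazon.com/approvals?code=EXAMPLE-CODE-123
"""
```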

There is zero reason I should have had to do this other than the fact that the AWS team has no structured process for sharing effective methodologies across service teams. For a group with such fantastic offerings you would really think they were more in sync.

Anyway — that was my fun for the day… Now off to deal with AWS Load Balancers in EC2!