# The certificate specified is not in the us-east-1 region. The certificate must be in the us-east-1 region to use with CloudFront

- **ID:** `policy/cloudfront-custom-ssl-certificate-not-in-us-east-1`
- **Domain:** policy
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

CloudFront requires that custom SSL certificates be stored in ACM (AWS Certificate Manager) in the us-east-1 region, regardless of the distribution's edge location or origin region.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| CloudFront API 2020-05-31 | active | — | — |
| ACM API 2015-12-08 | active | — | — |
| AWS SDK for JavaScript v3 | active | — | — |
| AWS CLI v2 | active | — | — |

## Workarounds

1. **Request or import the SSL certificate in ACM in region us-east-1, then associate it with the CloudFront distribution.** (95% success)
   ```
   aws acm request-certificate --domain-name example.com --region us-east-1
   ```
2. **If using Terraform, set the provider region to us-east-1 for the ACM resource.** (90% success)
   ```
   provider "aws" {
     alias  = "cloudfront-cert"
     region = "us-east-1"
   }

   resource "aws_acm_certificate" "cert" {
     provider    = aws.cloudfront-cert
     domain_name = "example.com"
   }
   ```
3. **Use CloudFront's default certificate (`*.cloudfront.net`) if a custom domain is not required, bypassing the need for a custom SSL certificate.** (80% success)
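
A pre-apply check for the Terraform workaround, added here as an example and not part of the original entry: it reads a plan in the JSON shape produced by `terraform show -json` and reports every CloudFront distribution whose ACM certificate ARN is outside us-east-1. The function names, account ID and certificate IDs are constructed for illustration; a certificate created in the same apply has no ARN yet, so it is reported as unknown rather than passed.

```python
import json

REQUIRED_REGION = "us-east-1"  # the region the page says CloudFront requires
# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_cloudfront_distribution.ok", "type": "aws_cloudfront_distribution",
   "change": {"after_unknown": {}, "after": {"viewer_certificate": [
     {"acm_certificate_arn": "arn:aws:acm:us-east-1:111122223333:certificate/example-a"}]}}},
  {"address": "aws_cloudfront_distribution.bad", "type": "aws_cloudfront_distribution",
   "change": {"after_unknown": {}, "after": {"viewer_certificate": [
     {"acm_certificate_arn": "arn:aws:acm:eu-west-1:111122223333:certificate/example-b"}]}}},
  {"address": "aws_cloudfront_distribution.pending", "type": "aws_cloudfront_distribution",
   "change": {"after": {"viewer_certificate": [{}]},
              "after_unknown": {"viewer_certificate": [{"acm_certificate_arn": true}]}}},
  {"address": "aws_cloudfront_distribution.default", "type": "aws_cloudfront_distribution",
   "change": {"after_unknown": {}, "after": {"viewer_certificate": [
     {"cloudfront_default_certificate": true}]}}}
]}
""")

def acm_region(arn):
    """Region field of an ACM certificate ARN, or None if arn is not one."""
    parts = arn.split(":", 5)
    ok = len(parts) == 6 and parts[0] == "arn" and parts[2] == "acm"
    return parts[3] if ok and parts[5].startswith("certificate/") else None

def check_plan(plan):
    """Return (address, status) for each distribution that sets an ACM certificate."""
    results = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cloudfront_distribution":
            continue
        change = rc.get("change") or {}
        certs = (change.get("after") or {}).get("viewer_certificate") or []
        unk = (change.get("after_unknown") or {}).get("viewer_certificate")
        for i, vc in enumerate(certs):
            arn = vc.get("acm_certificate_arn")
            if arn:
                region = acm_region(arn)
                status = "ok" if region == REQUIRED_REGION else f"wrong-region:{region}"
            elif isinstance(unk, list) and i < len(unk) and unk[i].get("acm_certificate_arn") is True:
                status = "unknown-until-apply"  # ARN is computed during apply
            else:
                continue  # no ACM certificate ARN set, nothing to check
            results.append((rc["address"], status))
    return results
if __name__ == "__main__": print(check_plan(SAMPLE_PLAN))
```

For the `unknown-until-apply` case, confirm that the certificate resource uses the us-east-1 provider alias, as in workaround 2.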

## Dead Ends

- **** — CloudFront only accepts certificates from us-east-1; other regions are not supported for custom SSL. (95% fail)
- **** — CloudFront requires ACM certificates for custom SSL; IAM certificates are deprecated and may cause compatibility issues. (70% fail)
- **** — The console will block the association entirely, and the error persists until the certificate is in us-east-1. (100% fail)
