MERLONIX
Built for AWS agencies — 14-day free trial

ACM certificates are regional.
Renew the CloudFront copy and the ALB cert silently expires.

AWS agencies running EC2 / ECS behind ALB with CloudFront and Route53 deal with ACM certs being regional and easy to forget duplicating, CloudFront-to-S3 SNI mismatches that cache the wrong response forever after a custom CNAME is added, and ACM auto-renewal silently stopping when DNS migrates off Route53. Merlonix monitors SSL and DNS so the regional ALB cert doesn't expire while the CloudFront copy looks healthy.

Start free for 14 daysOr start free — $0, no cardHow it works

No credit card either way — start free, or trial the full workspace.

Check cadence (Agency)
1 min
SSL pre-expiry alert
30 days
Independent DNS resolvers
3
Vendors watched
11

Where AWS agencies get caught out

Three failure modes specific to AWS deployments with ACM-managed certs across multiple regions, CloudFront-to-S3 origin SSL, and Route53 DNS migrations to other providers.

AWS agencies deal with ACM certs being regional and silent when the us-east-1 (CloudFront) copy renews but the us-west-2 (ALB) copy fails because validation CNAMEs were never set up, CloudFront-to-S3 SNI mismatches that cache the wrong response forever after a custom CNAME is added (cached old content works perfectly, invalidations fail), and ACM auto-renewal silently stopping when DNS migrates off Route53 because the _acm-validations CNAMEs got deleted during zone import.

Regional ACM certs renew separately

The us-east-1 CloudFront cert renews cleanly while the us-west-2 ALB cert silently expires

An AWS agency builds a client B2B SaaS deployed to us-west-2 with an ECS service behind an ALB at api.client.com and static assets fronted by CloudFront at app.client.com. The agency provisions two ACM certificates at launch: one in us-east-1 (the only region CloudFront accepts certs from) for app.client.com, and a second in us-west-2 for the ALB at api.client.com. Both certs are configured with DNS validation against Route53 records. Auto-renewal is enabled on both. Twelve months pass. The us-east-1 cert renews cleanly — Route53 validation CNAMEs are present in the zone, ACM completes the renewal. The us-west-2 cert renewal attempts to validate against the SAME Route53 zone — but the engineer who set up the us-east-1 cert added the validation CNAME for that cert only, and the us-west-2 cert had different CNAMEs that were never created. The us-west-2 renewal fails silently. ACM eventually marks the cert as expired. The ALB continues to serve the old cert from cache for several days; once the cert expires, browsers and SDKs hit api.client.com with cert errors. The agency engineer logs into the AWS console, sees CloudFront's app.client.com cert is healthy and current, and assumes the issue is in ECS or ALB config rather than the ACM cert duplication. Discovery takes most of a day.

CloudFront-to-S3 SNI mismatch

A custom CNAME makes CloudFront forward the wrong Host to S3, so the origin handshake fails and invalidations break

An AWS agency builds a client e-commerce product where product images are served from S3 via CloudFront. The CloudFront distribution is created with the S3 bucket as origin, origin protocol policy set to "HTTPS Only" (security best practice). Initial QA tests against the .cloudfront.net distribution URL pass — TLS handshake to S3 origin works because CloudFront forwards the bucket's S3 hostname as the Host header, and S3 returns the matching *.s3.amazonaws.com cert. After QA, the agency adds the alternate domain cdn.client.com to the distribution and configures Route53 to point cdn.client.com at the .cloudfront.net distribution. Initial requests work because CloudFront serves from cache. The agency invalidates the cache for a content update; CloudFront tries to fetch new content from the S3 origin and forwards cdn.client.com as the Host header (because the distribution-level forwarding policy was never adjusted to use the bucket's actual hostname). S3 attempts to present a cert for cdn.client.com, finds none, returns its default *.s3.amazonaws.com cert. The TLS handshake fails. CloudFront returns 502 to clients trying to fetch invalidated content. Cached old content still serves perfectly. The agency engineer assumes the issue is the invalidation system and submits a ticket to AWS support; the actual fix is configuring the origin to use the S3 bucket hostname (not the distribution's alternate domain) as the forwarded Host.

DNS migration strips ACM validation CNAMEs

A Route53-to-Cloudflare migration deletes the _acm-validations CNAMEs, so ACM auto-renewal silently fails

An AWS agency operates a client product with DNS on Route53 and ACM-issued certs for both api.client.com (us-west-2 ALB) and app.client.com (us-east-1 CloudFront). The client requests adding Cloudflare in front for WAF rules and DDoS protection. The agency moves DNS to Cloudflare: exports the Route53 zone via the AWS CLI, imports the records into Cloudflare via the dashboard's zone import, updates the registrar to point at Cloudflare's nameservers. Both ACM-related "_acm-validations.<id>" CNAME records are present in the export, but the agency engineer reviewing the Cloudflare import deletes them — they look like leftover setup records that don't serve any obvious purpose. The migration completes successfully. Two months later, ACM's renewal cycle runs against api.client.com's cert. Validation requires querying the _acm-validations CNAMEs that were deleted. The renewal fails. The cert expires. The ALB continues serving the expired cert from cache; once cache expires, mobile apps and SDKs hit api.client.com with cert errors. The agency engineer doesn't connect the DNS migration to the cert expiry for several hours; once they do, re-creating the validation CNAMEs requires re-issuing the ACM cert (which requires NEW validation CNAMEs because the old ones are no longer linked).

How it works

SSL and DNS monitoring for AWS agencies across regional ACM certificate duplication, CloudFront-to-S3 origin SNI handshakes, and Route53 to Cloudflare DNS migrations.

Merlonix monitors SSL expiry and CNAME integrity across every AWS-attached subdomain — app.* (CloudFront), api.* (ALB), cdn.* (CloudFront + S3 origin), plus per-region ALB endpoints — and catches renewal failures caused by regional ACM cert duplication where us-east-1 (CloudFront) renews cleanly but us-west-2 (ALB) silently fails, CloudFront-to-S3 origin SNI mismatches that cache the wrong response forever after a custom CNAME is added, and DNS migration off Route53 that strips _acm-validations CNAMEs and breaks ACM auto-renewal — before the regional ALB cert expires while the CloudFront copy looks healthy in the AWS console.

01

Add AWS application domains — apex, www.*, app.*, api.*, cdn.*, plus per-region ALB endpoints — with DNS TXT record verification

Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — app.* (CloudFront-fronted), api.* (ALB-backed), cdn.* (CloudFront + S3 origin), plus any per-region ALB endpoints — are added without additional verification. Monitoring every AWS-attached subdomain catches the regional ACM cert duplication problem (us-east-1 CloudFront cert renewal succeeding while us-west-2 ALB cert renewal silently fails) by validating each cert independently rather than trusting the AWS console's region-scoped view. Under two minutes per client.

02

CNAME and A record monitoring across CloudFront aliases, ALB DNS names, S3 bucket origins, and Route53 vs Cloudflare DNS migrations that strip _acm-validations CNAMEs

Three independent DNS resolvers check every CNAME delegation on every monitoring interval. When a client moves DNS off Route53 to Cloudflare or another provider, the registrar nameserver change is logged immediately — alongside any missing _acm-validations CNAMEs that an aggressive zone-import cleanup may have removed. The ACM auto-renewal failure two months later has a clear root cause from the audit log rather than appearing as a mysterious "ACM cert expired" event with no obvious trigger.

03

SSL monitoring 30 days before expiry across us-east-1 ACM certs (CloudFront), per-region ACM certs (ALB), CloudFront-to-S3 origin SNI handshakes, and full chain validation across multi-region deployments

Full SSL chain validation on every AWS-attached subdomain — apex, app.*, api.*, cdn.*. Independent checks per-region catch the duplicated-ACM-cert renewal divergence pattern where the us-east-1 CloudFront cert renews cleanly but the us-west-2 ALB cert renewal silently fails because validation CNAMEs were never set up. CloudFront-to-S3 origin SSL is checked end-to-end so SNI mismatches that break invalidations (while serving cached old content perfectly) are caught before the next content update fails. An expiry alert fires 30 days before the certificate expires — enough lead time to identify whether the failure is a regional ACM cert without renewal CNAMEs, a CloudFront-to-S3 origin Host header mismatch, or DNS migration that stripped _acm-validations records.

04

Vendor status for AWS (per-region status pages — us-east-1, us-west-2, eu-west-1), CloudFront, Route53, and Cloudflare to distinguish AWS regional incidents from AWS-account-specific SSL configuration failures

Merlonix monitors AWS's per-region status pages, CloudFront, Route53, and Cloudflare alongside client SSL and DNS. When a us-east-1 ACM regional incident causes cert provisioning failures across multiple client accounts simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is a us-east-1 ACM regional outage, a CloudFront-to-S3 SNI mismatch from a recent CNAME addition, or DNS migration that stripped _acm-validations CNAMEs.

What the numbers mean for AWS agencies

Monitoring built for AWS agencies where one client product means a CloudFront distribution at app.* (us-east-1 ACM cert), an ALB-fronted ECS service at api.* (us-west-2 ACM cert), and a CloudFront-to-S3 origin pipeline at cdn.* — each with independent cert lifecycles and independent failure modes.

AWS agencies managing ACM cert renewal across multi-region deployments, CloudFront-to-S3 origin SNI configurations across multi-CNAME distributions, and Route53 to Cloudflare DNS migrations across multi-client portfolios need monitoring that covers every AWS-attached subdomain — because a regional ACM cert renewal failure is silent until the cert expires up to 60 days later, and the AWS console shows the CloudFront copy as healthy while the regional ALB cert is silently failing.

< 10 min

Time from DNS change to alert — catches Route53-to-Cloudflare DNS migrations that strip _acm-validations CNAMEs, CloudFront alternate-domain CNAME flips that cause SNI mismatch on S3 origins, and per-region ALB DNS endpoint changes during multi-region failover

30 days

SSL expiry warning lead time — enough time to identify a regional ACM cert without renewal CNAMEs (the us-east-1 CloudFront copy renewed cleanly but us-west-2 ALB silently failed), a CloudFront-to-S3 origin Host header mismatch breaking invalidations, or a DNS migration that stripped _acm-validations records — and correct it before regional ALB serves an expired cert

11 vendors

Upstream services monitored — AWS per-region status pages (us-east-1, us-west-2, eu-west-1), CloudFront, Route53, and Cloudflare included to distinguish AWS regional incidents from account-specific SSL configuration failures

250 assets

Maximum monitored domains on the Agency plan — covers AWS app.* (CloudFront), api.* (per-region ALB), cdn.* (CloudFront + S3 origin), plus per-region ALB endpoints across a full AWS client portfolio

Pricing

Flat monthly fee. Every AWS region, every CloudFront distribution, every ALB endpoint included.

No per-region charges. No per-distribution fees. Pick the tier that fits your AWS client and per-region cert count and monitor every CloudFront, ALB, and CloudFront-to-S3 origin SSL surface without billing surprises.

See full feature comparison →

Starter

For individual AWS developers managing a small client portfolio with single-region ACM certs and CloudFront distributions.

$19/ month

  • 15 monitored assets
  • 3 seats
  • 5 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts
Start with Starter
Most chosen

Team

For AWS agencies managing multi-region ACM cert deployments with separate CloudFront, ALB, and S3 origin SSL surfaces.

$79/ month

  • 60 monitored assets
  • 10 seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts
Start with Team

Agency

For agencies with a full AWS client roster including multi-region ALB endpoints, multi-distribution CloudFront, and per-tenant subdomain SSL.

$199/ month

  • 250 monitored assets
  • Unlimited seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts
Start with Agency

Compliance

For regulated-vertical teams that need continuous, audit-ready evidence.

$699/ month

  • 500 monitored assets
  • Unlimited seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts
Start with Compliance

Hosting & cloud

Monitoring for related stacks

Same SSL, DNS, uptime, and vendor monitoring — tuned for every platform your agency ships on.

Know when a regional ACM cert is about to expire while the CloudFront copy looks healthy.

Add your first AWS client domain in under two minutes. CloudFront, ALB, and CloudFront-to-S3 origin SSL across every region for that client are monitored from the same dashboard. 14-day trial, no card required.

Start free for 14 daysOr start free — $0Read the agency SSL checklist →