Make sure the contact email is visible in whois for the domain. Go here to open up contact information for .io domains:
Then provision stacks in this order:
In the region us-east-1:
- global (CloudFront requires certificates in this region)
Accept the approval emails triggered by the certificate generation, and then in the region of your choice:
- storage
- main
- dns
Add origin access protection: