The CloudFront Alias Trap

How a simple CloudFront setup turned into a cross-account alias ownership investigation.

This migration should have taken five minutes.

Move DNS. Add domain. Attach cert. Done.

Instead it turned into a multi-hour investigation into how CloudFront handles alternate domain ownership across accounts.

The failure mode is simple and brutal: if a domain is attached to any CloudFront distribution anywhere, in any AWS account, past or present, CloudFront will reject it with the message "already in use by another distribution."

No account information is shown.
No distribution is listed.
No hint is provided.
The console and standard CLI tools both report that nothing is wrong.

In this case the domain was still attached to a distribution in an unknown AWS account, likely from a previous developer or hosting setup. There was no way to discover this through the UI.

The only reliable path was:

1. Install AWS CLI v2
2. Create a temporary distribution with a matching ACM certificate
3. Use the list-domain-conflicts API to query global alias ownership
4. Extract the masked account and distribution ID
5. Open an AWS support case to request release

Until AWS manually intervenes, the domain is effectively locked.
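
The conflict query and the extraction of the masked IDs from the list above, as an added example that is not part of the original post. The function names are hypothetical, the sample row is constructed, and the masking format it shows is an assumption; the second argument is the ID of the temporary distribution that carries the matching ACM certificate.

```shell
#!/bin/sh
# Added example, not from the original post.

# Ask CloudFront which resources, in any account, currently claim a domain.
#   $1 = domain to check
#   $2 = ID of the temporary distribution whose ACM certificate covers the
#        domain (CloudFront uses it to confirm you control the domain)
# Emits tab-separated rows: domain, resource type, resource ID, account ID.
list_conflicts() {
  aws cloudfront list-domain-conflicts \
    --domain "$1" \
    --domain-control-validation-resource "DistributionId=$2" \
    --query 'DomainConflicts[].[Domain,ResourceType,ResourceId,AccountId]' \
    --output text
}

# Turn those rows (read from stdin) into lines to paste into the support case.
# Rows without exactly four fields (for example a bare "None" when nothing is
# returned) are dropped, so empty output means no conflict was reported.
support_case_lines() {
  awk -F'\t' 'NF == 4 {
    printf "alias %s is held by %s %s in account %s\n", $1, $2, $3, $4
  }'
}

# Constructed sample of the text output. The masking format is an assumption.
sample_rows() {
  printf 'www.example.com\tdistribution\t******EXAMPLE\t******1234\n'
}

if [ "$#" -eq 2 ]; then
  # Real run: sh conflicts.sh <domain> <temporary-distribution-id>
  list_conflicts "$1" "$2" | support_case_lines
else
  # No arguments: show the formatting on the constructed sample, offline.
  sample_rows | support_case_lines
fi
```

The masked resource ID and account ID printed here are the values to quote in the support case.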

Posted: January 13, 2026