YES! Why do they do that? It's so weird. I will deploy a whole config into us-west-1 or something; but then I need to create a new cert in us-east-1 JUST to let cloudfront answer an HTTPS call. So frustrating.

Agreed - in my line of work regulators want everything in the country we operate from but of course CloudFront has to be different.

Wouldn't using a global CDN for everything be off the table to begin with, in that case?

Apparently it's okay for static data (like a website hosted in S3 behind CloudFront) but seeing non-Australian items in AWS billing and overviews always makes us look twice.