How to Deploy a Next.js App with Custom Domain on AWS Using SST: Complete Guide
By Braincuber Team
Published on March 21, 2026
We audited a client paying Vercel $3,600/month for hosting a simple Next.js storefront. It's highway robbery. The "click to deploy" platforms package AWS services, slap a UI on top, and charge you a 400% markup. If you want to scale a D2C brand or web application without burning cash, you need to own your infrastructure. Serverless Stack Toolkit (SST) lets you deploy directly to AWS while keeping the developer experience intact. This step-by-step beginner guide shows you how to bypass the middlemen and set up your Next.js app with a custom domain on AWS using SST.
What You'll Learn:
- Why Infrastructure as Code (IaC) saves you from vendor lock-in
- How to initialize SST in drop-in mode on a Next.js app
- Uploading files to an S3 bucket programmatically
- Pointing your DNS CNAME correctly to CloudFront
- Validating an ACM SSL Certificate without breaking the region rule
Why Bother with SST Instead of Vercel or Netlify?
Ease of use is expensive. Platforms like Vercel manage the servers for you, but at a premium. SST gives you the same local development experience but deploys directly to your own AWS account using the AWS Cloud Development Kit (CDK). You pay raw AWS pricing.
Cost Optimization
Stop paying per-seat licenses for developers just to access deployment logs. You pay AWS specifically for the compute and bandwidth you actually use.
Infrastructure as Code
Your entire backend stack is defined in TypeScript. Anyone on your team can read the configuration and know exactly what AWS services are provisioned. No manual clicking through consoles.
Live Lambda Development
SST proxies requests from your local machine to AWS. You can test your serverless functions immediately without waiting 4 minutes for a deployment to spin up.
Limitless Integrations
Because it's just an AWS wrapper, you can seamlessly connect your frontend to RDS databases, DynamoDB, or S3 storage buckets without weird third-party API configurations.
Step by Step Implementation Blueprint
Configure AWS Credentials
You need an IAM user with programmatic access. Open your terminal and run aws configure. Enter your Access Key ID, Secret Access Key, and default region. Without this, SST cannot provision resources. Then scaffold the Next.js app and add SST to it in drop-in mode:
```bash
yarn create next-app
cd my-app
yarn create sst
yarn install
```
Define the Next.js Infrastructure Stack
SST creates an sst.config.ts file. This is your master control node. We'll use the NextjsSite construct to deploy the entire frontend, and bind a public S3 bucket directly to it so we can handle user file uploads dynamically.
```typescript
import { SSTConfig } from "sst";
import { Bucket, NextjsSite } from "sst/constructs";

export default {
  // App name and the AWS region the stack deploys to
  config(_input) {
    return { name: "sst-tutorial", region: "us-east-1" };
  },
  stacks(app) {
    app.stack(function Site({ stack }) {
      // S3 bucket for uploads; "public" is its construct ID
      const bucket = new Bucket(stack, "public");
      // Next.js site with the bucket bound to it
      const site = new NextjsSite(stack, "site", { bind: [bucket] });
      // Print the CloudFront URL after deploy
      stack.addOutputs({ SiteUrl: site.url });
    });
  },
} satisfies SSTConfig;
```
Provide CloudFront DNS CNAME
Once you run yarn sst deploy --stage prod, SST passes your build to OpenNext, deploys to AWS, and hands you a CloudFront URL (e.g. d1234.cloudfront.net). Copy that URL. Log into Cloudflare or GoDaddy, and create a CNAME record for your custom domain whose target is that CloudFront hostname. Do not include 'https://' in the CNAME target.
Create The SSL Certificate in N. Virginia
This is exactly where engineers get stuck. CloudFront requires your AWS Certificate Manager (ACM) certificate to be strictly generated in the us-east-1 (N. Virginia) region. Even if you are deploying out of London or Sydney, the certificate must exist in us-east-1 to bind to the edge distribution. Request the cert, do the email validation, and copy the Certificate ARN.
Critical Region Warning
If you create the ACM certificate in us-west-2, it simply won't show up in the CloudFront distribution dropdown. You will waste an hour debugging your code. Build the certificate in us-east-1 exclusively.
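A pre-deploy check for the two manual steps above (the CNAME target and the certificate region), as an added example that is not part of the original guide or of SST. The function names checkCloudFrontCertArn and toCnameTarget are hypothetical, and the sample ARN and hostname are constructed.

```typescript
// Added example: pre-deploy checks for the two manual steps above.
// Function names and sample values are constructed for illustration.
type ArnCheck = { ok: boolean; problems: string[] };

// ACM ARN layout: arn:<partition>:acm:<region>:<account-id>:certificate/<id>
function checkCloudFrontCertArn(arn: string): ArnCheck {
  const parts = arn.trim().split(":");
  if (parts.length !== 6 || parts[0] !== "arn") {
    return { ok: false, problems: ["not a six-field ARN"] };
  }
  const [, , service = "", region = "", account = "", resource = ""] = parts;
  const problems: string[] = [];
  if (service !== "acm") problems.push(`service is "${service}", expected "acm"`);
  // The stack may deploy anywhere, but the certificate must be in us-east-1.
  if (region !== "us-east-1") {
    problems.push(`certificate is in "${region}", CloudFront needs us-east-1`);
  }
  if (!/^\d{12}$/.test(account)) problems.push("account ID is not 12 digits");
  if (!/^certificate\/.+$/.test(resource)) {
    problems.push("resource is not certificate/<id>");
  }
  return { ok: problems.length === 0, problems };
}

// Reduce whatever was copied from the deploy output to a bare hostname:
// a CNAME target carries no scheme, path, port or trailing root dot.
function toCnameTarget(siteUrl: string): string {
  let host = siteUrl.trim().toLowerCase();
  host = host.replace(/^[a-z][a-z0-9+.-]*:\/\//, ""); // drop "https://"
  host = host.split(/[\/?#]/)[0] ?? "";               // drop path, query, fragment
  host = host.replace(/:\d+$/, "").replace(/\.$/, ""); // drop port and root dot
  if (!/^[a-z0-9-]+\.cloudfront\.net$/.test(host)) {
    throw new Error(`"${host}" is not a CloudFront distribution hostname`);
  }
  return host;
}

// Constructed samples: a certificate requested in the wrong region, and a
// URL pasted with its scheme and trailing slash still attached.
const sampleArn =
  "arn:aws:acm:us-west-2:111122223333:certificate/constructed-example-id";
const sampleResult = checkCloudFrontCertArn(sampleArn);
const sampleTarget = toCnameTarget("https://d1234.cloudfront.net/");
```

Running both checks before editing DNS or sst.config.ts turns the silent "certificate missing from the dropdown" failure into an explicit message.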
Bind Domain to SST Layout
Now we tell SST that our domain lives outside Route53 via an external provider. Pass the certificate ARN straight into your NextjsSite configuration and re-deploy.
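```typescript
import { Certificate } from "aws-cdk-lib/aws-certificatemanager";

// Inside the site component of your script:
// ARN of the certificate requested in us-east-1 (placeholder value)
const certArn = 'arn:aws:acm:us-east-1:123456789:certificate/xxxxx';

const site = new NextjsSite(stack, "site", {
  bind: [bucket],
  customDomain: {
    // DNS is hosted outside Route53, so SST will not create records for it
    isExternalDomain: true,
    domainName: "app.yourdomain.com",
    cdk: {
      // Import the existing ACM certificate by its ARN
      certificate: Certificate.fromCertificateArn(stack, "MyCert", certArn),
    },
  },
});
```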
| System Concept | Definition |
|---|---|
| Live Lambda Development | Proxies AWS serverless requests to your local VS Code terminal instantly. |
| OpenNext Adapter | Translates Vercel's proprietary Next.js build output into raw AWS Lambda functions. |
| ACM External Validation | Proves you own a domain outside of Route53 before AWS issues an SSL certificate. |
Frequently Asked Questions
Why does my Next.js deployment crash in SST without an index file?
SST requires the standard Next.js folder hierarchy. If you delete index.tsx from the pages router without pointing it correctly, the OpenNext build pipeline will panic during deployment.
Can I point my GoDaddy domain to an SST Next.js app?
Yes. You just set the isExternalDomain flag to true in SST, map your GoDaddy CNAME manually to the CloudFront distribution output, and validate your SSL certificate via email.
Where do I find my AWS CloudFront URL?
When you execute "yarn sst deploy --stage prod", the output log prints the raw CloudFront URL as the SiteUrl stack output at the bottom. That's your CNAME target.
How much cheaper is SST than Vercel?
At enterprise traffic levels, deploying Next.js directly onto your own AWS account using SST will often cut bandwidth and custom function billing by up to 80%.
How do I verify the ACM certificate if I own the domain on Cloudflare?
Select Email Validation when requesting the cert in AWS. AWS will send a confirmation link to the admin/webmaster emails registered to that domain in your WHOIS record.
Stop Paying Middlemen for Raw Compute Power
If your cloud hosting bill is over $1,500/month for a standard web application, your CTO is being lazy. We migrate D2C brands off bloated vendor platforms and put them directly onto AWS. It takes us less than 72 hours, and the ROI is immediate. Print out your last Vercel invoice. Look at the bandwidth markup. If that number makes you sick, it's time to build proper infrastructure.
