diff --git a/aws/resource_aws_cognito_user_pool_domain.go b/aws/resource_aws_cognito_user_pool_domain.go
index 08c70a478fd..22adcf82df7 100644
--- a/aws/resource_aws_cognito_user_pool_domain.go
+++ b/aws/resource_aws_cognito_user_pool_domain.go
@@ -22,10 +22,15 @@ func resourceAwsCognitoUserPoolDomain() *schema.Resource {
 
 Schema: map[string]*schema.Schema{
 "domain": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+ "certificate_arn": {
 Type: schema.TypeString,
- Required: true,
+ Optional: true,
 ForceNew: true,
- ValidateFunc: validateCognitoUserPoolDomain,
+ ValidateFunc: validateArn,
 },
 "user_pool_id": {
 Type: schema.TypeString,
@@ -57,10 +62,21 @@ func resourceAwsCognitoUserPoolDomainCreate(d *schema.ResourceData, meta interfa
 
 domain := d.Get("domain").(string)
 
+ timeout := 1 * time.Minute //Default timeout for a basic domain
+
 params := &cognitoidentityprovider.CreateUserPoolDomainInput{
 Domain: aws.String(domain),
 UserPoolId: aws.String(d.Get("user_pool_id").(string)),
 }
+
+ if v, ok := d.GetOk("certificate_arn"); ok {
+ customDomainConfig := &cognitoidentityprovider.CustomDomainConfigType{
+ CertificateArn: aws.String(v.(string)),
+ }
+ params.CustomDomainConfig = customDomainConfig
+ timeout = 60 * time.Minute //Custom domains take more time to become active
+ }
+
 log.Printf("[DEBUG] Creating Cognito User Pool Domain: %s", params)
 
 _, err := conn.CreateUserPoolDomain(params)
@@ -78,7 +94,8 @@ func resourceAwsCognitoUserPoolDomainCreate(d *schema.ResourceData, meta interfa
 Target: []string{
 cognitoidentityprovider.DomainStatusTypeActive,
 },
- Timeout: 1 * time.Minute,
+ MinTimeout: 1 * time.Minute,
+ Timeout: timeout,
 Refresh: func() (interface{}, string, error) {
 domain, err := conn.DescribeUserPoolDomain(&cognitoidentityprovider.DescribeUserPoolDomainInput{
 Domain: aws.String(d.Get("domain").(string)),
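Review bot: Removing `ValidateFunc: validateCognitoUserPoolDomain` from `domain` in the schema hunk drops all plan-time validation for the Cognito-hosted prefix form, so a malformed prefix now only surfaces as an API error from `CreateUserPoolDomain` after the apply has started. A per-field `ValidateFunc` cannot see `certificate_arn`, but if the vendored helper/schema supports `CustomizeDiff` the old prefix rule can be applied there only when `certificate_arn` is unset, while a FQDN is accepted when it is set. Documenting which form is expected in each case in the `domain` argument's description would also help, since the two accepted shapes are quite different.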
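Review bot: The custom-domain wait in `resourceAwsCognitoUserPoolDomainCreate` is fixed at `timeout = 60 * time.Minute` with no way for an operator to adjust it; wiring the value through the resource's `Timeouts` block (`schema.ResourceTimeout` on the resource and `d.Timeout(schema.TimeoutCreate)` here) would keep 1 and 60 minutes as defaults while letting users override them. Separately, gofmt will not touch `//Default timeout for a basic domain` and `//Custom domains take more time to become active`; a space after `//` is the conventional form. The function's error handling for `CreateUserPoolDomain` continues past the end of this hunk.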
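Review bot: `MinTimeout: 1 * time.Minute` paired with the basic-domain `Timeout: timeout` of one minute leaves the hosted-prefix path with effectively a single retry: as I read helper/resource's `WaitForState`, `MinTimeout` is the floor on the wait between refreshes, so after the immediate first `DescribeUserPoolDomain` the next poll lands at roughly the same moment the one-minute `Timeout` expires, whereas the old exponential backoff from 100ms polled many times within that minute. Either keep the floor small and only lengthen `Timeout` for custom domains, e.g. `MinTimeout: 10 * time.Second,`, or set a `minTimeout` variable in the same `certificate_arn` branch that sets `timeout` so both values scale together. The enclosing `stateConf` literal begins before this hunk.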
@@ -119,6 +136,10 @@ func resourceAwsCognitoUserPoolDomainRead(d *schema.ResourceData, meta interface
 desc := domain.DomainDescription
 d.Set("domain", d.Id())
+ d.Set("certificate_arn", "")
+ if desc.CustomDomainConfig != nil {
+ d.Set("certificate_arn", desc.CustomDomainConfig.CertificateArn)
+ }
 d.Set("aws_account_id", desc.AWSAccountId)
 d.Set("cloudfront_distribution_arn", desc.CloudFrontDistribution)
 d.Set("s3_bucket", desc.S3Bucket)
diff --git a/aws/resource_aws_cognito_user_pool_domain_test.go b/aws/resource_aws_cognito_user_pool_domain_test.go
index 678b782865f..78439f42cf8 100644
--- a/aws/resource_aws_cognito_user_pool_domain_test.go
+++ b/aws/resource_aws_cognito_user_pool_domain_test.go
@@ -3,6 +3,7 @@ package aws
 import (
 "errors"
 "fmt"
+ "os"
 "testing"
 
 "github.com/aws/aws-sdk-go/aws"
@@ -37,6 +38,54 @@ func TestAccAWSCognitoUserPoolDomain_basic(t *testing.T) {
 })
 }
 
+func TestAccAWSCognitoUserPoolDomain_custom(t *testing.T) {
+ poolName := fmt.Sprintf("tf-acc-test-pool-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
+ // This test must always run in us-east-1
+ // BadRequestException: Invalid certificate ARN: arn:aws:acm:us-west-2:123456789012:certificate/xxxxx. Certificate must be in 'us-east-1'.
+ oldvar := os.Getenv("AWS_DEFAULT_REGION")
+ os.Setenv("AWS_DEFAULT_REGION", "us-east-1")
+ defer os.Setenv("AWS_DEFAULT_REGION", oldvar)
+
+ customDomainName := os.Getenv("AWS_COGNITO_USER_POOL_DOMAIN_ROOT_DOMAIN")
+ if customDomainName == "" {
+ t.Skip(
+ "Environment variable AWS_COGNITO_USER_POOL_DOMAIN_ROOT_DOMAIN is not set. " +
+ "This environment variable must be set to the fqdn of " +
+ "an ISSUED ACM certificate in us-east-1 to enable this test.")
+ }
+
+ customSubDomainName := fmt.Sprintf("%s.%s", fmt.Sprintf("tf-acc-test-domain-%d", acctest.RandInt()), customDomainName)
+ // For now, use an environment variable to limit running this test
+ certificateArn := os.Getenv("AWS_COGNITO_USER_POOL_DOMAIN_CERTIFICATE_ARN")
+ if certificateArn == "" {
+ t.Skip(
+ "Environment variable AWS_COGNITO_USER_POOL_DOMAIN_CERTIFICATE_ARN is not set. 
" +
+ "This environment variable must be set to the ARN of " +
+ "an ISSUED ACM certificate in us-east-1 to enable this test.")
+ }
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSCognitoUserPoolDomainDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSCognitoUserPoolDomainConfig_custom(customSubDomainName, poolName, certificateArn),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckAWSCognitoUserPoolDomainExists("aws_cognito_user_pool_domain.main"),
+ resource.TestCheckResourceAttr("aws_cognito_user_pool_domain.main", "domain", customSubDomainName),
+ resource.TestCheckResourceAttr("aws_cognito_user_pool_domain.main", "certificate_arn", certificateArn),
+ resource.TestCheckResourceAttr("aws_cognito_user_pool.main", "name", poolName),
+ resource.TestCheckResourceAttrSet("aws_cognito_user_pool_domain.main", "aws_account_id"),
+ resource.TestCheckResourceAttrSet("aws_cognito_user_pool_domain.main", "cloudfront_distribution_arn"),
+ resource.TestCheckResourceAttrSet("aws_cognito_user_pool_domain.main", "s3_bucket"),
+ resource.TestCheckResourceAttrSet("aws_cognito_user_pool_domain.main", "version"),
+ ),
+ },
+ },
+ })
+}
+
 func TestAccAWSCognitoUserPoolDomain_import(t *testing.T) {
 domainName := fmt.Sprintf("tf-acc-test-domain-%d", acctest.RandInt())
 poolName := fmt.Sprintf("tf-acc-test-pool-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
@@ -118,3 +167,17 @@ resource "aws_cognito_user_pool" "main" {
 }
 `, domainName, poolName)
 }
+
+func testAccAWSCognitoUserPoolDomainConfig_custom(customSubDomainName, poolName, certificateArn string) string {
+ return fmt.Sprintf(`
+ resource "aws_cognito_user_pool_domain" "main" {
+ domain = "%s"
+ user_pool_id = "${aws_cognito_user_pool.main.id}"
+ certificate_arn = "%s"
+ }
+
+ resource "aws_cognito_user_pool" "main" {
+ name = "%s"
+ }
+ `, customSubDomainName, certificateArn, poolName)
+ }
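Review bot: `defer os.Setenv("AWS_DEFAULT_REGION", oldvar)` in `TestAccAWSCognitoUserPoolDomain_custom` does not restore the original state when the variable was unset, because `os.Getenv` returns `""` for both "unset" and "set to empty", so the deferred call leaves an empty `AWS_DEFAULT_REGION` behind for every later test in the same process; the `os.Setenv` errors are also discarded. Using `os.LookupEnv` to remember whether it existed and `os.Unsetenv` on the way out fixes both, and the region override is process-wide, so it will also be seen by any test running concurrently in this binary. The `t.Skip` message for `AWS_COGNITO_USER_POOL_DOMAIN_ROOT_DOMAIN` is a copy of the certificate one ("must be set to the fqdn of an ISSUED ACM certificate") and should describe the root domain the test prefixes with the random subdomain.
```go
func TestAccAWSCognitoUserPoolDomain_custom(t *testing.T) {
	poolName := fmt.Sprintf("tf-acc-test-pool-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
	// This test must always run in us-east-1
	// BadRequestException: Invalid certificate ARN: arn:aws:acm:us-west-2:123456789012:certificate/xxxxx. Certificate must be in 'us-east-1'.
	oldvar, wasSet := os.LookupEnv("AWS_DEFAULT_REGION")
	if err := os.Setenv("AWS_DEFAULT_REGION", "us-east-1"); err != nil {
		t.Fatal(err)
	}
	defer func() {
		// Restore the caller's environment exactly: unset if it was unset.
		if wasSet {
			os.Setenv("AWS_DEFAULT_REGION", oldvar)
		} else {
			os.Unsetenv("AWS_DEFAULT_REGION")
		}
	}()
	// … unchanged: environment-variable skip checks and resource.Test …
```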
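Review bot: In `testAccAWSCognitoUserPoolDomainConfig_custom` the parameter order `(customSubDomainName, poolName, certificateArn)` differs from the order the `%s` placeholders consume them, `customSubDomainName, certificateArn, poolName`, which invites a silent swap at the call site since all three are plain strings. Declaring the parameters in placeholder order, `func testAccAWSCognitoUserPoolDomainConfig_custom(customSubDomainName, certificateArn, poolName string) string`, and adjusting the single caller in `TestAccAWSCognitoUserPoolDomain_custom` keeps the signature and the template in step.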
diff --git a/website/docs/r/cognito_user_pool_domain.markdown b/website/docs/r/cognito_user_pool_domain.markdown
index 178e6e119a5..d052d3888c0 100644
--- a/website/docs/r/cognito_user_pool_domain.markdown
+++ b/website/docs/r/cognito_user_pool_domain.markdown
@@ -12,6 +12,7 @@ Provides a Cognito User Pool Domain resource.
 
 ## Example Usage
 
+### Amazon Cognito domain
 ```hcl
 resource "aws_cognito_user_pool_domain" "main" {
 domain = "example-domain"
@@ -22,6 +23,20 @@ resource "aws_cognito_user_pool" "example" {
 name = "example-pool"
 }
 ```
+### Custom Cognito domain
+```hcl
+resource "aws_cognito_user_pool_domain" "main" {
+ domain = "example-domain.exemple.com"
+ certificate_arn = "${aws_acm_certificate.cert.arn}"
+ user_pool_id = "${aws_cognito_user_pool.example.id}"
+}
+
+resource "aws_cognito_user_pool" "example" {
+ name = "example-pool"
+}
+```
+
+
 
 ## Argument Reference
 
@@ -29,6 +44,7 @@ The following arguments are supported:
 
 * `domain` - (Required) The domain string.
 * `user_pool_id` - (Required) The user pool ID.
+* `certificate_arn` - (Optional) The ARN of an ISSUED ACM certificate in us-east-1 for a custom domain.
 
 ## Attribute Reference