Enable AWS Route 53 Domain Transfer Lock

Ensure that your AWS Route 53 registered domains are locked to prevent unauthorized transfers to another domain name registrar.

Risk Level: Low
Cloud Entity: Amazon Route 53
CloudGuard Rule ID: D9.AWS.DNS.03
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

Route53Domain should not have transferLock=false

REMEDIATION

From Portal
Use the following steps to enable Transfer Lock for a domain:

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
  2. In the navigation pane, choose Registered Domains.
  3. Choose the name of the domain that you want to update.
  4. Click the domain name link to open the domain's configuration settings, then click 'Enable' next to 'Transfer Lock'.

From TF

resource "aws_route53domains_registered_domain" "example" {
	domain_name   = "example.com"
	auto_renew    = true
	transfer_lock = true

	name_server {
		name = "example.com"
	}
}

From Command Line
Run the following command to enable the transfer lock on a domain (replace REGION_NAME and DOMAIN_NAME with your values):

aws route53domains enable-domain-transfer-lock --region REGION_NAME --domain-name DOMAIN_NAME
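The single command above locks one domain you already know is unlocked. The script below is an added example (not part of the CloudGuard rule or the AWS documentation) that audits every registered domain in the account and applies the same remediation only where the lock is off. It assumes AWS CLI v2 and credentials allowed to call route53domains:ListDomains and route53domains:EnableDomainTransferLock. Route 53 Domains is a global service whose API is served from us-east-1, so that region is hard-coded regardless of where your other resources live. The filter is exercised against constructed sample data so it can be checked without an AWS account; the function names are the author's own.

```shell
#!/bin/sh
# Added example: audit Route 53 registered domains for a missing transfer lock
# and enable it. Assumes AWS CLI v2 with route53domains:ListDomains and
# route53domains:EnableDomainTransferLock permissions.

# Route 53 Domains API endpoint is global and served from us-east-1 only.
REGION="us-east-1"

# Reads "DomainName<TAB>TransferLock" lines (the shape list_domains emits with
# --output text) and prints only the domains whose lock is not enabled.
unlocked_domains() {
    awk -F'\t' '$2 != "True" { print $1 }'
}

# Lists every registered domain with its TransferLock flag, one per line.
list_domains() {
    aws route53domains list-domains --region "$REGION" \
        --query 'Domains[].[DomainName,TransferLock]' --output text
}

# Enables the transfer lock on one domain (the remediation command from the page).
enable_lock() {
    aws route53domains enable-domain-transfer-lock --region "$REGION" \
        --domain-name "$1"
}

# Audits all domains and locks the unlocked ones. Pass --dry-run to only report.
remediate() {
    dry_run="$1"
    list_domains | unlocked_domains | while IFS= read -r domain; do
        if [ "$dry_run" = "--dry-run" ]; then
            echo "would enable transfer lock on $domain"
        else
            enable_lock "$domain" && echo "enabled transfer lock on $domain"
        fi
    done
}

# Constructed sample, in the same tab-separated shape list_domains produces,
# so the filter can be exercised offline. Only example.net is unlocked.
SAMPLE_LIST="$(printf 'example.com\tTrue\nexample.net\tFalse\nexample.org\tTrue\n')"

# Returns the unlocked domains from the constructed sample (hypothetical data).
sample_unlocked() {
    printf '%s\n' "$SAMPLE_LIST" | unlocked_domains
}

# Run the live audit only when asked explicitly:
#   sh route53_transfer_lock.sh --audit --dry-run   # report only
#   sh route53_transfer_lock.sh --audit             # report and remediate
if [ "${1:-}" = "--audit" ]; then
    remediate "${2:-}"
fi
```

Run it with --audit --dry-run first to see which domains would change; the CloudGuard rule (transferLock=false) flags exactly the domains this script reports. Note that a transfer lock is a registry-level status (clientTransferProhibited) and is not supported for every TLD, so the enable call can fail for domains whose registry does not offer it.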

References

  1. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-lock.html
  2. https://awscli.amazonaws.com/v2/documentation/api/2.4.19/reference/route53domains/enable-domain-transfer-lock.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53domains_registered_domain

Amazon Route 53

Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating names like www.example.com into numeric IP addresses such as 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset