AWS Route 53 Domain Name Renewal (7 days before expiration)

Ensure that all domain names registered with AWS Route 53 or transferred to AWS Route 53 are renewed at least 7 days before their expiry.

Risk Level: High
Cloud Entity: Amazon Route 53
CloudGuard Rule ID: D9.AWS.DNS.04
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

Route53Domain should not have expirationTime before(7, 'days')

REMEDIATION

From Portal
Use the following steps to validate the expiry date for a domain:

  1. Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.
  2. In the left navigation panel, under Domains, click Registered Domains.
  3. Select the relevant domain.
  4. On the Your Domains 'domain name' page, in the domain name configuration section, check the domain expiration date next to 'Expires on'. If the selected domain is about to expire within 7 days, continue with the renewal process.

Use the following steps to enable auto renew for the domains expiring within 7 days:

  1. Sign in to the AWS Management Console and open the Route 53 console.
  2. In the navigation pane, choose Registered Domains.
  3. Choose the name of the domain that you want to update.
  4. Choose Enable to turn on automatic renewal. Once the renewal process for the domain is successfully completed, AWS will send you an email with the renewal details.

From TF

resource "aws_route53domains_registered_domain" "example" {
  domain_name = "example.com"
  auto_renew  = true

  name_server {
    name = "example.com"
  }
}

Note: The 'auto_renew' parameter (true/false) controls whether the domain registration is set to renew automatically.

From Command Line
Run the following command to enable the Auto Renew feature for the selected domain:

aws route53domains enable-domain-auto-renew --domain-name DOMAIN_NAME
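
To find which domains need that command, the rule's condition can be evaluated over the output of `aws route53domains list-domains`. The Python below is an added example, not part of the CloudGuard rule or of AWS tooling; it assumes the rule fails a domain whose Expiry is earlier than now plus 7 days, and the sample listing and function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws route53domains list-domains` output.
# Expiry can arrive as ISO 8601 text or as epoch seconds, depending on CLI settings.
SAMPLE = json.loads("""
{"Domains": [
  {"DomainName": "example.com", "AutoRenew": false, "TransferLock": true,
   "Expiry": "2024-06-04T12:00:00+00:00"},
  {"DomainName": "example.net", "AutoRenew": true, "TransferLock": true,
   "Expiry": "2025-03-01T00:00:00+00:00"},
  {"DomainName": "example.org", "AutoRenew": true, "TransferLock": false,
   "Expiry": 1717600000.0}
]}
""")


def parse_expiry(value):
    """Return a timezone-aware UTC datetime for either Expiry representation."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def failing_domains(listing, now, days=7):
    """Domains whose Expiry is earlier than now + days, soonest first."""
    cutoff = now + timedelta(days=days)
    hits = []
    for d in listing.get("Domains", []):
        expiry = parse_expiry(d["Expiry"])
        if expiry < cutoff:
            hits.append({
                "domain": d["DomainName"],
                "expiry": expiry,
                "days_left": (expiry - now).days,  # negative once already expired
                "auto_renew": d.get("AutoRenew", False),
            })
    return sorted(hits, key=lambda h: h["expiry"])


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    for h in failing_domains(SAMPLE, now):
        action = ("confirm the renewal completes" if h["auto_renew"]
                  else "renew or enable auto renew")
        print(f'{h["domain"]}: expires {h["expiry"]:%Y-%m-%d}, '
              f'{h["days_left"]} day(s) left, {action}')
```

For live data, pass `datetime.now(timezone.utc)` as `now` and load the JSON saved from the `list-domains` command in place of the sample.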

References

  1. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-enable-disable-auto-renewal.html
  2. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-extend.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53domains_registered_domain#auto_renew
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53domains/enable-domain-auto-renew.html
  5. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-renew.html

Amazon Route 53

Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating names like www.example.com into numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset